iptables is a powerful tool used on Linux to configure and manage firewall rules. It allows system administrators to define how incoming and outgoing traffic is handled. Here’s a guide to help you get started with iptables:

Basic Concepts of iptables

  • Chains: iptables rules are organized into chains, which are ordered lists of rules. The main chains are:
    • INPUT: Handles incoming traffic.
    • OUTPUT: Handles outgoing traffic.
    • FORWARD: Handles traffic passing through the system (e.g., a router).
  • Tables: iptables uses different tables to manage different types of network traffic.
    • filter: The default table for filtering network traffic.
    • nat: Used for Network Address Translation (e.g., port forwarding).
    • mangle: Used for specialized packet alteration.
    • raw: Used for handling packets before connection tracking.

Basic iptables Commands

1. List Current Rules

To view the current set of iptables rules, use:

sudo iptables -L

This will list all rules in the filter table (add -n to print addresses and ports numerically instead of resolving them, which is much faster). To view rules in a specific chain, use:

sudo iptables -L INPUT
sudo iptables -L OUTPUT
sudo iptables -L FORWARD

2. Add Rules

You can add rules to iptables using the following syntax:

sudo iptables -A <CHAIN> -p <PROTOCOL> --dport <PORT> -j <ACTION>

Where:

  • <CHAIN> is the chain where the rule should be applied (INPUT, OUTPUT, or FORWARD).
  • <PROTOCOL> can be tcp, udp, or other supported protocols.
  • <PORT> is the port number (e.g., 22 for SSH).
  • <ACTION> specifies the action to take on matching packets (e.g., ACCEPT, DROP, REJECT).

Example: Allow incoming SSH (port 22) traffic:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

3. Delete Rules

To delete a rule, use the -D option:

sudo iptables -D <CHAIN> <rule_number>

You can find the rule number by listing the rules with -L --line-numbers (adding -n for numeric output); the number is each rule's position in its chain, so re-list after every deletion because the rules below it shift up.

For example, to remove the SSH rule you just added:

sudo iptables -D INPUT -p tcp --dport 22 -j ACCEPT

4. Block Traffic

To block all incoming traffic from a specific IP address:

sudo iptables -A INPUT -s <IP_ADDRESS> -j DROP

For example, to block traffic from 192.168.1.100:

sudo iptables -A INPUT -s 192.168.1.100 -j DROP

5. Save Changes

By default, changes made using iptables are not persistent across reboots. To save the current rules:

  • On Debian-based systems (e.g., Ubuntu): sudo sh -c 'iptables-save > /etc/iptables/rules.v4' (the redirection must also run as root, otherwise your unprivileged shell cannot write the file; the /etc/iptables directory is provided by the iptables-persistent package)
  • On Red Hat-based systems (e.g., CentOS, Fedora): sudo service iptables save (on releases that ship firewalld by default this requires the iptables-services package)
  • You can also install the iptables-persistent package to ensure rules persist after reboot on Debian-based systems: sudo apt install iptables-persistent

6. Flush Rules

To remove all rules from a specific chain (e.g., the INPUT chain):

sudo iptables -F INPUT

To clear all rules from all chains:

sudo iptables -F

7. Set Default Policies

The default policy controls what happens to traffic that doesn’t match any rules. The default policy can be set to either ACCEPT or DROP. Add the rules you depend on (loopback, your SSH port) before switching INPUT to DROP; if you set the policy first on a remote machine, your own session is cut off.

# Set default policy to DROP for INPUT chain (blocks all incoming traffic)
sudo iptables -P INPUT DROP

# Set default policy to ACCEPT for OUTPUT chain (allows all outgoing traffic)
sudo iptables -P OUTPUT ACCEPT

8. Allow Loopback Traffic

To ensure that local services can communicate with each other on your machine (important for applications like web servers), allow traffic on the loopback interface (lo):

sudo iptables -A INPUT -i lo -j ACCEPT
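Sections 5, 7 and 8 fit together as one persistent ruleset. The script below is an added example, not part of the original post: it generates a filter-table ruleset in the format iptables-save writes and iptables-restore reads, in an order that lets a remote administrator switch INPUT to DROP without losing the session, and checks for exactly that lock-out before anything is loaded. It goes one step beyond the post by accepting ESTABLISHED,RELATED connections with the conntrack match, which is what lets replies to outbound connections back in once INPUT drops by default. SSH_PORT and ADMIN_NET are constructed placeholder values.

```shell
#!/bin/sh
# Added example: build and sanity-check an iptables-restore ruleset.
# SSH_PORT and ADMIN_NET are constructed assumptions, not values from the post.
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"

# Print a complete filter-table ruleset on stdout. Rule order matters:
# loopback and already-established traffic are accepted before anything
# else, and the INPUT policy itself is DROP, so unmatched packets are
# logged (rate-limited) and then discarded by the policy.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -s $ADMIN_NET --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
COMMIT
EOF
}

# Refuse to load a ruleset whose INPUT policy is DROP but which never
# accepts the SSH port: the classic way to lock yourself out remotely.
# Returns 0 when the ruleset is safe to load, 1 otherwise.
check_ruleset() {
    rules="$1"
    if printf '%s\n' "$rules" | grep -q '^:INPUT DROP' &&
       ! printf '%s\n' "$rules" | grep -q -- "--dport $SSH_PORT .*-j ACCEPT"; then
        echo "refusing: INPUT policy DROP without an SSH ACCEPT rule" >&2
        return 1
    fi
    return 0
}

# Count the rules (lines starting with -A) in a ruleset.
count_rules() { printf '%s\n' "$1" | grep -c '^-A'; }

# To apply for real (root required):
#   RULES=$(build_ruleset) && check_ruleset "$RULES" &&
#   printf '%s\n' "$RULES" | sudo iptables-restore --test &&   # syntax check only
#   printf '%s\n' "$RULES" | sudo iptables-restore              # load into the kernel
```

Save the generated text as /etc/iptables/rules.v4 (see section 5) so iptables-persistent reloads it at boot.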

9. Port Forwarding (NAT)

If you’re using a Linux machine as a router or gateway and want to forward traffic from one port to another, you can use iptables for port forwarding. The kernel must also have IP forwarding enabled (net.ipv4.ip_forward = 1), or the FORWARD chain never sees the packets.

For example, to forward incoming TCP traffic on port 8080 to an internal server on port 80:

sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.100:80
sudo iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 80 -j ACCEPT

10. Check Connections with Connection Tracking

To view the rules together with the packet and byte counters each one has matched, use:

sudo iptables -L -v -n

This will show the number of packets and bytes for each rule, which is the quickest way to confirm that a rule is actually being hit rather than shadowed by an earlier one.

Common iptables Actions

  • ACCEPT: Allows the packet.
  • DROP: Discards the packet without notifying the sender.
  • REJECT: Discards the packet and sends an error back to the sender (by default an ICMP port-unreachable message).
  • LOG: Logs the packet to the system log.

For example, to log and drop packets from a specific IP (LOG is a non-terminating target, so the packet continues to the next rule, which drops it):

sudo iptables -A INPUT -s 192.168.1.100 -j LOG --log-prefix "Blocked IP: "
sudo iptables -A INPUT -s 192.168.1.100 -j DROP

Conclusion

iptables is a flexible tool that can be used to secure a Linux system by controlling network traffic. By creating rules to allow, block, or forward specific traffic, you can build a robust firewall that suits your needs. Always test your firewall settings to ensure they work as intended, and remember that incorrect configurations may lock you out of your system.

Posted by in Blog on November 29, 2024