
How To Configure iptables Firewall In Linux


Iptables is a great firewall built on the netfilter framework of the Linux kernel. A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.

Configuring iptables manually is challenging for the uninitiated. Fortunately, there are many configuration tools available to assist: e.g., fwbuilder, bastille, and ufw.


First Concepts:

Packet: a logical container representing the flow of data
Protocol: a language and set of rules that network devices operate by
Port: a numerical designation representing a particular protocol

Iptables organizes its rules into tables, each of which holds chains:

  1. MANGLE
    1. Rules to modify the packets
  2. NAT (Network Address Translation)
    1. PREROUTING
    2. POSTROUTING
  3. FILTER
    1. INPUT
    2. OUTPUT
    3. FORWARD

Iptables rules act on packets that match a given protocol, address or port; for example, if you want to deny a particular internet connection, iptables can do it.

Iptables Configuration

See what rules are already configured:

# iptables -L

The default ruleset allows anyone access to anything from anywhere. Delete the existing iptables rules:

# iptables -F

Policies

a. ACCEPT
Allow the traffic
b. DROP
Deny the traffic

For example: if the default policy of the INPUT chain is DROP, the firewall denies all incoming internet traffic that no rule explicitly accepts.


If you want to change the default policy of a chain, you can do it with the following command:

# iptables -P CHAIN POLICY

Protecting your system: Rules

Setting the INPUT policy to DROP

Allowing the packets from your LAN (first, you must know the local IP address and network range, using the ‘ifconfig’ command).

# iptables -A INPUT -s 192.168.100.0/24 -j ACCEPT

Allowing the internet traffic (replies that belong to connections already established by this host, or related to them)

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allowing all outbound traffic

# iptables -A OUTPUT -j ACCEPT

Allowing HTTP and HTTPS connections from anywhere (the normal ports for websites)

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allowing SSH connections. The --dport number must be the same as the Port configured in /etc/ssh/sshd_confi

# iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

Blocking an IP address with iptables

The default policy for INPUT must be DROP.

Add a new rule to drop the traffic from the corresponding IP address (archlinux.org's IP):

# iptables -A INPUT -s 66.211.214.131 -j DROP

Add a new rule to allow the rest of the internet traffic (all the rules that drop traffic must be created before this rule, because iptables applies the first rule that matches a packet):

# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
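The rules from the sections above, collected into one iptables-restore ruleset together with a check for the ordering constraint just mentioned. This is an added example, not part of the original tutorial; it assumes the tutorial's LAN range, blocked address and SSH port, and the loopback accept is an addition the tutorial does not cover.

```shell
#!/bin/sh
# Added example, not from the tutorial: assemble its rules into an
# iptables-restore ruleset and check the ordering rule from the "Blocking an
# IP address" section (DROP rules before the ESTABLISHED,RELATED accept).
# Nothing here changes the live firewall unless you feed the output to
# iptables-restore yourself.

LAN_NET="${LAN_NET:-192.168.100.0/24}"      # LAN range used in the tutorial
BLOCKED_IP="${BLOCKED_IP:-66.211.214.131}"  # address blocked in the tutorial
SSH_PORT="${SSH_PORT:-22}"                  # must match the sshd Port setting

# Print the filter table in iptables-restore syntax. Rules are evaluated top to
# bottom and the first match decides, so the DROP for the blocked address comes
# before the broad ESTABLISHED,RELATED accept. The loopback accept is not in
# the tutorial; without it an INPUT DROP policy breaks local services that
# talk to each other over 127.0.0.1.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s $BLOCKED_IP -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s $LAN_NET -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport $SSH_PORT -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; exit 0 if no DROP rule follows the first
# ESTABLISHED,RELATED accept (where it would be shadowed), 1 otherwise.
check_drop_order() {
    awk '
        /-j DROP/ && seen_est { bad = 1 }
        /--state ESTABLISHED,RELATED -j ACCEPT/ { seen_est = 1 }
        END { if (bad) exit 1; exit 0 }
    '
}

# Count the INPUT rules the ruleset would install (7 with the defaults above).
count_input_rules() {
    build_ruleset | grep -c '^-A INPUT'
}

# Typical use: build_ruleset | check_drop_order && build_ruleset | iptables-restore
```

Running `build_ruleset | check_drop_order` before loading the ruleset catches a DROP rule that was appended after the ESTABLISHED,RELATED accept and would never take effect.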

Common iptables options:

-A Append, that is, add a new rule at the end of a chain
-I Insert a new rule
-D Delete a rule
-R Replace the rule at a given position
-L List the rules
-L --line-numbers Show the position number of each rule
-F Delete all the rules
-F CHAIN Delete the rules of a specific chain
-N CHAIN_NAME Create a new chain
-X CHAIN Delete a chain
-P Change the default policy of a chain
iptables -A CHAIN -s Specify a source (IP address)
iptables -A CHAIN -p Specify the protocol
iptables -A CHAIN -p tcp --dport Specify the port
iptables -A CHAIN … -j Determine the policy (target) for a specific rule

Iptables has a lot of possibilities, but this is a basic tutorial. If you want to know more about iptables, you can follow these links:

http://netfilter.org/documentation/

https://wiki.debian.org/iptables

https://wiki.archlinux.org/index.php/Iptables

http://www.faqs.org/docs/linux_network/x-087-2-firewall.future.html



1 comment

henrich November 11, 2019 at 2:16 am

thank you very much!
