Linux comes with a host-based firewall called Netfilter. According to the official project site:
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.
This Linux firewall is controlled by the iptables program, which handles filtering for IPv4, while ip6tables handles filtering for IPv6. This post lists the most common iptables solutions a new Linux user needs to secure his or her Linux system from intruders.
The built-in chains for the filter table are as follows:
INPUT — Applies to network packets that are targeted for the host.
OUTPUT — Applies to locally-generated network packets.
FORWARD — Applies to network packets routed through the host.
Each filtering rule is built from three parts:
Packet Type — Specifies the type of packets the command filters.
Packet Source/Destination — Specifies which packets the command filters based on the source or destination of the packet.
Target — Specifies what action is taken on packets matching the above criteria.
Structure of iptables Command Options
iptables commands have the following structure:
iptables [-t <table-name>] <command> <chain-name> \
    <parameter-1> <option-1> \
    <parameter-n> <option-n>
If no table is selected with -t, the default filter table is used.
<command> tells iptables to perform a specific action. Only one command option is allowed per iptables command. With the exception of the help command, all commands are written in upper-case characters.
The iptables command options are as follows:
-A — Appends the rule to the end of the specified chain. Unlike the -I option described below, it does not take an integer argument. It always appends the rule to the end of the specified chain.
-D <integer> | <rule> — Deletes a rule in a particular chain by number (such as 5 for the fifth rule in a chain), or by rule specification. The rule specification must exactly match an existing rule.
-E — Renames a user-defined chain. A user-defined chain is any chain other than the default, pre-existing chains. (Refer to the -N option, below, for information on creating user-defined chains.) This is a cosmetic change and does not affect the structure of the table.
-F — Flushes the selected chain, which effectively deletes every rule in the chain. If no chain is specified, this command flushes every rule from every chain.
-h — Provides a list of command structures, as well as a quick summary of command parameters and options.
-I [<integer>] — Inserts the rule in the specified chain at the position given by the integer argument. If no argument is specified, the rule is inserted at the top of the chain.
-L — Lists all of the rules in the chain specified after the command. To list all rules in all chains in the default filter table, do not specify a chain or table. Otherwise, use the following syntax to list the rules in a specific chain of a particular table:
iptables -L <chain-name> -t <table-name>
-N — Creates a new chain with a user-specified name. The chain name must be unique, otherwise an error message is displayed.
-P — Sets the default policy for the specified chain, so that when packets traverse an entire chain without matching a rule, they are sent to the specified target, such as ACCEPT or DROP.
-R — Replaces a rule in the specified chain. The rule's number must be specified after the chain's name. The first rule in a chain corresponds to rule number one.
-X — Deletes a user-specified chain. You cannot delete a built-in chain.
-Z — Sets the byte and packet counters in all chains for a table to zero.
iptables Parameter Options
iptables commands, including those used to add, append, delete, insert, or replace rules within a particular chain, require various parameters to construct a packet filtering rule.
-c — Resets the counters for a particular rule. This parameter accepts options such as BYTES to specify which counter to reset.
-d — Sets the destination hostname, IP address, or network of a packet that matches the rule. When matching a network, the following IP address/netmask formats are supported:
N.N.N.N/M.M.M.M — Where N.N.N.N is the IP address range and M.M.M.M is the netmask.
N.N.N.N/M — Where N.N.N.N is the IP address range and M is the bitmask.
-f — Applies this rule only to fragmented packets. You can use the exclamation point character (!) before this parameter to specify that only unfragmented packets are matched.
-i — Sets the incoming network interface, such as eth0. With iptables, this optional parameter may only be used with the INPUT and FORWARD chains when used with the filter table, and with the PREROUTING chain in the mangle table. This parameter also supports the following special options:
Exclamation point character (!) — Reverses the directive, meaning any specified interfaces are excluded from this rule.
Plus character (+) — A wildcard character used to match all interfaces that match the specified string. For example, the parameter -i eth+ would apply this rule to any Ethernet interface but not to any other interface.
If the -i parameter is used but no interface is specified, then every interface is affected by the rule.
-j — Jumps to the specified target when a packet matches a particular rule. The standard targets include ACCEPT, DROP and RETURN. Extended targets are also available through modules loaded by default with the Red Hat Enterprise Linux iptables RPM package. Valid targets in these modules include REJECT, among others. Refer to the iptables man page for more information about these and other targets. This option can also be used to direct a packet matching a particular rule to a user-defined chain outside of the current chain so that other rules can be applied to the packet. If no target is specified, the packet moves past the rule with no action taken. The counter for this rule, however, increases by one.
-o — Sets the outgoing network interface for a rule. This option is only valid for the OUTPUT and FORWARD chains in the filter table, and the POSTROUTING chain in the mangle table. This parameter accepts the same options as the incoming network interface parameter (-i).
-p <protocol> — Sets the IP protocol affected by the rule. This can be a protocol name such as tcp or icmp, the keyword all, or a numeric value representing one of these or a different protocol. You can also use any protocol name listed in the system's protocols file. The "all" protocol means the rule applies to every supported protocol. If no protocol is listed with this rule, it defaults to "all".
-s — Sets the source for a particular packet using the same syntax as the destination parameter (-d).
1. Delete Existing Rules
Before you start building a new set of rules, you might want to clean up all the default and existing rules. Use the iptables flush command as shown below to do this.
iptables -F (or) iptables --flush
2. Set Default Chain Policies
The default chain policy is ACCEPT. Change this to DROP for all INPUT, FORWARD, and OUTPUT chains as shown below.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
When you set the default policy of both the INPUT and OUTPUT chains to DROP, every firewall requirement you have needs two rules: one for incoming and one for outgoing traffic.
3. Block a Specific ip-address
Before we proceed with other examples: if you want to block a specific IP address, do that first, as shown below. Change the "x.x.x.x" in the following example to the specific IP address that you want to block.
BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
This is helpful when you find strange activity from a specific IP address in your log files and want to temporarily block that address while you do further research.
You can also use one of the following variations, which block only traffic arriving on eth0 from this IP address, or only TCP traffic on eth0 from it.
iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
4. Allow ALL Incoming SSH
The following rules allow ALL incoming SSH connections on the eth0 interface.
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
5. Allow Incoming SSH only from a Specific Network
The following rules allow incoming ssh connections only from 192.168.100.X network.
iptables -A INPUT -i eth0 -p tcp -s 10.0.10.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
In the above example, instead of /24 you can also use the full subnet mask, i.e. "10.0.10.0/255.255.255.0".
6. Allow Incoming HTTP and HTTPS
The following rules allow all incoming web traffic, i.e. HTTP traffic to port 80.
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
The following rules allow all incoming secure web traffic, i.e. HTTPS traffic to port 443.
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
7. Combine Multiple Rules Together using MultiPorts
When you are allowing incoming connections from the outside world to multiple ports, instead of writing individual rules for each port you can combine them using the multiport extension, as shown below.
The following example allows all incoming SSH, HTTP and HTTPS traffic.
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
8. Allow Outgoing SSH
The following rules allow outgoing SSH connections, i.e. when you ssh from inside to an outside server.
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Please note that this is slightly different from the incoming rule: we allow both the NEW and ESTABLISHED states on the OUTPUT chain, and only the ESTABLISHED state on the INPUT chain. For the incoming rule, it is the other way round.
9. Allow Outgoing SSH only to a Specific Network
The following rules allow outgoing SSH connections only to a specific network, i.e. you can ssh only to the 192.168.100.0/24 network from the inside.
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
10. Allow Outgoing HTTPS
The following rules allow outgoing secure web traffic. This is helpful when you want to allow internet access for your users. On servers, these rules are also helpful when you want to use wget to download files from outside.
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
Note: For outgoing HTTP web traffic, add two additional rules like the above and change 443 to 80.
11. Allow Ping from Outside to Inside
The following rules allow outside users to ping your servers.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
12. Allow Ping from Inside to Outside
The following rules allow you to ping any outside server from the inside.
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
13. Prevent DoS Attack
The following iptables rule will help you mitigate a Denial of Service (DoS) attack on your web server.
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
In the above example:
- -m limit: uses the limit iptables match extension
- --limit 25/minute: matches at most an average of 25 packets per minute. Change this value based on your specific requirement.
- --limit-burst 100: the per-minute limit is enforced only after the number of matching packets has reached the limit-burst level. Packets that exceed the limit do not match this rule and fall through to the following rules and, ultimately, the chain's default policy.
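To see what --limit 25/minute and --limit-burst 100 do to an actual stream of packets, here is an added example (not from the original post) that models the limit match as the token bucket the iptables manual describes: a bucket of --limit-burst tokens, one token consumed per matching packet, refilled at the --limit rate. The millisecond-granularity refill arithmetic, the helper names (limit_match, burst_at, spaced_times, post_rule_scenario) and the packet timings are constructed for the demonstration; the kernel's own integer credit arithmetic can differ by a packet at the boundaries.

```shell
#!/bin/sh
# Added example, not from the original post: a token-bucket model of the
# iptables "limit" match. Assumption: refill is modelled in whole tokens at
# millisecond granularity, which approximates the kernel's credit arithmetic.

# limit_match BURST RATE_PER_MINUTE "T1 T2 T3 ..."
# Times are packet arrival times in milliseconds, in ascending order.
# Prints "<matched> <fell_through>": matched packets hit the rule's target
# (ACCEPT in the post), the rest fall through to the next rule or the policy.
limit_match() {
  burst=$1; rate=$2; times=$3
  if [ "$rate" -le 0 ]; then
    echo "rate must be positive" >&2
    return 1
  fi
  interval=$((60000 / rate))   # ms per refilled token: 2400 for 25/minute
  tokens=$burst; last=0; matched=0; missed=0
  for t in $times; do
    # add the whole tokens earned since the last refill point, capped at burst
    earned=$(( (t - last) / interval ))
    if [ "$earned" -gt 0 ]; then
      tokens=$((tokens + earned))
      if [ "$tokens" -gt "$burst" ]; then tokens=$burst; fi
      last=$((last + earned * interval))
    fi
    if [ "$tokens" -gt 0 ]; then
      tokens=$((tokens - 1)); matched=$((matched + 1))
    else
      missed=$((missed + 1))
    fi
  done
  echo "$matched $missed"
}

# burst_at N T_MS: N packets all arriving at time T_MS (a flood "at once").
burst_at() {
  n=$1; t=$2; s=""; i=0
  while [ "$i" -lt "$n" ]; do s="$s $t"; i=$((i + 1)); done
  echo "$s"
}

# spaced_times N STEP_MS: N packets arriving every STEP_MS starting at 0.
spaced_times() {
  n=$1; step=$2; s=""; i=0
  while [ "$i" -lt "$n" ]; do s="$s $((i * step))"; i=$((i + 1)); done
  echo "$s"
}

# The post's rule (25/minute, burst 100) against a constructed flood:
# 150 packets at once, then 150 more one minute later.
post_rule_scenario() {
  limit_match 100 25 "$(burst_at 150 0) $(burst_at 150 60000)"
}

post_rule_scenario   # prints "125 175"
```

The flood scenario shows why the rule on its own does not stop anything: after the initial 100 tokens are spent, only 25 packets per minute still match the ACCEPT rule, and the other 175 fall through to whatever comes next. With the DROP policy from section 2 they are dropped; if the policy were ACCEPT, or if section 7's unconditional ACCEPT for port 80 sat above this rule, the limit would change nothing. The rate-limit match on the page also counts every TCP packet to port 80, not just new connections, so it throttles established downloads as well; adding -m state --state NEW to the rule restricts the limit to connection attempts.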
14. Save the iptables Rules
service iptables save
This updates the file /etc/sysconfig/iptables.
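Sections 2 and 4 above, run one command at a time over SSH, set the INPUT policy to DROP before any SSH rule exists and cut the admin session off in between. As an added example (this is not the post's own script), here are sections 1 through 13 written as one iptables-restore file in the format that service iptables save writes to /etc/sysconfig/iptables; iptables-restore commits the whole table in a single operation, and iptables-restore --test parses the file before anything is changed. The script goes beyond the post in three places: loopback traffic is allowed, the port 80 limit rule is placed before any unconditional ACCEPT for that port (appended after section 7's multiport rule, as in the post, it is never reached for packets on eth0) and is followed by a rate-limited LOG and a DROP, and the limit applies to NEW connections only so established downloads are not throttled. WAN_IF, ADMIN_NET and BLOCK_THIS_IP, the helper names and the 192.0.2.1 documentation address standing in for "x.x.x.x" are assumptions of this example; eth0 and 10.0.10.0/24 are the post's own values.

```shell
#!/bin/sh
# Added example, not from the original post: sections 1-13 as one
# iptables-restore file, applied atomically instead of rule by rule.
# Assumptions: WAN_IF, ADMIN_NET and BLOCK_THIS_IP are set by the operator;
# the defaults are the post's eth0 and 10.0.10.0/24, and 192.0.2.1 is an
# RFC 5737 documentation address used as a placeholder for "x.x.x.x".

WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-10.0.10.0/24}"
BLOCK_THIS_IP="${BLOCK_THIS_IP:-192.0.2.1}"

# Emit the ruleset in iptables-save format (the format of /etc/sysconfig/iptables).
# Order matters: netfilter takes the first matching rule, so the single-host
# block and the rate limit sit above the ACCEPT rules they must win against.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: most local services need it and the post's rules would block it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# section 3: block a single host before any ACCEPT rule can match it
-A INPUT -s ${BLOCK_THIS_IP} -j DROP
# section 5: SSH only from the admin network
-A INPUT -i ${WAN_IF} -p tcp -s ${ADMIN_NET} --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o ${WAN_IF} -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# section 13: new HTTP connections over the limit are logged (the LOG rule has
# its own limit so the log cannot be flooded) and then dropped explicitly
-A INPUT -i ${WAN_IF} -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --dport 80 -m state --state NEW -m limit --limit 5/minute -j LOG --log-prefix "http-ratelimit: "
-A INPUT -i ${WAN_IF} -p tcp --dport 80 -m state --state NEW -j DROP
# sections 6/7: new HTTPS connections, established HTTP/HTTPS in both directions
-A INPUT -i ${WAN_IF} -p tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp -m multiport --dports 80,443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o ${WAN_IF} -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT
# section 10: outgoing HTTPS
-A OUTPUT -o ${WAN_IF} -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i ${WAN_IF} -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# sections 11/12: ping in both directions
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
COMMIT
EOF
}

# Number of rule (-A) lines in the generated file.
rule_count() {
  build_ruleset | grep -c '^-A'
}

# 1-based position among the -A lines of the first rule containing the fixed
# string PATTERN, or 0 if none; used to check the ordering invariants above.
rule_position() {
  pos=$(build_ruleset | grep '^-A' | grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
  echo "${pos:-0}"
}

# Parse-check with iptables-restore --test, then apply atomically. Needs root
# and the iptables tools; follow up with "service iptables save" to persist.
apply_ruleset() {
  tmp=$(mktemp) || return 1
  build_ruleset > "$tmp"
  iptables-restore --test < "$tmp" && iptables-restore < "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}

build_ruleset
```

Running the script prints the file; apply_ruleset loads it once the output looks right. Because the whole table is replaced in one commit, the order in which you write the rules is all that matters, and the rule_position helper lets you check the invariants that the post's step-by-step sequence leaves to chance: the single-host DROP sits above every ACCEPT, and the LOG and DROP for port 80 sit below the limited ACCEPT.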
Practice it & enjoy !!