IPTables, what is it?!

The main firewall tool on ubuntu is iptables, which includes some useful tools like iptables-restore, iptables-save ed iptables. Iptables let you define throughput, input and out network policies and exceptions, otherwise accepting or denying specific kind of connection.
Vi sono 2 modi per utilizzare iptables:

COMMAND LINE

Quick and temporary, every rule will be forget on system reboot. You can set a rule or a policy a time, so it can be necessary to concatenate multiple commands together to avoid to ends up having a system unable to be reached from outside.

Policies INPUT, FORWARD and OUTPUT:

Shell

iptables -P

1

iptables -P

Defining a rule to open or close a specific port

Shell

iptables -A

1

iptables -A
RULES ON FILE

Efficient for definitive configurations, the file can be used one-time or for a permanent configuration.
The config file must follows some rules: to define policies they must be preceeded by *filter while each definition must starts with colon character (:), besides the last row of the file must contains COMMIT to confirm the execution of the defined rules. The sharp character (#) is the symbol for comments.

A config example:

Shell

# Policies *filter :INPUT :FORWARD :OUTPUT -A INPUT -A OUTPUT COMMIT

1
2
3
4
5
6
7
8

# Policies
*filter
:INPUT
:FORWARD
:OUTPUT
-A INPUT
-A OUTPUT
COMMIT

Once wrote the config file, you should use the following commands to be able to load or save a configuration from or to a file.
Apply and save the configuration

Load config from file:

Shell

iptables-restore < [file name]

1

iptables-restore < [file name]

Save config to file:

Shell

iptables-save > [file name]

1

iptables-save > [file name]

Save config permanently (“sudo -i” is not needed if you logged as root) :

Shell

sudo -i iptables-save > /etc/iptables.up.rules

1
2

sudo -i
iptables-save > /etc/iptables.up.rules

Firewall configuration

You are free to pick all or only the configs you need to make your own personal configuration file (except the first 3, they are mandatory) or to run a series of concatenated iptables commands. Just remember to append COMMIT ad the end of your config file
1. Read and clean up (LIST & FLUSH)
  
  Before starting your config, it might be necessary to remove or check the current applied rules on your system.
  
  List the current system rules (LIST):
  
  Shell
  
  iptables -L
  
  1
  
  iptables -L
  
  Cleanup the rule list (FLUSH):
  
  Shell
  
  # Allowing incoming connection iptables -P INPUT ALLOW # Flush all rules iptables -F
  
  1
  2
  3
  4
  
  # Allowing incoming connection
  iptables -P INPUT ALLOW
  # Flush all rules
  iptables -F
2. Filter policy
  
  Policies let you define the firewall default behavior against different types of connections. A good basic policy should deny (DROP) any incoming or forwarded (FORWARD) connection and allow all outgoing ones (OUTPUT).
  
  Basic policies definition in config file:
  
  Shell
  
  *filter :INPUT DROP :FORWARD DROP :OUTPUT ACCEPT
  
  1
  2
  3
  4
  
  *filter
  :INPUT DROP
  :FORWARD DROP
  :OUTPUT ACCEPT
  
  Defining such policies by command line is pretty easy and not far from the config file, just remember to concatenate them with loopback, persistence and SSH access to prevent to end up without any chance to access your server remotely anymore:
  
  Shell
  
  iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT
  
  1
  2
  3
  
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT
3. LOOPBACK
  
  Allowing all incoming connection from loopback interface (kind of a service door for the system to communicate with itself: localhost / 127.0.0.1)
  
  Shell
  
  -A INPUT -i lo -j ACCEPT
  
  1
  
  -A INPUT -i lo -j ACCEPT
4. Connection persistence (ESTABLISHED and RELATED)
  
  Connections, in IpTables, can be of 3 types: New, Established and Related; so it’s necessary to grant access to Established and Related connection to allow automatically responses to connections established by the server itself to outside.
  
  Shell
  
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  
  1
  
  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
5. SSH (must have for working remotely)
  
  Open the TCP port 22 to allow incoming ssh connections
  
  Shell
  
  -A INPUT -p tcp --dport 22 -j ACCEPT
  
  1
  
  -A INPUT -p tcp --dport 22 -j ACCEPT
6. HTTP
  
  Open the TCP port 80 to allow incoming connection to your web server (like apache for example).
  
  Shell
  
  -A INPUT -p tcp --dport 80 -j ACCEPT
  
  1
  
  -A INPUT -p tcp --dport 80 -j ACCEPT
7. HTTPS
  
  Open the TCP port 443 to allow incoming connection to your secure web server (like apache for example).
  
  Shell
  
  -A INPUT -p tcp --dport 443 -j ACCEPT
  
  1
  
  -A INPUT -p tcp --dport 443 -j ACCEPT
8. DNS
  
  Open the UDP port 53 to be able to provide DNS services (like bind9 for example, you can read a complete guide here) to other computers inside your network or in the internet and allow requests on TCP at any port requested by starting port 53.
  
  Shell
  
  -A INPUT -p udp --dport 53 -j ACCEPT -A INPUT -p tcp --sport 53 -j ACCEPT
  
  1
  2
  
  -A INPUT -p udp --dport 53 -j ACCEPT
  -A INPUT -p tcp --sport 53 -j ACCEPT
9. SAMBA
  
  Open TCP ports 139,445, UDP 137 and 138 to let SAMBA server be reachable
  
  Shell
  
  -A INPUT -p tcp --dport 139 -j ACCEPT -A INPUT -p tcp --dport 445 -j ACCEPT -A INPUT -p udp --dport 137 -j ACCEPT -A INPUT -p udp --dport 138 -j ACCEPT
  
  1
  2
  3
  4
  
  -A INPUT -p tcp --dport 139 -j ACCEPT
  -A INPUT -p tcp --dport 445 -j ACCEPT
  -A INPUT -p udp --dport 137 -j ACCEPT
  -A INPUT -p udp --dport 138 -j ACCEPT
10. FTP
  
  Open the TCP port 21 to enable FTP access
  
  Shell
  
  -A INPUT -p tcp --dport 21 -j ACCEPT
  
  1
  
  -A INPUT -p tcp --dport 21 -j ACCEPT
11. SMTP
  
  Open the TCP ports 25 and 587 for SMTP server
  
  Shell
  
  -A INPUT -p tcp --dport 25 -j ACCEPT -A INPUT -p tcp –dport 587 -j ACCEPT
  
  1
  2
  
  -A INPUT -p tcp --dport 25 -j ACCEPT
  -A INPUT -p tcp –dport 587 -j ACCEPT
12. IMAP
  
  Open the TCP port 143 to enable IMAP server access
  
  Shell
  
  -A INPUT -p tcp --dport 143 -j ACCEPT
  
  1
  
  -A INPUT -p tcp --dport 143 -j ACCEPT
13. IMAPS
  
  Open the TCP port 993 for IMAP secure server
  
  Shell
  
  -A INPUT -p tcp --dport 993 -j ACCEPT
  
  1
  
  -A INPUT -p tcp --dport 993 -j ACCEPT
14. POP3
  
  Open TCP ports 110 and 995 for POP3 server
  
  Shell
  
  -A INPUT -p tcp --dport 110 -j ACCEPT -A INPUT -p tcp --dport 993 -j ACCEPT
  
  1
  2
  
  -A INPUT -p tcp --dport 110 -j ACCEPT
  -A INPUT -p tcp --dport 993 -j ACCEPT
15. Hamachi
  
  Open TCP ports 12957, 32976 and UDP port 17771 to let the tunnelling logmein-hamachi service to work properly.
  
  Shell
  
  -A INPUT -p tcp --dport 12957 -j ACCEPT -A INPUT -p tcp --dport 32976 -j ACCEPT -A INPUT -p udp --dport 17771 -j ACCEPT
  
  1
  2
  3
  
  -A INPUT -p tcp --dport 12957 -j ACCEPT
  -A INPUT -p tcp --dport 32976 -j ACCEPT
  -A INPUT -p udp --dport 17771 -j ACCEPT
16. COMMIT (only when using the config file)
  
  As said before, it’s necessary to insert that command at the end of the config file, while it’s not recognized when working with the command line because rules are applied immediately.
  
  Shell
  
  # End of rules and policies COMMIT
  
  1
  2
  
  # End of rules and policies
  COMMIT

Twitter

Facebook

Tumblr

Questo post è disponibile anche in: Italian

IPTables: Firewall with on Ubuntu

IPTables, what is it?!

COMMAND LINE

RULES ON FILE

Apply and save the configuration

Firewall configuration

Read and clean up (LIST & FLUSH)

Filter policy

LOOPBACK

Connection persistence (ESTABLISHED and RELATED)

SSH (must have for working remotely)

HTTP

HTTPS

DNS

SAMBA

FTP

SMTP

IMAP

IMAPS

POP3

Hamachi

COMMIT (only when using the config file)