If you own a Linux server, you know how important securing it is. A server is available to the whole world, when it's connected to the internet, and soon bad guys will try to break in. Without a firewall anybody can connect to your server and send messages to it. IPTables solves just that. It allows you to block traffic both incoming and outgoing.

---

IPTables Settings

In iptables we have so called chains. We have 3 main chains:

• Input
• Output
• Forward

Today we'll look at mostly INPUT because that's how bad guys can reach our server.
In forward you can, well forward traffic from one port to another, or to another address.
In output you can restrict the traffic that leaves your computer, but i don't want to do that.
In input we can restrict the traffic reaching our machine.

Set the default option

Now that you know the chains, we can start setting default actions.
Basically there's two ways to restrict the INPUT chain

1. Specify the connections to be blocked and accept everything else
2. Specify the connections to be accepted and block everything else

I will choose the second option, because it offers more security, basically nothing reaches my machine without me knowing about it.
Important: Do this step only after you've added the rules you want. Dropping every incoming connection can result in losing access to your server.
So to set the default action to block connections execute:
iptables -P INPUT DROP
where

• -P defines that we want to set the default action
• INPUT is the chain to modify
• DROP is the default action.

Actions

Actions tell how a connection should be treated.
Note: Actions are case sensitive!
Here are some of the actions that we'll work with:

Adding rules

Now we know some of the basics, we can start adding rules. To add rules use the -A flag with the rule to add.
The first rule i recommend is to leave the loopback interface alone, the loopback connections originate from your machine, so you don't have to filter them, but you have the option to do so.
Leave the Loopback interface alone: iptables -A -i lo -j ACCEPT
where

• -i specifies and interface
• lo is the loopback interface
• -j specifies the action to execute.

Another common rule is to accept established state connections, this rule is really important, and most things won't work if you leave this one out. To explain this please imagine, that you

1. Connect to a server (this is output traffic)
2. The server accept's your connection, and sends you a message (this is INPUT traffic)
3. IPTables sees that a server tries to send traffic to your machine to a random port, but there is no rule for that random port, so it DROPs the connection.

To avoid this execute: iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
where

• -m enables a module
• state is the module to inspect the connection state with
• RELATED and ESTABLISHED are the states we will accept as input.

We have one more common rule, it's blocking pings coming in too fast. This is used to prevent ping based DDoS attacks, and is recommended to add to you INPUT chain.
iptables -i eth0 -p icmp -m icmp -m limit --icmp-type 8 --limit 1/second -j ACCEPT
where

• -i is used to specify an interface for this rule
• eth0 is in my case the network interface card, facing the internet
• -p is used to specify a protocol for this rule (it can be icmp, udp or tcp)
• icmp module is used to filter icmp specific data
• limit module is used to limit the number of connections
• --icmp-type is used to specify the icmp message type, 8 is ECHO aka Ping
• --limit is limiting the number of connections to 1 connection per second

Examples

At this point you have the recommended default rules added to your INPUT chain, the rules from here are dependent on your machine. I will provide some examples to create your own rules for your own server. My interface facing the internet is eth0

Allow SSH Traffic

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
where

• --dport is the destination port (the port of your server the client connects to)

Allow Web Traffic

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT HTTP
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT HTTPS

Allow Incoming OpenVPN connections

iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT

Log a specified connection

iptables -A INPUT -i eth0 --dport 21 -j LOG --log-prefix "Got FTP Incoming" --log-level 6
where

• --log-prefix Specifies the prefix of the message added to syslog
• --log-level Specifies the severity of the message

There's more

Remember the command to set the default action for a chain? We need to execute that now, because we have rules, for the filtering to take effect. Also IPTables doesn't need to be restarted every time you make a change unlike a web server for example.

Saving and Loading your rules

Important: Your rules only last until the next reboot, that's why we have to save them!
iptables-save > /root/iptables-rules to export the current rules into a file
To load back the rules after a reboot you need to execute:
iptables-restore < /root/iptables-rules

Listing and removing rules

Listing

To list your rules type: iptables -L, this will give you a user friendly representation of your current rules.
To get the commands of your rules use iptables -S, this will give you the commands executed to add the rules

Removing

To remove a rule, first you need the command of the rule you added, you can get this with the previous -S option.
After you got the command, for example -A INPUT -p tcp --dport 21 -j ACCEPT you can delete it using:
iptables -D -p tcp --dport 21 -j ACCEPT, in other words just change -A to -D to remove that rule

Summary

IPTables is a very powerful firewall for server machines, it can do a lot more like pre- and postrouting, but to keep it simple I just showcased the basic usage. If you didn't understand something or I missed something, or you just have a question, then feel free to comment on this post! Now go and secure that server!

Sources

IPTables Man Page