Setting up a firewall is a significant step in securing most modern operating systems. Most Linux distributions ship with firewall tools that can be used to configure one. In this guide, we will discuss how to configure the iptables firewall on Ubuntu 14.04.
Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, “iptables” only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called “ip6tables”, which can be used to maintain firewall rules for IPv6 network addresses.
Before following this guide, you must have access to a non-root user account with sudo privileges on your server. Note that iptables commands must be run with root privileges. For that reason, we prefix every command in this guide with “sudo”. You could also log in as root using “su” or “sudo -i”, but we will stick with “sudo” for this guide.
First we need to see which rules are currently loaded in iptables. This is done with the following command:
# sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
We can also see the current rules in a more compact format by using the -S flag instead of the -L flag:
# sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
In both outputs we can see three chains: INPUT, FORWARD and OUTPUT. We also see that each chain’s default policy is ACCEPT, but there are no actual rules in the chains. This is because Ubuntu does not ship with a default rule set.
If rules are already loaded in iptables, we can flush them completely with the -F flag as shown below.
Note: If you are flushing the rules remotely, the policies of the INPUT and OUTPUT chains should be set to ACCEPT first, otherwise your own connection may be cut off. This can be done by typing:
# sudo iptables -S
# sudo iptables -P INPUT ACCEPT
# sudo iptables -P OUTPUT ACCEPT
# sudo iptables -F
Rules for iptables can be designed in two ways. One way is to leave the default policy at ACCEPT and block unwanted traffic with specific rules. The other is to explicitly allow the traffic you want and block everything else. The second method is usually preferred.
The first rule to add accepts inbound traffic that belongs to connections which are already established, or are related to them, so that replies to connections the server itself opened are let in. Type the following command:
# sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
We can see the result of the above command by using the -L flag again.
# sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Here we can see that the INPUT chain now contains the rule we added, while its policy is still ACCEPT. The next step is to allow traffic to a specific port so that SSH connections are accepted. This can be done as follows:
# sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
“ssh” translates to port number 22 by default; any port number can be used in place of “ssh”. To allow access to an HTTP web server on port 80, type the following command:
# sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
There is one more ACCEPT rule that needs to be added so that the server runs properly: traffic on the loopback interface (lo), which many local services rely on, must be accepted. It is inserted at position 1 of the INPUT chain so it is evaluated before the other rules.
# sudo iptables -I INPUT 1 -i lo -j ACCEPT
So far we have added only ACCEPT rules. We need to block traffic as well, because with the default policy at ACCEPT every packet that matches none of our rules is still accepted. One way is to set the default policy of the INPUT chain to DROP. This catches every packet that falls through the INPUT chain and drops it.
# sudo iptables -P INPUT DROP
One implication of this design is that, if the rules are ever flushed, the chain falls back to dropping every packet, which is why the note above about setting the policy to ACCEPT before flushing matters when you work remotely.
The alternative approach is to keep the default policy of the chain at ACCEPT and add a rule at the bottom of the chain that drops every remaining packet.
If you changed the default policy for the INPUT chain above, you can set it back to follow along by typing:
# sudo iptables -P INPUT ACCEPT
Now, you can add a rule to the bottom of the chain that will drop any remaining packets:
# sudo iptables -A INPUT -j DROP
Before saving the iptables rules, it is a good idea to review the rule set once more with the -S flag. Our current rules are as follows:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
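Before making the rules permanent, it is worth checking the INPUT chain for the ordering mistakes that lock an administrator out of a remote host: the loopback rule not first, the SSH rule placed after the catch-all DROP, or nothing dropping the remaining traffic at all. The POSIX shell function below is an added example, not part of the original guide; it reads rules in the format printed by iptables -S (the sample input is a constructed copy of the rule set above, plus a constructed broken variant) and accepts both designs described on this page, a DROP rule at the bottom of the chain or a DROP policy.

```shell
# Constructed sample input: the rule set this guide ends with, in the
# format printed by "iptables -S".
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP'

# Constructed broken variant: the catch-all DROP was appended before the
# SSH rule, so the SSH rule is never reached and a remote admin is locked out.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# check_ruleset RULES: print the first problem found and return 1,
# or print "rule set OK" and return 0 if the INPUT chain is safe to save.
check_ruleset() {
  rules="$1"
  input=$(printf '%s\n' "$rules" | grep '^-A INPUT ' || true)
  # 1. The loopback ACCEPT must be the first rule in the chain.
  printf '%s\n' "$input" | head -n 1 | grep -q -- '-i lo -j ACCEPT' \
    || { echo "loopback rule is not first"; return 1; }
  # 2. Replies to established connections must be accepted.
  printf '%s\n' "$input" | grep -q -- '--ctstate RELATED,ESTABLISHED -j ACCEPT' \
    || { echo "missing conntrack rule"; return 1; }
  # 3. An SSH ACCEPT must exist (grep -n gives its 1-based position).
  ssh_line=$(printf '%s\n' "$input" | grep -n -- '--dport 22 -j ACCEPT' | head -n 1 | cut -d: -f1)
  [ -n "$ssh_line" ] || { echo "no SSH rule"; return 1; }
  drop_line=$(printf '%s\n' "$input" | grep -n -- '^-A INPUT -j DROP$' | head -n 1 | cut -d: -f1)
  if [ -z "$drop_line" ]; then
    # 4a. No catch-all rule: the chain policy itself must drop the rest.
    printf '%s\n' "$rules" | grep -q '^-P INPUT DROP$' \
      || { echo "nothing drops the remaining traffic"; return 1; }
  else
    # 4b. Catch-all rule present: SSH must come before it, and it must be last.
    [ "$ssh_line" -lt "$drop_line" ] || { echo "SSH rule is after the catch-all DROP"; return 1; }
    [ "$(printf '%s\n' "$input" | tail -n 1)" = "-A INPUT -j DROP" ] \
      || { echo "catch-all DROP is not the last rule"; return 1; }
  fi
  echo "rule set OK"
  return 0
}
```

On a live system the same function can be fed the real output with `check_ruleset "$(sudo iptables -S)"` before running the save command below.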
By default, iptables rules are lost when the server is restarted. The rules can be saved permanently in a few different ways, but the easiest is the “iptables-persistent” package, which can be installed from Ubuntu’s default repositories:
# sudo apt-get update
# sudo apt-get install iptables-persistent
Save your firewall rules with this command:
# sudo invoke-rc.d iptables-persistent save