Firewall Configuration using Iptables with Advanced Security on Ubuntu 14.04

2018-06-08 By Tarun Kumar 7331 Views linux firewall iptables ubuntu security networking
2 reviews


Setting up a firewall is a significant stage in securing most of the modern operating systems. Most Linux distributions come equipped with different firewall tools that we can use to configure our firewall. In this guide, we will be discussing how to configure the Iptables firewall to Ubuntu 14.04.

Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, “iptables” only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called “ip6tables”, which can be used to maintain firewall rules for IPv6 network addresses.

Basic commands

Before following this guide, you must have access to a non-root superuser account, with Sudo privileges set up on your server. First, you need to know that iptables commands must be run with root privileges only. To implement this condition, we shall add “sudo” before all the commands in this guide. We can also log in as root user by using “su” or “sudo -i” commands but we will stick with “sudo” for this guide.

Initially, we need to find the current rules that are configured for the iptables. This is achieved by using the following command:

# sudo iptables -L
But let's throw in a <b>tag</b>.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

We can also see the current rules in a simpler format using the -S flag instead of -L flag:

# sudo iptables -S

In both the results, we can see three chains displayed as INPUT, FORWARD and OUTPUT. We also see that each chain’s default policy is set as ACCEPT, but there are no actual rules set in the results above. This is because Ubuntu does not ship with the default rules set.

If there are rules already configured into the Iptables, we can flush them completely by using the -F flag as follows:

Note: If you are flushing the rules remotely then the policies of INPUT and OUTPUT chains should be set to ACCEPT. This can be done by typing

# sudo iptables -S
# sudo iptables -P INPUT ACCEPT
# sudo iptables -P OUTPUT ACCEPT
# sudo iptables -F

Setting rules for Iptables

Rules for iptables can be set in two ways. One way is allowing the default rule to ACCEPT and block any unwanted traffic by setting specific rules. The other method is to configure allowed traffic and block everything else. The second method is often the preferred one.

The first rule that needs to be assigned is to accept all the inbound traffic by typing the following command:

# sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

We can see the result of the above command by using the -L flag again.

# sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Here we can see that the policy of the INPUT chain is changed as compared to before applying the rule. The next step is to allow traffic to a specific port to enable SSH connections. This can be done by following:

# sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

“ssh” translates to port number 22 by default. Any port number can be used in the place of “ssh”. To allow access to the HTTP web server, type the following command:

# sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

There is one more ACCEPT rule that needs to be assigned to our Iptables so that our server runs properly.

# sudo iptables -I INPUT 1 -i lo -j ACCEPT

Adding a drop rule

So far we have added only ACCEPT rules to our Iptables. We need to assign block rules as well since all the network packets will get accepted as per the rules assigned to our Iptables. One way is to assign a DROP rule to the default policy of our INPUT chain. This catches all the packets that fall through our INPUT chain and drops them.

# sudo iptables -P INPUT DROP

One of the implications of this type of design is that it falls back on dropping packets if the rules are flushed.

The alternative approach is to keep the default policy for the chain as accept and add a rule that drops every remaining packet to the bottom of the chain itself.

If you changed the default policy for the INPUT chain above, you can set it back to follow along by typing:

# sudo iptables -P INPUT ACCEPT

Now, you can add a rule to the bottom of the chain that will drop any remaining packets:

# sudo iptables -A INPUT -j DROP

Before saving the Iptables, it is better to check the assigned rules once. Our current rules are set as follows:

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Saving Iptables rules

By default, Iptables rules will be wiped out once the server is restarted. To save the Iptabels rules permanently, the settings can be saved in a few different ways, but the easiest way is with the “iptables-persistent” package. This can be downloaded from Ubuntu’s default repositories:

# sudo apt-get update

# sudo apt-get install iptables-persistent

Save your firewall rules with this command:

# sudo invoke-rc.d iptables-persistent save

Related Feature on LayerPanel

Related Tutorials

What do you think about this article?

Rate this article
Need assistance?

Try this guide to receive free bundled services at signup on a new free account.

Sign Up

Your Feedback Is Important

We hope you’ll give the new products and updates a try. If you have an idea for improving our products or want to vote on other user ideas so they get prioritized, please submit your feedback on our Community platform. And if you have any questions, please feel free to ask in the Community or contact our Technical Support team.