Iptables firewall configuration for the Linux operating system.

For beginners and advanced Linux users alike, a dedicated firewall called iptables was developed to protect the system from external threats. The instructions below explain how to install and configure it on any machine running Linux.

What is iptables

This utility is a reliable firewall that reduces the risk of malware and hacker attacks. It is configured from the command line with a fixed set of commands that let the user control incoming and outgoing traffic. When a connection to the PC is attempted, the utility consults its rules and checks whether to allow or restrict the connection. If no rule matches, the default action is taken.

A firewall is included as standard in all Linux distributions. If it happens to be missing from your build, or you want to update it, use the following command:

sudo apt-get install iptables

Firestarter can serve as an alternative to this utility – it has a graphical interface and is designed specifically for users who have difficulty working through the command line.

In the case of Iptables settings over a remote SSH connection, the user should be careful: one erroneous rule can interrupt the connection and prevent the user from accessing the remote machine.

What are the rules

For convenient work with the firewall, three basic chains (sets of rules) have been developed:

Input

This chain is consulted when incoming traffic has to be controlled. For example, when a user connects to a remote server using the Secure Shell protocol, the firewall compares his IP address with the addresses in its list. Depending on the result, that is, on whether the address is on the ban list, access is opened or closed for that user.

Forward

This chain is used when an incoming packet passing through this computer has to be checked. For example, a router constantly forwards packets from network users or applications to their destination. This chain is rarely used unless the user deliberately configures routing on his device.

Output

This chain applies to outgoing connections. For example, a user wants to check the ping to a given site; the utility again checks its list of rules and determines what to do when the site is pinged: allow or deny.


When pinging an external host, the machine not only sends a packet but also waits for a response. Therefore, when setting up iptables, keep this two-way communication in mind, for instance when you block connections to servers via the SSH protocol.

How to determine the purpose of the firewall

Before setting up the utility, you need to understand its current purpose: the existing chains of rules and what it does by default, that is, how it reacts when a requested connection matches no rule.

First, find out which firewall settings are already in place. To do this, list the rules with the -L option:

iptables -L

For a clearer display you can additionally pipe the output through grep. As a result we get three chains, each of which accepts traffic by default. These are the usual policies in a standard setup.

If the configuration was changed by someone while iptables was in use, the values may differ. You can set them back in a couple of seconds by entering the commands:

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

It is usually more convenient to allow all incoming/outgoing connections in advance and then set bans for specific ports and IP addresses.

You can also take the opposite approach: ban all connections, and then grant permission only to some of them. This is done as follows:

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
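The listing printed by iptables -L -n is what tells you which default policies are in effect. As an added example (not code from the article), the shell function below reads such a listing on standard input, prints each chain's policy, and warns about the lock-out case mentioned earlier: INPUT set to DROP with no ACCEPT rule for SSH or for already established sessions. The sample listing is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the article. Usage on a live system (as root):
#   iptables -L -n | sh -c '. ./audit.sh; audit_listing'
# Works with or without -v, since the policy word is read from the same field.
audit_listing() {
    awk '
    /^Chain / {                       # e.g. "Chain INPUT (policy DROP)"
        chain = $2; pol = $4; sub(/\)$/, "", pol)
        if (chain == "INPUT") input_pol = pol
        print chain, pol
        next
    }
    chain == "INPUT" && $1 == "ACCEPT" {
        if ($0 ~ /ESTABLISHED/) est = 1   # state/ctstate rule for replies
        if ($0 ~ /dpt:22/)      ssh = 1   # explicit SSH allow rule
    }
    END {
        if (input_pol == "DROP" && !est && !ssh)
            print "WARNING: INPUT policy DROP and nothing admits SSH or established sessions"
        else
            print "OK"
    }'
}

# Constructed listing: one address blocked with the DROP rule from the article,
# INPUT policy switched to DROP, but no allow rule added afterwards.
SAMPLE_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       tcp  --  198.51.100.7         0.0.0.0/0            tcp dpt:22

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Runs the audit over the constructed listing; prints policies, then WARNING.
audit_sample() { printf '%s\n' "$SAMPLE_LISTING" | audit_listing; }
```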

What to do with the connection

Having configured the utility's default behaviour, you should proceed to the rules that process incoming/outgoing traffic. The main ways of handling traffic are:

•Accept – permission for a specific connection;

•Drop – ignoring requests (the firewall continues to function as if no request has occurred, and the requesting resources do not know about ignoring);

•Reject – block incoming traffic and send response messages with an error indication (in this case, the requesting resources will be notified that their traffic was blocked).

An example of what ping output looks like in each case (the original shows screenshots):

Allowed connection (Accept): replies arrive normally.

Ignored traffic (Drop): no replies arrive and ping reports packet loss.

Rejected connection (Reject): ping reports an error reply from the target, by default "Destination Port Unreachable".
Allow and block specified Iptables connections

Once the default policy for traffic is configured, it's time to define rules for specific connections. We will consider the option of rejecting a specified connection; rules for allowing and ignoring are written in the same way.

Let's use the -A option. It adds a new rule to the end of an existing chain. The firewall starts checking from the top, going through each rule until it finds a match or reaches the end of the list.

In the case when you need to place the rules in a specific place (before some specific one), you should use the command:

iptables -I [chain] [position number in list for new rule]

What to do with connections from one IP

To block traffic coming from a single source (for example, one IP address), use the command:

iptables -A INPUT -s [IP address] -j DROP

To block traffic coming from several IP addresses within a certain range, use the standard slash notation for the mask:

iptables -A INPUT -s [network/mask] -j DROP

Or write out the required range explicitly:

iptables -A INPUT -s [address range] -j DROP

Connections to a specific port

The following command blocks Secure Shell connections coming from the host [IP address]:

iptables -A INPUT -p tcp --dport ssh -s [IP address] -j DROP

Any other service can be used in place of Secure Shell. The -p option is followed by the protocol, in this case TCP; if another protocol is used, specify it instead.

Any IP address will be prohibited from connecting to the machine via a Secure Shell connection if you execute:

iptables -A INPUT -p tcp --dport ssh -j DROP

About connection states

Many protocols require two-way communication. For example, if a user needs to work over an SSH connection, he would have to add a rule to both the OUTPUT and INPUT chains at once.

What if the user wants to allow only the incoming connection? Connection state helps here: it lets the user describe two-way communication in which only one direction is allowed to initiate the connection.

Let's allow an SSH connection coming from the host [IP address]. The system will send data back over this protocol only if the session is already established.

iptables -A INPUT -p tcp --dport ssh -s [IP address] -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d [IP address] -m state --state ESTABLISHED -j ACCEPT
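The "ban everything, then allow selected connections" approach described above is easy to get wrong over SSH because the order matters. As an added example (not the article's own script), the function below applies that ruleset in a safe order: open policies and flush first, admit established sessions in both directions, allow new SSH only from an administration host, and only then switch the default policies to DROP. IPT, ADMIN_HOST and SSH_PORT are assumed names; the address is a constructed example.

```shell
#!/bin/sh
# Added example, not from the article. Preview:  sh rules.sh preview
# Apply for real (as root):                     sh rules.sh apply
IPT="${IPT:-iptables}"                   # set IPT=echo to print instead of apply
ADMIN_HOST="${ADMIN_HOST:-192.0.2.10}"   # constructed example address (TEST-NET-1)
SSH_PORT="${SSH_PORT:-22}"

apply_rules() {
    # Open everything and flush old rules first, so nothing is dropped while
    # the new chains are only half built.
    "$IPT" --policy INPUT ACCEPT
    "$IPT" --policy OUTPUT ACCEPT
    "$IPT" --policy FORWARD ACCEPT
    "$IPT" -F

    # Local services talk to each other over loopback.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT

    # Two-way communication: replies belonging to existing sessions pass in
    # both directions, which keeps the SSH session you are typing in alive.
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New SSH sessions are accepted only from the administration host.
    "$IPT" -A INPUT -p tcp --dport "$SSH_PORT" -s "$ADMIN_HOST" \
        -m state --state NEW -j ACCEPT

    # Only now, with the allow rules in place, switch the defaults to DROP.
    "$IPT" --policy INPUT DROP
    "$IPT" --policy OUTPUT DROP
    "$IPT" --policy FORWARD DROP
}

case "${1:-}" in
    apply)   apply_rules ;;
    preview) IPT=echo; apply_rules ;;
esac
```

Run the preview first and read the printed commands top to bottom; the DROP policies must be the last three lines.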

How to save firewall configuration changes

After all the changes we have made to the firewall chains, we need to save them. Otherwise, restarting the utility will discard the settings we have made. The save command varies from one Linux distribution to another.

On Ubuntu, the command looks like this (iptables-save prints the rules to standard output, so redirect it into the file your distribution restores on boot):

sudo /sbin/iptables-save

On Red Hat and CentOS:

/sbin/service iptables save

or:

/etc/init.d/iptables save


To display the rules configured earlier:

iptables -L

To view packet and byte counters for incoming/outgoing traffic, add the -v switch.

Host names, protocols and networks are shown in numeric form if you add -n to the command.

All existing rules can be deleted at once with the command (note that this flushes the rules but leaves the default policies as they are, so with a DROP policy the machine stays closed):

iptables -F


Welcome to the world of DomainRooster, where roosters (and hens) rule the roost! We're a one-stop shop for all your entrepreneurial needs, bringing together domain names and website hosting, and all the tools you need to bring your ideas to life. With our help, you'll soar to new heights and hatch great success. Think of us as your trusty sidekick, always there to lend a wing and help you navigate the sometimes-complex world of domain names and web hosting. Our team of roosters are experts in their fields and are always on hand to answer any questions and provide guidance. So why wait? Sign up today and join the ranks of the world's greatest entrepreneurs. With DomainRooster, the sky's the limit! And remember, as the saying goes, "Successful people do what unsuccessful people are not willing to do." So don't be afraid to take that leap of faith - DomainRooster is here to help you reach for the stars. Caw on!