Iptables is the firewall built into the Linux kernel since version 2.4, so it ships with the operating system itself. It is a rule-based firewall: the kernel applies, in order, the rules that the administrator loads into it. Iptables is also found in Linux-based firmware and, of course, on Android devices.
Using IPtables is quite complex, so let’s take a general look at its options:
To Start / Stop / Restart Iptables we must execute these commands:
- sudo service iptables start
- sudo service iptables stop
- sudo service iptables restart
The main IPtables commands are the following (command arguments):
- -A --append → add a rule to the end of a chain.
- -D --delete → delete a rule from the specified chain.
- -R --replace → replace a rule.
- -I --insert → insert a rule at a given position in a chain.
- -L --list → list the rules of the chain passed as an argument.
- -F --flush → remove all rules from a chain.
- -Z --zero → zero all the counters of a chain.
- -N --new-chain → create a user-defined chain.
- -X --delete-chain → delete the specified chain.
- -P --policy → tell the kernel what to do with packets that match no rule in the chain.
- -E --rename-chain → rename a chain.
Main conditions for Iptables:
- -p --protocol → the rule applies to a protocol.
- -s --src --source → the rule applies to a source IP.
- -d --dst --destination → the rule applies to a destination IP.
- -i --in-interface → the rule applies to an incoming interface, such as eth0.
- -o --out-interface → the rule applies to an outgoing interface.
TCP / UDP conditions
- --sport --source-port → select or exclude packets by a specific source port.
- --dport --destination-port → select or exclude packets by a specific destination port.
There are many more conditions for an advanced firewall configuration, but the elementary ones are already listed.
Configure default rules
The default policy of a firewall should be «block everything except [rules]». To configure the firewall to block all connections we must type:
- iptables -P INPUT DROP
- iptables -P FORWARD DROP
- iptables -P OUTPUT DROP
With this we will run out of internet, so next we must start creating permissive rules.
To apply a rule that filters a certain port, we must execute:
- iptables -A INPUT -p tcp --sport 2222 → create a rule for TCP source port 2222
To block traffic from a certain IP, we must execute:
- iptables -A INPUT -p tcp -m iprange --src-range 192.168.1.13-192.168.2.19 -j DROP (example IP range)
We could also block by MAC address with the --mac-source condition:
- iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01 -j DROP
Once the rules that we want to apply have been executed, we must save them by typing sudo service iptables save
View firewall status
The -L parameter lists the rules currently loaded, -v gives more information about the connections (packet and byte counters, interfaces), and -n shows the IP addresses and their corresponding ports numerically, without resolving them through a DNS server.
Delete existing rules
To erase all the firewall configuration to reconfigure it again we must type:
Allow incoming connections
We will type the following parameters:
- iptables -A INPUT -i [interface] -p [protocol] --dport [port] -m state --state NEW,ESTABLISHED -j ACCEPT
-i: the interface, for example eth0. This is useful when the machine has several network cards; with only one, this parameter can be omitted.
-p: the protocol. We must specify whether it is TCP or UDP.
--dport: the port we want to allow; for HTTP, for example, it would be 80.
An example to allow incoming connections from web pages:
- iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Allow outbound connections
- iptables -A OUTPUT -o [interface] -p [protocol] --sport [port] -m state --state ESTABLISHED -j ACCEPT
-o: the outgoing interface, for example eth0, as in the previous case.
-p: the protocol. We must specify whether it is TCP or UDP.
--sport: the port we want to allow; for HTTPS, for example, it would be 443.
An example to allow outbound traffic to web pages:
- iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Allow ICMP packets
By default, ping is disabled. We must enable it manually by adding the corresponding entries in iptables. For this we will type:
In order to ping other servers:
- iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
To allow receiving ping requests from other computers:
- iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow internal traffic to go to the internet
In the case of having 2 network cards (eth0 locally and eth1 connected to the internet) we can configure the firewall to forward the local network traffic through the internet. For this we will write:
- iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
Block and prevent DDoS attacks
- iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT → accept an initial burst of 100 packets on port 80 and then at most 25 per minute
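The «block everything except» procedure from the default policies through the allow rules and the rate limit above, put together as one script. This is an added example, not from the original article; the interface eth0 and the service ports 22, 80 and 443 are assumptions, and IPT defaults to `echo iptables` so the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Baseline deny-by-default ruleset for a small web server (added example).
# Default to printing the commands; run as root with IPT=iptables to apply.
: "${IPT:=echo iptables}"
WAN_IF="${WAN_IF:-eth0}"   # assumed internet-facing interface
SSH_PORT="${SSH_PORT:-22}" # assumed admin port

baseline_rules() {
    # Start from a clean slate: flush rules, delete user chains, zero counters
    $IPT -F
    $IPT -X
    $IPT -Z
    # Default policies: everything not explicitly allowed is dropped
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback must always be allowed or local services break
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Stateful rules: packets of connections already tracked are accepted,
    # so each service below only needs to allow NEW connections
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound administration
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    # Inbound web, rate-limited as in the anti-DDoS rule
    for port in 80 443; do
        $IPT -A INPUT -i "$WAN_IF" -p tcp --dport "$port" -m state --state NEW \
            -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
    done
    # Outbound: DNS lookups and HTTP(S) for package updates
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # ICMP: we can ping others; incoming pings are allowed but rate-limited.
    # Echo replies in both directions are covered by the ESTABLISHED rules.
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
}

baseline_rules
```

Review the printed commands first; to apply them run the script as root with `IPT=iptables`, and persist the result with `sudo service iptables save` as described above.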
Query packets rejected by iptables
To know the packets that iptables has rejected we must type:
How to block incoming connections through port 1234:
- iptables -A INPUT -p tcp --dport 1234 -j DROP
- iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP → the same, but only on interface eth1
Block an IP address:
- iptables -A INPUT -s 192.168.0.0/24 -j DROP
Block an outgoing IP address:
- iptables -A OUTPUT -d 18.104.22.168 -j DROP
We can also block a URL, for example Facebook (iptables resolves the host name to its IP addresses when the rule is added, so only those addresses are blocked):
- iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
Block traffic from a MAC address:
- iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
Block ping requests:
- iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
UFW (Uncomplicated Firewall) is a firewall configuration tool for Ubuntu from the console, developed to facilitate the configuration of the Iptables firewall. Ufw provides an easy way to create an IPv4 or IPv6 host-based firewall.
The first thing to do is install ufw from apt-get with:
Now we run the firewall by typing sudo ufw enable. To stop the firewall, we will type sudo ufw disable, and to restart it, we will first stop it and then restart it with the specified commands.
Once we have the firewall working, we can begin to establish rules in its operation. To apply a rule that allows all traffic by default, we type:
On the contrary, to block all traffic, we will type:
To apply rules to certain ports, we will do it using the command:
- sudo ufw allow|deny [port]/[protocol]
- sudo ufw allow 1234/tcp (allows connections to port 1234 over TCP)
- sudo ufw deny 4321/udp (blocks connections to port 4321 over UDP)
There is a file containing more predefined rules at /etc/ufw/before.rules where, for example, we can allow or block external ping. To block it, we put a # in front of the line -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
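Commenting out that line by hand is easy to get wrong, since before.rules holds several similar ICMP lines. The helper below, an added example that is not part of the article or of ufw, toggles exactly that echo-request line in a before.rules file given as a parameter, leaves the other ICMP lines untouched, and is safe to run twice; try it on a copy of the file first.

```shell
#!/bin/sh
# Toggle external ping in a ufw before.rules file (added example).
# Only the exact echo-request ACCEPT line is touched; echo-reply,
# destination-unreachable and the other ICMP lines are left alone.
PING_RULE='-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT'

# Prefix the exact line with "#" (no change if it is already commented)
disable_external_ping() {
    f="$1"
    awk -v rule="$PING_RULE" '$0 == rule { print "#" $0; next } { print }' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Remove the leading "#" from the commented line (no change if already active)
enable_external_ping() {
    f="$1"
    awk -v rule="#$PING_RULE" '$0 == rule { print substr($0, 2); next } { print }' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
}

# Number of active (uncommented) copies of the echo-request rule: 1 = ping answered
active_ping_rules() {
    awk -v rule="$PING_RULE" '$0 == rule { n++ } END { print n + 0 }' "$1"
}
```

After editing the file, reload with `sudo ufw reload` so the change takes effect.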
We can consult the firewall rules from a terminal by typing sudo ufw status
As we can see, with UFW it is quite easy to manage our iptables firewall at the ipv4 and ipv6 level. We can manage all of this from a terminal without the need for a graphical interface, but we can still make it easier with another application, called gufw, which is a graphical interface for ufw that further simplifies its use.
To install gufw we must write in a terminal sudo apt-get install gufw
Once installed, we run it by typing gufw or looking for it in the applications panel.
The first window that the program shows us allows us to activate and deactivate the firewall, establish default rules for incoming and outgoing traffic (allow, reject and deny), and, at the bottom, create rules.
If we click on the + button at the bottom, we access the rules configuration menu. Here we can add custom rules regarding ports, applications, source ips, etc.
To add a rule per port, as we did from the terminal, we select whether to allow or deny, whether incoming or outgoing traffic is to be filtered, the protocol (TCP or UDP) and the port to filter.
The possibilities of iptables are practically endless, and the configuration difficulty increases exponentially depending on how complex the configurations we want to make are. From RedesZone we hope that with this small tutorial you can configure your iptables firewall at a basic level in a simple way.
Article written by Rubén Velasco (ruvelro) for RedesZone.net.