Setup and Quick Use of IPTables on Ubuntu

The iptables Linux firewall monitors incoming and outgoing traffic on a server and filters it according to user-defined rules, to prevent unauthorized access to the system. Using iptables, you can set rules that allow only selected traffic to reach your server. In this iptables tutorial, you will learn how to secure your web application using iptables.

What you will need

Before you start with the Iptables tutorial, you will need the following:

  • A local machine with an SSH client (see the tutorial on how to use the PuTTY SSH client)
  • A VPS running Ubuntu 16.04

If you want to learn more about SSH and SSH commands, follow this tutorial.

Iptables basics

All data is sent over the Internet as packets. The Linux kernel provides an interface to filter incoming and outgoing packets using packet filter tables. iptables is a Linux command-line application and firewall that you can use to configure, maintain, and inspect these tables. Several tables can be defined, and each table can contain multiple chains. A chain is simply an ordered list of rules. Each rule defines what to do with a packet that matches it. When a packet matches a rule, it is handed to that rule's TARGET. A target can be another chain or one of the following special values:

  • ACCEPT: the packet is allowed to pass.
  • DROP: the packet is silently discarded.
  • RETURN: stop traversing the current chain and resume at the next rule in the chain from which it was called.

For the purposes of this iptables tutorial, we’ll be working with one of the default tables, called filter. The filter table has three chains (rule sets).

  • INPUT – This chain handles packets coming into the server. You can block or allow connections based on port, protocol or source IP address.
  • FORWARD – This chain filters packets that enter the server but need to be forwarded elsewhere.
  • OUTPUT – This chain filters packets going out of your server.

[Figure: Iptables tutorial - filter table]

Step 1 – Install Iptables Linux Firewall

  1. Installing iptables

iptables comes pre-installed in almost all Linux distributions. If it is not installed on your Ubuntu/Debian system, install it with:

sudo apt-get update
sudo apt-get install iptables
  2. Checking Current Iptables Status

With this command you can check the status of your current iptables configuration. Here the -L option lists all rules and the -v option gives a more verbose listing. Please note that these options are case sensitive.

sudo iptables -L -v

Example of result:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source             destination         
 
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source             destination         
 
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source             destination

This is the output of the above command. Here, all three chains have the default policy ACCEPT, and there are currently no rules in any of the chains.

To make this iptables tutorial more practical, we will modify the INPUT chain to filter incoming traffic.

Step 2 – Set Chain Rules

Defining a rule means appending it to a chain. Here is the general form of the iptables command with its common options; you don’t have to specify them all.

sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp)> -s <source> --dport <port no.> -j <target>

Here -A means append. Chain is the chain we want to add the rule to. Interface is the network interface on which you want to filter traffic. Protocol is the network protocol of the packets you want to filter. You can also specify the destination port number on which you want to filter traffic.

For more information about the iptables command and its options, see the iptables man page.

  1. Enabling traffic on localhost

We want all communication between applications and databases on the server to continue as usual.

sudo iptables -A INPUT -i lo -j ACCEPT

Example of result:

Chain INPUT (policy ACCEPT 7 packets, 488 bytes)
pkts bytes target     prot opt in     out     source               destination         
0     0 ACCEPT     all  --  lo     any     anywhere             anywhere

Here the -A option appends the rule to the INPUT chain, accepting all connections on the lo interface. lo is the loopback interface; it carries all communication on localhost, such as traffic between a database and a web application on the same machine.

  2. Enabling connections on the HTTP, SSH and SSL ports

We want our regular HTTP (port 80), HTTPS (port 443) and SSH (port 22) connections to continue as usual. Enter the following commands to allow them. In these commands, the protocol is specified with the -p option and the corresponding port for each protocol with the --dport (destination port) option.

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Now all TCP connections to the specified ports will be accepted.

  3. Source-Based Packet Filtering

If you want to accept or reject packets based on a source IP address or IP address range, you can specify it with the -s option. For example, to accept packets from the address 192.168.1.3:

sudo iptables -A INPUT -s 192.168.1.3 -j ACCEPT

You can drop packets from an IP address with a similar command using the DROP target.

sudo iptables -A INPUT -s 192.168.1.3 -j DROP

If you want to drop packets from a range of IP addresses, you must load the iprange module with the -m option and specify the IP address range with --src-range.

sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP
  4. Reject other traffic

Note: It is important to DROP all other traffic after setting the rules above, as this prevents unauthorized access to the server through any other open port. Because rules are evaluated in order, this catch-all rule must be appended after the ACCEPT rules.

sudo iptables -A INPUT -j DROP

This rule drops all incoming traffic other than to the ports allowed by the commands above. You can check your ruleset now with:

sudo iptables -L -v
  5. Deleting rules

If you want to delete all the rules and start from scratch, you can use the -F (flush) option.

sudo iptables -F

This command removes all current rules. If you want to remove a specific rule, you can do so with the -D option. First, list all the rules with their numbers by entering the following command:

sudo iptables -L --line-numbers

You will get a numbered list of rules, for example:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  192.168.0.4          anywhere            
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

To delete a rule, specify the chain and the rule’s number in the list. In our case, the INPUT chain and number 3.

sudo iptables -D INPUT 3


Step 3 – Persistent Changes

The iptables rules we created exist only in memory. This means that they are lost on reboot and we would have to define them again. To make these changes persist after a reboot, use the following command on Ubuntu/Debian systems:

sudo /sbin/iptables-save

This command saves the current rules to the system configuration file which is used to reconfigure the tables on reboot. You must run this command each time you modify the rules. To disable this firewall, simply delete all rules and make the changes persistent.

sudo iptables -F
sudo /sbin/iptables-save
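The Step 2 ruleset and the Step 3 persistence combined into one script, as an added example that is not part of the tutorial: it renders the rules in iptables-restore format so they are loaded in one atomic operation and in a deliberate order (range DROP before the port ACCEPTs, catch-all DROP last), and adds a conntrack rule for established connections that the page does not mention. The rules file path and that extra conntrack rule are my assumptions; iptables-save itself only writes to stdout, so the script redirects its output to the file.

```shell
#!/bin/sh
# Added example (not from the tutorial): renders the Step 2 INPUT chain as an
# iptables-restore file so the whole ruleset is loaded atomically in a known
# order, then persists it as in Step 3. Assumptions: the trusted host and the
# blocked range reuse the tutorial's addresses; the RULES_FILE path is mine.
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"
ALLOWED_TCP_PORTS="22 80 443"
TRUSTED_HOST="192.168.1.3"
BLOCKED_RANGE="192.168.1.100-192.168.1.200"

# Print the ruleset. Rules are matched top to bottom, so the order below is
# deliberate: the final DROP must come last, and the range DROP must come
# before the port ACCEPTs or a blocked host could still reach 22/80/443.
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic (local app <-> database) is always allowed.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Added beyond the page: without this rule the final DROP also discards
    # replies to connections the server opened itself (e.g. apt-get), because
    # those replies arrive on ports that no ACCEPT rule above covers.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "-A INPUT -m iprange --src-range $BLOCKED_RANGE -j DROP"
    printf '%s\n' "-A INPUT -s $TRUSTED_HOST -j ACCEPT"
    for port in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    # Catch-all: everything not accepted above is dropped.
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# Number of INPUT rules emitted (sanity check before applying).
count_input_rules() { build_rules | grep -c '^-A INPUT '; }

# Succeeds only if the catch-all DROP is the last INPUT rule.
drop_is_last() {
    [ "$(build_rules | grep '^-A INPUT ' | tail -n 1)" = "-A INPUT -j DROP" ]
}

# Load the ruleset atomically, then persist it (requires root). A bare
# iptables-save only prints to stdout; the redirect writes the file that
# iptables-restore can reload at boot.
apply_rules() {
    build_rules | iptables-restore && iptables-save > "$RULES_FILE"
}

# Pass "apply" to load the rules; with no argument just print them for review.
if [ "${1:-}" = "apply" ]; then apply_rules; else build_rules; fi
```

Review the printed output first; only `sh script.sh apply` run as root touches the live firewall.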


Conclusion

In this iptables tutorial, we used the Linux iptables firewall to allow traffic only on specific ports. We also made sure that our rules survive a reboot. This Linux firewall will drop unwanted packets, but one limitation is that iptables only handles IPv4 traffic. If your VPS has IPv6 networking enabled, you need to set corresponding rules for that traffic with ip6tables.

SAKHRI Mohamed