IPtables: Configuration and usage in Linux

Now that you’ve successfully installed and configured your Linux-based system, it is time to secure it. The first and most important step is to keep malicious actors from taking over our computer or server. One way to do that is to block undesirable traffic by configuring iptables.

IPtables

IPtables has been around forever on Linux operating systems. It is the standard tool for dictating what sort of traffic can make it into the system and what cannot, a firewall if you’re familiar with the term. It can also do some pretty neat tricks in terms of altering network packets that pass through your system.

Configuring iptables is a simple process. On most Linux distributions, iptables is already installed by default. Let’s go ahead and take a look at what iptables looks like by typing the following command:

sudo iptables -L -v -n

You are then presented with a list of “chains”, each holding its own rules. The “INPUT” chain tells iptables what to do with incoming network traffic destined for the machine itself. The “FORWARD” chain handles network traffic that is trying to pass through the machine from one network interface to another, for example when the machine is acting as a router. The “OUTPUT” chain is for network traffic that is leaving the machine through a network interface.

By default, there are no rules defined in any of the chains. You will also notice in parentheses that their policies are set to “ACCEPT”. This means that all network traffic going through each of these chains will be accepted unless a “DROP” rule is added. We are going to change the policy of the “INPUT” chain to DROP, but before we do that, we need to add a rule first. If you are currently connected to your Linux machine remotely over SSH, you must add a rule that keeps you from getting kicked out:

sudo iptables -I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

An explanation for the above shell command:

  • -I INPUT 1 inserts this rule at position 1, the top of the “INPUT” chain, so it is evaluated before any other rule.
  • -p tcp matches TCP, the protocol SSH uses.
  • --dport 22 matches incoming traffic destined for our SSH port.
  • -m conntrack loads the connection-tracking module, which lets the rule examine the connection state of each incoming packet.
  • --ctstate NEW,ESTABLISHED matches packets that belong to an already established connection or that are opening a new connection to our SSH server. This keeps us from being disconnected when we apply our “DROP” policy.
  • -j ACCEPT – if the previous conditions in our rule are met, “jump” to the ACCEPT target and let the packet through.

Once your command is successful, type in the following:

sudo iptables -P INPUT DROP

List your iptables chains again by typing “sudo iptables -L”. You will now see the “INPUT” chain with the policy set to “DROP”. This also means that replies to connections you open yourself, such as downloads from the internet, will be dropped. This is easily resolved by adding the following rule:

sudo iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Now your Linux machine can establish a connection to any remote server and receive the replies. Any packet that is trying to open a new connection to your Linux machine will be dropped, unless it is SSH, because the rule we added earlier with the “NEW” ctstate allows new SSH sessions to be made.

Before long, you may notice that local services do not function properly or fail to handle data such as DNS queries. You will need to add the following rule to correct this:

sudo iptables -A INPUT -i lo -j ACCEPT

The -i option matches the network interface a packet arrives on, such as eth0. In this case we need to allow traffic on the local loopback interface (lo, 127.0.0.1) so that our server software can talk to itself and work properly.

Saving your rules/chains

By default, IPtables does not save your rules, and they simply disappear upon reboot. Fortunately there is a way to alleviate that problem: we are going to install iptables-persistent. To do so, type in the following (Debian/Ubuntu):

sudo apt-get install iptables-persistent

Note: Package installation varies on Linux distributions.

All IPtables rules will be loaded from /etc/iptables/rules.v4 at boot. We will need to save them to that file first by running the following command:

sudo sh -c 'iptables-save -c > /etc/iptables/rules.v4'

The > redirection tells the shell to write what iptables-save prints to stdout into our rules.v4 file, and the -c argument includes the packet and byte counters in the saved rules. The command is wrapped in sh -c so that the redirection runs as root: with a plain “sudo iptables-save -c > /etc/iptables/rules.v4” the file would be opened by your unprivileged shell, not by sudo, and writing into /etc/iptables would fail with a permission error. Now, when Linux boots, our IPtables rules will be applied from this particular file.
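The following script is an added example, not part of the original article. It emits the ruleset built above in the iptables-save format that rules.v4 holds, and checks a saved rules.v4 for the lockout hazard the article warns about (INPUT policy DROP without the ESTABLISHED, loopback and SSH accept rules) before you feed it to iptables-restore on a remote box. It works on the text only, so it needs neither root nor the iptables binary; the function names and the optional SSH port argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): generate this page's ruleset
# as iptables-restore input and sanity-check a saved rules.v4 for lockout risk.

# Print the article's rules in the format iptables-save writes and
# iptables-restore reads. The SSH port is an argument (assumed default 22).
gen_rules_v4() {
    port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Return 0 when the file is safe to restore over SSH, 1 when INPUT is DROP but
# an accept rule is missing (names printed), 2 when the INPUT policy is not
# DROP (nothing locks you out, but the chain is still wide open).
check_rules_v4() {
    file="$1"; port="${2:-22}"; missing=""
    grep -q '^:INPUT DROP' "$file" || { echo "INPUT policy is not DROP"; return 2; }
    # iptables-save may reorder states (RELATED,ESTABLISHED), so accept either order.
    grep -Eq '^-A INPUT -m conntrack --ctstate [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT$' "$file" \
        || missing="$missing established"
    grep -q '^-A INPUT -i lo -j ACCEPT$' "$file" || missing="$missing loopback"
    # iptables-save inserts "-m tcp" before --dport; match with or without it.
    grep -Eq "^-A INPUT -p tcp( -m tcp)? --dport ${port} -m conntrack --ctstate [A-Z,]*NEW[A-Z,]* -j ACCEPT$" "$file" \
        || missing="$missing ssh"
    [ -z "$missing" ] || { echo "unsafe to restore, missing accept rules:$missing"; return 1; }
    return 0
}

# Typical use: gen_rules_v4 > rules.v4 && check_rules_v4 rules.v4 && sudo iptables-restore < rules.v4
```

Run check_rules_v4 against an existing /etc/iptables/rules.v4 (with the port sshd actually listens on) before rebooting or restoring it on a machine you only reach over SSH.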

Your Linux system is now even more secure than before, since most incoming connections can no longer be established, with the exception of SSH and the replies to your own outgoing client traffic.