
Iptables HowTo

01/03/2016

Basic iptables howto

Iptables is a firewall, installed by default on all official Ubuntu distributions (Ubuntu, Kubuntu, Xubuntu). When you install Ubuntu, iptables is there, but it allows all traffic by default. Ubuntu 8.04 comes with ufw, a program for managing the iptables firewall easily.

There is a wealth of information available about iptables, but much of it is fairly complex, and if you want to do a few basic things, this How To is for you.

Basic Commands

Typing

sudo iptables -L

lists your current rules in iptables. If you have just set up your server, you will have no rules, and you should see

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Basic Iptables Options

Here are explanations for some of the iptables options you will see in this tutorial. Don’t worry about understanding everything here now, but remember to come back and look at this list as you encounter new options later on.

  1. -A – Append this rule to a rule chain. Valid chains for what we’re doing are INPUT, FORWARD and OUTPUT, but we mostly deal with INPUT in this tutorial, which affects only incoming traffic.
  2. -L – List the current filter rules.
  3. -m conntrack – Allow filter rules to match based on connection state. Permits the use of the --ctstate option.
  4. --ctstate – Define the list of states for the rule to match on. Valid states are:
    • NEW – The connection has not yet been seen.
    • RELATED – The connection is new, but is related to another connection already permitted.
    • ESTABLISHED – The connection is already established.
    • INVALID – The traffic couldn’t be identified for some reason.
  5. -m limit – Require the rule to match only a limited number of times. Allows the use of the --limit option. Useful for limiting logging rules.
    1. --limit – The maximum matching rate, given as a number followed by "/second", "/minute", "/hour", or "/day" depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is "3/hour".
  6. -p – The connection protocol used.
  7. --dport – The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which will match all ports from start to end, inclusive.
  8. -j – Jump to the specified target. By default, iptables allows four targets:
    1. ACCEPT – Accept the packet and stop processing rules in this chain.
    2. REJECT – Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
    3. DROP – Silently ignore the packet, and stop processing rules in this chain.
    4. LOG – Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
  9. --log-prefix – When logging, put this text before the log message. Use double quotes around the text to use.
  10. --log-level – Log using the specified syslog level. 7 is a good choice unless you specifically need something else.
  11. -i – Only match if the packet is coming in on the specified interface.
  12. -I – Inserts a rule. Takes two arguments: the chain to insert the rule into, and the rule number it should be.
    1. -I INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.
  13. -v – Display more information in the output. Useful if you have rules that look similar when listed without -v.
  14. -s, --source – address[/mask] source specification
  15. -d, --destination – address[/mask] destination specification
  16. -o, --out-interface – output name[+] network interface name (+ for wildcard)

Allowing Established Sessions

We can allow established sessions to receive traffic:

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Note: the above rule has no spaces on either side of the comma in ESTABLISHED,RELATED.

If the line above doesn’t work, you may be on a restricted VPS whose provider has not made the conntrack match extension available, in which case the older, less capable state match can be used as a last resort:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allowing Incoming Traffic on Specific Ports

You could start by blocking traffic, but you might be working over SSH, where you would need to allow SSH before blocking everything else.

To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in.

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

Referring back to the list above, you can see that this tells iptables:

  1. append this rule to the input chain (-A INPUT) so we look at incoming traffic
  2. check to see if it is TCP (-p tcp).
  3. if so, check to see if the input goes to the SSH port (--dport ssh).
  4. if so, accept the input (-j ACCEPT).

Let’s check the rules (only the first few lines are shown; you will see more):

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Now, let’s allow all incoming web traffic:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Checking our rules, we have

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www

We have specifically allowed TCP traffic to the SSH and web ports, but as we have not blocked anything, all traffic can still come in.
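The rules above, collected into a script, as an added example that is not part of the original howto. It keeps the order the text builds up (established/related first, then SSH, then HTTP), falls back to the state match when the conntrack rule fails to load, and uses -C so re-running it does not append duplicate rules; the DRY_RUN variable and the function names are this example’s own conventions, not iptables options.

```shell
#!/bin/sh
# Added example, not code from the original howto: applies the INPUT rules this
# page builds up, in the order the text gives them. Set DRY_RUN=1 to print the
# commands instead of running them; otherwise they run via sudo iptables.

# Run an iptables command, or print it when DRY_RUN is set.
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'iptables %s\n' "$*"
    else
        sudo iptables "$@"
    fi
}

# True when an identical INPUT rule already exists (-C checks without adding),
# so re-running the script does not append duplicate rules.
input_rule_exists() {
    [ -z "${DRY_RUN:-}" ] && sudo iptables -C INPUT "$@" 2>/dev/null
}

# Append an INPUT rule unless it is already present.
add_input_rule() {
    input_rule_exists "$@" || ipt -A INPUT "$@"
}

# Allow replies to connections we started. The conntrack match is preferred;
# if that rule cannot be loaded (the VPS case the page describes), fall back
# to the older state match.
allow_established() {
    add_input_rule -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ||
        add_input_rule -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_rules() {
    allow_established
    add_input_rule -p tcp --dport 22 -j ACCEPT   # SSH first, so a remote session survives
    add_input_rule -p tcp --dport 80 -j ACCEPT   # HTTP
}

# List the result with packet counters (-v) and without reverse DNS lookups (-n),
# which is why port 22 shows as "ssh" in the page's plain -L output.
show_rules() {
    ipt -L INPUT -v -n
}

case "${1:-}" in
    apply) apply_rules && show_rules ;;
esac
```

Run it as `sh firewall.sh apply`, or `DRY_RUN=1 sh firewall.sh apply` to see the exact commands it would issue.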
