Setting Iptables

The iptables firewall allows all traffic by default. If we just set up our server, we are not going to have any rules as of yet. But to get an idea of what a table may look like, we use sudo iptables -L to list our rules for our default filter table. We list the rules by using the -L option, we can also specify a chain after our list option, sudo iptables -L INPUT would only show the rules for the INPUT chain.

~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Tables

There are 5 tables independent tables. We can view a specific table's rules with the -t table option, followed by the table's name. Using sudo iptables -t nat -L would list the rules for the nat table.

table description chains
filter Default table INPUT, FORWARD, OUTPUT
nat New connection packet PREROUTING, OUTPUT, POSTROUTING
mangle Specialized packet alteration PREROUTING, OUTPUT, INPUT, FORWARD, POSTROUTING
raw Configuring exemptions PREROUTING, OUTPUT
security Mandatory Access Control networking rules SECMARK, CONNSECMARK, INPUT, OUTPUT, FORWARD

Each table has a list of chains, and may include some user defined chains. A chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a target, which may point to a user-defined chain in the same table.

chain description
INPUT packets destined to local sockets
OUTPUT locally generated packets
FORWARD packets being routed
PREROUTING altering incoming packets before routing
POSTROUTING altering packets as they are about to go out

Commands

After either specifying a table, or using the default filter table, first 4 (of many) basic commands are:

option name description
-A append appends to a chain
-C check checks existence of rule in chain
-D delete deleted rule from chain
-L list list all rules, or of a chain if specified

After one of our commands, we would typically specify a chain such as -A INPUT.

Options

option name description
-m match Specifies extension module to test for a specific property.
-p protocol follows with a protocol: `tcp`, `udp`, `udplite`, `icmp` or `all`
-D delete delete rule from chain

Targets

We can target an item from the list below, a user defined chain, or an extension.

target description
ACCEPT allow packet through
DROP deny the packet's access
RETURN stop traversing this chain and resume at the next rule in the previous (calling) chain.

Creating Rules

Allowing

Now with the basics out of the way, we will have a basic understanding of what is happening, when we try to append our first rule. We are going to allow estalished sessions to recieve traffic.

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

We are telling iptables to --append to the INPUT chain for incomming packets, with a --match from the conntrack extension where the connection state --ctstate is ESTABLISHED or RELATED, and for packets that meet this rule, to --jump to the target, ACCEPT in this case.

The conntrack module extension provides provides access to the connection tracking state. Passing in --ctstate allows us to match connection state, other states to match include: INVALID, NEW, UNTRACKED, NONE, EXPECTED. More info regarding this and other modules and can be found in man iptables-extensions. But in our case, ESTABLISHED matches a packet that is associated with a connection which has seen packets in both directions. RELATED will match a packet that is starting a new connection, but is associated with an existing connection.

Next, we will allow incoming traffic on port 22 for SSH.

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

iptables will --append to the INPUT chain for incomming packets, the --protocol of tcp where destination port --dport matches ssh, these will --jump to the ACCEPT target. When the --protocol is used, it will load the module of the protocol type. So in the above command, iptables is loading the tcp module, and could be easily found in man iptables-extensions if we search for --protocol tcp, where we can see other commands that tcp will accept, such as --sport, --tcp-flags, --syn, and --tcp-option.

Command for allowing all web traffic

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Another --append to the INPUT chain for incomming packets, the --protocol of tcp where destination port --dport matches 80, these will --jump to the ACCEPT target.

Blocking

Once we have a rule to allow a packet, no more rules will effect it as long as those allowing rules come first. We can now write a statement to block all traffic, but ssh and web traffic on port 80 will be let through before it gets to this rule.

sudo iptables -A INPUT -j DROP

This code is simple enough, --append to INPUT chain for all incoming packets, and DROP them.

Saving

We will lose all configurations settings of our firewall upon restarting our server. In order to persist our settings, we will have to save using iptables-save. This will save to all tables, or we can specify using the table option iptables-save -t nat.