Working with iptables

Although iptables is not fresh and new, it is still in use, and those in the IT profession should expect to come into contact with it at some point. I will likely be setting up a server in the future with iptables enabled for a homelab project. Therefore, I have decided to put together a short post on how to apply a few common rules and variations of them.

The basics

iptables commands are usually structured as such:

root@user# iptables [option] [chain] [options…]

The following is a guide to the options that will be used in the commands:

 iptables      leading command
 -A            append a rule to a chain
 -s            source
 -d            destination
 -i            in interface
 -o            out interface
 -p            protocol (for example tcp)
 INPUT         packets coming into the system
 OUTPUT        packets leaving the system
 FORWARD       packets being routed through the system

DROP: ignore the packet
ACCEPT: accept the packet
REJECT: Reject the packet and notify the sender that it was rejected

Save/backup iptables

This is the command used to save and back up your rules. The file I named “iptables.rules” can have any name.

  [root@localhost ~]# iptables-save > /etc/iptables.rules  

Restore iptables rules

Saved rules can be restored from any path. Note the direction of the redirect: iptables-restore reads the saved file on standard input.

[root@localhost ~]# iptables-restore < /etc/iptables.rules

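Set the default action of the chains

This portion deals with the INPUT, OUTPUT, and FORWARD chains. The rules here set the default policy, so that any packet reaching a chain is dropped unless a rule makes an exception for it. If you are connected over SSH, add the ACCEPT rules from the sections below before changing the policies, otherwise the DROP policy cuts off the session.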

 [root@localhost ~]# iptables -P INPUT DROP
 [root@localhost ~]# iptables -P OUTPUT DROP
 [root@localhost ~]# iptables -P FORWARD DROP 

Allow incoming and outgoing connections that are established

From the man pages:

ESTABLISHED — meaning that the packet is associated with a connection which has seen packets in both directions,

RELATED — meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.

[root@localhost ~]# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT 

Allow traffic to be routed from one interface to another

This is useful if you have two interfaces, such as in a router, because it lets packets traverse from one interface to another. Be sure to specify all the directions in which the packets could travel. The following rule only allows packets to cross from eth1 to eth0 but not the other way around.

 [root@localhost ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT 

Allow host to use its own loopback device

This rule will allow the host to access its own services. lo indicates the loopback interface.

[root@localhost ~]# iptables -A INPUT -i lo -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -o lo -j ACCEPT 

Allow the host to be accessed from the outside, through ssh

In this example, the host is running an ssh server. The server is made accessible from the outside with this set of rules.

 [root@localhost ~]# iptables -A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

 [root@localhost ~]# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT  

You can also specify a specific address or set of addresses that can access the host.

[root@localhost ~]# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

[root@localhost ~]# iptables -A OUTPUT -o eth1 -d 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow HTTP or HTTPS into the host system

HTTP

[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT

HTTPS

[root@localhost ~]# iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Blocking IP addresses

Block a specific IP address

This can also be a range of addresses, destination addresses, or ports.

[root@localhost ~]# iptables -A INPUT -s <ip_address> -j DROP

Block an IP on a specific interface

[root@localhost ~]# iptables -A INPUT -i eth0 -s <ip_address> -j DROP
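An added example, not part of the original post: because -A appends, a DROP for one address that lands after the port ACCEPT rules never sees that address's new connections to those ports. The function below reads iptables-save text and flags that ordering, plus any default policy that is not DROP; the sample ruleset and the address 203.0.113.7 are constructed, and the shadowing check is a simple heuristic.

```sh
#!/bin/sh
# Added example: audit iptables-save text for rule-order problems.

# Constructed sample: the post's rules in the order they were appended,
# with the block for 203.0.113.7 (a documentation address) added last.
sample_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.7/32 -j DROP
COMMIT
EOF
}

# Reads iptables-save text on stdin and prints one finding per line.
audit_ruleset() {
  awk '
    # Chain header, e.g. ":INPUT DROP [0:0]": report any policy that is not DROP.
    /^:(INPUT|OUTPUT|FORWARD) / {
      if ($2 != "DROP") print "POLICY " substr($1, 2) " is " $2
      next
    }
    $1 == "-A" && $2 == "INPUT" {
      n++                                  # position of this rule in INPUT
      src = ""; target = ""; states = ""; iface = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s") src = $(i + 1)
        if ($i == "-i") iface = $(i + 1)
        if ($i == "-j") target = $(i + 1)
        if ($i == "--ctstate") states = $(i + 1)
      }
      # Heuristic: an ACCEPT for any source that admits NEW connections
      # decides those packets before a later per-address DROP is reached.
      if (target == "ACCEPT" && src == "" && iface != "lo" &&
          (states == "" || states ~ /NEW/)) { wide[++k] = n }
      if (target == "DROP" && src != "" && k > 0) {
        print "SHADOWED rule " n " (DROP " src ") follows ACCEPT rule " wide[1]
      }
    }
  '
}

sample_ruleset | audit_ruleset
```

On a live host, run `iptables-save | audit_ruleset` as root. Inserting the block with `iptables -I INPUT 1 -s <ip_address> -j DROP` places it ahead of the ACCEPT rules instead of after them.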
