Getting Started with iptables in Linux

This detailed tutorial will get you started using iptables, the tried, trusted and true firewall, in Linux.

Linux machines are known to be pretty secure, and Linux has been designed with security in mind. Yet, despite all the security features that come bundled with a Linux installation, you need to configure these features correctly to make them work for you. I'll guide you through the process of setting up one of the tools that help secure your machine: the firewall. We will use the iptables firewall in Linux for this exercise. I am assuming that you are using a server running Red Hat Enterprise Linux 4 or similar. However, most of the steps should work fine on other Linux distributions as well. In this article we will set up a firewall on a Linux server running the Apache Web Server, FTP, and SSH.

Let us first see what ports these applications use and which of them need to have a port open on the firewall.

The Apache web server runs on port 80 by default. Apache is going to serve all our web content on this port, therefore we need to keep this port open on the firewall. The SSH service runs on port 22. We need to be able to remotely connect to our server to work, so we keep it open. FTP runs on port 21, and it too needs its port open for communication.

Next, make sure you have iptables installed. Run this command as the root user:

# rpm -qa | grep iptables

If you have iptables installed, the system should print the version of the iptables package. If you don't, you can install it and start it with the following:

# yum install iptables

# /etc/init.d/iptables start

To check what kind of configuration iptables is currently running with:

# iptables --list
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This command lists all the firewall rules that are currently set. I will proceed with the assumption that you do not have any firewall rules in the iptables configuration on your Linux box. Let's now configure the firewall to allow communication on port 80 for your web server, port 22 for SSH, and port 21 for FTP. We'll also make sure that we block communication to any port other than those specified.

Here's the firewall configuration script. Create a new file, call it iptable-firewall.sh, and copy the following text into it:

#!/bin/sh

ANY="0/0"
OPEN_PORTS="21 22 80"

# Default policies stay ACCEPT; the explicit DROP rules at the end of the
# INPUT chain do the blocking. Traffic on interfaces other than eth0/eth1
# (loopback, for example) is not matched by those rules and is accepted.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Flush (-F) all specific rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

# Accept new (SYN) TCP connections on each open port, on both interfaces
for port in $OPEN_PORTS
do
iptables -A INPUT -i eth0 -p tcp -s $ANY -d $ANY --destination-port $port --syn -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -s $ANY -d $ANY --destination-port $port --syn -j ACCEPT
done

# Accept ICMP (ping and friends) on eth1 only
iptables -A INPUT -i eth1 -p icmp -s $ANY -d $ANY -j ACCEPT

# Allow any related/established connections
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Kill everything else arriving on eth0 and eth1
iptables -A INPUT -i eth0 -j DROP
iptables -A INPUT -i eth1 -j DROP

# Write the rules to the file the iptables init script loads at boot
iptables-save > /etc/sysconfig/iptables

Now save the above file, grant it executable permissions and then run it:

# chmod +x iptable-firewall.sh

# ./iptable-firewall.sh

Now check your firewall rules:

# iptables --list

All your firewall rules should now be set, and your server's firewall is in place. To make any modifications or additions to this set of rules, edit the line where the OPEN_PORTS parameter is defined and add or remove ports from the list. Remember to run the script again after making any changes to it.
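Checking the listing by eye works for three ports, but it is easy to miss an interface whose rules never reach a DROP, which matters here because the INPUT policy is left at ACCEPT. As an added example (not part of the original tutorial), this Python script audits an iptables-save dump against the port list and reports per interface which TCP ports accept new connections and whether the chain ends in a catch-all DROP; the dump is constructed to match what the script above produces, assuming the --syn rules print as --tcp-flags FIN,SYN,RST,ACK SYN.

```python
# Added audit helper, not from the tutorial: parse an iptables-save dump.
import re

# Constructed sample of what `iptables-save` prints after running the script.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth1 -p icmp -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A INPUT -i eth1 -j DROP
COMMIT
"""

def opt(args, flag):
    # Value following `flag` in one rule's argument string, or None if absent.
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", args)
    return m.group(1) if m else None

def audit_input_chain(dump, allowed_ports):
    policy, open_ports, catch_all_drop = None, {}, {}
    for line in dump.splitlines():
        if line.startswith(":INPUT "):
            policy = line.split()[1]            # default policy of the chain
        elif line.startswith("-A INPUT "):
            args = line[len("-A INPUT "):]
            iface, target, port = opt(args, "-i") or "*", opt(args, "-j"), opt(args, "--dport")
            if target == "ACCEPT" and opt(args, "-p") == "tcp" and port:
                open_ports.setdefault(iface, set()).add(int(port))
            # Last rule seen per interface: is it a catch-all DROP (no -p/-m match)?
            catch_all_drop[iface] = target == "DROP" and not opt(args, "-p") and not opt(args, "-m")
    findings = []
    if policy == "ACCEPT":
        findings.append("policy ACCEPT: interfaces without their own DROP rule stay open")
    for iface in sorted(set(open_ports) | set(catch_all_drop)):
        extra = sorted(open_ports.get(iface, set()) - set(allowed_ports))
        if extra:
            findings.append(f"{iface}: ports open beyond the allow-list: {extra}")
        if not catch_all_drop.get(iface):
            findings.append(f"{iface}: no terminal DROP rule")
    return {"policy": policy, "findings": findings,
            "open_ports": {i: sorted(p) for i, p in open_ports.items()}}
```

On a real server, feed it `iptables-save` output instead of SAMPLE_DUMP and the allow-list from OPEN_PORTS.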
