The basics of iptables

Iptables is the standard firewall tool shipped by default in most Linux distributions (CentOS, Ubuntu, ...). It works by classifying inbound and outbound packets and applying the rules you have defined to them.


In this article, I will walk you through Iptables in the simplest way possible so that you can set up your own VPS firewall and open the ports your services need.



1. Install Iptables


Iptables is usually installed by default. If it is not, install it with:



  • CentOS: # yum install iptables

  • Ubuntu: # apt-get install iptables


CentOS 7 uses FirewallD as its default firewall instead of Iptables. If you want to use Iptables, mask FirewallD and switch the services over:


# systemctl mask firewalld
# systemctl enable iptables
# systemctl enable ip6tables
# systemctl stop firewalld
# systemctl start iptables
# systemctl start ip6tables

- Check that Iptables is installed:
On CentOS:


# rpm -q iptables
iptables-1.4.21-28.el7.x86_64
# iptables --version
iptables v1.4.12

On Ubuntu:


# iptables --version
iptables v1.6.0

Note: on Ubuntu, disable ufw before you configure Iptables by hand; ufw is Ubuntu's default firewall and manages its own set of rules, so the two would conflict.


# ufw disable

- Check the status of Iptables, and start, stop or restart the service on CentOS:


# service iptables status
# service iptables start
# service iptables stop
# service iptables restart

- Start Iptables at boot:


# chkconfig iptables on

On Ubuntu, Iptables is a plain command rather than a service, so there is nothing to start, stop or restart. The simplest way to turn it off is to delete all the rules you have set with the flush command:


# iptables -F

2. How Iptables rules work


To get started, decide which services you want to open or close and which ports they use.


For example, on a typical web and mail server:



  • To manage the VPS over SSH, you need to open the SSH port, 22.

  • To serve the website, you need to open the HTTP port, 80, and the HTTPS port, 443.

  • To send mail, you need to open the SMTP port, 25, and the SMTPS ports, 465/587.

  • For users to receive mail, you need to open POP3 (110), POP3S (995), IMAP (143) and IMAPS (993).


Once you have identified the ports to open, add the corresponding ACCEPT rules to the firewall.


You can delete all the existing rules to start from scratch (note that -F removes rules only, not the chain policies set with -P; if the INPUT policy is DROP, set it back to ACCEPT first or you will cut off your own SSH session):


# iptables -F


Next, let's look at how to read the rules. List the current rules:


# iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Column 1: TARGET, the action taken when a packet matches the rule:



  • ACCEPT: the packet is let through to the operating system or the application.

  • DROP: the packet is silently discarded.

  • REJECT: the packet is discarded and an error message is sent back to the sender.


Column 2: PROT (protocol), the protocol the rule applies to: all, TCP or UDP. SSH, FTP, SFTP and similar applications use TCP.


Columns 4 and 5: SOURCE and DESTINATION, the source and destination addresses a packet must have for the rule to match; anywhere means any address. The last column lists extra match options, such as the destination port (dpt:).
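As an added example (not code from the original article), the following sh/awk script reads a listing in the format shown above and reports rules that sit below a catch-all REJECT or DROP in their chain. Such rules can never match, which is exactly the situation in the listing above: the http rule and everything after it come below the REJECT line. The sample listing embedded in the script is an abridged copy of that output.

```shell
#!/bin/sh
# Added example (not from the original article): find rules that can never
# match because a catch-all REJECT or DROP earlier in the same chain handles
# every packet first. Rules are checked top to bottom and the first match
# wins, so anything appended with -A below such a line is dead.

# Sample input: abridged copy of the INPUT/FORWARD/OUTPUT listing shown above
# (constructed from the article's own "iptables -L" output).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

# shadowed_rules LISTING: prints "CHAIN:RULENUM:rule" for every rule that
# sits below a catch-all REJECT/DROP in its chain. A catch-all is a
# REJECT/DROP on protocol "all" from anywhere to anywhere with no match
# options other than reject-with. Plain "iptables -L" hides interface
# matches (the "ACCEPT all" loopback rule looks unrestricted), so ACCEPT
# lines are never treated as blockers; use "iptables -L -v -n" for detail.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; n = 0; blocked = 0; next }
        /^target / || NF == 0 { next }
        {
            n++
            if (blocked) { print chain ":" n ":" $0; next }
            if (($1 == "REJECT" || $1 == "DROP") && $2 == "all" &&
                $4 == "anywhere" && $5 == "anywhere" &&
                (NF == 5 || (NF == 7 && $6 == "reject-with")))
                blocked = 1
        }'
}

# Typical use on a live system (needs root):
#   shadowed_rules "$(iptables -L)"
shadowed_rules "$SAMPLE_LISTING"
```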


3. How to use Iptables to open VPS port


To open a port in Iptables, you add an ACCEPT rule for that port to the INPUT chain. The command to open port xxx is:


# iptables -A INPUT -p tcp -m tcp --dport xxx -j ACCEPT

-A means Append: the rule is added to the end of the INPUT chain.
or


# iptables -I INPUT -p tcp -m tcp --dport xxx -j ACCEPT

-I means Insert: the rule is added to the INPUT chain at position rulenum (at the top when no number is given).
Rules are checked from top to bottom and the first match decides, so a rule appended with -A below a REJECT line (like the http rule in the listing above) never gets a chance to match. To avoid such conflicts with the existing rules, insert new rules at the beginning with -I.


3.1. Open SSH port


To manage the VPS over SSH, you need to open SSH port 22. This rule allows SSH connections from any address:


# iptables -I INPUT -p tcp -m tcp --dport 22 -j ACCEPT

By default iptables -L shows the service name ssh for port 22; if you run SSH on another port, the port number is shown instead:


ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

You can instead allow SSH only from one IP address (find your own public address on a "what is my IP" website, or with the w command while logged in to the VPS):


# iptables -I INPUT -p tcp -s xxx.xxx.xxx.xxx -m tcp --dport 22 -j ACCEPT

The rule then appears in the listing as:


ACCEPT     tcp  --  xxx.xxx.xxx.xxx       anywhere            tcp dpt:ssh

3.2. Open the Web Server port


To allow access to the web server on the default ports 80 and 443:


# iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Iptables shows these as http and https:


ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https

3.3. Open the Mail port


To let users send mail through the SMTP server on the default ports 25 and 465:


# iptables -I INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# iptables -I INPUT -p tcp -m tcp --dport 465 -j ACCEPT

Iptables shows these as smtp and urd (the name /etc/services assigns to port 465):


ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:urd

- For users to read mail from the server, open the POP3 ports (110 and, for POP3S, 995):


# iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

Iptables shows these as pop3 and pop3s:


ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s

You also need to open the IMAP ports (143 and, for IMAPS, 993).


# iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

Iptables shows these as imap and imaps:


ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:imaps

3.4. Block an IP address


To block all traffic from one IP address:


# iptables -A INPUT -s IP_ADDRESS -j DROP

- Block one IP address from reaching a specific port (as with any rule, a DROP appended with -A sits below the ACCEPT rules added earlier and is never reached, so insert it above them with -I if that port is already open):


# iptables -A INPUT -p tcp -s IP_ADDRESS --dport PORT -j DROP

Once you have opened the ports you need and added any restrictions, set the default policies so that all other incoming connections are blocked and all outbound connections from the VPS are allowed:


# iptables -P OUTPUT ACCEPT
# iptables -P INPUT DROP
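As an added example (not from the original article), here is a way to load the complete rule set from sections 3.1 to 3.4 in one go with iptables-restore, in an order that avoids two pitfalls of entering the rules one by one: a rule appended with -A below a catch-all line never matches, and setting the INPUT policy to DROP before the SSH and RELATED,ESTABLISHED rules exist locks you out of the VPS. The addresses 203.0.113.10 and 198.51.100.7 are constructed documentation addresses, and the multiport match is assumed in place of one rule per port.

```shell
#!/bin/sh
# Added example (not from the original article): build the article's whole
# rule set as one iptables-restore file instead of adding rules one by one.
# Everything is loaded atomically, the default INPUT policy is DROP from the
# start, and the order is fixed so no rule shadows another.

# build_ruleset ADMIN_IP [BLOCKED_IP...] -> prints the rule set on stdout.
# ADMIN_IP is the only address allowed to reach SSH (section 3.1).
build_ruleset() {
    admin_ip="$1"; shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
EOF
    # Blocked hosts (section 3.4) go before every ACCEPT so no later rule
    # can shadow them.
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -j DROP"
    done
    # Service ports from section 2; multiport replaces one rule per port.
    cat <<EOF
-A INPUT -p tcp -s $admin_ip -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 25,465,587 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995,143,993 -j ACCEPT
COMMIT
EOF
}

# apply_ruleset ADMIN_IP [BLOCKED_IP...]: syntax-check with -t, then load
# and persist to the CentOS path named in the article. Needs root.
apply_ruleset() {
    build_ruleset "$@" | iptables-restore -t || return 1
    build_ruleset "$@" | iptables-restore || return 1
    iptables-save > /etc/sysconfig/iptables
}

# Example call with constructed documentation addresses (RFC 5737):
#   apply_ruleset 203.0.113.10 198.51.100.7
build_ruleset 203.0.113.10 198.51.100.7
```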

Once the setup is done, check the rules again:


# service iptables status

Or


# iptables -L -n

-n prints numeric addresses and ports instead of names. For example, if you block connections from tino, with -n iptables shows the address xxx.xxx.xxx.xxx rather than the host name.
Finally, save the Iptables settings, otherwise they are lost when the system reboots. On CentOS the configuration is stored in /etc/sysconfig/iptables.


# iptables-save | sudo tee /etc/sysconfig/iptables

Or


# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]