Purpose
This article provides some basic knowledge and information on setting up iptables on Linux-based computers.
Most Linux distributions ship with iptables as the firewall facility.
Many Linux systems now manage the firewall through other front ends such as firewalld or ufw, but most of them still have iptables available as part of the system.
Requirements
You will need sudo or root privileges on the machine to run iptables.
You should also have console access to the machine in case a firewall command locks you out over the network.
Basics
Here is a basic iptables baseline config you may wish to start from:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14039465:18394491353]
# Keep Current connections alive
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow the UCSB Campus to ping the machine
-A INPUT -s 128.111.0.0/16 -p icmp -j ACCEPT
# Allow SSH Connections to the machine
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# Allow the computer to talk to itself for its applications
-A INPUT -i lo -j ACCEPT
# Otherwise, drop the connection
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
This file is just a simple baseline that does the following:
- Keep the connections that have already been established.
- Allow machines on campus to ping/traceroute the machine.
- Allow SSH connections to the machine from any source.
- Allow the machine to talk to itself over the loopback interface for its own applications.
- Drop any connection that doesn't fall under the above conditions (the rule actually rejects it with an ICMP host-prohibited message, so the sender gets an explicit refusal rather than a timeout).
You can add lines to this file to further restrict or open up access to the computer as needed.
Once you are sure about what you want the firewall to do, you can load the firewall config with the following command:
iptables-restore < iptables.base
This loads the firewall configuration; iptables-restore replaces the current rules in the filter table with the contents of the file, so the running ruleset ends up exactly as the file describes it.
Checking the configuration
You can check the firewall configuration by typing:
iptables -L
What you should see is:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  128.111.0.0/16       anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Clearing iptables
If you need to clear out the firewall rules completely, you can do it with this command:
iptables -F
This flushes all the rules and leaves the system without a firewall. Note that -F only removes rules; it does not touch the default chain policies, which are ACCEPT in the baseline above. If a chain's policy had been set to DROP, flushing would leave everything blocked rather than open.
Source Networks to take into account...
In most cases you will want to restrict who can connect to the machine, that is, the source address of the connection.
In some cases, you may want to restrict access to the following networks:
UCSB Campus Network
The UCSB Campus Network is 128.111.0.0/16; this covers most of the computers on the wired network, including Campus VPN users.
UCSB Wireless Network
The UCSB Campus Wireless Network uses:
- 169.231.80.0/20
- 169.231.96.0/19
- 169.231.128.0/20
- 169.231.144.0/20
- 169.231.160.0/20
Or you can cover all of them with 169.231.0.0/16.
UCSB ResNet also resides within the 169.231.0.0/16 subnet.
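The script below is an added example; it is not part of the original article or any UCSB tooling. It puts the baseline config and the source-network list together: build_ruleset generates the baseline with the SSH rule limited to the networks you pass in (here the campus and wireless ranges), and safe_apply loads the file the way the Requirements section suggests, with a parse check and an automatic rollback in case you lose your connection. The function names and the rollback file handling are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original article): build a variant of the
# baseline that only admits SSH from the listed source networks, sanity-check
# it, and load it with an automatic rollback so a mistake cannot lock you out.

# Print an iptables-save style ruleset. $1 is a space-separated list of
# networks (CIDR) allowed to reach SSH; ICMP stays open to the campus /16.
build_ruleset() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -s 128.111.0.0/16 -p icmp -j ACCEPT'
    for net in $1; do
        printf '%s\n' "-A INPUT -s $net -p tcp -m tcp --dport 22 -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Number of rules in a ruleset file that accept port 22. Loading a file with
# none of them over an SSH session is the classic way to lock yourself out.
count_ssh_rules() {
    grep -c -- '--dport 22 -j ACCEPT' "$1" || true
}

# Load a ruleset file with a safety net: refuse files without an SSH rule,
# parse-check with --test, save the running rules to a temp file, and restore
# them after $2 seconds (default 60) unless the operator confirms from the
# terminal. Needs root; the temp file location is whatever mktemp chooses.
safe_apply() {
    ruleset=$1; grace=${2:-60}
    [ "$(count_ssh_rules "$ruleset")" -gt 0 ] || { echo "no SSH allow rule, refusing" >&2; return 1; }
    iptables-restore --test < "$ruleset" || return 1
    rollback=$(mktemp) || return 1
    iptables-save > "$rollback"
    ( sleep "$grace"; iptables-restore < "$rollback" ) &
    watchdog=$!
    iptables-restore < "$ruleset"
    printf 'Rules loaded. Press Enter within %ss to keep them: ' "$grace"
    read -r answer && kill "$watchdog" 2>/dev/null
}

# Usage (as root, from a console session rather than over SSH):
#   build_ruleset "128.111.0.0/16 169.231.0.0/16" > iptables.base
#   safe_apply iptables.base 60
```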
Additional Resources
Here are a few links to check if you want more information on iptables:
- Man Page for iptables - http://ipset.netfilter.org/iptables.man.html
- Digital Ocean's How-to on iptables - https://www.digitalocean.com/community/tutorials/how-to-list-and-delete-iptables-firewall-rules
- nixCraft's 25 iptables netfilter firewall examples - https://www.cyberciti.biz/tips/linux-iptables-examples.html