IPTables - Basics


Purpose

This article provides some basic knowledge and information on setting up iptables on Linux-based computers.

Most Linux distributions ship iptables as the firewall resource.

Many of them now manage the firewall through another tool, such as firewalld or ufw, but iptables should still be present as part of the system (those tools generate iptables rules underneath).

Requirements

You will need to have sudo or at least root privileges on the machine to execute iptables.

You should have console access to the machine in case you make a mistake with the firewall commands.

Basics

For the most part, here is a basic iptables baseline config you may wish to use.

iptables.base file
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14039465:18394491353]
# Keep Current connections alive
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow the UCSB Campus to ping the machine
-A INPUT -s 128.111.0.0/16 -p icmp -j ACCEPT 
# Allow SSH Connections to the machine
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
# Allow the computer to talk to itself for its applications
-A INPUT -i lo -j ACCEPT 
# Otherwise, drop the connection
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
COMMIT

This file is just a simple baseline that will do the following:

  • Keep the current connections that have been established.
  • Allow machines on campus to ping/traceroute the machine.
  • Allow SSH connections to the machine.
  • Allow the machine to talk to itself with regards to its own applications.
  • Reject any connection that doesn't fall under the above conditions (the last rule uses REJECT with an ICMP host-prohibited message, so the sender is told the connection was refused rather than having its packets silently dropped).

You can edit this file with additional lines if you need to restrict or open up allowances on the computer.

Once you are sure about what you want the firewall to do, you can load the firewall config by using the following command:

iptables-restore < iptables.base

This should load the firewall configuration. Note that iptables-restore replaces the current rules in the filter table with the contents of the file (it does not append to them), and the loaded rules are not kept across a reboot unless you save them (for example with iptables-save, or with your distribution's iptables persistence service).

Checking the configuration

You can check the firewall configuration by typing the following (add -n to skip the reverse DNS lookups that turn addresses and ports into names, and -v to see per-rule packet and byte counters):

iptables -L

What you should see is:

Example of iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
ACCEPT     icmp --  128.111.0.0/16       anywhere            
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh 
ACCEPT     all  --  anywhere             anywhere            
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Clearing iptables

If you need to clear out the firewall settings completely, you can do it with this command:

iptables -F

This will flush out all the rules and leave the system without a firewall. Be aware that -F only removes the rules: it does not change the chain policies or delete user-defined chains, so if you have set a policy of DROP on a chain, flushing will lock you out rather than open the machine up. Reset the policies first (for example iptables -P INPUT ACCEPT), or do this from the console.

Source Networks to take into account...

In most cases, you may want to restrict who can connect to the machine; this is the source computer, matched with -s in the rules above.

In some cases, you may want to restrict access to the following networks:

UCSB Campus Network

The UCSB Campus Network is 128.111.0.0/16. This covers most of the computers on the wired network, including Campus VPN usage.

UCSB Wireless Network

The UCSB Campus Wireless Network uses

  • 169.231.80.0/20
  • 169.231.96.0/19
  • 169.231.128.0/20
  • 169.231.144.0/20
  • 169.231.160.0/20

Alternatively, you can use 169.231.0.0/16 to cover all of these ranges.

UCSB ResNet also resides within the 169.231.0.0/16 subnet.
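As an added example that is not part of the original article, the script below ties the baseline file above to the source networks listed in this section: it generates a variant of iptables.base that only accepts ping and new SSH sessions from the networks you pass in, and loads it with an automatic rollback so a mistake in the file cannot lock you out of a remote machine. The function names, the 60-second timer and the /run/iptables-rollback.pid path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article: build a variant of the
# baseline file above that only accepts ping and new SSH sessions from the
# source networks listed on this page, and load it with an automatic
# rollback so a typo cannot lock you out. The function names, the 60 s
# timer and the pid-file path are assumptions made for this example.

# gen_rules CIDR...: print an iptables-restore file for the given networks.
gen_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for net in "$@"; do
        # one ICMP rule and one SSH rule per listed source network
        printf '%s\n' "-A INPUT -s $net -p icmp -j ACCEPT"
        printf '%s\n' "-A INPUT -s $net -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT"
    done
    # anything else is rejected, as in the baseline
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# count_ssh_rules CIDR...: how many SSH allow rules gen_rules emits (one per network)
count_ssh_rules() {
    gen_rules "$@" | grep -c -e '--dport 22'
}

# apply_with_rollback FILE: save the live rules, load FILE, and restore the
# saved rules after 60 seconds unless confirm_rules is run in time.
apply_with_rollback() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore < "$1" || { iptables-restore < "$backup"; return 1; }
    ( sleep 60; iptables-restore < "$backup" ) &
    echo "$!" > /run/iptables-rollback.pid
    echo "Loaded $1; run confirm_rules within 60 s to keep it"
}

# confirm_rules: cancel the pending rollback once you know SSH still works.
confirm_rules() {
    kill "$(cat /run/iptables-rollback.pid)" && rm -f /run/iptables-rollback.pid
}

# Typical use as root:
#   gen_rules 128.111.0.0/16 169.231.0.0/16 > iptables.campus
#   apply_with_rollback iptables.campus   # then, from a fresh SSH session: confirm_rules
```

Only gen_rules and count_ssh_rules run without privileges; apply_with_rollback and confirm_rules need root and a live iptables.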

Additional Resources

Here are a few links to check if you want more information on how to use iptables:
