iptables is a powerful firewall built into most Linux distributions. A vanilla Ubuntu instance may have the following iptables rules.
λ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
There are three top-level chains: INPUT, FORWARD and OUTPUT. The INPUT chain holds the policy for all IP packets destined for the host itself. The OUTPUT chain holds the policy for all IP packets that originate from the host. FORWARD holds the policy for packets the host routes between interfaces, i.e. packets that neither originate from nor are destined for the host.
For each chain you can specify actions (targets) to apply to packets that match a given protocol, port or other criteria.
man 8 iptables says:
TARGETS
A firewall rule specifies criteria for a packet and a target. If
the packet does not match, the next rule in the chain is
examined; if it does match, then the next rule is specified by
the value of the target, which can be the name of a user-defined
chain, one of the targets described in
iptables-extensions(8), or one of the special values
ACCEPT, DROP or RETURN.
ACCEPT means to let the packet through. DROP means
to drop the packet on the floor. RETURN means stop
traversing this chain and resume at the next rule
in the previous (calling) chain. If the
end of a built-in chain is reached or a rule
in a built-in chain with target RETURN is
matched, the target specified by the chain
policy determines the fate of the packet.
The most useful actions are ACCEPT and DROP. ACCEPT allows the packet to continue, and DROP blocks the packet.
Most of the time you’re going to want to specify rules for incoming packets and allow all outbound traffic.
Let’s see if we can tighten up our INPUT chain.
Let’s set the default policy for the FORWARD chain to DROP.
$ sudo iptables -P FORWARD DROP
If we take a look at the rules now, we can see that the default policy for the FORWARD chain is now to drop all packets.
λ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Let’s add a couple of rules to the INPUT chain. We’ll set an ACCEPT action for all connections on the loopback interface (localhost), an ACCEPT action for established connections, and we will allow SSH connections.
λ sudo iptables -A INPUT -i lo -j ACCEPT
In the above example, we append (-A) a new rule to the INPUT chain for the lo interface with an action of ACCEPT. This allows all IP packets destined for the host on the loopback interface. The loopback interface is commonly known as localhost or 127.0.0.1.
λ ifconfig | grep lo -A8
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:23105 errors:0 dropped:0 overruns:0 frame:0
TX packets:23105 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5150930 (5.1 MB) TX bytes:5150930 (5.1 MB)
The following rules ACCEPT packets belonging to already established connections, then ssh, http and https. If you need to open up access for mysql (3306), postgres (5432), mongodb (28017) or anything else, you can add rules for those ports as well.
$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
$ sudo iptables -A INPUT -j DROP
The very last rule is a catch-all that DROPs every packet that did not match one of the rules above it. Rules are evaluated top to bottom, so any further ACCEPT rule has to come before this one (append it before the DROP, or insert it with -I); anything appended after the DROP is never reached. Note that this is a rule in the chain, not a change to the chain’s default policy, which is why the listing below still shows INPUT with policy ACCEPT.
Now if we list out our rules we should see the following:
λ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Packets destined for the host will be dropped unless they match one of the ACCEPT rules. We have disabled the ability to forward packets and we are allowing all output connections.
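As an added example (not code from the original post), a small POSIX shell script that generates the ruleset above for a list of ports and checks an `iptables -S INPUT` dump for the ordering mistake that bites most often: a rule appended after the catch-all DROP is never reached. The helper names and the sample dumps are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers around the ruleset
# built above: one prints the commands for a port list (catch-all DROP last),
# the other checks an 'iptables -S INPUT' dump so a rule appended after the
# DROP is caught before you rely on it.

# Emit the iptables commands for the INPUT chain described in the post.
# Arguments are the TCP ports to accept (e.g. 22 80 443).
build_input_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
    done
    echo "iptables -A INPUT -j DROP"   # must stay last: nothing after it is reached
}

# Read an 'iptables -S INPUT' dump on stdin. Exit 0 only when the loopback
# and ESTABLISHED,RELATED rules precede the catch-all DROP and that DROP is
# the final rule in the chain; exit 1 otherwise.
check_input_order() {
    awk '
        $0 == "-A INPUT -j DROP"         { drop = NR }
        $0 == "-A INPUT -i lo -j ACCEPT" { lo = NR }
        /^-A INPUT .*--state [A-Z,]*ESTABLISHED.* -j ACCEPT$/ { est = NR }
        /^-A INPUT/                      { last = NR }
        END {
            if (!drop || !lo || !est)    exit 1   # a required rule is missing
            if (drop != last)            exit 1   # dead rules after the DROP
            if (lo > drop || est > drop) exit 1   # DROP would shadow them
            exit 0
        }'
}

# Constructed sample dumps (what 'sudo iptables -S INPUT' would print).
GOOD_DUMP='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'
# Here a mysql rule was appended after the catch-all, so it never matches.
BAD_DUMP='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT'

printf '%s\n' "$GOOD_DUMP" | check_input_order && echo "good dump: order OK"
printf '%s\n' "$BAD_DUMP"  | check_input_order || echo "bad dump: rule after DROP"
```

On a live host, pipe `sudo iptables -S INPUT` into `check_input_order` before saving the rules.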
These rules live only in kernel memory: if you restart your machine you will lose all of them unless you save them (for example with iptables-save) and restore them at boot.