iptables is a powerful firewall built into most Linux distros.
A vanilla instance of Ubuntu may have the following iptables rules.
There are three top-level chains: INPUT, FORWARD and OUTPUT. The
INPUT chain describes a policy for all IP packets that are destined for
the host. The OUTPUT chain is a policy for all IP packets that originate
from the host. FORWARD describes a policy for all packets that are
passing through the host, i.e. routed packets that neither originate from nor are destined for it.
For each CHAIN you can describe actions (targets) to apply for different
protocols, ports and other settings.
man 8 iptables says:
The most useful actions are ACCEPT and DROP. ACCEPT allows the packet to
continue, and DROP blocks the packet.
Most of the time you’re going to want to specify rules for incoming
packets and allow all outbound traffic.
Let’s see if we can tighten up our INPUT chain.
Let’s set the default policy for the FORWARD chain to DROP.
If we take a look at the rules now, we can see that the default policy
for the FORWARD chain is now to drop all packets.
Let’s add a couple of rules for the INPUT chain. We’ll set an ACCEPT action for all
connections to the loopback interface (localhost). We set an ACCEPT
action for established connections and we will allow SSH connections.
In the above example, we add a new rule to the INPUT chain for the lo
interface with an action of ACCEPT. This will allow all IP packets
destined for the host that arrive on the loopback interface. The loopback interface
is commonly known as localhost or 127.0.0.1.
The following rules will ACCEPT packets for already established
connections, SSH, HTTP and HTTPS. If you need to open up access for MySQL
(3306), PostgreSQL (5432), MongoDB (28017) or anything else, you can add
rules for those ports as well.
The very last command changes the default INPUT policy to DROP, so any packet
that does not match one of the rules above is dropped.
Now if we list out our rules we should see the following:
Packets destined for the host will be dropped unless they
match one of the ACCEPT rules. We have disabled the ability to forward
packets and we are allowing all outbound connections.
If you restart your machine you will lose all of your rules, because they live only in the running kernel.
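The whole ruleset described above (loopback, established connections and a list of TCP ports accepted; INPUT and FORWARD default DROP; OUTPUT default ACCEPT), written as an added example rather than the post's own commands. It renders the rules in iptables-restore format so they can be loaded atomically and saved for reboot; the port list, the numeric-port check and the /etc/iptables/rules.v4 path (the file iptables-persistent loads on Debian/Ubuntu) are my assumptions, not something the post specifies.

```shell
#!/bin/sh
# Added example (not the post's original commands): build the INPUT/FORWARD/OUTPUT
# policy from the post as an iptables-restore ruleset. Ports and paths are assumptions.

# render_ruleset PORT... : print the filter table in iptables-restore format.
# Fails (non-zero) if any PORT is not a plain number, so a typo never becomes a rule.
render_ruleset() {
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "render_ruleset: bad port '$port'" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter'
    # Default policies: INPUT and FORWARD drop anything not matched below,
    # OUTPUT stays ACCEPT so the host can still make outbound connections.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback traffic (localhost / 127.0.0.1) is always accepted.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections the host itself started, as tracked by conntrack.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One rule per listening TCP service (e.g. 22 80 443); only NEW connections.
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_accept_rules PORT... : number of explicit ACCEPT rules in the ruleset
# (loopback + established + one per port). A quick sanity check before applying.
count_accept_rules() {
    render_ruleset "$@" | grep -c -- '-j ACCEPT'
}

# apply_ruleset PORT... : parse-check the ruleset, load it in one atomic commit
# (no window where INPUT is DROP but the SSH rule is not yet present), then save
# it where iptables-persistent reloads it at boot. Needs root; not run by default.
apply_ruleset() {
    rules=$(render_ruleset "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore --test || return 1
    printf '%s\n' "$rules" | iptables-restore || return 1
    mkdir -p /etc/iptables
    printf '%s\n' "$rules" > /etc/iptables/rules.v4
}

# Stand-alone run: just print the ruleset for SSH, HTTP and HTTPS.
render_ruleset 22 80 443
```

Because the policy change and the ACCEPT rules are committed together by iptables-restore, there is no moment in which the default INPUT policy is DROP without the SSH rule in place, which is the usual way an administrator locks themselves out when typing the individual `iptables` commands in the wrong order.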