How to Configure iptables

Firewalls are protective systems designed to keep unauthorized outsiders from gaining access to a server, network or database. Those outsiders range from malicious scripts, such as SQL injection attempts, to human hackers themselves; the term covers a lot of ground, and firewalls can protect against them all. They are put in place to guard private assets, such as web data, regardless of what sort of intrusion may be threatening those assets.

What Is the Linux Firewall?

The Linux Operating System, quite possibly the world’s foremost amalgam of open-source software, is known for being secure. It’s no secret that one of the leading reasons for the ongoing success Linux has enjoyed has been just how safe the OS is. There are several reasons for this. Chief among them is the Linux Firewall.

Now remember, there are actually several variations of the Linux Firewall. In fact, there are several firewall applications that can be run on Linux, but each of these programs can be boiled down to a single application within the Linux kernel itself, called iptables. Each of the separate firewall applications is actually just a different way of configuring iptables.

So What Is iptables?

iptables is the basic application that powers the Linux Firewall – every variation of it. iptables is a command-line utility that allows or blocks traffic based on policies set by the admin. It’s pre-installed on almost all Linux distros, but if you don’t see it on yours you can install (or update) iptables using this command:

sudo apt-get install iptables

Remember, there are other firewall programs that you can use, but for the most complete coverage with the most customizable configuration, iptables is your best bet.

How to Create Your Own Linux Firewall with iptables

To begin configuring your own iptables, you must first log in as root. Once you’ve done this, start by listing all the rules that are already configured for iptables. Use this command:

sudo iptables -L

You already know that your system is using 3 chains: INPUT, FORWARD and OUTPUT. The INPUT chain controls behavior for incoming connections. The FORWARD chain manages behavior for incoming connections that are not delivered locally – a pass-through of sorts. The OUTPUT chain controls behavior for outgoing connections.

Next you’ll want to see if your system is already using (or needs to be using) the FORWARD chain. The verbose listing shows packet and byte counters for each chain, so you can find out with this command:

iptables -L -v

You may also want to accept connections by default. If that’s the case, you’ll execute the following commands:

iptables --policy INPUT ACCEPT

iptables --policy OUTPUT ACCEPT

iptables --policy FORWARD ACCEPT

To deny all connections by default, you will execute these commands:

iptables --policy INPUT DROP

iptables --policy OUTPUT DROP

iptables --policy FORWARD DROP

When setting up your firewall, you’re likely to want to allow or block specific connections. After all, that’s what custom configuration is all about! With iptables, you can set your policy chains to ACCEPT, REJECT or DROP specific IP addresses, ranges of IP addresses or ports.

If you ACCEPT these connections, it simply means they are allowed. If you REJECT them, the connections are not allowed and an error message is sent back to the source. If you DROP a connection, nothing is sent back at all; this can be used to block a source without letting them know your firewall is rejecting their connection, and it basically gives the source the impression that your system doesn’t even exist.

To ACCEPT, REJECT or DROP a specific IP address (we’ll use 123.12.123.12 as an example), you’d simply execute the following command:

iptables -A INPUT -s 123.12.123.12 -j ACCEPT

iptables -A INPUT -s 123.12.123.12 -j REJECT

iptables -A INPUT -s 123.12.123.12 -j DROP

To do the same for an entire range of IP addresses, you can specify the range using either a netmask or standard slash (CIDR) notation. In the following example, we demonstrate how to ACCEPT a range using an example prefix length of /26:

iptables -A INPUT -s 123.12.123.12/26 -j ACCEPT

To ACCEPT, REJECT or DROP connections to a specific port, you’d use the following command:

iptables -A INPUT -p tcp --dport ssh -s 123.12.123.12 -j ACCEPT

Keep in mind that “ssh” can be replaced with either a specific port number or another service name. The protocol is selected by the “-p tcp” part of the command, so “tcp” may be replaced by another protocol depending on what you are filtering.

Once you have made the desired changes and you’re feeling confident with the firewall you’ve configured, all that’s left to do is save your changes. The exact command varies a bit depending on which distribution of Linux you’re using.
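Putting the steps above together, here is an added example script (not from the original post) that builds a small default-deny INPUT policy: loopback and already-established connections are accepted, SSH is accepted only from the post’s example address range, one explicit REJECT shows the difference from DROP, and everything else is dropped. It assumes the interface name lo, the conntrack match and the /26 range; with DRY_RUN=1 (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post: builds a small default-deny
# INPUT policy from the rules explained above. With DRY_RUN=1 (the default)
# it only prints the iptables commands; DRY_RUN=0 applies them as root.
# 123.12.123.12 is the post's example address; the /26 range, the "lo"
# interface name and the conntrack match are assumptions for this example.

IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-1}"

# Print one iptables command (dry run) or execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        sudo "$IPT" "$@"
    fi
}

# Accept TCP traffic to port $2 (name or number) from source $1 (address or CIDR).
allow_tcp_from() {
    run -A INPUT -p tcp --dport "$2" -s "$1" -j ACCEPT
}

# Order matters: rules are evaluated top to bottom and the first match wins,
# so the ACCEPT rules go in before the default policy is switched to DROP.
# Otherwise an SSH session used to apply the policy remotely is cut off.
apply_policy() {
    run --policy INPUT ACCEPT   # stay reachable while the chain is rebuilt
    run -F INPUT                # flush any existing INPUT rules
    run -A INPUT -i lo -j ACCEPT                         # local processes talking to localhost
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # replies to our own connections
    allow_tcp_from 123.12.123.12/26 ssh                  # SSH only from the management range
    run -A INPUT -s 123.12.123.12 -p tcp --dport 80 -j REJECT   # REJECT answers with an error, DROP stays silent
    run --policy INPUT DROP     # everything else is silently dropped
    run --policy OUTPUT ACCEPT
    run --policy FORWARD DROP   # not a router, so no pass-through traffic
    # To keep the rules across reboots, save them with the tool your distro
    # provides, e.g. iptables-save > /etc/iptables/rules.v4 on Debian/Ubuntu
    # with the iptables-persistent package installed (assumption).
}

apply_policy
```

Run it once in dry-run mode and read the printed commands before setting DRY_RUN=0, since a DROP policy applied without the ACCEPT rules above it locks you out of a remote server.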

Protecting Your Linux-Based VPS

At SemoWeb, your security is among our top priorities. That’s why we’ve chosen to only offer Linux-based VPS. While we do offer certain services to help protect your VPS, there is only so much we’re able to do – after all, most of our customers do use unmanaged VPS services! One way you can help protect your VPS is by learning to properly configure iptables to set up your own Linux Firewall. There’s plenty you can do, so we encourage all our VPS customers to use SSH to access their servers and make sure they are as safe as possible!
