Setting up a good firewall is a necessary step for every system administrator who wants to secure an operating system. Iptables is a command-line tool that
allows a Linux system administrator to configure the packet-filtering tables provided by the Linux kernel's Netfilter framework.
Iptables is used to protect your server from unwanted traffic from the internet.
There are many different firewall tools available that you can use to configure your firewall. Iptables is one of them, and it is included in most Linux distributions by default.
Iptables organizes rules into a set of tables, each with different chains; a chain is an ordered list of built-in or user-defined rules.
There are three types of tables available in iptables:
FILTER table: This is the default table. It contains the following chains:
INPUT: This is the built-in chain for packets destined to the local system.
OUTPUT: This is the built-in chain for packets generated by the local system.
FORWARD: This is the built-in chain for packets routed through the system.
NAT table: This table is consulted when a packet tries to create a new connection. It has the following built-in chains:
PREROUTING: This chain alters packets before routing. It is used to translate the destination IP address of packets that match a route on the local machine, which is why it is used for destination NAT.
OUTPUT: This chain is used for altering packets generated by the local machine.
POSTROUTING: This chain is used for altering packets after routing. It is used to translate the source IP address of packets that match a route on the local machine.
MANGLE table: This table is used for altering packets. Currently there are five chains available.
You can also restrict connections on a specific port to a specific network. For example, if you want to allow outgoing connections on port 80 only to the network 192.168.0.1/24, then run the following command:
If you want to delete all iptables rules, run the following command:
sudo iptables -F
To delete the user-defined chains, run the following command:
sudo iptables -X
You can also flush the rules of a specific table, such as the nat or mangle table, by running the following commands:
sudo iptables -t nat -F
sudo iptables -t mangle -F
You can also delete iptables rules by line number.
First, display all rules of the INPUT chain with their line numbers by running the following command:
sudo iptables -L INPUT -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
In the above output, you can see the list of all rules with their line numbers.
Now, to delete the rule at line number 5, run the following command:
sudo iptables -D INPUT 5
Testing Iptables Rules
You can list all open ports on your system by running the following command:
sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 819/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1445/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 573/avahi-daemon: r
udp 0 0 0.0.0.0:34090 0.0.0.0:* 573/avahi-daemon: r
udp 0 0 127.0.0.1:323 0.0.0.0:* 586/chronyd
udp 0 0 0.0.0.0:58329 0.0.0.0:* 2327/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 2327/dhclient
You can see that ports 22 and 25 are open.
To check whether iptables allows access to port 22 from outside, run the following command:
sudo iptables -L INPUT -v -n | grep 22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
You can also use the telnet command to see whether the firewall allows connections to port 22.
On remote machine, run the following command:
telnet server-ip-address 22
You should see the following output:
Connected to 192.168.43.7.
Escape character is '^]'.
You can also use the nmap command to check whether port 22 is open:
On remote machine, run the following command:
sudo nmap -sS -p 22 server-ip-address
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-17 14:25 IST
Nmap scan report for centOS-7 (192.168.43.7)
Host is up (0.00082s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 08:00:27:8C:3F:C6 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
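The two checks above (the listening ports from netstat and the INPUT rules from iptables -L) can be combined into one audit. The following is an added example, not part of the original tutorial: it parses the `-v` form of the chain listing and reports, for each exposed port, which rule accepts or rejects a new connection. The sample listing, the eth0 interface name and the listener set are constructed assumptions.

```python
"""Added example: audit an iptables INPUT chain against the ports a host is
listening on, by walking the chain first-match the way the kernel does for a
NEW packet arriving on eth0 (INPUT policy DROP assumed)."""
import re

# Constructed sample in `iptables -L INPUT -v -n --line-numbers` layout.
# -v matters: plain -L hides the in/out interface columns, so a loopback-only
# rule like number 3 looks like a match-everything ACCEPT.
IPTABLES_OUT = """\
Chain INPUT (policy DROP 12 packets, 720 bytes)
num pkts bytes target prot opt in out source destination
1 900 60000 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 4 336 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
3 30 2400 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
4 2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 7 420 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""
# Listeners bound to a public address per `netstat -tulpn` (constructed);
# the 127.0.0.1:25 postfix socket is left out since it is unreachable anyway.
LISTENERS = {("tcp", 22), ("tcp", 80), ("udp", 5353)}

def parse_rules(text):
    """Columns: num pkts bytes target prot opt in out src dst [matches...]."""
    rules = []
    for f in (line.split() for line in text.splitlines()):
        if not f or not f[0].isdigit():
            continue  # "Chain ..." banner or the column header
        extra = " ".join(f[10:])  # module matches such as state/dpt
        dport = re.search(r"dpt:(\d+)", extra)
        state = re.search(r"state (\S+)", extra)
        rules.append({"num": int(f[0]), "target": f[3], "proto": f[4], "in": f[6],
                      "dport": int(dport.group(1)) if dport else None,
                      "state": state.group(1).split(",") if state else None})
    return rules

def verdict(rules, proto, port, iface="eth0"):
    """First matching rule wins; (None, policy) when nothing matched."""
    for r in rules:
        if (r["in"] in ("*", iface) and r["proto"] in ("all", proto)
                and r["dport"] in (None, port)
                and (not r["state"] or "NEW" in r["state"])):
            return r["num"], r["target"]
    return None, "DROP (policy)"

def audit(iptables_text=IPTABLES_OUT, listeners=LISTENERS):
    """Map each exposed listener to the (rule number, target) deciding its fate."""
    rules = parse_rules(iptables_text)
    return {f"{p}/{port}": verdict(rules, p, port) for p, port in sorted(listeners)}
```

Run `audit()` on the real `-v -n --line-numbers` listing to see at a glance that port 22 is accepted by rule 4 while 80/tcp and 5353/udp fall through to the REJECT at rule 5.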