Setting up a good firewall is a necessary step for every system administrator who wants to secure an operating system. Iptables is a command-line tool that
lets a Linux system administrator configure the packet-filtering tables provided by the Linux kernel through the Netfilter project.
Iptables is used to protect your server from unwanted traffic from the internet.
There are many different firewall tools you can use to configure your firewall. Iptables is one of them and is included in most Linux distributions by default.
Iptables uses a set of tables, each made up of chains; a chain contains a set of built-in or user-defined rules.
There are three types of tables available in iptables:
FILTER table: This is the default table and contains the following chains:
INPUT: the default chain for packets destined to the system itself.
OUTPUT: the default chain for packets generated by the system.
FORWARD: the default chain for packets routed through the system.
NAT table: This table is consulted when a packet tries to create a new connection. It has the following built-in chains:
PREROUTING: This chain alters packets before routing. It is used to translate the destination IP address of packets that match the routing on the local machine, i.e. for destination NAT.
OUTPUT: This chain alters packets generated by the local machine.
POSTROUTING: This chain alters packets after routing. It is used to translate the source IP address of packets that match the routing on the local machine.
MANGLE table: This table is used for specialised packet alteration. Currently there are five chains available.
You can also limit connections on a specific port to a specific network. For example, if you want to allow outgoing connections on port 80 only to the network 192.168.0.1/24, run the following command:
If you want to delete all iptables rules, run the following command:
sudo iptables -F
To delete all user-defined chains, run the following command:
sudo iptables -X
You can also flush the rules of a specific table, such as the nat or mangle table, by running the following commands:
sudo iptables -t nat -F
sudo iptables -t mangle -F
You can also delete iptables rules by line number.
First, display all rules of the INPUT chain with their line numbers by running the following command:
sudo iptables -L INPUT -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
In the output above, you can see the list of all rules with their line numbers.
Now, to delete rule number 5, run the following command:
sudo iptables -D INPUT 5
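Deleting by number has a catch: after `iptables -D INPUT 5`, the old rule 6 becomes rule 5, so a list of numbers collected in advance goes stale unless you delete from the highest number down. The script below, an added example that is not part of the original tutorial, parses a constructed copy of the listing above, picks out the rule numbers matching a pattern (a precise match such as `dpt:22` rather than a bare `grep 22`) and only prints the delete commands in descending order; `rule_numbers` and `delete_commands` are hypothetical helper names.

```shell
# Constructed copy of the page's `iptables -L INPUT -n --line-numbers`
# listing, embedded so the script runs offline. On a live host replace it
# with:  INPUT_LISTING=$(sudo iptables -L INPUT -n --line-numbers)
INPUT_LISTING='Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED'

# rule_numbers LISTING PATTERN
# Print, on one line and highest number first, the rule numbers whose line
# matches PATTERN (an awk extended regex). Header lines have no leading
# number, so they are skipped.
rule_numbers() {
    printf '%s\n' "$1" |
        awk -v pat="$2" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }' |
        sort -rn | tr '\n' ' ' | sed 's/ $//'
}

# delete_commands CHAIN LISTING PATTERN
# Emit one `iptables -D` command per matching rule, in descending order so
# that each deletion leaves the remaining numbers valid. Nothing is applied;
# review the output, then run it.
delete_commands() {
    chain=$1
    listing=$2
    pat=$3
    for n in $(rule_numbers "$listing" "$pat"); do
        printf 'sudo iptables -D %s %s\n' "$chain" "$n"
    done
}

# Example run: which commands would remove every REJECT rule in INPUT?
delete_commands INPUT "$INPUT_LISTING" 'REJECT'
```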
Testing Iptables Rules
You can list all open ports on your system by running the following command:
sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 819/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1445/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 573/avahi-daemon: r
udp 0 0 0.0.0.0:34090 0.0.0.0:* 573/avahi-daemon: r
udp 0 0 127.0.0.1:323 0.0.0.0:* 586/chronyd
udp 0 0 0.0.0.0:58329 0.0.0.0:* 2327/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 2327/dhclient
You can see that ports 22 and 25 are open.
To check whether iptables allows access to port 22 from outside, run the following command:
sudo iptables -L INPUT -v -n | grep 22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
You can also use the telnet command to see if the firewall allows connections to port 22.
On a remote machine, run the following command:
telnet server-ip-address 22
You should see the following output:
Connected to 192.168.43.7.
Escape character is '^]'.
You can also use the nmap command to check whether port 22 is allowed or not.
On a remote machine, run the following command:
sudo nmap -sS -p 22 server-ip-address
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-17 14:25 IST
Nmap scan report for centOS-7 (192.168.43.7)
Host is up (0.00082s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 08:00:27:8C:3F:C6 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds