Setting up a good firewall is a necessary step for every system administrator who wants to secure their operating system. Iptables is a command-line tool that
allows a Linux system administrator to configure the packet-filtering tables provided by the Linux kernel through the Netfilter framework.
Iptables is used to protect your server from unwanted traffic from the internet.
There are many different firewall tools available for configuring your firewall. Iptables is one of them, and it is included in most Linux distributions by default.
Iptables uses a set of tables, each made up of chains; a chain contains a set of built-in or user-defined rules.
There are three types of tables available in iptables:
FILTER table: This is the default table and contains the following chains:
INPUT: the default chain for packets destined for the local system.
OUTPUT: the default chain for packets generated by the local system.
FORWARD: the default chain for packets routed through the system.
NAT table: This table is consulted when a packet tries to create a new connection. It has the following built-in chains:
PREROUTING: alters packets before routing. It is used to translate the destination IP address of incoming packets (destination NAT), which changes how the local machine routes them.
OUTPUT: alters packets generated by the local machine before they are routed.
POSTROUTING: alters packets after routing. It is used to translate the source IP address of packets (source NAT) once the routing decision has been made.
MANGLE table: This table is used for specialised packet alteration. Currently it has five chains available.
You can also limit connections on a specific port to a specific network. For example, to allow outgoing connections on port 80 only to the network 192.168.0.1/24, run the following command:
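The outgoing-port-80 restriction described above, shown as an added example rather than the tutorial's own command. It embeds the rule in a complete ruleset loaded with iptables-restore, which replaces the whole table atomically instead of appending rules one at a time, and it schedules an automatic rollback so a mistake cannot lock you out of SSH. The INPUT chain mirrors the one listed later in this tutorial; the conntrack match (rather than the older state match), the DROP policy on OUTPUT and FORWARD, and the network 192.168.0.0/24 (the tutorial's 192.168.0.1/24 written in canonical form) are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.  Builds a small stateful
# ruleset in iptables-restore format and applies it only when asked to.

LAN_NET="192.168.0.0/24"   # assumed: the only network reachable on TCP/80
SSH_PORT=22

# Emit the ruleset on stdout.  With an OUTPUT policy of DROP, only replies to
# accepted connections, loopback traffic and new TCP/80 connections to LAN_NET
# may leave the host; anything else (DNS, package updates) needs its own rule.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -d $LAN_NET --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules (policy lines excluded); a cheap sanity check before loading.
count_rules() {
    build_ruleset | grep -c '^-A '
}

# Succeeds if the ruleset has a rule for CHAIN with --dport PORT and target TARGET.
has_rule() {   # usage: has_rule CHAIN PORT TARGET
    build_ruleset | grep -q -- "^-A $1 .*--dport $2 .*-j $3"
}

# Parse-only check: iptables-restore --test validates the file without loading it.
check_syntax() {
    if command -v iptables-restore >/dev/null 2>&1; then
        build_ruleset | iptables-restore --test
    else
        echo "iptables-restore not installed; skipping syntax check" >&2
    fi
}

# Load the ruleset atomically.  The running rules are saved first and restored
# automatically after 60 seconds; once you have confirmed that SSH still works,
# cancel the rollback with: kill $ROLLBACK_PID
apply_ruleset() {
    iptables-save > /tmp/iptables.rollback || return 1
    ( sleep 60 && iptables-restore < /tmp/iptables.rollback ) &
    ROLLBACK_PID=$!
    build_ruleset | iptables-restore
}

# Only root with APPLY=1 changes anything; otherwise this is a dry run that
# prints the ruleset that would be loaded.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    apply_ruleset
else
    build_ruleset
fi
```

Run it as-is to see the ruleset, `check_syntax` to have iptables-restore parse it, and `sudo APPLY=1 sh firewall.sh` (a file name assumed for the example) to load it with the rollback armed.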
To delete (flush) all rules in the default filter table, run the following command:
sudo iptables -F
To delete all user-defined chains, run the following command:
sudo iptables -X
You can flush the rules of a specific table, such as the nat or mangle table, by running the following commands:
sudo iptables -t nat -F
sudo iptables -t mangle -F
You can also delete iptables rules by line number.
First, display all rules of the INPUT chain with their line numbers by running the following command:
sudo iptables -L INPUT -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
4 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
5 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
6 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,ESTABLISHED
In the above output, you can see the list of all rules with their line numbers.
Now, to delete line number 5, run the following command:
sudo iptables -D INPUT 5
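Two things a practitioner wants to know before deleting by number: which rules in the chain can never match, and the fact that iptables renumbers the chain after every deletion. The added example below (not from the tutorial) audits a chain for dead rules and prints deletions in an order that survives renumbering. Its input is a constructed `iptables -S INPUT` dump assumed to correspond to the chain listed above; the rule-spec form is used because `iptables -L` without `-v` hides interface matches, so rule 3 in the listing looks like a catch-all ACCEPT although it is most likely the loopback rule `-i lo`.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.  Finds rules that sit
# behind a catch-all terminating rule and emits delete commands safely.

# Constructed rule-spec dump assumed to match the tutorial's INPUT listing.
CHAIN_DUMP='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT'

# Print the numbers (as used by "iptables -D CHAIN N") of rules that follow a
# terminating rule with no match options, i.e. one that matches every packet.
# Those rules are dead: here rule 6 can never be reached because rule 5
# already rejects everything.
unreachable_rules() {   # reads "iptables -S CHAIN" output on stdin
    awk '
        $1 != "-A" { next }          # skip -P (policy) and -N (new chain) lines
        { n++ }                      # n is the position -D would use
        shadowed { print n; next }   # everything after the catch-all is dead
        # "-A CHAIN -j TARGET ...": nothing between the chain name and -j,
        # and a target that ends processing of the chain
        $3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT") {
            shadowed = 1
        }
    '
}

# Emit delete commands highest number first.  iptables renumbers the chain
# after each deletion, so deleting 2 and then 6 would actually remove what
# used to be rule 7; deleting 6 and then 2 hits exactly the rules listed.
delete_commands() {     # usage: delete_commands CHAIN NUM...
    chain=$1; shift
    for n in "$@"; do echo "$n"; done | sort -rn |
        while read -r n; do echo "sudo iptables -D $chain $n"; done
}

# Dry run on the constructed dump: report dead rules and how to remove them.
dead=$(printf '%s\n' "$CHAIN_DUMP" | unreachable_rules)
if [ -n "$dead" ]; then
    echo "unreachable rules in INPUT:" $dead
    delete_commands INPUT $dead
fi
```

On a live host feed the real dump in with `sudo iptables -S INPUT | unreachable_rules`; the commands printed by `delete_commands` are only echoed, so you can review them before running any.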
Testing Iptables Rules
You can list all open ports on your system by running the following command:
sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 819/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1445/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 573/avahi-daemon: r
udp 0 0 0.0.0.0:34090 0.0.0.0:* 573/avahi-daemon: r
udp 0 0 127.0.0.1:323 0.0.0.0:* 586/chronyd
udp 0 0 0.0.0.0:58329 0.0.0.0:* 2327/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 2327/dhclient
You can see that ports 22 and 25 are open.
To check whether iptables allows access to port 22 from outside, run the following command:
sudo iptables -L INPUT -v -n | grep 22
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
You can also use the telnet command to see whether the firewall allows connections to port 22.
On remote machine, run the following command:
telnet server-ip-address 22
You should see the following output:
Connected to 192.168.43.7.
Escape character is '^]'.
You can also use the nmap command to check whether port 22 is allowed or not.
On remote machine, run the following command:
sudo nmap -sS -p 22 server-ip-address
Starting Nmap 6.40 ( http://nmap.org ) at 2016-08-17 14:25 IST
Nmap scan report for centOS-7 (192.168.43.7)
Host is up (0.00082s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: 08:00:27:8C:3F:C6 (Cadmus Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
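The checks above test one port at a time. The added example below (not from the tutorial) does the comparison for every listener at once: it reads the `netstat -tulpn` output and an `iptables -S INPUT` dump and reports which sockets bound to all interfaces have no explicit ACCEPT rule. Both inputs are constructed, the listener list copied from the tutorial's netstat output and the rule dump assumed to match its INPUT chain. It also makes visible a detail of that output: port 25 is bound to 127.0.0.1 only, so it is open but not reachable from the network, while the avahi and dhclient UDP ports are exposed and fall through to the DROP policy.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.  Cross-checks listening
# sockets against the explicit ACCEPT rules of the INPUT chain.

# Constructed copy of the tutorial's "netstat -tulpn" listing.
LISTENERS='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 819/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1445/master
udp 0 0 0.0.0.0:5353 0.0.0.0:* 573/avahi-daemon: r
udp 0 0 0.0.0.0:34090 0.0.0.0:* 573/avahi-daemon: r
udp 0 0 127.0.0.1:323 0.0.0.0:* 586/chronyd
udp 0 0 0.0.0.0:58329 0.0.0.0:* 2327/dhclient
udp 0 0 0.0.0.0:68 0.0.0.0:* 2327/dhclient'

# Constructed "iptables -S INPUT" dump assumed to match the tutorial's chain.
RULES='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# Print "proto/port" for every socket bound to all interfaces (0.0.0.0 or ::).
# Sockets bound to 127.0.0.1 are reachable only locally and are skipped.
exposed_listeners() {   # reads netstat -tulpn lines on stdin
    awk '$1 ~ /^(tcp|udp)6?$/ {
        proto = substr($1, 1, 3)
        n = split($4, a, ":")                             # last piece is the port
        host = substr($4, 1, length($4) - length(a[n]) - 1)
        if (host == "0.0.0.0" || host == "::") print proto "/" a[n]
    }'
}

# Print "proto/port" for every explicit ACCEPT rule that carries a --dport.
accepted_ports() {      # reads "iptables -S INPUT" lines on stdin
    awk '$1 == "-A" {
        proto = ""; port = ""; target = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "-j") target = $(i + 1)
        }
        if (target == "ACCEPT" && port != "") print proto "/" port
    }'
}

# Exposed listeners that an ACCEPT rule explicitly allows.
allowed_listeners() {
    accepted=$(printf '%s\n' "$RULES" | accepted_ports)
    printf '%s\n' "$LISTENERS" | exposed_listeners | while read -r lp; do
        if printf '%s\n' "$accepted" | grep -qxF "$lp"; then echo "$lp"; fi
    done
}

# Exposed listeners with no matching ACCEPT rule.  Under a DROP policy they
# are unreachable from the network, often intended (avahi, dhclient) but
# worth confirming rather than assuming.
unallowed_listeners() {
    accepted=$(printf '%s\n' "$RULES" | accepted_ports)
    printf '%s\n' "$LISTENERS" | exposed_listeners | while read -r lp; do
        if ! printf '%s\n' "$accepted" | grep -qxF "$lp"; then echo "$lp"; fi
    done
}

echo "exposed and allowed:";      allowed_listeners
echo "exposed, no ACCEPT rule:";  unallowed_listeners
```

On a live host replace the two constants with `sudo netstat -tulpn` and `sudo iptables -S INPUT` output. Note that the tutorial's `grep 22` matches any rule whose line contains "22" (for example port 2222 or an address), so filtering on the exact `dpt:22` token, as the awk parser above does with `--dport`, avoids false matches.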