Setting Up and Managing iptables on Ubuntu
Installation
To get started with iptables on your Ubuntu system, you need to install it. Run the following command:
sudo apt install iptables
Check Version
After installation, verify the installed version. On Ubuntu 20.04 and later the output ends with (nf_tables), because the iptables command there is a front end to the nftables kernel interface; the rules in this post work unchanged on that backend:
sudo iptables -V
Install iptables-persistent
To ensure your iptables settings are saved and persist after a server restart, install iptables-persistent. Its installer asks whether to save the current IPv4 and IPv6 rules, and on every boot it reloads them from /etc/iptables/rules.v4 and /etc/iptables/rules.v6:
sudo apt install iptables-persistent
Managing iptables Rules
Checking the Current List of Rules
You can list the current iptables rules with:
sudo iptables -L
The -L flag lists the rules of the default filter table (add -t nat, for example, to see another table). Add -n to skip reverse DNS lookups of addresses, -v to show packet and byte counters, and --line-numbers to get the rule positions you need for -D or -I. Alternatively, -S prints the rules in the same command syntax used to create them.
Understanding iptables Chains
The default filter table, which is the one all commands in this post use, has three built-in chains:
INPUT: traffic addressed to the server itself.
FORWARD: traffic routed through the server to another host.
OUTPUT: traffic generated by the server.
Packets traverse a chain top to bottom and the first matching rule decides; if nothing matches, the chain's default policy applies. You can also define custom chains and jump to them from these three to manage groups of rules separately.
iptables Firewall Rules
Command Construction
The basic shape of an iptables command is:
sudo iptables [-t TABLE] <-A (Append) | -I (Insert at top) | -D (Delete)> <CHAIN: INPUT/FORWARD/OUTPUT or a custom chain> <MATCHES: -p protocol, -i/-o interface, --dport/--sport port, -m module with its options> -j <TARGET: ACCEPT, DROP, LOG, or a custom chain>
Because the first match wins, -A (which adds the rule at the end) and -I (which adds it at the front) produce different behaviour for the same rule.
1. Rule to Allow SSH
This rule allows SSH connections on port 22 over TCP for new and established connections:
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Here, we are appending (-A) a rule to the INPUT chain. The -m conntrack module is used for stateful packet inspection, and --ctstate selects connection states: NEW is the first packet of a connection and ESTABLISHED matches packets of a connection that has already seen traffic in both directions. Listing ESTABLISHED here is harmless but becomes redundant once the general RELATED,ESTABLISHED rule from step 3 is in place. If sshd listens on a different port, change --dport before you set the DROP policy in step 4.
2. Rules to Drop Invalid Traffic
These rules drop INVALID incoming and outgoing traffic, i.e. packets the connection tracker cannot associate with any known connection (malformed packets, out-of-window TCP segments, and similar). -m state is the older name for the conntrack match and behaves the same as -m conntrack --ctstate here:
sudo iptables -A INPUT -m state --state INVALID -j DROP
sudo iptables -A OUTPUT -m state --state INVALID -j DROP
3. Allow Loopback & Related Traffic
Accept every packet that belongs to, or is related to, a connection the tracker already knows about. This is what lets replies to your outbound traffic back in and, together with the ICMP and DNS rules below, is what keeps an SSH session alive once the DROP policies are set:
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
For loopback traffic, accept everything arriving on the lo interface. This covers the inbound half; because step 4 sets OUTPUT to DROP as well, the outbound half needs the matching rule on the OUTPUT chain with -o lo instead of -i lo, otherwise local services that talk to 127.0.0.1 break:
sudo iptables -A INPUT -i lo -j ACCEPT
4. Drop All Traffic Except the Rule List
Set the default policy to drop all traffic that does not match any rule. Do this only after the SSH and RELATED,ESTABLISHED rules above are in place, or an SSH session to the server will be cut off. FORWARD DROP is the right choice for a plain host; on a router, or on a host running containers that rely on forwarding, it blocks that traffic:
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
5. Allowing DNS
Allow outgoing DNS queries over UDP and TCP to port 53. Only NEW is needed, since the replies are accepted by the ESTABLISHED rule from step 3:
sudo iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
6. Allowing ICMP/Ping
Allow ICMP in both directions. As written this accepts every ICMP type; to accept only ping requests from outside, add --icmp-type echo-request to the INPUT rule (the echo replies to your own pings are already covered by the ESTABLISHED rule):
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A OUTPUT -p icmp -j ACCEPT
7. Allowing HTTP/HTTPS Traffic
Allow outgoing HTTP/HTTPS traffic, which apt and most update mechanisms need. These are OUTPUT rules for the server acting as a client; to serve web traffic you would add the equivalent INPUT rules for ports 80 and 443:
sudo iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Logging
Create a new chain called LOGGING that packets are sent to for logging:
sudo iptables -N LOGGING
Append jumps to it at the end of INPUT and OUTPUT. Because these come after every ACCEPT rule, only packets that matched nothing reach the chain:
sudo iptables -A INPUT -j LOGGING
sudo iptables -A OUTPUT -j LOGGING
Log those packets at most once a minute (plus an initial burst of 5, the default --limit-burst), so a flood cannot fill the log. The LOG target does not terminate processing: after logging, the packet returns to INPUT or OUTPUT and hits the DROP policy, which is why the prefix says dropped. The entries go to the kernel log (dmesg or journalctl -k), and --log-level 4 is warning:
sudo iptables -A LOGGING -m limit --limit 1/minute -j LOG --log-prefix "FW-Dropped: " --log-level 4
Saving Firewall Settings
Finally, save your firewall settings so they persist across reboots. This writes the live rules to /etc/iptables/rules.v4 and /etc/iptables/rules.v6, the files iptables-persistent loads at boot:
sudo netfilter-persistent save
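The steps above, collected into one file, as an added example (this is not code from the original post). It writes the whole ruleset in the iptables-save format that iptables-persistent reads, checks it with iptables-restore --test, and loads it in one atomic operation, so there is no moment where the policy is already DROP but the SSH rule is not yet present. It uses -m conntrack throughout and includes the OUTPUT loopback rule the list above lacks. Assumptions not stated on the page: sshd listens on SSH_PORT (default 22), RULES_FILE is the path iptables-persistent uses on Ubuntu, and the script (called firewall.sh here) is run as root.

```shell
#!/bin/sh
# Added example, not code from the original post: the rule list above as one
# iptables-restore file, validated and loaded atomically.
# Assumptions (not stated on the page): sshd listens on SSH_PORT (default 22);
# RULES_FILE is the path iptables-persistent reads on Ubuntu; apply_rules is
# run as root, typically over the SSH session it must not cut off.
set -eu

SSH_PORT="${SSH_PORT:-22}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

# Print the ruleset in iptables-save format. First match wins, so loopback,
# INVALID and ESTABLISHED rules come first, then the explicit allows, then
# the logging jump; whatever is left falls through to the DROP policies
# declared in the header. Lines starting with '#' are ignored by iptables-restore.
gen_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
# loopback, both directions (the post only shows the INPUT half)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# stateful: drop what conntrack cannot classify, accept replies
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# inbound SSH (NEW only; replies are handled by the rule above)
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# ICMP in both directions
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
# outbound DNS and HTTP/HTTPS (apt, updates)
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# everything else: log at a limited rate, then fall through to policy DROP
-A INPUT -j LOGGING
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 1/minute --limit-burst 5 -j LOG --log-prefix "FW-Dropped: " --log-level 4
COMMIT
EOF
}

# Number of -A rules in the generated set; a quick sanity check before applying.
rule_count() {
  gen_rules | grep -c '^-A '
}

# Back up the live rules, syntax-check the new file without committing it,
# then load it atomically; on failure restore the backup so the host is
# never left half-configured.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules must run as root" >&2; return 1; }
  command -v iptables-restore >/dev/null || { echo "iptables-restore not found" >&2; return 1; }
  backup="$(mktemp)"
  iptables-save > "$backup"
  gen_rules > "$RULES_FILE.new"
  iptables-restore --test "$RULES_FILE.new"
  if iptables-restore "$RULES_FILE.new"; then
    mv "$RULES_FILE.new" "$RULES_FILE"
    echo "applied $(rule_count) rules; previous rules saved in $backup"
  else
    iptables-restore "$backup"
    echo "apply failed, previous rules restored from $backup" >&2
    return 1
  fi
}

case "${1:-}" in
  gen)   gen_rules ;;
  apply) apply_rules ;;
esac
```

Run sh firewall.sh gen to review the ruleset, then sudo sh firewall.sh apply. Because iptables-restore replaces the whole filter table in one step, the order in which you typed the individual commands no longer matters, and since the file is moved into place under RULES_FILE, iptables-persistent reloads exactly the same rules at boot without a separate save step.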
By following these steps, you can effectively manage your iptables rules on an Ubuntu system, ensuring both security and functionality.
Written by
h3x0r
An aspiring cybersecurity student with a passion for keeping people and data safe. Constantly learning and adapting to the ever-changing landscape of cybersecurity to become a valuable asset to any organization.