Linux iptables basics
Linux has a powerful tool for controlling traffic: the firewall, called iptables. Besides its basic security functions, iptables and the related kernel modules serve many other purposes: address and port translation, traffic prioritisation, and so on. Let's look at examples of using iptables for basic tasks, starting with the general syntax for adding a rule (the original text calls a chain a "queue"; the iptables term is chain):

iptables -A chain -s source -j action
Delete all rules in a specific chain with the -F key:

iptables -F chain
The simplest firewall task is to block all traffic from a specific IP address towards our server. To do this, run the following command:

iptables -A INPUT -s 1.2.3.4 -j DROP
Once this filter is installed, all IP packets from the address 1.2.3.4 are discarded on arrival. If the sender should be told that the host is unavailable, use a slightly modified rule:

iptables -A INPUT -s 1.2.3.4 -j REJECT
With REJECT, the system generates a special response for each incoming packet informing the sender that delivery failed. Use REJECT only when necessary: generating these responses consumes server resources, so in most cases DROP is sufficient.
The rules can also filter by protocol. For example, you can block only UDP from a specific sender:

iptables -A INPUT -p UDP -s 1.2.3.4 -j DROP
The following example shows how to specify a port number. We use the --dport key (destination port) to prevent the host 1.2.3.4 from connecting to our server via SSH on the standard port 22:

iptables -A INPUT -p TCP -s 1.2.3.4 --dport 22 -j DROP
It is possible to log the operation of certain rules. Let's arrange for the log file (usually /var/log/messages) to contain records of the filter's work. The first rule logs the incoming packets and the second one discards them; the order matters, because a packet that matches DROP is not passed on to later rules:

iptables -A INPUT -p TCP -s 1.2.3.4 --dport 22 -j LOG --log-prefix "SSH Filter:"
iptables -A INPUT -p TCP -s 1.2.3.4 --dport 22 -j DROP
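The LOG target writes one kernel log line per matching packet, with the prefix given by --log-prefix followed by fields such as SRC=, DST= and DPT=. The following shell script is an added example, not part of the original article: it summarises such lines by prefix and by source address, so that a logging rule can be turned into a quick report. The sample log lines are constructed here to look like typical /var/log/messages entries; SAMPLE_LOG, count_prefix and sources_for_prefix are names chosen for this example.

```shell
#!/bin/sh
# Added example: summarise kernel log lines produced by iptables LOG rules.
# The log lines below are constructed for this example; the field names
# (SRC=, DST=, PROTO=, DPT=) are the ones the LOG target writes.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 10:01:12 host kernel: SSH Filter:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.2.3.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:13 host kernel: SSH Filter:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.2.3.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:02:40 host sshd[1234]: Accepted publickey for admin from 198.51.100.7 port 40000 ssh2
Mar  3 10:05:01 host kernel: HACK:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=48 ID=7 DF PROTO=TCP SPT=4444 DPT=80 WINDOW=1024 RES=0x00 ACK PSH URGP=0
EOF
)

# count_prefix PREFIX -> number of kernel log lines carrying that --log-prefix.
# Only "kernel:" lines are counted, so other daemons' messages are ignored.
count_prefix() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "kernel: $1"
}

# sources_for_prefix PREFIX -> "SRC count" pairs, most frequent source first.
sources_for_prefix() {
    printf '%s\n' "$SAMPLE_LOG" \
      | grep "kernel: $1" \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $2, $1}'
}

count_prefix "SSH Filter:"          # 2
sources_for_prefix "SSH Filter:"    # 1.2.3.4 2
count_prefix "HACK:"                # 1
```

On a real host, replace the embedded sample with `grep 'kernel:' /var/log/messages` (or `journalctl -k` on systemd systems); the prefix is the only thing that distinguishes the lines of different LOG rules, which is why each rule should get a distinct --log-prefix.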
In iptables, you can specify not only a single address but an entire network. For example, let's block connections to our web server (port 80) from the address range 10.1.2.* (in CIDR notation, 10.1.2.0/24):

iptables -A INPUT -p TCP -s 10.1.2.0/24 --dport 80 -j DROP
The next example shows how iptables can inspect the contents of IP packets. For instance, it is possible to log or discard packets that contain a certain sequence of characters, in this case 'hack.php'. The string match requires a search algorithm to be named with --algo (bm or kmp), and -I inserts the rule at the top of the chain instead of appending it:

iptables -I INPUT -p TCP -m string --algo bm --string "hack.php" -j LOG --log-prefix "HACK:"
Consider another practical problem: limiting the number of connections towards our server per unit of time. This is useful against floods and simple attacks. The following rule limits a single IP address to 5 simultaneous SSH connections to our server:

iptables -A INPUT -p TCP --syn --dport 22 -m connlimit --connlimit-above 5 -j REJECT
A different configuration is also possible. The next rule limits the number of new connections to the web server to 25 per minute, and this limit takes effect only if there were 100 connections during the previous minute:

iptables -A INPUT -p TCP --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
Connections can be limited not only per single address or for the whole system, but also per network mask. In the following example, we block a whole /24 network once its addresses have more than 20 connections open. This used to be done with the iplimit module; in current iptables the same options belong to connlimit:

iptables -A INPUT -p TCP --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT
Finally, let's consider how to preserve the configured iptables rules so that they are active again after the operating system reboots. On CentOS, just run

service iptables save
On Debian, it is recommended to install the auxiliary package iptables-persistent with the standard package manager:

aptitude install iptables-persistent
Once iptables-persistent is installed, the system automatically saves the current rules before the operating system shuts down and restores them when it starts.
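Both persistence mechanisms above store the rules in iptables-save format (CentOS in /etc/sysconfig/iptables, iptables-persistent in /etc/iptables/rules.v4), and a file in that format can also be loaded atomically with iptables-restore, which replaces the whole ruleset in one step instead of leaving the half-applied state that adding rules one by one can produce. The script below is an added example, not the article's own code: it assembles the article's rules into one such file and counts the rule lines it wrote. Two details go beyond the article's commands: the limit rule gets --syn and a trailing DROP, because on its own an ACCEPT with -m limit only admits packets up to the limit and lets the rest fall through to whatever rule follows, and the /24 limit uses connlimit rather than the older iplimit name. The addresses 1.2.3.4 and 10.1.2.0/24 are the article's; RULES_FILE and the function names are chosen for this example.

```shell
#!/bin/sh
# Added example: build the article's rules as one iptables-restore file.
# RULES_FILE is an assumed name; on Debian with iptables-persistent the real
# path is /etc/iptables/rules.v4, on CentOS /etc/sysconfig/iptables.
RULES_FILE="${RULES_FILE:-./rules.v4}"

# build_ruleset -> prints the ruleset in iptables-restore syntax
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Keep loopback and already established flows working before any filter.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Log, then drop, SSH attempts from the blocked host.
-A INPUT -p tcp -s 1.2.3.4 --dport 22 -j LOG --log-prefix "SSH Filter:"
-A INPUT -p tcp -s 1.2.3.4 --dport 22 -j DROP
# Block the 10.1.2.0/24 network from the web server.
-A INPUT -p tcp -s 10.1.2.0/24 --dport 80 -j DROP
# At most 5 parallel SSH connections per source address.
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 5 -j REJECT
# At most 20 parallel web connections per /24 (connlimit replaces the old iplimit).
-A INPUT -p tcp --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT
# Rate-limit new web connections; the DROP after the limited ACCEPT makes the limit bite.
-A INPUT -p tcp --syn --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --syn --dport 80 -j DROP
COMMIT
EOF
}

# write_ruleset FILE -> writes the ruleset to FILE and prints how many
# "-A" rule lines it contains (comment lines are ignored by iptables-restore).
write_ruleset() {
    build_ruleset > "$1"
    grep -c '^-A ' "$1"
}

# check_ruleset FILE -> exit status of "iptables-restore --test" (needs root),
# or 2 when iptables-restore is not usable here, so the check is skipped.
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        iptables-restore --test "$1"
    else
        return 2
    fi
}

write_ruleset "$RULES_FILE"    # 9
```

Run `iptables-restore --test` on the file before copying it into place; it parses the whole ruleset and reports a syntax error without touching the live tables. Loading it for real with `iptables-restore < rules.v4` replaces the running rules atomically, which is also why the ACCEPT for established connections sits first: it keeps an existing console session alive even if a later rule is wrong.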
Finally, an important recommendation: mistakes made while setting up rules can lock you out of your own server. Make sure you have console access to the server (for dedicated servers, request an IP KVM; for a VDS, use the built-in VNC client) before configuring the firewall. From the console you can always restore access by deleting the erroneous rules.