Can you recommend a good intro to iptables? [closed]

linux iptables router vpn

Solution 1:

Links to official and recommended documentation exist on the Netfilter Web site.

This is not a new subject, resources are limitless.

Most basic commands are fairly intuitive and can easily be reference to the manpage.

netfilter, which is the kernel level technology that enables the packet filtering, is quite advanced. There are additional tables that can mangle packets, translate packets, and otherwise affect routing. The iptables utility is the userland tool for interacting with netfilter. If you wish to learn about advanced functionality, I suggest you reference the aforementioned documentation. For an introduction to the basic functionality, please read further.

To list all existing rules:

iptables -L -n

-n prevents iptables from resolving ips, which produces faster output.

The default table is the filter table, which is what is used to apply basic firewall rules to the three chains. The three default chains in the filter table are INPUT, OUTPUT, and FORWARD.

The chains are largely self explanatory. The INPUT chain affects packets coming in, the OUTPUT chain affects locally generated packets, and finally FORWARD for any packets that route through the system.

Among the targets you can specify, you can DROP packets, meaning simply ignore and not respond. You can REJECT packets, where an icmp response would be sent to the source of the denial. Finally, you can ACCEPT them, which allows the packets to continue routing.

Often with an external facing firewall the default choice will be DROP as opposed to REJECT, as it reduces the visible footprint of your network on the Internet. For example, an IP that otherwise limits services to a specific host would have less visibility with DROP.

Note, -A means append to the end of the chain. If you wish to insert to the top, you can use -I. All rules are processed from the top down. -D for deletion.

To DROP an incoming packet coming from the 192.168.235.235:

iptables -A INPUT -s 192.168.235.235 -j DROP

This jumps to the DROP target for all protocols coming from that IP.

To accept:

iptables -A INPUT -s 192.168.235.235 -j ACCEPT

To prevent access to that IP from your local server or network:

iptables -A OUTPUT -d 192.168.235.235 -j DROP

You can specify the -p protocol, the -s source of the packet, the -d destination for the packet, the destination port --dport, the source port --sport, and many other flags that will affect how the packets are treated by the rule.

If your default INPUT policy were DROP and you wanted to allow everyone at the 192.168.123.0/24 subnet to access SSH on your server, here is an example:

iptables -A INPUT -s 192.168.123.0/24 -p tcp --dport 22 -j ACCEPT

That's right, you can use CIDR notation too!

Generally speaking, the best default policy is DROP for all chains. Every chain has a default policy, which is specified by the -P flag. Even if you have your policy set to default DROP, it is still advised to have the final entry in a chain to be a DROP as well.

For example, to change the policy to DROP for the INPUT, FORWARD, and OUTPUT chains:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Be careful, if you specify the default policy of DROP for INPUT on a remote system without first allowing yourself SSH access, you could prevent yourself from accessing the system. If on a remote system, you could specify a temporary crontab to flush all rules every 5 minutes as a failsafe.

To delete all rules and allow all traffic:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -X
iptables -F

Note, -X removes all created chains. -F flushes all rules.

There are native tools to save and restore the rules. Particularly, iptables-save and iptables-restore. Most modern Linux distributions have save and restore functions within an iptables init file provided with the system.

There are other firewall best practices, such as dropping malformed packets and other type of undesirable traffic. This is one advantage of using a front end utility such as Shorewall, as it will implement many of these polices by default. Nevertheless, I agree with your approach and prefer to maintain my own rules directly as well, and these same best practices can be implemented without a front end.

Solution 2:

Iptables Tutorial

Solution 3:

I found https://help.ubuntu.com/community/IptablesHowTo helpful recently. I don't think anything in there is especially Ubuntu-specific.

Related

Is there a working Linux backup solution that uses inotify?
How to tell if it's your problem or your ISP's problem
EC2 drive not EBS volume size
Free service for checking for DNS errors on your domain?
For an intranet server would you buy a ssl cert or use a self signed cert?
What is preventing you from deploying desktop Linux in your environment?
How can I use HAproxy with SSL and get X-Forwarded-For headers AND tell PHP that SSL is in use?
How to set up strongswan or openswan for pure IPSEC with iPhone client?
SSH authorized_keys command option: multiple commands?
I just did a chmod -x chmod
RSA certificate configured for SERVER does NOT include an ID which matches the server name
Windows serial console