Iptables Configuration Tips and Tricks
The built-in (kernel level) linux firewall, iptables, can be daunting to attempt to use, however is a simple redirection filter in practice. I have used iptables from everything from securing my home networks, to routing things over a VPN and through a Intrustion Prevention System (Suricata), to other advanced things such as redirecting traffic from a single user going to port 80 to a local squid proxy on a different port. Here I will teach you the basics of how iptables tools are used.
I also set up iptables and/or IDS/IPS software as a service
I suggest installing iptables-persistent from your distro’s package manager, as well as the iptables utilities (the latter should already be installed).
You’ll need access to the root account on the system to perform these tasks. It also must be a linux machine.
First remember that the order of the rules is critical. If you drop all your packets before the rest of the rules come into play, things won’t work right!
I first suggest that you take a look at your current iptables ruleset by running iptables -L -v. This should output something like:
This can varry widely depending on your current ruleset, so now you should definately do a
Which will save your current ruleset to a file that looks something like:
Important: This next command may kill your ssh session as well as other current sessions!
If you would like to flush the current tables you’re now free to do a:
Then you should reset your default policy to ACCEPT for this walkthrough:
Now you should also grab your current local IP address using something like
curl ifconfig.me and whitelist that, at the top of the rules so that you won’t lock yourself out. Also make sure that stateful connections will stay open using conntrack.
You should now make sure things like SMTP won’t work in case the box becomes compromised at some point by dropping all traffic to TCP 25 anywhere (you’ll need to not do this if this is intended to be a mail server).
Also make sure that DNS will always go through.
Make sure that stuff will work on the outbound:
You should also make sure that SSH inbound is open so that you can connect back in, and only have 5 active sessions at once:
Also to demonstrate that commands can be mixed and matched we’ll make sure that the user street can only use IRC from this server.
Then you can drop all pings that are not on your LAN by doing:
Then finally you should drop all other incoming packets you didn’t explicity let through earlier by doing:
After the preceding command, if you have any other things you need to drop, you’ll need to use
-I instead of
-A to insert further up the chain than your last DROP or you’ll end up dropping before getting to it.
So say you have an attacker 126.96.36.199, you can now do:
This will keep the ruls in order.
Once you play around with it until you get the ruleset you like, you should then run the command:
Which will restore the same iptables rules on reboot.
Note: If somehow you messed up, you can always run:
iptables-restore < /rootiptables.$(date -I).1 or resore your older last reboot ruleset with
iptables-restore < /etc/iptables/rules.v4.
Hope you’ve learned something, and enjoyed reading. If you have any questions, feel free to email me!
Happy New Years!
Bitcoin Donation Address: