iptables
Installation
To get started with iptables on your Ubuntu system, you need to install it. Run the following command:
sudo apt install iptables
Check Version
After installation, you can verify the installed version of iptables with:
sudo iptables -V
Install iptables-persistent
To ensure your iptables settings are saved and persist after a server restart, install iptables-persistent:
sudo apt install iptables-persistent
Managing iptables Rules
Checking the Current List of Rules
You can list the current iptables rules with:
sudo iptables -L
The -L flag lists the current rules; without -t it shows the default filter table, and adding -n -v --line-numbers shows numeric addresses, packet counters and each rule's position in its chain.
Understanding iptables Chains
The filter table, which iptables uses when no -t option is given, has three built-in chains:
INPUT: For incoming traffic.
FORWARD: For traffic that is forwarded through the server.
OUTPUT: For outgoing traffic.
You can also define custom chains to manage rules separately.
iptables Firewall Rules
Command Construction
The basic syntax for constructing iptables commands is:
sudo iptables <RULE:-A(Append),-D(Delete),-I(Insert)> <CHAIN:INPUT/FORWARD/OUTPUT> <FLAGS:-p(protocol),-i(interface) etc> <Interface Name,Port Number or Protocol Name> <More Args for Destination port/protocol/interface>
1. Rule to Allow SSH
This rule allows SSH connections on port 22 over TCP for new and established connections:
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Here, we are appending (-A) a rule to the INPUT chain. The -m conntrack module is used for stateful packet inspection, and --ctstate handles states like NEW and ESTABLISHED.
2. Rules to Drop Invalid Traffic
These rules drop any INVALID incoming and outgoing traffic (packets the connection tracker cannot associate with a known connection). The -m state match is an older spelling of -m conntrack --ctstate and behaves the same way:
sudo iptables -A INPUT -m state --state INVALID -j DROP
sudo iptables -A OUTPUT -m state --state INVALID -j DROP
3. Allow Loopback & Related Traffic
To allow loopback and related traffic:
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
For loopback traffic:
sudo iptables -A INPUT -i lo -j ACCEPT
4. Drop All Traffic Except the Rule List
Set the default policy to drop all traffic that does not match any rules. Because the SSH and RELATED,ESTABLISHED rules above are already in place, an existing SSH session survives this step; apply the policies only after those rules are loaded:
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP
sudo iptables -P FORWARD DROP
5. Unblocking DNS
Allow outgoing DNS requests over TCP/UDP on port 53:
sudo iptables -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
6. Allowing ICMP/Ping
To allow ICMP (ping) traffic:
sudo iptables -A INPUT -p icmp -j ACCEPT
sudo iptables -A OUTPUT -p icmp -j ACCEPT
7. Allowing HTTP/HTTPS Traffic
Allow outgoing HTTP/HTTPS traffic:
sudo iptables -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Logging
Create a new chain called LOGGING to forward packets for logging:
sudo iptables -N LOGGING
Set the rules to log packets:
sudo iptables -A INPUT -j LOGGING
sudo iptables -A OUTPUT -j LOGGING
Set the logging parameters and rate limit. LOG is not a terminating target: a packet that reaches LOGGING is logged at most once per minute, returns to the calling chain, and then falls through to the DROP policy set in step 4:
sudo iptables -A LOGGING -m limit --limit 1/minute -j LOG --log-prefix "FW-Dropped: " --log-level 4
Saving Firewall Settings
Finally, save your firewall settings so they persist across reboots; on Ubuntu, iptables-persistent writes them to /etc/iptables/rules.v4 (and rules.v6 for ip6tables) in iptables-restore format:
sudo netfilter-persistent save
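The complete rule set from steps 1 to 7 plus the logging chain, written out as an added example (not from the original page) in the iptables-restore format that iptables-persistent stores in /etc/iptables/rules.v4; loading it with iptables-restore applies all lines atomically, so the DROP policies never take effect before the SSH ACCEPT. It uses -m conntrack throughout, and each service rule only needs NEW because the RELATED,ESTABLISHED rule comes first. The check_ruleset function is a constructed offline sanity check, not an iptables tool.

```shell
#!/bin/sh
# Added example, not from the original page: the tutorial's rule set written in
# iptables-restore format, which is what iptables-persistent keeps in
# /etc/iptables/rules.v4. Loading it with iptables-restore applies every line
# atomically, so the DROP policies and the SSH ACCEPT take effect together.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
# loopback, invalid and already-tracked traffic are decided first
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new connections the tutorial permits
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# anything left is logged (rate-limited), returns, and hits the DROP policy
-A INPUT -j LOGGING
-A OUTPUT -j LOGGING
-A LOGGING -m limit --limit 1/minute -j LOG --log-prefix "FW-Dropped: " --log-level 4
COMMIT
EOF
}
# Constructed offline sanity check (no root needed): every custom jump target is
# declared, and on INPUT/OUTPUT the RELATED,ESTABLISHED accept precedes LOGGING.
check_ruleset() {
    rules=$(build_ruleset)
    for target in $(printf '%s\n' "$rules" | sed -n 's/.*-j \([A-Za-z_]*\).*/\1/p' | sort -u); do
        case "$target" in ACCEPT|DROP|LOG|REJECT|RETURN) continue ;; esac
        printf '%s\n' "$rules" | grep -q "^:$target " || return 1
    done
    for chain in INPUT OUTPUT; do
        est=$(printf '%s\n' "$rules" | grep -n "^-A $chain .*RELATED,ESTABLISHED -j ACCEPT" | cut -d: -f1)
        log=$(printf '%s\n' "$rules" | grep -n "^-A $chain -j LOGGING$" | cut -d: -f1)
        [ -n "$est" ] && [ -n "$log" ] && [ "$est" -lt "$log" ] || return 1
    done
    return 0
}
```

Validate the generated file before loading it with `build_ruleset | sudo iptables-restore --test`, then apply it with `sudo iptables-restore` and run `sudo netfilter-persistent save` as above.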
By following these steps, you can effectively manage your iptables rules on an Ubuntu system, ensuring both security and functionality.