iptables applies a set of rules to each of three types of packet movement through the network interface. Each set is called a CHAIN, and the three are described as:
INPUT - rules to determine which inbound traffic will be accepted or denied
OUTPUT - rules to determine which outbound traffic will be accepted or denied
FORWARD - rules to determine which traffic to be forwarded will be accepted or denied
All three chain names are in uppercase.
Follow the steps below to learn the most common ways of using iptables. Before you begin this tutorial, have a web server running on port 80; it is also a good idea to start with an empty set of rules. Open a command line terminal and flush the existing rules:
iptables -F
1. View Iptables Rules
List the rules currently in use:
iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

List the rules together with their rule numbers:
iptables -L --line-numbers
2. Append Rules
The decision on what to do with a packet is most often expressed with the targets DROP and ACCEPT, which are written in uppercase. Append a rule at the end of the INPUT chain to allow users to SSH to the server:
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Add a simple rule to allow your web server to be accessed over HTTP on port 80:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Add a rule to drop any other incoming packet:
iptables -A INPUT -j DROP
Now list the rules with their line numbers (iptables -L --line-numbers):
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
3    DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
3. Insert a rule
Each time a new rule is appended, it goes to the bottom of the list, and the rules are evaluated in the order they are listed: the first rule that matches a packet decides what happens to it. For example, if we appended an HTTPS rule to our current rules it would never take effect, because rule #3 already drops every incoming packet before the new rule is reached. The insert option (-I) places the rule before the rule number given after the chain name.
Insert a rule before the DROP rule (currently #3) to allow HTTPS:
iptables -I INPUT 3 -p tcp --dport 443 -j ACCEPT
Allow the loopback interface so that programs on the same server can talk to each other:
iptables -I INPUT 1 -i lo -j ACCEPT
4. Delete a rule
Delete using a rule number. After the two inserts the INPUT rules are numbered 1 (lo), 2 (ssh), 3 (http), 4 (https), 5 (DROP). Delete rule #3, which allows HTTP connections:
iptables -D INPUT 3
Use a web browser to access your web server, which is now behind the firewall. The request fails with a message like "This page can't be displayed", because the firewall drops every packet that does not match one of the earlier rules.
5. Default Policy
As seen in step #1, the default policy is ACCEPT for all three chains. The policy decides what happens to a packet that matches none of the rules in the chain, and it can be made strict by setting it to DROP.
Change the default policy of the INPUT chain to DROP every packet unless a listed rule allows it:
iptables -P INPUT DROP
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
4    DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Change the default policy for INPUT back to ACCEPT:
iptables -P INPUT ACCEPT
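The ordering behaviour of steps 2 to 5 (append goes to the bottom, insert goes before a numbered rule, the first matching rule wins, and the chain policy applies only when nothing matches) can be checked without a real firewall. The following simulator is an added example, not code from the tutorial; it models only the options the steps above use (-A, -I, -D, -P, -F, -p, --dport, -i, -j), the packets are constructed, and eth0 is an assumed name for the external interface.

```python
"""First-match simulator for the tutorial's INPUT chain (added example)."""
import shlex

# Service names accepted by --dport in the tutorial (as in /etc/services).
SERVICES = {"ssh": 22, "http": 80, "https": 443}


class Chain:
    def __init__(self, name, policy="ACCEPT"):
        self.name = name
        self.policy = policy   # applies when no rule matches
        self.rules = []        # evaluated top to bottom, first match wins


def parse_rule(tokens):
    """Turn ['-p', 'tcp', '--dport', '80', '-j', 'ACCEPT'] into a match dict."""
    rule = {"proto": None, "dport": None, "iface": None, "target": None}
    for opt, val in zip(tokens[::2], tokens[1::2]):
        if opt == "-p":
            rule["proto"] = val
        elif opt == "--dport":
            rule["dport"] = SERVICES[val] if val in SERVICES else int(val)
        elif opt == "-i":
            rule["iface"] = val
        elif opt == "-j":
            rule["target"] = val
        else:
            raise ValueError(f"option not modelled: {opt}")
    if rule["target"] not in ("ACCEPT", "DROP", "REJECT"):
        raise ValueError("rule needs -j ACCEPT, DROP or REJECT")
    return rule


def apply_command(chains, cmdline):
    """Apply one 'iptables ...' command line to the table of chains."""
    tokens = shlex.split(cmdline)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    cmd = tokens[0]
    if cmd == "-F" and len(tokens) == 1:      # flush every chain; policies stay
        for chain in chains.values():
            chain.rules.clear()
        return
    chain, rest = chains[tokens[1]], tokens[2:]
    if cmd == "-P":                            # default policy
        chain.policy = rest[0]
    elif cmd == "-A":                          # append at the bottom
        chain.rules.append(parse_rule(rest))
    elif cmd == "-I":                          # insert before rule N (default 1)
        pos = 1
        if rest and rest[0].isdigit():
            pos, rest = int(rest[0]), rest[1:]
        chain.rules.insert(pos - 1, parse_rule(rest))
    elif cmd == "-D":                          # delete rule N
        del chain.rules[int(rest[0]) - 1]
    elif cmd == "-F":                          # flush one chain
        chain.rules.clear()
    else:
        raise ValueError(f"command not modelled: {cmd}")


def verdict(chain, packet):
    """Return (target, rule number) of the first matching rule, or (policy, None)."""
    for num, rule in enumerate(chain.rules, start=1):
        if rule["proto"] and rule["proto"] != packet["proto"]:
            continue
        if rule["dport"] and rule["dport"] != packet.get("dport"):
            continue
        if rule["iface"] and rule["iface"] != packet["iface"]:
            continue
        return rule["target"], num
    return chain.policy, None


def run(commands):
    """Start from empty chains with policy ACCEPT and apply the commands in order."""
    chains = {name: Chain(name) for name in ("INPUT", "FORWARD", "OUTPUT")}
    for cmdline in commands:
        apply_command(chains, cmdline)
    return chains


# The tutorial's step 2 rule set.
STEP2 = [
    "iptables -F",
    "iptables -A INPUT -p tcp --dport ssh -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 80 -j ACCEPT",
    "iptables -A INPUT -j DROP",
]

# Constructed sample packets; eth0 is an assumed external interface name.
HTTPS_FROM_OUTSIDE = {"proto": "tcp", "dport": 443, "iface": "eth0"}
HTTP_FROM_OUTSIDE = {"proto": "tcp", "dport": 80, "iface": "eth0"}
HTTP_FROM_LOOPBACK = {"proto": "tcp", "dport": 80, "iface": "lo"}

if __name__ == "__main__":
    appended = run(STEP2 + ["iptables -A INPUT -p tcp --dport 443 -j ACCEPT"])
    inserted = run(STEP2 + ["iptables -I INPUT 3 -p tcp --dport 443 -j ACCEPT"])
    print("HTTPS with rule appended after DROP:", verdict(appended["INPUT"], HTTPS_FROM_OUTSIDE))
    print("HTTPS with rule inserted before DROP:", verdict(inserted["INPUT"], HTTPS_FROM_OUTSIDE))
```

Running the script shows the point of step 3 directly: the appended HTTPS rule is never reached because rule 3 (DROP) matches first, while the inserted one becomes the new rule 3 and accepts the packet. The simulator also keeps each chain's policy across a flush, which matches iptables: "iptables -F" removes rules but does not reset the policy set with -P.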
6. Saving the Rules
Changes made at the command line are lost when the iptables service or the server restarts. The rules can, however, be saved to a file and loaded at startup. Save the configured rules to a file in the /tmp folder:
iptables-save > /tmp/examples.1.iptables
On Red Hat and CentOS systems the rules are stored in the file /etc/sysconfig/iptables, where you can edit them directly and then restart iptables.
To load rules manually from a saved file, clear the existing rules and then run iptables-restore. Make sure you have created the rules file as described above. Note that iptables -F removes the rules but leaves each chain's default policy unchanged.
iptables -F
iptables -L
iptables-restore < /tmp/examples.1.iptables
iptables -L
Notes & Exercise
1. These are common rules to allow access to the web server from any other connected PC. They assume the default CentOS rules are in place, where rule number 5 is a REJECT rule.
iptables -I INPUT 5 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Describe the options being used in the 2 rules above.
2. With the default policy of each chain being ACCEPT, CentOS Linux includes these rules:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
The --reject-with option of the REJECT target may take any one of the following types:
icmp-net-unreachable
icmp-host-unreachable
icmp-port-unreachable (ICMP type 3; the default)
icmp-proto-unreachable
icmp-net-prohibited
icmp-host-prohibited or
icmp-admin-prohibited (*)
Describe what happens with this rule when a user accesses the web server using a web browser.