iptables comments

Today I had to set up iptables to do some very basic IP filtering on two servers. There is quite a bit of information scattered around the internet, but it took a while to find the helpful pieces. I suggest starting with netfilter.org for a good selection of documentation; the Mastering IPTables article is worth a look, and this tutorial is a good starting point for beginners.

iptables -F INPUT

Use this to flush the INPUT chain. It is good to add to the beginning of any script you write; otherwise your old rules remain in place unless your script specifically replaces them. The INPUT chain deals with packets destined for the local machine. There are two other built-in chains: OUTPUT and FORWARD. OUTPUT applies to packets originating locally, and FORWARD applies to packets routed through the server that are not addressed to it. You can also make your own chains. See the linked articles for more information.

iptables -A INPUT -s [ip address, network] -p tcp --destination-port ssh -j ACCEPT

This sets up the server to accept ssh connections from a specific set of IP addresses or from a specific network. You can omit the -s parameter to allow ssh from any source. You can substitute any port number or service name for ssh to write a rule for it.

In addition, you can change the ACCEPT to DROP or REJECT. DROP silently discards the packets with no response. REJECT actually returns an error, so the client sees ‘connection refused’. Rules in a chain are evaluated in order and the first match wins, so the REJECT has to come after the ACCEPT rules it is meant to fall through from. For example, I may list some rules accepting tcp traffic on port 9999 from certain IPs, then follow up with the following to reject any other traffic to that port.

iptables -A INPUT -p tcp --destination-port 9999 -j REJECT

If you want to check your progress, type

iptables --list

I also placed these statements into a shell script (/etc/firewall.sh) which I called from within /etc/rc.local. However, there are plenty of samples of more sophisticated startup scripts for handling these rules. Be sure to check out other resources like Chapter 9 of the Linux Network Administrator Guide.
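As an added example (not the post's own /etc/firewall.sh), here is the rule set discussed above assembled into one script: flush INPUT, allow ssh from a management network, allow port 9999 from a couple of peer servers, then reject anything else on that port. The addresses, the peer list and the FIREWALL_APPLY switch are my assumptions; without FIREWALL_APPLY=1 the script only prints the iptables commands it would run, which lets you review the order before loading it as root.

```shell
#!/bin/sh
# Added example, not the original post's script. Assumed values below; edit
# them for your own hosts. Run "FIREWALL_APPLY=1 sh firewall.sh" as root to
# load the rules; run it without that variable for a dry run that only prints.

ADMIN_NET="192.0.2.0/24"                  # assumed management network allowed to ssh
APP_PORT="9999"                           # application port from the post
APP_CLIENTS="198.51.100.10 198.51.100.11" # assumed peer servers allowed on APP_PORT

# $IPT is the real iptables when applying, and "echo iptables" for the dry run.
if [ "${FIREWALL_APPLY:-0}" = "1" ]; then
    IPT="iptables"
else
    IPT="echo iptables"
fi

# Emit (or apply) the whole INPUT rule set in order: flush, ACCEPTs, then REJECT.
build_rules() {
    # 1. Flush INPUT so rerunning the script replaces old rules instead of appending.
    $IPT -F INPUT

    # 2. Allow ssh only from the management network.
    $IPT -A INPUT -s "$ADMIN_NET" -p tcp --destination-port ssh -j ACCEPT

    # 3. Allow the application port from each listed peer.
    for host in $APP_CLIENTS; do
        $IPT -A INPUT -s "$host" -p tcp --destination-port "$APP_PORT" -j ACCEPT
    done

    # 4. First match wins, so the REJECT goes last and only catches traffic
    #    that matched none of the ACCEPT rules above.
    $IPT -A INPUT -p tcp --destination-port "$APP_PORT" -j REJECT
}

# Dry-run helper: count the -A rules the script would add, without touching
# the kernel even when FIREWALL_APPLY=1 (the subshell forces the echo mode).
rule_count() {
    (IPT="echo iptables"; build_rules) | grep -c '^iptables -A'
}

build_rules
```

Note that this leaves the INPUT chain's default policy at ACCEPT, so ports other than 9999 stay reachable from everywhere; that matches the post's goal of blocking only a few ports, and it also means rule 2 is a whitelist in name only until you add a matching REJECT for ssh.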

Once again, I’m not a network or security expert; I just needed to block access to a few ports from everywhere except a couple of servers. iptables proved to be a good, simple solution.
