Installing and managing iptables in Linux/Unix

In this post we will see how to install and manage iptables in Linux/Unix.

iptables is the firewall that comes by default with Linux/Unix. It holds a set of rules organised into chains; the default chains are listed below.

INPUT – incoming network traffic to this machine from outside.

FORWARD – network traffic passing through this machine to or from the other side of the firewall.

OUTPUT – outgoing network traffic from this machine.

Each rule in a chain carries one of the actions (targets) below, which decides what happens to a packet that matches it.

ACCEPT – allow the incoming traffic from outside.

DROP – drop the packet silently, with no reply to the sender.

REJECT – drop the packet and send the sender an appropriate error message.

Check whether the iptables package is installed using the command below.

[root@server ~]# rpm -qa | grep iptables
iptables-devel-1.4.21-17.el7.x86_64
iptables-1.4.21-17.el7.x86_64
iptables-services-1.4.21-17.el7.x86_64

If the package is not installed, use yum to install it as below.

Note: the yum package manager must be installed to use it.

[root@server ~]# yum install iptable*

Now enable iptables permanently so that it starts in this run level.

[root@server ~]# systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.

Commands to start iptables and check its status:

[root@server ~]# systemctl start iptables

[root@server ~]# systemctl status iptables
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: active (exited) since Sun 2017-10-29 09:20:21 IST; 5s ago
Process: 2331 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
Main PID: 2331 (code=exited, status=0/SUCCESS)

Oct 29 09:20:21 server systemd[1]: Starting IPv4 firewall with ipta....
Oct 29 09:20:21 server iptables.init[2331]: iptables: Applying firew...
Oct 29 09:20:21 server systemd[1]: Started IPv4 firewall with iptables.
Hint: Some lines were ellipsized, use -l to show in full.

To check the default configuration of iptables, use the command below.

[root@server ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Another important command saves the configuration changes we make. Rules added with the iptables command are not saved automatically: without saving, the changes are lost when iptables or the machine is restarted.

Use the command below to save the rule changes we made.

[root@server ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

or, to print the current rules (iptables-save writes them to standard output):

[root@server ~]# iptables-save
# Generated by iptables-save v1.4.21 on Sun Oct 29 15:17:07 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:12391]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sun Oct 29 15:17:07 2017

Command to open a port in iptables. Here we are going to open port 80 for the web server (HTTP), from outside to this server.

[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Command to open port 80 for traffic from the server/firewall to outside.

[root@server ~]# iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

We can also open a port for a specific host only. For this, use the -s option to give the hostname in the command, as below.

Opening port 80 to allow traffic from node1 alone:

[root@server ~]# iptables -A INPUT -p tcp -s node1.lbcdomain.com --dport 80 -j ACCEPT

Similarly, we can open ports for a specific network to limit access, so that traffic is allowed only from the machines that fall within this network.

[root@server ~]# iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
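One check worth running after any of the port-opening commands above: in the ruleset shown by iptables-save, the INPUT chain ends with a catch-all REJECT, and -A appends after it, so a port rule appended that way is never reached. The POSIX sh script below is an added example, not part of the original post; it parses an iptables-save dump (a constructed copy of the page's ruleset with the port 80 rule appended), reports whether a port's ACCEPT rule is shadowed by the catch-all, and prints the -I command that places the rule above it. The function names and the dump text are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): detect a port rule that can never
# match because a catch-all REJECT/DROP sits above it in the same chain, and
# print the iptables command that inserts the rule above the catch-all.
# On a real host, replace "$DUMP" with "$(iptables-save)".

# Constructed dump: the page's ruleset after
# "iptables -A INPUT -p tcp --dport 80 -j ACCEPT". The new rule lands after
# the catch-all REJECT in INPUT, so it is dead.
DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:12391]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# catchall_pos CHAIN DUMP: 1-based position (as "iptables -L --line-numbers"
# shows) of the first rule in CHAIN that rejects or drops every packet, i.e. a
# REJECT/DROP rule with no protocol, port, address or interface match; 0 if none.
catchall_pos() {
    printf '%s\n' "$2" | awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            n++
            if (!found && $0 ~ /-j (REJECT|DROP)/ &&
                $0 !~ / (-p|-s|-d|-i|--dport|--sport) /) { found = n }
        }
        END { print found + 0 }'
}

# accept_pos CHAIN PORT DUMP: position of the first "--dport PORT ... -j ACCEPT"
# rule in CHAIN; 0 if none.
accept_pos() {
    printf '%s\n' "$3" | awk -v chain="$1" -v port="$2" '
        $1 == "-A" && $2 == chain {
            n++
            if (!found && $0 ~ ("--dport " port " ") && $0 ~ /-j ACCEPT/) { found = n }
        }
        END { print found + 0 }'
}

# check_shadowed CHAIN PORT DUMP: prints "ok" (exit 0) when the ACCEPT rule for
# PORT is evaluated before the catch-all, "shadowed" (exit 1) when it sits
# below the catch-all, "missing" (exit 1) when there is no such rule.
check_shadowed() {
    a=$(accept_pos "$1" "$2" "$3")
    c=$(catchall_pos "$1" "$3")
    if [ "$a" -eq 0 ]; then echo "missing"; return 1; fi
    if [ "$c" -ne 0 ] && [ "$a" -gt "$c" ]; then echo "shadowed"; return 1; fi
    echo "ok"
}

# open_port_cmd CHAIN PORT DUMP: the command that opens PORT/tcp in CHAIN above
# the catch-all (-I at the catch-all's position), or -A when CHAIN has none.
open_port_cmd() {
    c=$(catchall_pos "$1" "$3")
    if [ "$c" -eq 0 ]; then
        echo "iptables -A $1 -p tcp --dport $2 -j ACCEPT"
    else
        echo "iptables -I $1 $c -p tcp --dport $2 -j ACCEPT"
    fi
}

# Usage against the constructed dump.
if check_shadowed INPUT 80 "$DUMP"; then
    echo "port 80 rule is reachable"
else
    echo "fix with: $(open_port_cmd INPUT 80 "$DUMP")"
fi
```

After inserting the rule with -I, confirm the order with `iptables -L INPUT -n --line-numbers` and then run `service iptables save` so the corrected order is what gets reloaded at boot. The same ordering applies to the host- and network-restricted rules; note also that a hostname given to -s is resolved to an address when the rule is added, so the rule matches that address rather than the name.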
