Linux iptables basics
Linux has a powerful tool for controlling traffic: the kernel firewall, configured with the iptables command. Beyond basic security filtering, iptables and the related kernel modules serve many other purposes: address and port translation (NAT), traffic prioritisation, and so on. Let's look at examples of using iptables for basic tasks, starting with the general syntax for adding a rule:
iptables -A CHAIN -s SOURCE -j TARGET
Here -A appends the rule to a chain (INPUT for packets addressed to this host, OUTPUT for packets it sends, FORWARD for packets it routes), -s matches the source address, and -j names the target, i.e. the action taken when the rule matches. Rules in a chain are evaluated in order, and the first match decides.
To delete all rules in a chain, use -F (flush):
iptables -F CHAIN
The simplest firewall task is to block all traffic from a specific IP address towards our server. To do this, run the following command:
iptables -A INPUT -s 126.96.36.199 -j DROP
Once this filter is installed, all IP packets from the 188.8.131.52 address are silently discarded on arrival. If the sender should instead be told that the host is unavailable, use a slightly modified rule:
iptables -A INPUT -s 184.108.40.206 -j REJECT
With REJECT, the system generates a response for each incoming packet informing the sender that delivery failed (by default an ICMP "port unreachable" message). Use REJECT only when necessary: generating these responses costs server resources, so in most cases DROP is sufficient.
Rules can also filter by protocol. For example, you can block only UDP from a specific sender:
iptables -A INPUT -p UDP -s 220.127.116.11 -j DROP
The following example shows how to specify a port number. We use the --dport (destination port) option to prevent the host 18.104.22.168 from connecting to our server via SSH on the standard port 22:
iptables -A INPUT -p TCP -s 22.214.171.124 --dport 22 -j DROP
It is also possible to log the operation of certain rules. Let's arrange for the kernel log (usually /var/log/messages, or the journal on systemd hosts) to contain records of the filter. The first rule logs matching incoming packets and the second one discards them; the order matters, because LOG does not terminate rule processing while DROP does:
iptables -A INPUT -p TCP -s 126.96.36.199 --dport 22 -j LOG --log-prefix "SSH Filter:"
iptables -A INPUT -p TCP -s 188.8.131.52 --dport 22 -j DROP
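Logging is only useful if somebody reads the log. The following shell snippet is an added example (not part of the original article) showing how to summarise hits from a LOG rule by source address and pick out the noisy ones. The log lines are constructed samples in the format the kernel writes for LOG rules with the prefixes used above; the host name, addresses and field values are made up.

```sh
#!/bin/sh
# Added example: summarise iptables LOG output per source address.
# Constructed sample of kernel log lines (documentation IP ranges, made-up values).
SAMPLE_LOG='Mar 10 12:00:01 web1 kernel: SSH Filter:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12345 DF PROTO=TCP SPT=51522 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:02 web1 kernel: SSH Filter:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=12346 DF PROTO=TCP SPT=51523 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:05 web1 kernel: SSH Filter:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Mar 10 12:00:06 web1 kernel: HACK:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.77 DST=198.51.100.5 LEN=512 TOS=0x00 PREC=0x00 TTL=48 ID=778 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=14600 RES=0x00 ACK PSH URGP=0
Mar 10 12:00:07 web1 sshd[1234]: Accepted publickey for admin from 192.0.2.9 port 50000 ssh2'

# count_by_src PREFIX
# Prints "COUNT SRC" lines for kernel log entries carrying the given
# --log-prefix, most frequent source first. Non-firewall lines are ignored.
count_by_src() {
    prefix=$1
    printf '%s\n' "$SAMPLE_LOG" \
      | grep "kernel: ${prefix}" \
      | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk '{print $1, $2}'
}

# sources_over THRESHOLD PREFIX
# Prints only the source addresses with more than THRESHOLD hits; in practice
# this is the list you would review before adding a DROP rule for them.
sources_over() {
    count_by_src "$2" | awk -v t="$1" '$1 > t {print $2}'
}

# Example run against the constructed log:
count_by_src "SSH Filter:"
sources_over 1 "SSH Filter:"
```

On a real host, replace the embedded sample with `journalctl -k` or the contents of /var/log/messages; the prefix is matched exactly as given to --log-prefix, which is why ending the prefix with a colon keeps it separable from the IN= field that follows.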
In iptables you can specify not only a single address but a whole network. For example, let's block connections to our web server (port 80) from the address range 10.1.2.* (in CIDR notation 10.1.2.0/24):
iptables -A INPUT -p TCP -s 10.1.2.0/24 --dport 80 -j DROP
The next example shows how iptables can inspect the contents of IP packets. It is possible to log or discard packets that contain a certain sequence of characters, in this case 'hack.php'. The string match requires a search algorithm (--algo bm or kmp), and -I inserts the rule at the top of the chain instead of appending it:
iptables -I INPUT -p TCP -m string --string "hack.php" --algo bm -j LOG --log-prefix "HACK:"
Note that the match only sees the plaintext payload of each packet: it will not detect the string in TLS-encrypted traffic or when it is split across two packets.
Consider another practical problem: limiting the number of connections to our server, either simultaneous or per unit of time. This can help against floods and simple attacks. The following rule limits a single IP address to 5 simultaneous SSH connections to our server; further connection attempts above that count are rejected:
iptables -A INPUT -p TCP --syn --dport 22 -m connlimit --connlimit-above 5 -j REJECT
A different kind of limit is also possible. The next rule admits new connections to the web server at 25 per minute once an initial burst of 100 has been used up: the first 100 connection attempts pass freely, after which only 25 per minute are accepted (the burst allowance refills at the same rate). The --syn option makes the rule count only connection-opening packets, and since the rule's target is ACCEPT, attempts above the limit must be dropped by a later rule or by the chain's DROP policy:
iptables -A INPUT -p TCP --syn --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
Connections can be limited not only per single address or for the whole system but per network mask. In the following example, new connections are rejected for a whole /24 network as soon as more than 20 connections are open from its addresses (connlimit is the current name of the module formerly called iplimit):
iptables -A INPUT -p TCP --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j REJECT
Finally, let's consider how to preserve the configured iptables rules so that they are active again after the operating system reboots. On CentOS, simply run
service iptables save
On Debian, it is recommended to install the auxiliary package iptables-persistent using the standard package manager:
aptitude install iptables-persistent
After iptables-persistent is installed, the system will automatically save the current rules before the operating system shuts down and restore them when it starts.
Finally, one important recommendation: mistakes made during setup can lock you out of your own server. Make sure you have console access (an IP-KVM for a dedicated server, the built-in VNC client for a VDS) before configuring the firewall. From the console you can always restore access by removing the erroneous rules.
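The connection-limiting rules, the persistence step and the lockout warning above fit together in one workflow: write the whole ruleset down as a file, load it atomically, and arm a rollback so a typo cannot cut off your session. The following script is an added example, not the article's or any distribution's own code. It assumes SSH is managed from a network called ADMIN_NET (192.0.2.0/24 here, a placeholder), a 60-second confirmation window, and a state directory under /run; adjust these for your host.

```sh
#!/bin/sh
# Added example: build a complete INPUT ruleset in iptables-restore format,
# apply it with automatic rollback, confirm it, and persist it.
ADMIN_NET=${ADMIN_NET:-192.0.2.0/24}        # assumed management network (placeholder)
SSH_CONN_LIMIT=${SSH_CONN_LIMIT:-5}         # simultaneous SSH connections per source
ROLLBACK_SECONDS=${ROLLBACK_SECONDS:-60}    # time to confirm before old rules return
STATE_DIR=${STATE_DIR:-/run/iptables-safe}  # private dir, not a predictable /tmp name

# build_rules: print the ruleset. Default policy is DROP, so the article's
# "ACCEPT 25 new connections per minute" rule actually drops the excess.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and established traffic first, so nothing below can break replies
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH: log and reject a source that already has too many open connections,
# then allow new connections only from the management network
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above ${SSH_CONN_LIMIT} -j LOG --log-prefix "SSH connlimit:"
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above ${SSH_CONN_LIMIT} -j REJECT
-A INPUT -p tcp --dport 22 -s ${ADMIN_NET} -j ACCEPT
# web: new connections rate-limited as in the article; excess is logged then dropped
-A INPUT -p tcp --syn --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --syn --dport 80 -j LOG --log-prefix "HTTP ratelimit:"
# everything else hits the DROP policy; log a sample of it first
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT drop:"
COMMIT
EOF
}

# rule_count: number of rules in the generated set (handy sanity check).
rule_count() {
    build_rules | grep -c '^-A '
}

# safe_apply: save the running rules, load the new ones atomically, and start
# a timer that restores the old rules unless confirm_rules is called in time.
safe_apply() {
    mkdir -p "$STATE_DIR" && chmod 700 "$STATE_DIR" || return 1
    rm -f "$STATE_DIR/confirmed"
    iptables-save > "$STATE_DIR/rollback.v4" || return 1
    build_rules > "$STATE_DIR/new.v4"
    iptables-restore < "$STATE_DIR/new.v4" || return 1   # all-or-nothing load
    (
        sleep "$ROLLBACK_SECONDS"
        [ -e "$STATE_DIR/confirmed" ] || iptables-restore < "$STATE_DIR/rollback.v4"
    ) &
    echo "new rules loaded; run confirm_rules within ${ROLLBACK_SECONDS}s from a fresh session"
}

# confirm_rules: call from a NEW login session; if that login works, the rules are safe.
confirm_rules() {
    touch "$STATE_DIR/confirmed"
}

# persist_rules: store the running rules where they will be reloaded at boot.
persist_rules() {
    if command -v netfilter-persistent >/dev/null 2>&1; then
        netfilter-persistent save                 # Debian/Ubuntu with iptables-persistent
    elif [ -d /etc/iptables ]; then
        iptables-save > /etc/iptables/rules.v4    # file read by iptables-persistent
    else
        service iptables save                     # CentOS/RHEL 6 style init script
    fi
}
```

Typical use is `safe_apply`, then open a second SSH session from the management network and run `confirm_rules` there, then `persist_rules`. If the second login fails, do nothing: the timer restores the previous rules and the first session keeps working, so the console access the article recommends becomes a backstop rather than the only way back in.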