Sysadmins Most Used Linux iptables Rules Examples

In this article we will discuss using the iptables command to secure your Linux box. We will use it to add and delete rules, set chain policies, and flush the applied rules. First, we will give some examples of using the iptables command, then we will add rules to secure the most commonly used Linux services. All modifications made with the iptables command are non-persistent, i.e. “temporary”: once we reboot the system all our modifications are gone, so once we finish working with the iptables command we need to save our work to make it persistent, i.e. “loaded at boot and halt time”. At the end of this article we will show you how to save your iptables rules.

This article is suitable for any Linux family, “the RPM family of Linux and the Debian family of Linux”.
Let’s start.

Requirements:

  • We need a user with root privileges.
  • If you are configuring iptables for the RPM Linux family “Red Hat / CentOS / Scientific Linux”, you should first read at least one of these two articles, Iptables for CentOS 7 or Iptables for CentOS 6, as I’m building on top of those articles.
  • If you are configuring iptables for the Debian Linux family “Debian 8 “jessie” / Ubuntu 14.04 and higher”, you should first read the article Iptables for Debian 8, as I’m building on top of that article as well.

Here’s the first command we will run. To show all the options available with iptables, run the following command:

# iptables --help
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
 iptables -I chain [rulenum] rule-specification [options]
 iptables -R chain rulenum rule-specification [options]
 iptables -D chain rulenum [options]
 iptables -[LS] [chain [rulenum]] [options]
 iptables -[FZ] [chain] [options]
 iptables -[NX] chain
 iptables -E old-chain-name new-chain-name
 iptables -P chain target [options]
 iptables -h (print this help information)

Commands:
Either long or short options are allowed.
 --append -A chain Append to chain
 --check -C chain Check for the existence of a rule
 --delete -D chain Delete matching rule from chain
 --delete -D chain rulenum
 Delete rule rulenum (1 = first) from chain
 --insert -I chain [rulenum]
 Insert in chain as rulenum (default 1=first)
 --replace -R chain rulenum
 Replace rule rulenum (1 = first) in chain
 --list -L [chain [rulenum]]
 List the rules in a chain or all chains
 --list-rules -S [chain [rulenum]]
 Print the rules in a chain or all chains
 --flush -F [chain] Delete all rules in chain or all chains
 --zero -Z [chain [rulenum]]
 Zero counters in chain or all chains
 --new -N chain Create a new user-defined chain
 --delete-chain
 -X [chain] Delete a user-defined chain
 --policy -P chain target
 Change policy on chain to target
 --rename-chain
 -E old-chain new-chain
 Change chain name, (moving any references)
Options:
 --ipv4 -4 Nothing (line is ignored by ip6tables-restore)
 --ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
 source specification
[!] --destination -d address[/mask][...]
 destination specification
[!] --in-interface -i input name[+]
 network interface name ([+] for wildcard)
 --jump -j target
 target for rule (may load target extension)
 --goto -g chain
 jump to chain with no return
 --match -m match
 extended match (may load extension)
 --numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
 network interface name ([+] for wildcard)
 --table -t table table to manipulate (default: `filter')
 --verbose -v verbose mode
 --wait -w wait for the xtables lock
 --line-numbers print line numbers when listing
 --exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
 --modprobe=<command> try to insert modules using this command
 --set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.

As you can see from the above output, we are using iptables version v1.4.21, and you can also see the usage of iptables, its options, and its commands. If you need more details, check the iptables man page “man iptables”. In all of my rules, I’ll use the short options “i.e. I will use -A, not --append”.

Part 1: Checking the existing iptables rules and removing them.

First, we need to list the applied iptables rules, run the following command:

# iptables -L -n --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination 
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 
3 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22

Chain FORWARD (policy DROP)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

As we see, these are not the default iptables rules; these are the rules we applied in our previous articles. Always use the option “--line-numbers” when listing your applied iptables rules, as we will need the rule number later with other commands. Let’s clear these rules.
If you are an RPM Linux family sysadmin, run one of these two commands:

  • For RPM Linux release 7
    # systemctl stop iptables
  • For RPM Linux release 6
    # service iptables stop

If you are a Debian 8 Linux family sysadmin, run the following command:

# netfilter-persistent flush

Now, list the applied iptables rules again. You will notice that the previously applied rules are removed and the policies are set to ACCEPT, as follows:

# iptables -L -n --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Now we are ready to use the iptables command to secure our Linux box.

Part 2: Dealing with the iptables command.

Ordering is very important when configuring iptables rules and policies. You must be very careful if you are configuring a remote server “connected through a pseudo-terminal device, pty, i.e. using any remote terminal program such as xterm, screen, or ssh”, as losing the connection to your server will cost you some time.

To begin using iptables, you should first add a rule allowing/accepting any existing connections to your server. This is too important to skip, otherwise you may lose your current ssh connection to the server. Run the command below to allow established connections:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Now we will allow full loopback access to our server, i.e. we will allow all connections on the local interface. Run the following command:

# iptables -A INPUT -i lo -j ACCEPT

A final important rule is to allow new ssh connections to your server. Run the following command:

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

We need to check that our rules were successfully applied. Run the following command to list the applied rules:

# iptables -L -n --line-numbers -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination 
1 182 15332 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 
3 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 19 packets, 3480 bytes)
num pkts bytes target prot opt in out source destination

From the above output we see that our three rules are applied in order. We used another option, “-v” for verbose mode, which gives the number of packets and bytes matched by each rule. You can see that I am only using the established ssh connection to my server; I did not make any new ssh connection to it. Let’s connect to our server using a new ssh connection and re-run the previous command. Its new output will look like this:

# iptables -L -n --line-numbers -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination 
1 235 22133 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 
3 1 60 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 65 packets, 13547 bytes)
num pkts bytes target prot opt in out source destination

From the above output we see that a new packet appeared for rule number 3, which means that there was one attempt to log in to this server using ssh. This rule has only been matched once so far.

Now it’s time to set our default policies for the three chains “INPUT, FORWARD, and OUTPUT”. We will set the default policy to “DROP” for the INPUT and FORWARD chains, and leave it as it is, “ACCEPT”, for the OUTPUT chain. With these policies, our rules define the allowed traffic and everything else is blocked. This is the recommended approach for securing your Linux server.

To set the default policy to DROP for the INPUT and FORWARD chains, run the following commands:

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
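
Before running the DROP policy commands above, it is worth checking that the two rules that keep a remote session alive are really in place. The script below is an added example, not from the original article: it parses the rule-spec listing of “iptables -S INPUT” (the --list-rules command from the help output) and only runs “iptables -P INPUT DROP” when both the RELATED,ESTABLISHED rule and the ssh ACCEPT rule are present. The SSH_PORT variable, the function names and the sample listings are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: a pre-flight check to run
# before "iptables -P INPUT DROP". It parses the rule-spec listing produced
# by "iptables -S INPUT" and refuses to set the DROP policy unless the chain
# already ACCEPTs RELATED,ESTABLISHED traffic and NEW tcp connections to the
# ssh port, which is exactly the lock-out the article warns about.

SSH_PORT="${SSH_PORT:-22}"   # change if sshd listens elsewhere

# input_chain_is_safe LISTING -> exit 0 only if both required ACCEPT rules exist
input_chain_is_safe() {
    listing="$1"
    # Rule 1 of the article (newer iptables prints "-m conntrack --ctstate")
    printf '%s\n' "$listing" |
        grep -Eq -- '^-A INPUT .*--(ct)?state RELATED,ESTABLISHED .*-j ACCEPT$' || return 1
    # Rule 3 of the article: NEW tcp connections to the ssh port
    printf '%s\n' "$listing" |
        grep -Eq -- "^-A INPUT .*-p tcp .*--dport ${SSH_PORT} .*-j ACCEPT$" || return 1
    return 0
}

# set_input_drop_policy -> applies the DROP policy only when the check passes
set_input_drop_policy() {
    current="$(iptables -S INPUT)" || return 2
    if input_chain_is_safe "$current"; then
        iptables -P INPUT DROP
    else
        echo "refusing -P INPUT DROP: ESTABLISHED or ssh ACCEPT rule missing" >&2
        return 1
    fi
}

# Constructed listings for offline use: the chain after the article's three
# rules, and a freshly flushed chain.
SAMPLE_READY='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'
SAMPLE_FLUSHED='-P INPUT ACCEPT'

if [ "${1:-}" = "--apply" ]; then
    set_input_drop_policy          # real run (needs root)
fi
```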

At this point, we have added the basic iptables rules for securing our OS. Next we will make these iptables rules persistent.

If you are using the RPM Linux family “Red Hat / CentOS / Scientific Linux”, run the following command to make your applied iptables rules persistent:

# service iptables save

If you are using the Debian Linux family “Debian 8 “jessie” / Ubuntu 14.04 and higher”, run the following command to make your applied iptables rules persistent:

# netfilter-persistent save

To use the above command, you must first install the Debian package “iptables-persistent”.

What if you want to delete one of the applied iptables rules? You will need the rule number: run “iptables -L -n --line-numbers -v” to get it, then run the command below to delete the rule:

# iptables -D INPUT 3

Here we removed the ssh iptables rule “which has rule number 3”. Of course, you will need to save your changes using one of the above commands “depending on your Linux OS family”.

Hint:
1. Do not delete the ssh iptables rule as I did in the above example; I only did it as an example of using iptables to delete a rule.

Part 3: Securing the most used Linux services.

As we set our default policy to DROP for the INPUT chain, we need to allow incoming connections for the public services running on our servers. Here are the rules for allowing the most used services; you may need to allow some of them.

SSH server iptables rules
1. Allow ssh traffic “open tcp port 22”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

DNS server iptables rules
1. Allow dns traffic “open both tcp, and udp port 53”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

Web server iptables rules
1. Allow http traffic “open tcp port 80”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

2. Allow https traffic “open tcp port 443”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT

Mail server iptables rules
1. Allow SMTP traffic “open tcp port 25”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

2. Allow SMTPS traffic “open tcp port 465”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT

3. Allow POP3 traffic “open tcp port 110”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT

4. Allow POP3S traffic “open tcp port 995”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT

5. Allow IMAP traffic “open tcp port 143”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT

6. Allow IMAPS traffic “open tcp port 993”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT

Databases iptables rules
1. Allow MySQL traffic “open tcp port 3306”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT

2. Allow PostgreSQL traffic “open tcp port 5432”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT

NTP time server’s iptables rules
1. Allow time sync via NTP “open udp port 123”

# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT

Samba file server’s iptables rules
1. Allow samba file server traffic “open tcp ports 137, 138, 139, and 445”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 137 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 138 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT

NIS server’s iptables rules
1. Allow NIS traffic “open the following tcp and udp ports”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 111 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 111 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 853 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 853 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 850 -j ACCEPT
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 850 -j ACCEPT

Rsync iptables rules
1. Allow rsync connections “open tcp port 873”

# iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 873 -j ACCEPT

After setting all the rules, you need to save them so that they are loaded at boot and halt time.
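
The rules in Part 3 can also be assembled into one file in iptables-save format, which is what the save commands from Part 2 write to disk and what “iptables-restore” loads in a single atomic step, so the ordering problem from Part 2 cannot bite half-way through. The script below is an added example, not from the original article; the gen_ruleset and count_service_rules functions, the proto:port list format, the SSH_PORT variable and the /tmp/rules.v4 path are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article: build the whole INPUT
# ruleset of this article in iptables-save format from a list of proto:port
# entries. The file can be reviewed and then loaded atomically with
# "iptables-restore < FILE"; it is the same format that "service iptables save"
# (RPM family) and "netfilter-persistent save" (Debian family) write to disk.

SSH_PORT="${SSH_PORT:-22}"

# gen_ruleset "tcp:22 tcp:80 udp:53 ..." -> prints the ruleset; exit 1 on bad input
gen_ruleset() {
    services="$1"
    case " $services " in
        *" tcp:${SSH_PORT} "*) ;;
        *) echo "warning: no tcp:${SSH_PORT} entry, a remote session would be cut" >&2 ;;
    esac
    echo '*filter'
    # Default policies from the article: DROP inbound/forwarded, ACCEPT outbound.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Rules 1 and 2 come first so existing sessions and loopback keep working.
    echo '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    for svc in $services; do
        proto="${svc%%:*}"
        port="${svc#*:}"
        case "$proto" in
            tcp|udp) ;;
            *) echo "bad protocol in '$svc' (use tcp or udp)" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "bad port in '$svc'" >&2; return 1 ;;
        esac
        echo "-A INPUT -p $proto -m state --state NEW -m $proto --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

# count_service_rules RULESET -> how many per-service ACCEPT rules it contains
count_service_rules() {
    printf '%s\n' "$1" | grep -c -- '--state NEW'
}

if [ "${1:-}" = "--write" ]; then
    # Constructed service list: ssh, web and dns. Review the file, then load it
    # with "iptables-restore < /tmp/rules.v4" and save it as the article shows.
    gen_ruleset "tcp:22 tcp:80 tcp:443 tcp:53 udp:53" > /tmp/rules.v4
fi
```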

Summary

In this article we explained the use of the iptables command with its options and commands. We showed you how to list the applied iptables rules, and how to add and delete rules and set the policies for chains. All our rules were applied using the iptables CLI, so you need to save your applied rules to make them persistent. Finally, we included the most used iptables rules for the most used services you will need to secure.

I hope this article is good enough for you.
See you in other articles.
