It doesn't matter what role you have at your company, whether it's developer, sysadmin, or blue team: you should always know the basics of the Linux firewall. Just a little knowledge can make your work life much easier, and these days cyber security is becoming much more important as cyber crime is rising.
I personally have the same problem, and for me the rules are also a little bit confusing. So why don't we look at this problem together? I've made this post for myself as well, as these things can get very confusing all the time.
To list rules:
sudo iptables -L
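This will list all rules. Now, before playing with these rules, I always recommend backing them up! Don't make the same mistake! Use iptables-save for the backup rather than the -L listing, because its output can be loaded back with iptables-restore:
sudo iptables-save > backup.tables.bak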
These rules are divided into separate chains (parts). These parts are: INPUT, FORWARD, OUTPUT. Those are only the main ones, since there can be more chains. For example, if you have Docker installed on your machine, Docker adds its own DOCKER chain.
Important! Keep in mind that rules are loaded from top to bottom. That means if you have a first rule allowing a specific port and a rule at the bottom blocking that port, this port will be blocked.
sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
Every rule has a target.
ACCEPT means to let the packet through.
DROP means to drop the packet on the floor, i.e. to discard it and not send any response.
REJECT is used to send back an error packet in response to the matched packet: otherwise it is equivalent to DROP, so it is a terminating target.
QUEUE means to pass the packet to userspace.
RETURN means to stop traversing this chain and resume at the next rule in the previous (calling) chain.
After the target, the protocol is specified, followed by the source the packets are coming from and the destination they are going to. Source and destination can be set to anywhere, which applies to anything, or e.g. to a specific IP. Finally, there is the rule description.
Rules can be added with the switch -A, meaning the rule will be appended to the table of rules, or with -I, meaning it will be inserted.
iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
You can replace “ssh” with any protocol or port number. The -p tcp part of the command tells iptables what kind of connection the protocol uses. If you were blocking a protocol that uses UDP rather than TCP, then -p udp would be necessary instead. The -j switch specifies what should happen with the packets. This time it is DROP.
To remove a specific rule, you can list the rules with line numbers.
sudo iptables -L --line-numbers
All rules are numbered per chain, so you need to specify the chain and the rule number when deleting a rule. So if we need to delete INPUT rule number 10:
sudo iptables -D INPUT 10
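The per-chain numbering used for deletion, as an added example that is not part of the original post: the shell function below (delete_commands is a hypothetical name) reads an iptables -L listing, numbers the rules in each chain the way --line-numbers does, and prints the iptables -D commands for rules matching a target and source. The listing is constructed sample data, and the commands are only printed, never executed.

```sh
#!/bin/sh
# Added example (not from the original post). Prints commands only.

# Constructed sample in the iptables -L format shown on this page.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       tcp  --  10.10.10.10          anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             10.10.10.10          tcp dpt:ssh'

# delete_commands CHAIN TARGET SOURCE   (hypothetical helper name)
# Assumes every rule line has a target, so the source is column 4.
delete_commands() {
    awk -v chain="$1" -v target="$2" -v src="$3" '
        $1 == "Chain" { current = $2; n = 0; next }  # numbering restarts per chain
        NF == 0 || $1 == "target" { next }           # blank line or column header
        {
            n++                                      # rule number inside this chain
            if (current == chain && $1 == target && $4 == src)
                hits[++count] = n
        }
        END {
            # Highest number first: deleting a rule shifts the numbers of the
            # rules below it, so ascending order would delete the wrong rules.
            for (i = count; i >= 1; i--)
                printf "iptables -D %s %d\n", chain, hits[i]
        }'
}

printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT DROP 10.10.10.10
```

On a live system, pipe in the output of sudo iptables -L instead of the sample and review the printed commands before running any of them.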
The changes that you make to your iptables rules will be scrapped the next time that the iptables service gets restarted unless you execute a command to save the changes. This command can differ depending on your distribution:
To clear all the currently configured rules, you can issue the flush command.