Linux firewall (aka iptables) for beginners

Ales Lerch

It doesn't matter whether your role at your company is developer, sys admin, or blue team: you should always know the basics of the Linux firewall. Even a little knowledge can make your work life much easier, and with cyber crime on the rise, security matters more than ever.

I personally have the same problem, and the rules are a little confusing to me as well. So let's look at this problem together. I made this post for myself too, because these things get confusing every time.

To list the rules:

sudo iptables -L

This lists all rules in the filter table. Before playing with these rules I always recommend backing them up first. Don't make the same mistake! Note that the output of iptables -L is meant for humans and cannot be loaded back; use iptables-save, whose output iptables-restore can read:

sudo iptables-save > backup.tables.bak

The rules are divided into separate chains. The main chains of the filter table are INPUT, FORWARD and OUTPUT, but there can be more: for example, if Docker is installed on your machine, it adds its own DOCKER chain.

Important! You need to understand that rules are evaluated from top to bottom, and the first rule that matches a packet decides what happens to it. That means order matters: if you have one rule allowing a specific port and another rule blocking the same port, whichever of the two comes first wins. If no rule in a chain matches, the chain's default policy applies (shown as "policy ACCEPT" in the listing below).

sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Every rule has a target. ACCEPT means to let the packet through. DROP means to drop the packet on the floor, i.e. to discard it and not send any response. REJECT sends back an error packet in response to the matched packet; otherwise it is equivalent to DROP, so it is also a terminating target. QUEUE means to pass the packet to userspace. RETURN means: if the rule matches, stop traversing this chain and resume at the next rule in the previous (calling) chain.

Then the protocol is specified. Source is the address the packets come from and destination is the address they go to. Either can be "anywhere", which matches any address, or a specific IP address or range. Finally comes the rule's match description, for example the destination port.

Adding rules

Rules are added with the switch -A, meaning the rule is appended to the end of the chain, or with -I, meaning it is inserted, by default at the top (position 1) so that it is checked before all existing rules.

sudo iptables -A INPUT -p tcp --dport ssh -s <source-address> -j DROP

You can replace "ssh" with any service name or port number. The -p tcp part tells iptables which protocol the rule matches; if you were blocking a service that uses UDP rather than TCP, you would use -p udp instead. -s restricts the rule to packets from the given source address (replace the placeholder with a real address or range). -j specifies what should happen to matching packets; here it is DROP.

Deleting rules

To remove a specific rule, first list the rules with their line numbers:

sudo iptables -L --line-numbers

Rules are numbered per chain, so you need to specify both the chain and the rule number when deleting. So if we need to delete INPUT rule number 10:

sudo iptables -D INPUT 10

Keep in mind that the rules below the deleted one are renumbered immediately, so list again before deleting another rule by number.
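Because the first matching rule wins and deletion works by rule number, it helps to check a listing before touching it. The script below is an added example, not part of the original post: it reads the output of "sudo iptables -L --line-numbers" (here a constructed sample listing, not captured from a real host) and the two helper functions first_match and shadowed_rules are hypothetical names, not iptables commands.

```sh
#!/bin/sh
# Constructed sample of `sudo iptables -L --line-numbers` output. Rule 3 can
# never fire: rule 2 already ACCEPTs every tcp packet to the ssh port.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
3    DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
4    DROP       tcp  --  203.0.113.5          anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination'

# first_match CHAIN PORT: print "num target" of the first rule in CHAIN whose
# match text contains dpt:PORT. First match wins, so this is the rule that
# actually decides such packets, and the number you would pass to -D.
first_match() {
    awk -v chain="$1" -v dpt="dpt:$2" '
        /^Chain / { cur = $2; next }
        cur == chain && $1 ~ /^[0-9]+$/ && index($0, dpt) { print $1, $2; exit }'
}

# shadowed_rules CHAIN: print the numbers of rules that can never be reached,
# because an earlier rule with the same protocol and dpt, a terminating
# target and source "anywhere" already catches every such packet.
shadowed_rules() {
    awk -v chain="$1" '
        /^Chain / { cur = $2; next }
        cur != chain || $1 !~ /^[0-9]+$/ { next }
        {
            key = ""
            for (i = 7; i <= NF; i++) if ($i ~ /^dpt:/) key = $3 " " $i
            if (key == "") next
            if (key in seen) { print $1; next }
            if ($5 == "anywhere" && $2 ~ /^(ACCEPT|DROP|REJECT)$/) seen[key] = $1
        }'
}

printf '%s\n' "$SAMPLE_LISTING" | first_match INPUT ssh    # prints: 2 ACCEPT
printf '%s\n' "$SAMPLE_LISTING" | shadowed_rules INPUT     # prints: 3
```

On a real host replace the sample with "sudo iptables -L --line-numbers | first_match INPUT ssh".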

Saving rules

The changes you make to your iptables rules are lost the next time the iptables service restarts (or the machine reboots) unless you save them. How the saved rules get loaded at boot differs by distribution, but the building blocks are the same: iptables-save prints the current ruleset to standard output, and iptables-restore loads such a file back.

sudo iptables-save > rules.v4
sudo iptables-restore < rules.v4

On Debian and Ubuntu the iptables-persistent package loads /etc/iptables/rules.v4 at boot; on RHEL-based systems the iptables-services package provides "service iptables save".

To clear all currently configured rules in the filter table, issue the flush command:

sudo iptables -F

Be careful: -F removes only the rules, not the chains' default policies. If a chain's policy is DROP, flushing leaves a chain that drops everything, which on a remote machine can lock you out of SSH. Reset the policies first (for example sudo iptables -P INPUT ACCEPT) or do this from a console.