iptables is a firewall programme that allows you to control server traffic on a Linux system.
By default, iptables allows all traffic.
Note: UFW is the default firewall configuration tool for Ubuntu - UFW (disabled by default) can simplify firewall setup.
Display iptables Info
-A flag denotes that the rule will be appended - added as the last rule in the chain.
-I flag denotes that the rule will be inserted - the precise line-number for insertion can also be controlled.
Delete a rule in a chain using the
-D option. You need to specify the chain, and the rule. The rule is either specified by entering the whole rule to match, or the line number of the rule to delete. Rules are numbered from the top of each chain, starting with 1.
View iptables Log
Logs are generated by the kernel, so they go to the file that receives kernel logs:
To view iptables denial in real time, run:
Blocking an IP
To block an attackers ip address (e.g. 188.8.131.52) enter:
Make iptables Rules Persistent
The iptables rulesets are held in memory, which means that they are not persistent across system reboots.
The easiest way to persist rules on Ubuntu is probably the
After starting, new ruleset files will be created:
/etc/iptables/rules.v6. These contain IPv4 and IPv6 rules respectively.
After amending iptables (or ip6tables), save changes to those files:
Import or Restore a Ruleset
There is a good basic ruleset from Linode here.
Sample iptables Ruleset
Restoring this ruleset may provide a decent starting point. The default policy is DROP - this means that the rules contain exceptions - if the specific condition is met, the packet is accepted.
The ruleset below allows:
- Loopback traffic
- Inbound traffic from established connections
- HTTP & HTTPS connections (internet)
- SSH connection on a custom port number
Notes Re iptables and UFW
If iptables rules have been added, they will appear before the UFW rules - and the first rules will take precedence.
Packets drop through a chain of rules. If the iptables INPUT chain rule has a default drop policy, it matches every remaining packet that reaches it. With iptables, order is important. The first rule that natches a packet of data is the one that will be applied.
Once a decision is made to accept a packet, no more rules affect it. As our rules allowing ssh and web traffic come first, as long as our rule to block all traffic comes after them, we can still accept the traffic we want. All we need to do is put the rule to block all traffic at the end.
Procedure to Flush Rules
If you need to flush firewall rules, first ensure that the remote connection can be maintained:
If you’ve been trying UFW, you may end up with a number of extraneous statements prepended “ufw-“. To remove these:
You might need to do something similar for ip6tables. Bash script for this procedure.
- Ubuntu Community iptablesHowTo - ggood resource, with good info on logging
- Digital Ocean - list & delete iptables rules
- Digital Ocean - Set Up Firewall using iptables on Ubuntu 14.04
- Firewall with UFW on Ubuntu - good tutorial, UFW as alternative to amending iptables directly
- iptables Essentials - Digital Ocean
- Good iptables tutorial
- Testing with nmap - attacking WordPress
- Log dropped packets
- Use psad to detect network intrusion attempts
- Intro to Fail2ban
- Intro to iptables setup
- Good Linode article on securing a server
comments powered by Disqus