Bobcares

A Guide to the iptables Commands in Linode

by | Nov 22, 2024

Learn how to use iptables commands in Linode. Our Linode Support team is here to help you with your questions and concerns.

The iptables command is a useful tool used to configure and manage the Linux kernel’s built-in firewall. It defines rules for controlling network traffic through tables and chains, enabling precise management of incoming and outgoing connections.

Today, we are going to explore its key features, including listing chains, setting default policies, and managing connections to ports and IPs.


What are Chains in iptables

Chains are lists of rules that match subsets of network packets. By default, the filter table contains three built-in chains: INPUT, FORWARD, and OUTPUT. We can list the rules in these chains using:

sudo iptables -L

For example, the output might look like this:


Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

How to Set Up Default Policies

By default, no rules are set in a fresh configuration. So, we need to start by setting the default target policy to define how traffic is handled:


sudo iptables --policy INPUT ACCEPT
sudo iptables --policy FORWARD ACCEPT
sudo iptables --policy OUTPUT ACCEPT

We can change the default policy to DROP or REJECT to block traffic unless explicitly allowed.

Block and Allow Connections by IP

To block all incoming traffic from a specific IP address, use:

sudo iptables -A INPUT -s 192.168.1.1 -j DROP

For an entire subnet:

sudo iptables -A INPUT -s 192.168.1.1/24 -j DROP

To block outgoing traffic to an IP, match on the destination address in the OUTPUT chain:

sudo iptables -I OUTPUT -d 192.168.1.1 -j DROP

The default policies set earlier leave every chain at ACCEPT. We can change them to DROP or REJECT to close off every service on the server and then explicitly allow only the services we want to expose.
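The default-deny approach just described, as an added example that is not from the Bobcares post: a hypothetical helper baseline_rules prints, in an order that is safe to apply over an SSH session, the commands for an INPUT chain that drops everything except the listed TCP ports. It assumes the conntrack match module is available and that the server is administered over SSH on port 22.

```shell
#!/bin/sh
# Hypothetical helper, not from the Bobcares post: print the iptables commands
# for a default-deny INPUT chain that still accepts the TCP ports given as
# arguments. Assumes the conntrack match module is available and that the
# server is administered over SSH on port 22 (the usual case on a Linode).
# The order matters: loopback and already-established traffic are accepted
# before the policy flips to DROP, so an open SSH session survives the change.

baseline_rules() {
    ssh_seen=0
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP"
    for port in "$@"; do
        # Refuse anything that is not a plain number in 1..65535.
        case "$port" in
            ''|*[!0-9]*)
                echo "baseline_rules: '$port' is not a port number" >&2
                return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "baseline_rules: port $port is out of range" >&2
            return 1
        fi
        if [ "$port" -eq 22 ]; then
            ssh_seen=1
        fi
        # Only new connections need an explicit rule; replies are covered above.
        echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    if [ "$ssh_seen" -eq 0 ]; then
        echo "baseline_rules: warning: port 22 is not in the list; applying this over SSH will lock you out" >&2
    fi
    # The policy goes last, after every allow rule is in place.
    echo "iptables -P INPUT DROP"
}

# Review the generated rules first, then pipe them to a root shell to apply:
#   baseline_rules 22 80 443 | sudo sh
```

Running it without sudo only prints the rules, which makes it easy to check the list before touching the live firewall.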

Block and Allow Connections by Port

To block specific ports or services, specify the protocol and destination port as seen here:

  • Block incoming SSH connections on port 22:

    sudo iptables -I INPUT -p tcp --dport 22 -j DROP

  • Block HTTP traffic on port 80:

    sudo iptables -I INPUT -p tcp --dport 80 -j DROP

  • Block a specific IP from accessing a service (replace <ip_address> with the address to block):

    sudo iptables -I INPUT -p tcp --dport 80 -s <ip_address> -j DROP

To allow traffic instead, replace DROP with ACCEPT. A port on a Linode can also be opened through other methods.

Save and Persist Rules

To save the rules so they persist after a reboot, first dump the running rule set:

sudo /sbin/iptables-save

Note that iptables-save only writes the rules to standard output. Redirect it to a file (the backup command in the best-practices section below does this) and arrange for that file to be loaded at boot, for example with the iptables-persistent package on Debian and Ubuntu, which restores /etc/iptables/rules.v4. On RHEL-based systems with the iptables-services package, the equivalent is:

sudo service iptables save

Delete and Clear Rules

To delete a specific rule, find its line number:

sudo iptables -L --line-numbers

Then delete the rule using:

sudo iptables -D INPUT line_number

To clear all rules and start fresh:

sudo iptables -F

How to Open Ports

To open an incoming port, such as 2525:

sudo iptables -A INPUT -p tcp --dport 2525 -j ACCEPT

For outgoing ports, such as 3032:

sudo iptables -A OUTPUT -p tcp --dport 3032 -j ACCEPT

Save the changes to persist:

sudo service iptables save

Best Practices for Managing iptables

  • Double-check the rules to avoid mistakes.
  • Before saving, test new rules to ensure they function as intended.
  • Save current settings to a file for quick restoration.

    sudo iptables-save > /path/to/backup_file


Conclusion

Mastering iptables gives us better control over server traffic, bolstering security and optimizing performance. While it requires careful handling, following structured approaches ensures reliable configurations for our Linux server.

In brief, our Support Experts demonstrated using iptables commands in Linode.
