Learn how to use iptables commands in Linode. Our Linode Support team is here to help you with your questions and concerns.
A Guide to the iptables Commands in Linode
The iptables command is a useful tool used to configure and manage the Linux kernel’s built-in firewall. It defines rules for controlling network traffic through tables and chains, enabling precise management of incoming and outgoing connections.
Today, we are going to explore its key features, including listing chains, setting default policies, and managing connections to ports and IPs.
An Overview:
- What are Chains in iptables
- How to Set Up Default Policies
- Block and Allow Connections by IP
- Block and Allow Connections by Port
- Save and Persist Rules
- Delete and Clear Rules
- How to Open Ports
- Best Practices for Managing iptables
What are Chains in iptables
Chains are lists of rules that match subsets of network packets. By default, the filter table contains three built-in chains: INPUT, FORWARD, and OUTPUT. We can list the rules in these chains using:
sudo iptables -LCopy CodeFor example, the output might look like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Copy CodeHow to Set Up Default Policies
By default, no rules are set in a fresh configuration. So, we need to start by setting the default target policy to define how traffic is handled:
sudo iptables --policy INPUT ACCEPT
sudo iptables --policy FORWARD ACCEPT
sudo iptables --policy OUTPUT ACCEPT
Copy CodeWe can change the default policy to DROP or REJECT to block traffic unless explicitly allowed.
Block and Allow Connections by IP
To block all incoming traffic from a specific IP address, use:
sudo iptables -A INPUT -s 192.168.1.1 -j DROPCopy CodeFor an entire subnet:
sudo iptables -A INPUT -s 192.168.1.1/24 -j DROPCopy CodeTo block outgoing traffic to an IP:
sudo iptables -I OUTPUT -s 192.168.1.1 -j DROPCopy CodeThis sets the default policy for all chains as “ACCEPT”. We can also opt to change this to “DROP” or “REJECT” if we want to disable access to any services on the server and manually allow the services we want to expose
Block and Allow Connections by Port
To block specific ports or services, specify the protocol and destination port as seen here:
- Block incoming SSH connections on port 22:
sudo iptables -I INPUT -p tcp --dport 22 -j DROPCopy Code - Block HTTP traffic on port 80:
sudo iptables -I INPUT -p tcp --dport 80 -j DROPCopy Code - Block a specific IP from accessing a service:
sudo iptables -I INPUT -p tcp --dport 80 -s -j DROPCopy Code
To allow traffic, replace DROP with ACCEPT. You can also open a port in Linode via other methods.
Save and Persist Rules
To save the rules so they persist after a reboot, run:
sudo /sbin/iptables-saveCopy CodeAlternatively, we can use:
sudo service iptables saveCopy CodeDelete and Clear Rules
To delete a specific rule, find its line number:
sudo iptables -L –line-numbersCopy CodeThen delete the rule using:
sudo iptables -D INPUT line_numberCopy CodeTo clear all rules and start fresh:
sudo iptables -FCopy CodeHow to Open Ports
To open an incoming port, such as 2525:
sudo iptables -A INPUT -p tcp --dport 2525 -j ACCEPTCopy CodeFor outgoing ports, such as 3032:
sudo iptables -A OUTPUT -p tcp --dport 3032 -j ACCEPTCopy CodeSave the changes to persist:
sudo service iptables saveCopy CodeBest Practices for Managing iptables
- Double-check the rules to avoid mistakes.
- Before saving, test new rules to ensure they function as intended.
- Save current settings to a file for quick restoration.
sudo iptables-save > /path/to/backup_fileCopy Code
[Need assistance with a different issue? Our team is available 24/7.]
Conclusion
Mastering iptables gives us better control over server traffic, bolstering security and optimizing performance. While it requires careful handling, following structured approaches ensures reliable configurations for our Linux server.
In brief, our Support Experts demonstrated using iptables commands in Linode.
0 Comments