iptables is a command-line tool that lets a system administrator configure the Linux kernel's packet filtering tables, implemented by the Netfilter framework. In other words, it is the interface for managing the firewall on your Linux machine.
Why use iptables?
Even though simpler tools such as UFW or firewalld exist, understanding iptables is fundamental for a fine-grained mastery of network security on Linux.
- Granular control: Lets you create very specific rules based on IP addresses, ports, protocols, connection state, and so on.
- Power: Offers advanced features such as Network Address Translation (NAT) and packet modification (mangle).
- Universal: Present on virtually all Linux systems.
The basic concepts: Chains and Tables
- Tables: A set of chains. The most common are `filter` (the default, for filtering packets), `nat` (for address translation) and `mangle` (for packet modification).
- Chains: A list of rules. Packets traverse the chains in order. The default chains of the `filter` table are:
  - INPUT: For packets destined for the server itself.
  - OUTPUT: For packets generated by the server.
  - FORWARD: For packets that merely pass through the server (routing).
- Rules: A condition (e.g. "the packet comes from IP 1.2.3.4") and a target (e.g. "DROP" - discard the packet).
- Targets: The action to take if a packet matches a rule. The most common are `ACCEPT` (accept), `DROP` (silently discard), `REJECT` (refuse with a notification) and `LOG` (record the event).
Secure baseline configuration
The safest strategy is to block everything by default, then explicitly allow what is needed.
Step 1: Back up the current rules (if any)
sudo iptables-save > ~/iptables.bak
Step 2: Flush all existing rules
sudo iptables -F # Flush all rules
sudo iptables -X # Delete all non-default chains
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
Step 3: Set the default policies (block everything)
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT # We trust what leaves our own machine
Step 4: Allow already established connections and local traffic
This is crucial so you don't cut off your own SSH session and so services can communicate with each other.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
Step 5: Allow the necessary services
Only open what you need. Here are a few examples:
# Allow SSH (port 22)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow HTTP (port 80)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow HTTPS (port 443)
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
At this point, your server is protected. Incoming connections are only allowed on the ports you have explicitly opened.
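The same baseline as Steps 2 to 5, written as an added example that is not part of the original article: a POSIX shell script that emits the rules as one iptables-restore file and loads them in a single commit, with a timed rollback. Loading the whole table at once matters over SSH: if you type Step 3 before Step 4, the INPUT policy is already DROP while no RELATED,ESTABLISHED rule exists, so the packets of the session you are typing in are dropped. The port list, the /root paths, the 60-second window and the function names are my choices, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original article): the baseline from Steps 2-5 as
# one iptables-restore ruleset, loaded atomically with a timed rollback.
# Assumes a Linux host with iptables-save/iptables-restore; the port list,
# /root paths and 60 s window are illustrative choices, not values from the page.

# build_baseline_rules PORT... : print an iptables-restore ruleset that resets the
# nat and mangle tables (Step 2) and builds the filter table (Steps 3-5).
build_baseline_rules() {
    for port in "$@"; do
        # Accept only numeric ports in 1-65535; anything else aborts before output
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "invalid port: $port" >&2; return 1
        fi
    done
    # Empty nat and mangle tables with ACCEPT policies (what Step 2's -F/-X leave behind)
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' 'COMMIT'
    printf '%s\n' '*mangle' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
        ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]' 'COMMIT'
    # Filter table: default-deny inbound and forwarded traffic, trust outbound (Step 3)
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback and replies to connections we already have (Step 4)
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # One ACCEPT per requested TCP service (Step 5)
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# apply_with_rollback RULESET_FILE [SECONDS] : snapshot the live rules, load the
# new ruleset in one commit, and revert to the snapshot after SECONDS (default 60)
# unless confirm_rules is called first. Must run as root in an interactive shell.
apply_with_rollback() {
    ROLLBACK_FILE=$(mktemp /root/iptables.rollback.XXXXXX) || return 1   # 0600, root only
    iptables-save > "$ROLLBACK_FILE" || return 1
    iptables-restore < "$1" || return 1
    ( sleep "${2:-60}"; iptables-restore < "$ROLLBACK_FILE" ) &
    ROLLBACK_PID=$!
    echo "rules loaded; run confirm_rules within ${2:-60}s or they revert"
}

# confirm_rules : cancel the pending revert once a fresh SSH login has succeeded
confirm_rules() {
    kill "$ROLLBACK_PID" 2>/dev/null
    rm -f "$ROLLBACK_FILE"
    echo "rules kept; save them with your distribution's persistence tool"
}

# Executed directly: ./baseline.sh --print 22 80 443 > /root/baseline.rules
case "${1:-}" in
    --print) shift; build_baseline_rules "$@" ;;
esac
```

Generate the file with `sh baseline.sh --print 22 80 443 > /root/baseline.rules`, read it, then from a root shell source the script (`. ./baseline.sh`) and run `apply_with_rollback /root/baseline.rules 60`. Open a second SSH session; if it connects, run `confirm_rules` in the first one, otherwise do nothing and the snapshot is restored when the timer expires. Only then save the rules as described in the next section.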
Making the rules persistent
iptables rules are lost on reboot. To save them, the method depends on your distribution.
# On Debian / Ubuntu
sudo apt-get install -y iptables-persistent
# The package will ask you to save the current rules.
# To save manually later:
sudo netfilter-persistent save
# On CentOS / RHEL
sudo service iptables save
# or
sudo /sbin/iptables-save > /etc/sysconfig/iptables
Useful commands
# List the rules of the filter table
sudo iptables -L -v -n --line-numbers
# Delete a rule from the INPUT chain by its number (e.g. number 5)
sudo iptables -D INPUT 5
# Insert a rule at the beginning of the INPUT chain
sudo iptables -I INPUT 1 -p tcp --dport 2222 -j ACCEPT
When you modify rules, especially for SSH, make sure you don't lock yourself out. Keep another session open or have console access just in case. Only save the rules once you are sure they work.
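A check to run alongside the listing commands above, as an added example that is not from the article: it reads an iptables-save dump (the format produced by the Step 1 backup and by `sudo iptables-save`) and reports the default policies, the port each INPUT ACCEPT rule opens, and any INPUT ACCEPT rule that carries no interface, source, state or port match. The embedded dump is constructed for the demonstration, and its last rule is deliberately over-broad so the warning path is exercised; the function and variable names are mine.

```shell
#!/bin/sh
# Added example (not from the original article): a read-only audit of an
# iptables-save dump. Reports default policies, ports opened by INPUT ACCEPT
# rules, and INPUT ACCEPT rules with no restriction at all.
# Assumes iptables-save output format; the sample dump below is constructed.

# audit_ruleset : read an iptables-save dump on stdin and print findings.
# Returns 1 if the INPUT policy is not DROP or an unrestricted ACCEPT exists.
audit_ruleset() {
    rc=0
    while IFS= read -r line; do
        # shellcheck disable=SC2086  # splitting the rule into words is intended
        set -- $line
        case "${1:-}" in
            :INPUT|:FORWARD|:OUTPUT)
                printf 'policy %s %s\n' "${1#:}" "$2"
                if [ "$1" = ":INPUT" ] && [ "$2" != "DROP" ]; then
                    printf 'WARN: INPUT policy is %s, expected DROP\n' "$2"
                    rc=1
                fi ;;
            -A)
                [ "$2" = "INPUT" ] || continue
                target=""; port=""; restricted=no
                # Walk the rule's options; an interface, source, connection-state
                # or port match counts as a restriction (a bare -p does not)
                while [ $# -gt 0 ]; do
                    case "$1" in
                        -j) target=$2; shift ;;
                        --dport|--dports) port=$2; restricted=yes; shift ;;
                        -i|-s|--ctstate|--state) restricted=yes; shift ;;
                    esac
                    shift
                done
                [ "$target" = "ACCEPT" ] || continue
                if [ -n "$port" ]; then
                    printf 'open port %s\n' "$port"
                elif [ "$restricted" = no ]; then
                    printf 'WARN: unrestricted ACCEPT: %s\n' "$line"
                    rc=1
                fi ;;
        esac
    done
    return "$rc"
}

# Constructed sample in iptables-save format. iptables-save writes
# "-p tcp --dport N" back as "-p tcp -m tcp --dport N"; the final rule
# accepts all TCP and is there to trigger the warning.
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j ACCEPT
COMMIT'

# Executed directly:  sh audit.sh --demo        (audits the sample)
#                     sudo iptables-save | sh audit.sh -   (audits the live rules)
#                     sh audit.sh ~/iptables.bak          (audits a saved file)
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_RULESET" | audit_ruleset ;;
    -)      audit_ruleset ;;
    ?*)     audit_ruleset < "$1" ;;
esac
```

On the sample the script prints the three policies, `open port 22`, `open port 443` and one `WARN:` line for the catch-all TCP rule, and exits 1; remove that rule and it exits 0. Run it on `~/iptables.bak` before restoring a backup, or on the live rules after a change, to see exactly which ports are reachable from outside before you save.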
Conclusion
iptables is an incredibly powerful and flexible tool. While its syntax may look intimidating at first, understanding its logic of chains, rules and targets gives you full control over your machine's network traffic. Mastering the basics of iptables is an essential skill for any security-conscious system administrator.