When you are running a production server, you must secure it to protect customer data from attackers. If your server runs Linux, iptables can help you secure it.
iptables is the user-space utility that system administrators use to configure Netfilter. Netfilter is the kernel subsystem that does the actual filtering; iptables is just the application used to manage it.
iptables inspects the traffic coming into or going out of your server and filters it using tables. Each table is made up of ordered lists of rules, and such a list of rules is called a chain.
Types of chains:
As mentioned above, a chain is a list of rules that is processed in order; the first rule that matches the packet decides what happens to it.
There are 5 built-in chains:
FORWARD: Handles packets that are routed through the server, i.e. packets that neither originate from nor are addressed to the server itself.
INPUT: Handles incoming packets addressed to the server itself.
OUTPUT: Handles outgoing packets generated by the server itself.
PREROUTING: Sees a packet as soon as it arrives on a network interface, before the routing decision is made. Rules here can alter the packet (for example rewrite its destination address for DNAT) or let it travel further unchanged.
POSTROUTING: Sees a packet after the routing decision, just before it leaves the server; this is where the source address is rewritten for SNAT/MASQUERADE.
When a packet matches a rule, the rule specifies the action to take. This action is called the target.
Major types of target:
Below are iptables' built-in targets:
ACCEPT: Allow the packet
DROP: Drop the packet without notifying the sender
RETURN: Stop traversing the current chain and continue in the chain that called it; in a built-in chain, the chain's default policy is applied instead
There are also target extensions provided by the iptables extension modules (several dozen of them). Below are a few of them:
REJECT (like DROP, but sends an error back to the sender), LOG, TRACE, TTL, MASQUERADE, etc.
What is a table?
A collection of chains is called a table. The 3 most commonly used tables are shown below:
- Filter Table: The default table; used for accepting or dropping incoming, outgoing and forwarded packets. All the examples in this article use it.
- NAT Table: Used to rewrite source or destination addresses and ports (SNAT, DNAT, MASQUERADE), for example to forward a port to an internal host.
- Mangle Table: Used for modifying packet headers, such as the TTL or TOS field, and for marking packets.
How to install iptables?
You can use package managers like yum/apt to install the package "iptables" (on most distributions it is already present). Below are the commands you can use on different flavors of Linux:
On Centos: yum install iptables
On Ubuntu/Debian: apt-get install iptables
How to use iptables to block connections?
Block incoming connections from one IP:
Please run the below command to block all incoming requests from a specific IP (we are using 192.168.2.9 here as an example):
iptables -A INPUT -s 192.168.2.9 -j DROP
Here is the explanation of the options used in this command:
-A: Append the rule to the end of the chain (You can also use -I instead of -A, which inserts the rule at the top of the chain by default. If you specify a rule number, say 10, your rule is inserted at position 10, above the existing rule 10. Since rules are evaluated in order and the first match wins, the position decides whether your rule takes effect.)
INPUT: Chain for managing incoming traffic
-s: Source of requests/packets
-j: Jump to the target mentioned
DROP: Target name
To check that the IP has been blocked, run the command below (note that -L does a reverse DNS lookup on every address, which can be slow; add -n to print addresses numerically):
iptables -L | grep 192
-L: List the rules (-L INPUT lists only that chain)
The result should look like this:
[root@localhost ~]# iptables -L | grep 192
DROP       all  --  192.168.2.9          anywhere
Rules added with iptables live only in kernel memory and are lost at reboot. To make them persistent, write them out with iptables-save and have them loaded at boot: on CentOS, install the iptables-services package and run "iptables-save > /etc/sysconfig/iptables"; on Ubuntu/Debian, install iptables-persistent and run "iptables-save > /etc/iptables/rules.v4". Running iptables-save on its own only prints the current rules to standard output.
Block incoming connections from subnet:
You can use the command below to block incoming packets from a whole subnet, written in CIDR notation:
iptables -A INPUT -s 192.168.2.0/24 -j DROP
Only the IP in the previous command is replaced by the subnet.
Block outgoing traffic to a particular IP or subnet from your server:
To block outgoing traffic to a particular IP, match the destination address with "-d" (not "-s": on the OUTPUT chain a "-s" rule only matches packets whose source is the server's own address, never the remote host you want to block):
iptables -A OUTPUT -d 192.168.2.9 -j DROP
Here, we use the OUTPUT chain because we need to filter the outgoing packets.
Similarly, to block connections going out to a subnet of IPs, replace the IP by the subnet in the above command like this:
iptables -A OUTPUT -d 192.168.2.0/24 -j DROP
Remember to save the rules (iptables-save redirected into your distribution's rules file) if the change must survive a reboot; iptables-save on its own only prints the current rules.
Block incoming/outgoing traffic on a port from any IP:
To block all incoming traffic on a specific port from any IP, run the command below (we use port 22, SSH, as an example; if you administer the server over SSH, this rule locks you out too, so test such rules from the console or with a scheduled rollback):
iptables -A INPUT -p tcp --dport 22 -j DROP
New arguments/options used in this command are:
-p: Specify the protocol. It can be tcp, udp, icmp, etc.
--dport: Destination port on which the traffic is to be blocked (only valid together with -p tcp or -p udp)
To block the server's own outgoing connections to a specific port on any remote host, change the chain name to OUTPUT as below (--dport is still the destination port, now on the remote host):
iptables -A OUTPUT -p tcp --dport 22 -j DROP
Block incoming/outgoing traffic on a port from a specific IP:
To block incoming traffic on a port from a specific IP, add the source IP with the "-s" option:
iptables -A INPUT -p tcp --dport 22 -s 192.168.2.9 -j DROP
To block outgoing traffic on a port to a specific IP, add the destination IP with the "-d" option:
iptables -A OUTPUT -p tcp --dport 22 -d 192.168.2.9 -j DROP
In the same way, you can block a range/subnet of IPs by replacing the IP with the subnet. Remember to save the rules each time you add a new one, otherwise the change is lost on the next reboot.
How to remove a rule from iptables?
Suppose you blocked an IP by mistake and now want to remove the blocking rule. To remove a specific rule, first find its rule number. You can print all the rules with their numbers using the command below:
iptables -L --line-numbers
Once you have the number of the rule to be removed, run:
iptables -D INPUT 6
Here, INPUT is the chain to remove the rule from and 6 is the number of the rule. Rule numbers shift after every deletion, so list the chain again before deleting another rule. Alternatively, -D accepts the same arguments you gave -A and deletes the first rule matching that specification.
To remove all the rules from the filter table (or from a single chain if you name it, e.g. INPUT), run:
iptables -F
-F means "Flush". Note that flushing removes the rules but does not reset a chain's default policy: if you had set the INPUT policy to DROP, flushing leaves you with no rules and a DROP policy, which blocks everything.
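Because rules are evaluated in order and the first match wins, it pays to check what a rule set actually does to a given packet before pushing it to a remote host, especially when mixing -A and -I as described above. The script below is an added example, not part of the original tutorial: it parses an iptables-save-style dump (a constructed sample is embedded; on a real host you would pass "$(iptables-save)") and reports the verdict the INPUT chain gives to a packet with a given source address, protocol and destination port. It also lists, with their rule numbers, every rule whose -s covers a given IP, which is what you need for the "iptables -D CHAIN N" removal shown above. Only the matches used in this article (-s with an optional /prefix, -p, --dport) and the chain policy are understood; anything else in a real dump is ignored, so treat it as a sanity check, not a replacement for testing on the host.

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: a first-match simulator for
# one iptables chain, fed with an iptables-save dump. Only -s (with an optional
# /prefix), -p and --dport are understood; any other match in a real dump is
# ignored, so use it as a sanity check before touching a remote host.

# Constructed sample in the format printed by iptables-save. Note the order:
# 10.0.0.0/8 is ACCEPTed by rule 3 before the blanket tcp/22 DROP in rule 4.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.2.9/32 -j DROP
-A INPUT -s 192.168.2.0/24 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
COMMIT'

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET[/BITS] -> exit 0 if IP lies inside NET (a bare NET means /32)
in_cidr() {
  local net=${2%/*} bits=${2#*/} mask
  if [ "$bits" = "$2" ]; then bits=32; fi
  if [ "$bits" -eq 0 ]; then mask=0
  else mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF )); fi
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# verdict_for DUMP CHAIN SRC PROTO DPORT -> prints the target of the first rule
# in CHAIN that matches the packet, or the chain's policy if none does.
verdict_for() {
  local rules=$1 chain=$2 src=$3 proto=$4 dport=$5
  local policy line target r_src r_proto r_dport
  policy=$(printf '%s\n' "$rules" | awk -v c=":$chain" '$1 == c { print $2 }')
  while IFS= read -r line; do
    case $line in "-A $chain "*) ;; *) continue ;; esac
    r_src="" r_proto="" r_dport="" target=""
    set -- $line
    while [ $# -gt 0 ]; do
      case $1 in
        -s)      r_src=$2;   shift ;;
        -p)      r_proto=$2; shift ;;
        --dport) r_dport=$2; shift ;;
        -j)      target=$2;  shift ;;
      esac
      shift
    done
    # every match present in the rule must hold, otherwise try the next rule
    if [ -n "$r_src" ]   && ! in_cidr "$src" "$r_src";  then continue; fi
    if [ -n "$r_proto" ] && [ "$r_proto" != "$proto" ]; then continue; fi
    if [ -n "$r_dport" ] && [ "$r_dport" != "$dport" ]; then continue; fi
    echo "$target"
    return 0
  done <<EOF
$rules
EOF
  echo "$policy"
}

# rules_for_src DUMP CHAIN IP -> "N<TAB>rule" for every rule in CHAIN whose -s
# covers IP; N is the number iptables -L --line-numbers shows, so it can be fed
# to iptables -D CHAIN N. Delete from the highest N down: numbers shift after
# each deletion.
rules_for_src() {
  local rules=$1 chain=$2 ip=$3 line r_src n=0
  while IFS= read -r line; do
    case $line in "-A $chain "*) ;; *) continue ;; esac
    n=$((n + 1))
    r_src=""
    set -- $line
    while [ $# -gt 0 ]; do
      case $1 in -s) r_src=$2; shift ;; esac
      shift
    done
    if [ -n "$r_src" ] && in_cidr "$ip" "$r_src"; then
      printf '%s\t%s\n' "$n" "$line"
    fi
  done <<EOF
$rules
EOF
}

# Stand-alone demo against the sample rule set.
for pkt in "192.168.2.9 tcp 80" "192.168.2.50 tcp 22" "192.168.2.50 tcp 80" \
           "10.1.2.3 tcp 22" "203.0.113.7 tcp 22" "203.0.113.7 udp 22"; do
  set -- $pkt
  printf '%-13s %-3s dport %-3s -> %s\n' "$1" "$2" "$3" \
    "$(verdict_for "$SAMPLE_RULES" INPUT "$1" "$2" "$3")"
done
echo "INPUT rules covering 192.168.2.9 (delete highest number first):"
rules_for_src "$SAMPLE_RULES" INPUT 192.168.2.9
```

The sample deliberately places the 10.0.0.0/8 ACCEPT before the blanket tcp/22 DROP, so a host in 10.0.0.0/8 can still reach port 22 while 203.0.113.7 cannot; appending the ACCEPT with -A after the DROP instead would make it dead code, which is the ordering point behind -A versus -I. Listing the rules that cover 192.168.2.9 shows both the /32 rule and the /24 rule, so removing only one of them does not unblock the host.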