Firewall Configuration using Iptables with Advanced Security on Ubuntu 14.04
Introduction
Setting up a firewall is a significant stage in securing most of the modern operating systems. Most Linux distributions come equipped with different firewall tools that we can use to configure our firewall. In this guide, we will be discussing how to configure the Iptables firewall to Ubuntu 14.04.
Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, “iptables” only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called “ip6tables”, which can be used to maintain firewall rules for IPv6 network addresses.
Basic commands
Before following this guide, you must have access to a non-root superuser account, with Sudo privileges set up on your server. First, you need to know that iptables commands must be run with root privileges only. To implement this condition, we shall add “sudo” before all the commands in this guide. We can also log in as root user by using “su” or “sudo -i” commands but we will stick with “sudo” for this guide.
Initially, we need to find the current rules that are configured for the iptables. This is achieved by using the following command:
# sudo iptables -L
But let's throw in a <b>tag</b>.
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
We can also see the current rules in a simpler format using the -S flag instead of -L flag:
# sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
In both the results, we can see three chains displayed as INPUT, FORWARD and OUTPUT. We also see that each chain’s default policy is set as ACCEPT, but there are no actual rules set in the results above. This is because Ubuntu does not ship with the default rules set.
If there are rules already configured into the Iptables, we can flush them completely by using the -F flag as follows:
Note: If you are flushing the rules remotely then the policies of INPUT and OUTPUT chains should be set to ACCEPT. This can be done by typing
# sudo iptables -S
# sudo iptables -P INPUT ACCEPT
# sudo iptables -P OUTPUT ACCEPT
# sudo iptables -F
Setting rules for Iptables
Rules for iptables can be set in two ways. One way is allowing the default rule to ACCEPT and block any unwanted traffic by setting specific rules. The other method is to configure allowed traffic and block everything else. The second method is often the preferred one.
The first rule that needs to be assigned is to accept all the inbound traffic by typing the following command:
# sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
We can see the result of the above command by using the -L flag again.
# sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Here we can see that the policy of the INPUT chain is changed as compared to before applying the rule. The next step is to allow traffic to a specific port to enable SSH connections. This can be done by following:
# sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
“ssh” translates to port number 22 by default. Any port number can be used in the place of “ssh”. To allow access to the HTTP web server, type the following command:
# sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
There is one more ACCEPT rule that needs to be assigned to our Iptables so that our server runs properly.
# sudo iptables -I INPUT 1 -i lo -j ACCEPT
Adding a drop rule
So far we have added only ACCEPT rules to our Iptables. We need to assign block rules as well since all the network packets will get accepted as per the rules assigned to our Iptables. One way is to assign a DROP rule to the default policy of our INPUT chain. This catches all the packets that fall through our INPUT chain and drops them.
# sudo iptables -P INPUT DROP
One of the implications of this type of design is that it falls back on dropping packets if the rules are flushed.
The alternative approach is to keep the default policy for the chain as accept and add a rule that drops every remaining packet to the bottom of the chain itself.
If you changed the default policy for the INPUT chain above, you can set it back to follow along by typing:
# sudo iptables -P INPUT ACCEPT
Now, you can add a rule to the bottom of the chain that will drop any remaining packets:
# sudo iptables -A INPUT -j DROP
Before saving the Iptables, it is better to check the assigned rules once. Our current rules are set as follows:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
Saving Iptables rules
By default, Iptables rules will be wiped out once the server is restarted. To save the Iptabels rules permanently, the settings can be saved in a few different ways, but the easiest way is with the “iptables-persistent” package. This can be downloaded from Ubuntu’s default repositories:
# sudo apt-get update
# sudo apt-get install iptables-persistent
Save your firewall rules with this command:
# sudo invoke-rc.d iptables-persistent save
Related Feature on LayerPanel
Related Tutorials
How to set up & configure firewall using FirewallD for CentOS 8
How to set up & configure Ubuntu Firewall (UFW) for Ubuntu 18
How to test Firewall Configuration with Nmap on Linux Cloud Servers
How to check if TCP / UDP port is open on Linux & Windows Cloud Servers
How to Enable & Disable Ping (ICMP Echo Requests) in Windows Server 2019 Firewall
How to Enable & Disable Ping (ICMP Echo Requests) from IPTables on Linux Cloud Servers
Setting up Windows Firewall for your Windows Cloud Servers 2016
