
Linux iptables: How to add firewall rules (taking SSH as an example)

Author:JIYIK Last Updated:2025/04/07 Views:

This article explains how to add iptables firewall rules using the iptables -A (append) command.

-A stands for append. If it is easier to remember -A as "add rule" rather than "append rule", that is fine. However, remember that -A adds the rule to the end of the chain.

Again, it is important to remember that -A adds the rule at the end.

Usually the last rule is to drop all packets. If we already have a rule that drops all packets, and we try to create a new rule from the command line with -A, we will end up adding the new rule after the current "drop all packets" rule, which makes our new rule almost useless.

Once you get the hang of iptables and use it in production, you should keep all the rules in a shell script that adds them with the -A command. In that shell script, the last line should always be the "drop all packets" rule. When we want to add a new rule, modify that shell script and add the new rule above the "drop all packets" rule.

Syntax:

$ iptables -A chain firewall-rule
  • -A chain - Specifies the chain to which the rule should be attached. For example, use the INPUT chain for incoming packets and OUTPUT for outgoing packets.
  • firewall-rule - Various parameters make up a firewall rule.

If you don't know what chains mean, you'd better read the iptables basics first.


Firewall rule parameters

The following parameters apply to various firewall rules.

-p for protocol

  • Indicates the protocol of the rule.
  • Possible values are tcp, udp, icmp
  • Use "all" to allow all protocols. If -p is not specified, the "all" protocol is used by default. Using "all" is not good practice; always specify a protocol.
  • Use a name (for example, tcp) or a number (for example, 6 for tcp) as the protocol.
  • The /etc/protocols file contains all allowed protocol names and numbers.
  • We can also use --protocol

-s for source

  • Indicates the source of the packet.
  • This can be an IP address, network address, or hostname
  • For example: -s 192.168.1.101 indicates a specific IP address
  • For the network mask, use /mask. For example: "-s 192.168.1.0/24" means the network mask 255.255.255.0 for that network. This matches the 192.168.1.x network.
  • When we don't specify the origin, it will match all origins.
  • We can also use --src or --source

-d for destination

  • Indicates the destination of the packet.
  • This is the same as "-s" (except that it stands for the target host, IP address, or network)
  • We can also use --dst or --destination

-j for target

  • j stands for "jump to target"
  • This specifies what needs to happen to packets that match this firewall rule.
  • Possible values are ACCEPT, DROP, QUEUE, RETURN
  • We can also specify other user-defined chains as target values.

-i for input interface

  • i stands for "input interface"
  • It is easy to assume that "-i" simply means "interface". Note that both -i and -o are for interfaces; however, -i is for the input interface and -o is for the output interface.
  • Indicates the interface through which incoming packets enter, for the INPUT, FORWARD, and PREROUTING chains.
  • For example: -i eth0 means that packets coming in through interface eth0 should be considered by this rule.
  • If we do not specify the -i option, all available interfaces on the system are considered for incoming packets.
  • We can also use --in-interface

-o for output interface

  • o stands for "output interface"
  • Indicates the interface through which outgoing packets are sent via the INPUT, FORWARD, and PREROUTING chains.
  • If you do not specify the -o option, all available interfaces on the system are considered for outgoing packets.
  • We can also use --out-interface

Additional options for firewall parameters

Some of the firewall parameters above in turn have their own options that can be passed along with them. Here are some of the most common options.

To use these parameter options, you should specify the corresponding parameters in the firewall rules. For example, to use the "--sport" option, we should specify the "-p tcp" (or "-p udp") parameter in the firewall rules.

Note: All of these options are preceded by two dashes. For example, sport is written as --sport.

--sport for source port (for -p tcp or -p udp)

  • By default, all source ports are matched.
  • We can specify the port number or name. For example, to use the SSH port in the firewall rule, use "--sport 22" or "--sport ssh".
  • The /etc/services file contains all allowed port names and numbers.
  • It is better to use port numbers rather than port names in rules (for performance reasons).
  • To match a range of ports, use a colon. For example, 22:100 matches port numbers from 22 to 100.
  • We can also use --source-port

--dport for destination port (for -p tcp or -p udp)

  • Same as --sport, but this is for the destination port.
  • We can also use --destination-port

--tcp-flags for TCP flags (for -p tcp)

  • This can contain multiple values separated by commas.
  • Possible values are: SYN, ACK, FIN, RST, URG, PSH. You can also use ALL or NONE

--icmp-type for ICMP type (for -p icmp)

  • When using the icmp protocol "-p icmp", you can also use the "--icmp-type" parameter to specify the ICMP type.
  • For example, use "--icmp-type 0" to represent "Echo Reply" and "--icmp-type 8" to represent "Echo".

Example firewall rule to allow incoming SSH connections

Now that we understand the various parameters of firewall rules (and their options), let’s build a sample firewall rule.

In this example, let's allow only incoming SSH connections to the server. All other connections will be blocked (including ping).

Warning: Playing with firewall rules can make your system inaccessible. If we don't know what we are doing, we can lock ourselves (and everyone else) out of the system. So do all your learning on a test system that no one else is using and where we have console access to reset iptables if we get locked out.

1. Delete existing rules

If we already have some iptables rules, please make a backup before deleting the existing rules.

Remove all existing rules and allow the firewall to accept everything. As mentioned before, use iptables flush to clear all existing rules and start from scratch.

Test to make sure we can ssh and ping this server from the outside.

After completing this example, you will only be able to connect to this server via SSH. You will not be able to ping this server from the outside.

2. Allow only SSH

Only incoming SSH connections are allowed to this server. We can connect to this server via ssh from anywhere.

$ iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

The above iptables command has the following 4 components.

  • “-A INPUT” - This indicates that we are appending (or adding) a new rule to the INPUT chain. Therefore, this rule applies to incoming traffic.
  • "-i eth0" - Incoming packets through interface eth0 will be checked against this rule.
  • "-p tcp --dport 22" - This rule applies to TCP packets. There is a tcp option called "--dport 22" which means the destination port for this rule on the server is 22 (i.e. ssh).
  • "-j ACCEPT" - Jump to accept, it just accepts the packet.

In simple terms, the above rule can be stated as: all incoming ssh packets through eth0 will be accepted.

3. Drop all other packets

Once we have specified a custom rule to accept packets, we should also have a default rule to drop any other packets.

This should be our last rule in the INPUT chain.

To drop all incoming packets, do the following.

$ iptables -A INPUT -j DROP

4. View SSH rules and test

To view the current iptables firewall rules, use the iptables -L command.

$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

As can be seen from the above output, it has the following two rules in sequence.

  • Accept all incoming ssh connections
  • All other packets are dropped.

Rather than adding firewall rules from the command line, create a shell script that contains the rules, as shown below.

$ vi iptables.sh
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP

$ sh -x iptables.sh
+ iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+ iptables -A INPUT -j DROP

$ iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere
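As an added example (not the article's own script), the same ruleset written as a script that can be reviewed in dry-run mode before it touches the firewall: it flushes INPUT first so it can be re-run without duplicating rules, appends the allow rules, always appends the catch-all DROP last (the ordering point made above), and checks the resulting order. The interface name eth0 and the extra ICMP allow rule for 192.168.1.0/24, which exercises the -s and --icmp-type parameters described earlier, are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original article: build the INPUT chain from a
# script so the trailing "drop all packets" rule is always appended last.
# Run with --apply (as root) to execute iptables; any other invocation only
# prints the commands that would run.

IPT="${IPT:-iptables}"

# Constructed sample allow rules, one per line (everything after "-A INPUT").
# The second rule is not in the article: it lets hosts on 192.168.1.0/24 ping
# us and shows the -s and --icmp-type parameters in use.
ALLOW_RULES='-i eth0 -p tcp --dport 22 -j ACCEPT
-i eth0 -p icmp --icmp-type 8 -s 192.168.1.0/24 -j ACCEPT'

# dry: stands in for iptables and prints the command line instead of running it.
dry() { printf '%s\n' "$*"; }

apply_rules() {
    # Flush INPUT first so re-running the script does not duplicate rules.
    "$IPT" -F INPUT
    # Append every allow rule ...
    printf '%s\n' "$ALLOW_RULES" | while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        # $rule is deliberately unquoted so it splits into separate arguments.
        "$IPT" -A INPUT $rule
    done
    # ... and only then the catch-all DROP, so it stays the last rule.
    "$IPT" -A INPUT -j DROP
}

# check_order: takes the dry-run output and returns 0 only if the final
# command is the DROP rule and the SSH ACCEPT rule comes before it.
check_order() {
    last=$(printf '%s\n' "$1" | tail -n 1)
    [ "$last" = "-A INPUT -j DROP" ] || return 1
    printf '%s\n' "$1" | grep -q -- '--dport 22 -j ACCEPT' || return 1
}

main() {
    if [ "${1:-}" = "--apply" ]; then
        apply_rules
    else
        IPT=dry
        out=$(apply_rules)
        printf '%s\n' "$out"
        check_order "$out" && echo "order OK: DROP is last" >&2
    fi
}

main "$@"
```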

Similar to the iptables append/add command, there are a few other commands available with iptables. We will cover them in the subsequent articles in the iptables series. We will also provide several practical firewall rule examples that will be helpful in real life.
