Linux iptables: Incoming and Outgoing Rules Examples (SSH and HTTP)
In our previous article in the iptables firewall series, we reviewed how to add firewall rules using iptables -A.
We also explained how to allow incoming SSH connections. At a high level, it involves the following 3 steps.
- Delete all existing rules: "iptables -F"
- Allow only incoming SSH: "iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT"
- Drop all other incoming packets: "iptables -A INPUT -j DROP"
The above works. But it is not complete. One problem with the above steps is that they do not limit the outgoing packets at all.
Default chain policy
The default policy for a chain is ACCEPT. If you don't know what chains are, it is best to read our iptables introduction article first. So, the default policy for both the INPUT and OUTPUT chains is ACCEPT. In the 3 steps above, we dropped all incoming packets (except incoming ssh) at the end. However, we did not restrict outgoing traffic.
As you can see below, it says "(policy ACCEPT)" next to all three chain names (INPUT, OUTPUT, and FORWARD). This indicates that the default chain policy is ACCEPT.
$ iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
So, you have two options.
Option 1: Add a drop rule
Leave the default policy as it is and, after all of your ACCEPT rules, append the following three drop rules, which drop all incoming, outgoing and forwarded packets except those matched by the rules above them. If you do this, the default chain policy will still be ACCEPT, which doesn't matter because the last rule in each chain drops every remaining packet anyway.
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
Option 2: Change the default chain policy to DROP
First, execute the following three commands to change the default policy of each chain to DROP.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Now, if we add a rule to allow ssh (iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT) and then run iptables -L, we will notice that it says "(policy DROP)" next to all three chains.
$ iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
But there is a problem here. The rule allowing incoming ssh connections will no longer work: the server's replies to the client are outgoing packets, and all outgoing packets are now dropped.
Allow incoming connections
When the default policy for the INPUT and OUTPUT chains is DROP, for each incoming firewall rule, we need to specify the following two rules.
- Request rule: This is a request from the client to the server for an incoming connection.
- Response rule: This is for the responses sent from the server back to the client (for the corresponding incoming request).
Example 1: Allow incoming SSH connections
This is to allow SSH connections from outside to our server. That is, we can ssh to our server from outside.
This involves two steps. First, we need to allow incoming new SSH connections. Once the incoming ssh connection is allowed, we also need to allow the return of the response to that incoming ssh connection.
First, allow incoming SSH connection requests as shown below.
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
In the example above:
- iptables -A INPUT : Append the new rule to the INPUT chain. This must always be INPUT for incoming connection requests.
- -i eth0 : This refers to the input interface. For incoming connections, this must always be "-i".
- -p tcp : Indicates that this is for the TCP protocol.
- --dport 22 : This refers to the destination port for incoming connections. Port 22 is used for ssh.
- -m state : This indicates to use the “state” match module. We will discuss more about the “-m” option (and all the available match modules for iptables) in a future article.
- --state NEW,ESTABLISHED : Options for the "state" match module. In this example, only the NEW and ESTABLISHED states are allowed. The first packet of an SSH connection from the client to the server is in the NEW state; all further packets of that connection from the client to the server are in the ESTABLISHED state.
Next, allow outgoing (ESTABLISHED status only) SSH connection responses (for corresponding incoming SSH connection requests).
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
In the example above:
- iptables -A OUTPUT : Append the new rule to the OUTPUT chain. Since this is a rule for responses from the server (to the corresponding incoming requests), it must be OUTPUT.
- -o eth0 : This refers to the output interface. This must always be "-o" for outgoing connections.
- -p tcp : Indicates that this is for the TCP protocol.
- --sport 22 : This refers to the source port of the outgoing packets. Port 22 is used for ssh. Since the incoming request (from the previous rule) arrives at the "destination" port, the outgoing response leaves from the "source" port.
- -m state : This means use the “state” matching module.
- --state ESTABLISHED : Because this is a response rule, we only allow ESTABLISHED connections (not any NEW connections).
Example 2: Allow incoming HTTP connections
This is to allow HTTP connections from outside to our server. That is, the website running on your server can be viewed from outside.
Just like the SSH incoming rule above, this also involves two steps. First, we need to allow incoming new HTTP connections. Once incoming HTTP connections are allowed, we need to allow responses back to that incoming HTTP connection.
First, allow incoming HTTP connection requests as shown below.
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Next, allow outgoing (ESTABLISHED only) HTTP connection responses (for the corresponding incoming HTTP connection requests).
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Note: In the HTTP request and response rules above, everything except the port number is the same as in the SSH example.
Allow outgoing connections
When the default policy for the INPUT and OUTPUT chains is DROP, for each outgoing firewall rule we need to specify the following two rules.
- Request rule: This is a request from the server to the outside for an outgoing connection.
- Response rule: This is for the responses returning from the outside to the server (for the corresponding outgoing request).
Example 3: Allow outgoing SSH connections
This is to allow SSH connections from our server to the outside. That is, we can ssh from our server to an external server.
This involves two steps. First, we need to allow new outgoing SSH connections. Once the outgoing ssh connection is allowed, we also need to allow the response to that outgoing ssh connection to come back in.
First, allow outgoing SSH connection requests as shown below.
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
In the example above:
- iptables -A OUTPUT : Append the new rule to the OUTPUT chain. This must always be OUTPUT for outgoing connection requests.
- -o eth0 : This refers to the output interface. For outgoing connections, this must always be "-o".
- -p tcp : Indicates that this is for the TCP protocol.
- --dport 22 : This refers to the destination port for outgoing connections.
- -m state : This means use the "state" match module.
- --state NEW,ESTABLISHED : Options for the "state" match module. In this example, only the NEW and ESTABLISHED states are allowed. The first packet of an SSH connection from the server to the outside is in the NEW state; all further packets of that connection from the server to the outside are in the ESTABLISHED state.
Next, allow incoming (ESTABLISHED only) SSH connection responses (for the corresponding outgoing SSH connection requests).
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
In the example above:
- iptables -A INPUT : Append the new rule to the INPUT chain. Since this is a rule for responses from the outside to the server (to the corresponding outgoing requests), it must be INPUT.
- -i eth0 : This refers to the input interface. For incoming packets, this must always be "-i".
- -p tcp : Indicates that this is for the TCP protocol.
- --sport 22 : This refers to the source port of the incoming packets. Since the outgoing request (from the previous rule) went to the "destination" port, the incoming response comes back from the "source" port.
- -m state : This means use the "state" match module.
- --state ESTABLISHED : Because this is a response rule, we only allow ESTABLISHED connections (not any NEW connections).
Putting it all together
Create a rules.sh shell script that does the following:
- Delete all existing rules
- Set the default chain policies
- Allow incoming SSH
- Allow incoming HTTP
- Allow outgoing SSH
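Examples 1 to 3 differ only in which chain holds the request rule, which interface flag it uses, and whether the port is a --dport or a --sport. The script below, an added example that is not code from the original article, captures that pattern in two helper functions (one per direction) and assembles the same five-step ruleset the article builds next. The IPT and IFACE variables and the function names are this example's own; IPT defaults to echo so the rules are printed rather than applied, and running it with IPT="sudo iptables" applies them for real.

```shell
#!/bin/sh
# Added example (not from the original article): build the request/response
# rule pairs of Examples 1-3 with one helper per direction. IPT defaults to
# "echo" so the rules are printed instead of applied; set IPT="sudo iptables"
# to apply them. IPT, IFACE and the function names are this example's own.
IPT="${IPT:-echo}"
IFACE="${IFACE:-eth0}"

# Incoming TCP service on port $1 (22 for SSH, 80 for HTTP): a request rule
# on INPUT (NEW,ESTABLISHED) plus a response rule on OUTPUT (ESTABLISHED).
allow_incoming_tcp() {
    $IPT -A INPUT  -i "$IFACE" -p tcp --dport "$1" -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp --sport "$1" -m state --state ESTABLISHED -j ACCEPT
}

# Outgoing TCP connection to port $1: the mirror image, request rule on
# OUTPUT, response rule on INPUT. Only chain, interface flag and
# dport/sport are swapped.
allow_outgoing_tcp() {
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport "$1" -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -i "$IFACE" -p tcp --sport "$1" -m state --state ESTABLISHED -j ACCEPT
}

# The five steps of the article's rules.sh. The ACCEPT rules are appended
# before the default policies are switched to DROP, so the admin's own SSH
# session is matched by an ACCEPT rule at every point while this runs.
apply_ruleset() {
    $IPT -F
    allow_incoming_tcp 22
    allow_incoming_tcp 80
    allow_outgoing_tcp 22
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

# Print what apply_ruleset would run, without touching the kernel tables.
dry_run() {
    (IPT=echo; apply_ruleset)
}

apply_ruleset
```

Because every rule here is stateful, the ruleset stays small: one pair per service in either direction. With the OUTPUT policy at DROP, anything the server itself initiates needs its own outgoing pair, exactly as Example 3 provides for SSH; these helpers cover TCP only. On current kernels the state match is implemented by the conntrack module, so the same rules can equally be written with -m conntrack --ctstate.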
First, create rules.sh:
#!/bin/bash
# 1. Delete all existing rules
iptables -F

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Allow incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 4. Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Next, execute rules.sh and view the rules.
$ chmod u+x rules.sh
$ ./rules.sh
$ iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
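After loading a ruleset like the one above, the check worth making is that every request rule really has its response rule: with both policies at DROP, a request rule without its counterpart produces a connection that can be opened but is never answered, which is exactly the failure shown under Option 2. The shell function below, an added example rather than part of the original article, reads an iptables -L listing and reports every tcp ACCEPT rule with dpt:<port> in one chain that has no ACCEPT rule with spt:<port> in the opposite chain. The two sample listings are constructed for this example (the first is the article's own output, the second drops the HTTP response rule); check_pairs and check_listing are this example's names.

```shell
#!/bin/sh
# Added example (not from the original article): verify the request/response
# pairing of a ruleset from its `iptables -L` listing. A dpt:<port> ACCEPT in
# INPUT needs an spt:<port> ACCEPT in OUTPUT and vice versa. Function and
# variable names are this example's own.

# Read a listing on stdin; print one line per request rule that has no
# response rule in the opposite chain. Empty output means every pair is present.
check_pairs() {
    awk '
        /^Chain / { chain = $2; next }          # track the chain we are in
        $1 != "ACCEPT" || $2 != "tcp" { next }  # only tcp ACCEPT rules matter
        {
            for (i = 6; i <= NF; i++) {
                if (split($i, kv, ":") != 2) continue
                if (kv[1] == "dpt") req[chain, kv[2]] = 1   # request rule
                if (kv[1] == "spt") resp[chain, kv[2]] = 1  # response rule
            }
        }
        END {
            for (k in req) {
                split(k, c, SUBSEP); chain = c[1]; port = c[2]
                other = (chain == "INPUT") ? "OUTPUT" : "INPUT"
                dir = (chain == "INPUT") ? "incoming" : "outgoing"
                if (!((other, port) in resp))
                    print dir " " port ": no " other " spt:" port " response rule"
            }
        }' | sort
}

# Convenience wrapper so a listing held in a variable is checked the same
# way as live output (`iptables -L | check_pairs`).
check_listing() {
    printf '%s\n' "$1" | check_pairs
}

# Constructed sample: the listing produced by the article's rules.sh.
PAIRED_LISTING='Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED'

# Constructed sample: same ruleset, but the OUTPUT response rule for HTTP was
# forgotten, so web clients can connect but never receive a reply.
BROKEN_LISTING='Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED'

check_listing "$PAIRED_LISTING"   # prints nothing
check_listing "$BROKEN_LISTING"   # prints: incoming http: no OUTPUT spt:http response rule
```

On a live system, run iptables -L | check_pairs (iptables -L -n works too: the check compares the port text exactly as printed, so names and numbers both work as long as the whole listing uses one form). It only inspects tcp ACCEPT rules carrying a single dpt:/spt: match; multiport rules (dpts:/spts:) and non-TCP rules are skipped.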
With this as a basis, you should be able to write your own incoming and outgoing iptables firewall rules. There is still a lot more to cover in iptables. Stay tuned!