It probably goes without saying that you'll need to be logged in as root to work with iptables, but I'll say it anyway. After logging in as root, you may want to look at what's already loaded, if anything. To look at the rules that are currently in effect, run iptables -L (or iptables --list if you like being verbose).
With no rules loaded, the output should look something like the image to the right:
By default, you have an INPUT, OUTPUT, and FORWARD chain — all with a policy of accepting packets. In other words, until you configure some of these chains, everything is wide open.
If you're going to be using this computer as a firewall, you'll want to enable IP forwarding. Issue the command: echo 1 > /proc/sys/net/ipv4/ip_forward. This takes effect immediately but does not survive a reboot.
Without any rules, iptables isn’t going to do much, so let’s add some rules to the existing chains. If you don’t want your machine to respond to pings, for instance, add the following rule to the INPUT chain:
iptables -A INPUT -p icmp -j DROP
The -A INPUT argument tells iptables to append to the INPUT chain. The -p icmp argument indicates that this rule applies to the ICMP protocol, and the -j DROP argument indicates that packets matching this rule should be dropped. If you send a ping to that host, it will simply drop the packets and not reply. Note that you could use either ICMP or icmp to specify the protocol; it's not case-sensitive.
To reverse this rule and allow the host to respond to pings again, issue this command:
iptables -D INPUT 1
This tells iptables to delete (-D) the first rule from the INPUT chain. If you have multiple rules, you may delete any one of them by its position without affecting the others (the remaining rules are renumbered). At some point, you may want to start over from scratch. To clear out all rules from a chain, use this syntax:
iptables -F INPUT
This tells iptables to flush (-F) all rules from the chain.
Blocking telnet connections
Now for a slightly more complicated configuration. Say you want a firewall that blocks ssh connections from outside your internal network but allows ssh within the network. To keep users from revealing username and password combinations to the outside world (telnet sends them in the clear), this firewall will also block anyone inside the network from using telnet to reach the outside.
First, set a rule on the INPUT chain that allows ssh from within the network:
iptables -A INPUT -s 18.104.22.168 -p tcp --destination-port ssh -j ACCEPT
The source (-s) argument tells iptables which network or hosts you're willing to accept connections from, while --destination-port specifies the TCP port (here looked up by the service name ssh) you're willing to accept. Next, block ssh connections from outside your internal network:
iptables -A INPUT -s ! 22.214.171.124 -p tcp --destination-port ssh -j DROP
This is almost the same command, except that it drops ssh connections from any other network. This rule applies only to the INPUT chain, so it doesn't help if what you want to protect is an internal machine behind the iptables gateway; it does nothing if the computer running iptables never sees the packets. Also, note the space between the "!" and the network; newer iptables releases prefer the negation in front of the option (! -s network) and warn about the older form. I got some very odd errors before I realized there needed to be a space between the network and the "!" character.
Finally, to block outgoing telnet connections, apply this rule to the OUTPUT chain:
iptables -A OUTPUT -p tcp --destination-port telnet -j DROP
Instead of appending (-A) a rule to the INPUT chain, we've appended the rule to the OUTPUT chain. If users try to telnet out, they'll be unable to get a connection. However, this might frustrate users who wait indefinitely for the telnet connection to time out. So, let's reject the packets instead of just dropping them:
iptables -F OUTPUT
iptables -A OUTPUT -p tcp --destination-port telnet -j REJECT
After flushing the OUTPUT chain, we use almost the same command as the one used to block outgoing telnet connections, but jump (-j) to REJECT instead. REJECT sends an ICMP error back, so users get an immediate 'connection refused' error if they try to telnet out.
If you want to allow telnet connections within the internal network, flush the previous rules and use these commands to set rules that allow telnet inside the network, but not outside:
iptables -A OUTPUT -p tcp --destination-port telnet -d 126.96.36.199 -j ACCEPT
iptables -A OUTPUT -p tcp --destination-port telnet -d ! 188.8.131.52 -j REJECT
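The ssh and telnet rule set above, gathered into one script, is shown here as an added example (not code from the original article). It assumes a variable INTERNAL_NET for the network address (a constructed 192.168.1.0/24 is the default) and a DRY_RUN variable that, when set to 1, prints each iptables command instead of executing it, so the rule set can be reviewed before it is run as root. It uses the newer "! -s" / "! -d" negation syntax rather than the "-s !" form shown above, and flushes both chains first so that running it twice does not duplicate rules.

```shell
#!/bin/sh
# Added example, not from the original article. INTERNAL_NET and DRY_RUN are
# assumed variable names; 192.168.1.0/24 is a constructed sample network.
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# run: print the iptables command, and execute it only when DRY_RUN is not 1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# apply_ruleset: flush both chains, then add the rules in the order the
# article gives them (order matters: the first matching rule decides)
apply_ruleset() {
    run -F INPUT
    run -F OUTPUT
    # ssh from inside the network is accepted, ssh from anywhere else dropped
    run -A INPUT -s "$INTERNAL_NET" -p tcp --destination-port ssh -j ACCEPT
    run -A INPUT ! -s "$INTERNAL_NET" -p tcp --destination-port ssh -j DROP
    # telnet to inside the network is allowed, telnet to the outside refused
    run -A OUTPUT -p tcp --destination-port telnet -d "$INTERNAL_NET" -j ACCEPT
    run -A OUTPUT -p tcp --destination-port telnet ! -d "$INTERNAL_NET" -j REJECT
}

# rule_count: number of append (-A) commands the rule set emits in dry-run mode
rule_count() {
    apply_ruleset | grep -c '^iptables -A'
}

apply_ruleset
```

Run it as is to see the commands it would issue; run it as root with DRY_RUN=0 to apply them. Note that the flush at the top also removes any other rules already in INPUT and OUTPUT, which is the same behaviour as the iptables -F commands in the article.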
You may want to run iptables -L again to see what rules you've got going and make sure they've all been entered correctly. Your output should look something like the image to the right:
The ability to match TCP or UDP packets against a list of source or destination ports is also now available through the multiport match. Previously, a rule could match only a single port or a single range of ports. This might be used to set up a filter that blocks telnet, ftp, and finger in one rule, for example:
iptables -A INPUT -p tcp -m multiport --dports telnet,ftp,finger -j DROP
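As an added example (not from the original article), the helper below builds multiport rules from a comma-separated list of services. The multiport match accepts at most 15 ports in one rule (a port range counts as two), so the helper splits longer lists across several rules. It assumes a DRY_RUN variable that prints the commands instead of executing them, and single ports rather than ranges.

```shell
#!/bin/sh
# Added example, not from the original article. DRY_RUN is an assumed
# variable name; with DRY_RUN=1 the commands are printed, not executed.
DRY_RUN="${DRY_RUN:-1}"

# run: print the iptables command, and execute it only when DRY_RUN is not 1
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# drop_ports CHAIN PORTS: drop TCP traffic to each port in the comma-separated
# PORTS list, emitting one multiport rule per 15 ports (the match's limit;
# this helper assumes single ports, not ranges, which count as two each)
drop_ports() {
    chain="$1"
    old_ifs="$IFS"
    IFS=','
    set -- $2            # split the port list into positional parameters
    IFS="$old_ifs"
    batch=""
    n=0
    for p in "$@"; do
        batch="${batch:+$batch,}$p"
        n=$((n + 1))
        if [ "$n" -eq 15 ]; then
            run -A "$chain" -p tcp -m multiport --dports "$batch" -j DROP
            batch=""
            n=0
        fi
    done
    if [ -n "$batch" ]; then
        run -A "$chain" -p tcp -m multiport --dports "$batch" -j DROP
    fi
}

drop_ports INPUT telnet,ftp,finger
```

Service names such as telnet are resolved through /etc/services when the rule is loaded, so a name that is missing there makes iptables reject the rule; numeric ports avoid that dependency.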