Hostwinds Tutorials
Tags: CentOS Web Panel, Firewall, Linux
IPTables is an extremely flexible command-line firewall utility built specifically for Linux distributions. IPTables uses policy chains to allow or block traffic. When a packet arrives at your server, IPTables checks it against the rules of the relevant chain in order and applies the action of the first rule that matches. If no rule matches, it falls back to the default policy defined for that chain.
Generally, IPTables is installed by default on most Linux systems. To update or install it, you can retrieve the IPTables package by issuing the following commands:
Note: IPTables should be pre-installed on CentOS 6.
Ubuntu
apt-get install iptables-persistent
CentOS 7
systemctl stop firewalld
systemctl mask firewalld
yum install iptables-services
systemctl enable iptables
systemctl start iptables
IPTables will now be installed on your system. Let's take a look at how to use IPTables.
This section covers some basic IPTables commands and uses, such as listing your current ruleset and blocking an IP address from establishing a connection.
To list the currently active ruleset by specification, you'd issue the following command:
iptables -S
To display the rules currently being applied to a specific chain, you can use the following command. This example shows all of the rule specifications for a chain named UDP (a user-defined chain; the built-in chains of the filter table are INPUT, FORWARD and OUTPUT):
iptables -S UDP
You can list all of the current IPTables rules in a table view by using the -L option. This lists every active rule, grouped by chain:
iptables -L
You can delete rules in IPTables by using the -D option. Rules can be removed in a few different ways; here we cover removing a rule by its specification, which must match the existing rule exactly. For example, to remove the rule that allows incoming TCP traffic on port 443 arriving on eth0, you'd use the following command:
iptables -D INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
With IPTables, you can flush rules. This can be done by flushing a single chain or by flushing all chains. We will cover both methods below.
To flush a single chain you can use the -F option, or the equivalent --flush option, combined with the name of the chain you'd like to flush. For example, you can delete all of the rules in the INPUT chain with the following command:
iptables -F INPUT
To flush all chains, you'd again use the -F or equivalent --flush option without any additional parameters. This removes ALL of the firewall rules currently active on the server, but it does not change the chains' default policies: if a chain's policy is DROP, it keeps dropping traffic after the flush, so set the policies to ACCEPT first if you are connected remotely. The command is as follows:
iptables -F
IPTables provides the ability to block network connections from a specific IP address. For example, to block all incoming connections from 10.10.10.10, you'd run the following command:
iptables -A INPUT -s 10.10.10.10 -j DROP
You can also reject the connection instead of silently discarding it. REJECT sends an error back to the sender (by default an ICMP port-unreachable message), which the client sees as a "connection refused" error. Replace DROP with REJECT:
iptables -A INPUT -s 10.10.10.10 -j REJECT
You can also block connections from a specific IP to a specific network device, such as eth1, using the -i option.
iptables -A INPUT -i eth1 -s 10.10.10.10 -j DROP
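As an added example that is not part of the Hostwinds tutorial, the following POSIX shell helpers wrap the flush and block commands from the two passages above so they are safe to re-run. The variable DRY_RUN and the function names ipt, valid_ipv4_cidr, block_source and safe_flush are names chosen for this example. With DRY_RUN=1 (the default) the helpers print the iptables commands instead of executing them, so the logic can be reviewed on a machine without iptables or root privileges.

```shell
#!/bin/sh
# Added example, not from the tutorial: re-runnable wrappers for the
# "iptables -A INPUT -s ... -j DROP" and "iptables -F" commands.
# DRY_RUN=1 (default) prints commands instead of running them.
: "${DRY_RUN:=1}"

# Run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /0-32
# prefix length, 1 otherwise. Rejects "10.10.10.256", "10.10.10" and
# anything that is not digits and dots.
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/" given: a host address
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.
    set -- $addr                             # split the address on dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Append a DROP rule for a source address. Because -A always appends,
# running the same command twice leaves two identical rules; iptables -C
# checks for an exact match first so the helper stays idempotent.
block_source() {
    valid_ipv4_cidr "$1" || { echo "block_source: bad address '$1'" >&2; return 2; }
    if [ "$DRY_RUN" = 1 ]; then
        ipt -A INPUT -s "$1" -j DROP
    elif ! iptables -C INPUT -s "$1" -j DROP 2>/dev/null; then
        ipt -A INPUT -s "$1" -j DROP
    fi
}

# Flush every chain of the filter table without locking yourself out:
# -F removes rules but leaves the default policies alone, so a chain
# with policy DROP would block everything (including your SSH session)
# after the flush. The policies are set to ACCEPT first, and the current
# ruleset is saved so it can be reloaded with "iptables-restore < file".
safe_flush() {
    backup=${1:-/tmp/iptables.$(date +%s).bak}
    if [ "$DRY_RUN" != 1 ]; then
        iptables-save > "$backup" || return 1
        echo "saved current ruleset to $backup" >&2
    fi
    for chain in INPUT FORWARD OUTPUT; do
        ipt -P "$chain" ACCEPT
    done
    ipt -F          # delete all rules in all chains
    ipt -X          # then delete the now-empty user-defined chains
}
```

Run the file with DRY_RUN=0 as root to apply the commands for real; for example `DRY_RUN=0 sh helpers.sh` after appending a call such as `block_source 10.10.10.10` at the bottom. The validation step matters because iptables accepts a malformed address only as a hostname and will try to resolve it, which can silently produce a rule for the wrong address or none at all.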
To allow ALL incoming SSH connections on the default SSH port (22), use the following commands:
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
You can also limit SSH connections to only be allowed from a specific IP address or subnet. For example, if you only wanted to allow the IP address 10.10.10.10 to connect to the server via SSH, you'd use the following command:
iptables -A INPUT -p tcp -s 10.10.10.10 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
This can also be done for an entire subnet by appending a prefix length to the address, such as /27, as the following command illustrates (IPTables applies the mask, so 10.10.10.10/27 is stored as 10.10.10.0/27):
iptables -A INPUT -p tcp -s 10.10.10.10/27 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Your firewall may not have the OUTPUT policy set to ACCEPT. If that is the case, you also need to allow outgoing SSH connections if you want to connect from your server to an external server. The following commands achieve this for the default SSH port (22); if you use a different SSH port, replace "22" with the port number that you're using:
iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
By default, HTTP traffic is generally served up on port 80, and HTTPS traffic is typically served up on port 443. You can allow both types of connections to your web server by using the following commands.
Note: If you only want to allow one and not the other, remove the port number for the protocol you do not want to allow from both commands.
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
IPTables allows you to block specific ports, such as the default SMTP port (25). For example, you may not want to allow outgoing mail on your server. To stop this using IPTables, you can issue the following command:
iptables -A OUTPUT -p tcp --dport 25 -j REJECT
This will configure IPTables to reject all outgoing traffic on port 25. If you'd like to reject traffic on a different port, you can replace "25" with the port number in question.
You can allow your server to respond to all SMTP connections on port 25 by running the following commands:
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
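The SSH, HTTP/HTTPS and SMTP passages above each append rules one at a time. As an added example that is not part of the Hostwinds tutorial, the shell functions below combine those rules into a single iptables-restore file with a default-deny INPUT policy, so the whole ruleset is loaded atomically rather than built up command by command. The function names build_ruleset, check_ruleset and count_rules, the management network 10.10.10.0/27 and the output file name are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the tutorial: generate one iptables-restore
# file from the per-service rules shown above.
# Usage: build_ruleset <management-cidr> [ssh-port] > rules.v4

build_ruleset() {
    mgmt=${1:?usage: build_ruleset <management-cidr> [ssh-port]}
    ssh_port=${2:-22}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic and replies to connections this host already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the management network ($mgmt). Because the ESTABLISHED
# rule above already covers return traffic, each service rule only needs
# to accept NEW connections.
-A INPUT -p tcp -s $mgmt --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# public web server ports
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# no outgoing mail from this host; REJECT makes local programs fail fast
-A OUTPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j REJECT
COMMIT
EOF
}

# Parse the file without applying it. iptables-restore --test checks
# the syntax only; the function returns 0 (with a note on stderr) when
# iptables-restore is not installed, so it is safe in a build step.
check_ruleset() {
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1"
    else
        echo "iptables-restore not found; skipped syntax check of $1" >&2
    fi
}

# Count the rules appended to a chain in a ruleset file: count_rules FILE CHAIN
count_rules() {
    grep -c "^-A $2 " "$1"
}

# Stand-alone usage: write the file and report its size.
if [ "${1:-}" = "write" ]; then
    build_ruleset "${2:-10.10.10.0/27}" "${3:-22}" > rules.v4
    check_ruleset rules.v4
    echo "INPUT rules: $(count_rules rules.v4 INPUT), OUTPUT rules: $(count_rules rules.v4 OUTPUT)"
fi
```

Apply the file as root with `iptables-restore < rules.v4`, ideally from a console session the first time. To keep it across reboots, place it where the packages from the installation section expect it: /etc/iptables/rules.v4 for iptables-persistent on Ubuntu, or /etc/sysconfig/iptables for iptables-services on CentOS 7 (the `service iptables save` command writes that file from the running ruleset). Because INPUT defaults to DROP, every service you add later needs its own NEW rule; the OUTPUT policy stays ACCEPT, so the outbound SSH rules from the tutorial are not needed here.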
Written by Hostwinds Team / December 13, 2016