Easy Setup Of Iptables On Your New Linux Server

This is going to be the first of a series of articles about Linux server security and best practices. Every good systems administrator wants their servers to be secure, and I’m sure that you are no exception. I assume that you already know about having a good root password, and that your servers always have the latest security updates installed. Let’s begin with the Linux firewall called ‘iptables’. In CentOS you can see the current iptables config in a readable format by running this command:


[root@ServerSuit ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere    anywhere
ACCEPT     all  --  anywhere    anywhere
ACCEPT     tcp  --  anywhere    anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere    anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source      destination
REJECT     all  --  anywhere    anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source      destination

So, let me explain the basics of what we're looking at here. Every network packet goes through one of the iptables ‘chains’, where it is checked against every rule from the top down; the first rule that matches decides what happens to the packet. All packets sent from other devices and addressed to our server go straight to the “INPUT” chain. Every packet created on our server and sent outside goes through the “OUTPUT” chain rules, and if the server receives a packet addressed to an IP address other than its own, that packet goes to the “FORWARD” chain. In most cases, FORWARD rules only matter if our server is acting as a router. So, the default iptables config does the following:

1. Allow all packets belonging to previously established connections, as permitted by other rules.
2. Allow all incoming ICMP packets (i.e. ping).
3. Allow all traffic to the local loopback interface (127.0.0.1).
4. Allow incoming SSH connections to the server.
5. Restrict all other incoming connections.
6. Restrict all forward connections.
7. Allow all outgoing connections from the server.

In other words, the server itself can open any connection it wants, but from outside you are only able to ping it and connect through SSH! This is how these rules look if you had to write out the commands:


[root@ServerSuit ~]# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
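To make the "top down, first match wins" walk concrete, here is a small simulator written for this article (it is an added example, not part of the original post or of the iptables project). It evaluates one packet against an INPUT chain given in `iptables -S` syntax and reports the verdict. It understands only the subset of options the default rule set uses (-p, -s, -i, --dport, --state, -j); the rule sets, the interface name eth0 and the addresses 203.0.113.5 and 1.1.1.1 are constructed for illustration. It also shows why a port-80 rule appended after the catch-all REJECT never matches, and why a per-host SSH ban has to sit above the SSH ACCEPT rule.

```shell
#!/bin/sh
# Added example: simulate how one packet walks an INPUT chain, first match wins.
# Understands the `iptables -S` subset used in the article: -p, -s, -i, --dport, --state, -j.
# All rule sets and addresses below are constructed for illustration.

# The CentOS default rule set with a port-80 rule wrongly *appended* (-A),
# so it lands after the catch-all REJECT.
RULES_APPENDED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# The same rule set after `iptables -I INPUT 1 ...`: the port-80 rule comes first.
RULES_INSERTED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# And with one source banned from SSH, placed *above* the SSH ACCEPT rule.
RULES_BANNED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 1.1.1.1/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# verdict RULES PROTO DPORT IFACE STATE SRC
# Prints the target of the first matching rule, or the chain policy if none matches.
verdict() {
  printf '%s\n' "$1" | awk -v proto="$2" -v dport="$3" -v iface="$4" \
                           -v state="$5" -v src="$6" '
    /^-P INPUT/ { policy = $3; next }
    /^-A INPUT/ {
      p = ""; d = ""; i = ""; st = ""; s = ""; target = ""
      for (k = 3; k <= NF; k++) {
        if      ($k == "-p")      p = $(k + 1)
        else if ($k == "--dport") d = $(k + 1)
        else if ($k == "-i")      i = $(k + 1)
        else if ($k == "--state") st = $(k + 1)
        else if ($k == "-s")      { s = $(k + 1); sub(/\/32$/, "", s) }
        else if ($k == "-j")      target = $(k + 1)
      }
      # Every criterion the rule specifies must match; unspecified ones match anything.
      if (p  != "" && p  != proto) next
      if (d  != "" && d  != dport) next
      if (i  != "" && i  != iface) next
      if (s  != "" && s  != src)   next
      if (st != "" && index("," st ",", "," state ",") == 0) next
      print target; found = 1; exit
    }
    END { if (!found) print policy }'
}

# Stand-alone demonstration: a new HTTP connection from the internet, then SSH.
printf 'appended port-80 rule: %s\n' "$(verdict "$RULES_APPENDED" tcp 80 eth0 NEW 203.0.113.5)"
printf 'inserted port-80 rule: %s\n' "$(verdict "$RULES_INSERTED" tcp 80 eth0 NEW 203.0.113.5)"
printf 'banned host on SSH:    %s\n' "$(verdict "$RULES_BANNED" tcp 22 eth0 NEW 1.1.1.1)"
printf 'other host on SSH:     %s\n' "$(verdict "$RULES_BANNED" tcp 22 eth0 NEW 203.0.113.5)"
```

The simulator is deliberately naive (no CIDR matching, no multiport, no negation) but the walk it performs is the same one the kernel does: a rule that lists a protocol, port, interface, state or source only matches when all of them agree with the packet, and the first match ends the walk. That is why ordering, not just presence, decides whether a rule has any effect.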

Anyway, that's the basic theory. Let’s look at a few examples! In most cases, you just want your new installation to be reachable remotely. If you have installed Apache, you’ll first need to open the HTTP and HTTPS ports for incoming connections. Here's how we do it:


[root@ServerSuit ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@ServerSuit ~]# iptables -I INPUT 2 -p tcp --dport 443 -j ACCEPT
[root@ServerSuit ~]# iptables-save > /etc/sysconfig/iptables

We inserted 2 rules at the top of the INPUT chain to allow incoming connections to TCP ports 80 and 443. Make sure you save that config, or your changes will only last until the server reboots. Notice: if you add these rules with the -A flag, they’ll be appended after the REJECT rule in the INPUT chain and won't actually work, because the REJECT rule matches first. That’s why we insert them at positions 1 and 2 of the firewall rules. You can change the ‘-p’ and ‘--dport’ options for your application. For example, if you install exim and dovecot servers you’ll need to allow incoming connections to TCP ports 25 and 110. That's one of the more frequently asked questions about iptables from beginning systems administrators. Ok, now let's check this out: you might've looked at /var/log/messages and seen something like this:


Apr 03 18:45:09 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:10 ServerSuit unix_chkpwd[1932]: password check failed for user (root)
Apr 03 18:45:11 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:12 ServerSuit unix_chkpwd[1933]: password check failed for user (root)
Apr 03 18:45:15 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:16 ServerSuit unix_chkpwd[1934]: password check failed for user (root)
Apr 03 18:45:17 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:17 ServerSuit sshd[1928]: Disconnecting: Too many authentication failures for root

It looks like somebody was trying to guess your ‘root’ account password, and their IP address is ‘1.1.1.1’. You can stop this IP address from connecting to your server over SSH:


[root@ServerSuit ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
1    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           tcp dpt:443
3    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
6    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           state NEW tcp dpt:22
7    REJECT     all  --  0.0.0.0/0    0.0.0.0/0           reject-with icmp-host-prohibited

[root@ServerSuit ~]# iptables -I INPUT 6 -s 1.1.1.1 -p tcp --dport 22 -j REJECT
[root@ServerSuit ~]# iptables -nL INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
1    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           tcp dpt:443
3    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
6    REJECT     tcp  --  1.1.1.1      0.0.0.0/0           tcp dpt:22 reject-with icmp-port-unreachable
7    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           state NEW tcp dpt:22
8    REJECT     all  --  0.0.0.0/0    0.0.0.0/0           reject-with icmp-host-prohibited
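The log excerpt above and the ban rule that follows are a manual version of a routine check. The script below, added here as an example and not taken from the article or from ServerSuit, automates the two halves: it counts sshd "Failed password" lines per source address in an auth log, then reads the line-numbered INPUT listing to find the position of the SSH ACCEPT rule, which is where the article inserts the REJECT. The log lines and the rule listing are constructed copies of the ones shown above, with two extra lines (a single failure from 203.0.113.9 and a successful login from 198.51.100.4) to show that those are not counted; the threshold of three failures is an assumption, and the script prints the iptables command rather than running it.

```shell
#!/bin/sh
# Added example: find SSH password-guessing sources in an auth log and work out
# where the blocking rule from the article has to be inserted.
# The log and the rule listing below are constructed to mirror the article.

AUTH_LOG='Apr 03 18:45:09 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:10 ServerSuit unix_chkpwd[1932]: password check failed for user (root)
Apr 03 18:45:11 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:15 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:17 ServerSuit sshd[1927]: Failed password for root from 1.1.1.1 port 52279 ssh2
Apr 03 18:45:17 ServerSuit sshd[1928]: Disconnecting: Too many authentication failures for root
Apr 03 18:46:02 ServerSuit sshd[1940]: Failed password for invalid user admin from 203.0.113.9 port 41022 ssh2
Apr 03 18:47:30 ServerSuit sshd[1951]: Accepted publickey for deploy from 198.51.100.4 port 50112 ssh2'

# failed_password_sources LOG MIN
# Prints "IP COUNT" for every source with at least MIN failed password attempts,
# busiest first. Only sshd "Failed password" lines count, so the unix_chkpwd
# echo lines and successful logins never inflate the numbers.
failed_password_sources() {
  printf '%s\n' "$1" | awk -v min="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (k = 1; k <= NF; k++) if ($k == "from") { n[$(k + 1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# Constructed copy of the `iptables -nL INPUT --line-numbers` output shown in the article.
INPUT_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source       destination
1    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           tcp dpt:80
2    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           tcp dpt:443
3    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0           state RELATED,ESTABLISHED
4    ACCEPT     icmp --  0.0.0.0/0    0.0.0.0/0
5    ACCEPT     all  --  0.0.0.0/0    0.0.0.0/0
6    ACCEPT     tcp  --  0.0.0.0/0    0.0.0.0/0           state NEW tcp dpt:22
7    REJECT     all  --  0.0.0.0/0    0.0.0.0/0           reject-with icmp-host-prohibited'

# ssh_accept_position LISTING
# Prints the line number of the rule that ACCEPTs SSH. Inserting the ban at that
# number puts it just above the ACCEPT, the only place where it takes effect.
ssh_accept_position() {
  printf '%s\n' "$1" | awk '$2 == "ACCEPT" && / tcp dpt:22/ { print $1; exit }'
}

# ban_rule IP POSITION
# Prints (does not run) the iptables command the article uses for one address.
ban_rule() {
  printf 'iptables -I INPUT %s -s %s -p tcp --dport 22 -j REJECT\n' "$2" "$1"
}

# Stand-alone demonstration; three failures as the threshold is an assumption.
POS=$(ssh_accept_position "$INPUT_LISTING")
failed_password_sources "$AUTH_LOG" 3 | while read -r ip count; do
  printf '# %s failed %s times\n' "$ip" "$count"
  ban_rule "$ip" "$POS"
done
```

Printing the command instead of executing it is a deliberate choice: the listing changes every time a rule is inserted, so the position should be recomputed from a fresh `iptables -nL INPUT --line-numbers` immediately before each insert, and the generated rules still need saving with `iptables-save` as shown earlier or they vanish on reboot.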

You may find this useful but extremely time consuming, and I'm running out of time, so I'll have to come back to it in our next article. What I think this illustrates most clearly, though, is how our web-based Linux server manager ServerSuit will actually create all required iptables rules automatically! Nice, right? Try it free for 30 days when you first register! Otherwise, we'll see you in the next one.

April 15 2016
