How to Use the iptables Firewall on an Ubuntu 16.04 Cloud Server?

10-01-2024 05:49:33

iptables is the user-space tool for configuring the packet-filtering framework (netfilter) built into the Linux kernel, and most Ubuntu images come with it pre-installed. Minimal installations and some container images leave it out; install it, together with iptables-persistent (which saves the rules across reboots), with the following command.

sudo apt-get install iptables iptables-persistent

During installation, the iptables-persistent package asks whether to save the current IPv4 and IPv6 firewall rules. If we intend to build our own ruleset, we can decline at this point and save explicitly later.

Port Testing Tools

We can use the following tools to check whether a port is reachable from outside, which is the practical way to test the effect of an iptables rule.

Client testing tool (Windows environment; the Telnet Client feature is disabled by default on current Windows versions and must be enabled first):

telnet [Server IP] [Port Number]

A blank screen means the TCP connection was accepted. A failure within a second or so means the connection was refused (a REJECT rule, or nothing listening on that port); a long hang before the error means the packets were silently dropped (a DROP rule).

Server testing tool (Linux system), which lists the sockets that services are actually listening on. It shows what is running, not what the firewall allows; compare its output with sudo iptables -L -n -v, whose packet counters show which rules are matching:

sudo netstat -tulpn

netstat comes from the net-tools package, which some minimal images omit; ss -tulpn from iproute2 gives the same listing.
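
The three outcomes described above (accepted, refused, dropped) are easier to tell apart with a small probe than with telnet. The following script is an added example for a Linux or macOS client, not part of the original article; it relies only on bash's /dev/tcp and coreutils timeout, and the host and ports in the usage comment are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: a client-side probe that reports
# the three outcomes a firewall test can produce, which telnet shows only
# indirectly (instant failure vs. a long hang).
#   open      TCP handshake completed: an ACCEPT rule and a listening service
#   closed    connection refused: a REJECT rule, or nothing listening on that port
#   filtered  no answer before the timeout: a DROP rule (or a routing problem)
# Needs bash for /dev/tcp and coreutils 'timeout'; no other tools assumed.

port_state() {
  host="$1"; port="$2"; wait="${3:-3}"
  rc=0
  # Open a TCP connection in a child bash; $0/$1 inside are host/port.
  timeout "$wait" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null || rc=$?
  case "$rc" in
    0)   echo open ;;
    124) echo filtered ;;   # timeout(1) exits 124 when the command ran out of time
    *)   echo closed ;;     # connection refused, unreachable, or no 'timeout' binary
  esac
}

# Probe several ports on one host and print one line per port, e.g.
#   probe_ports 203.0.113.10 22 80 443     (placeholder address)
probe_ports() {
  host="$1"; shift
  for port in "$@"; do
    printf '%s:%s %s\n' "$host" "$port" "$(port_state "$host" "$port")"
  done
}
```

Run it from a machine outside the server before and after adding a rule: a port that goes from open to closed means a REJECT rule (or the service stopped), while open to filtered means a DROP rule is now discarding the packets.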

Syntax Rules of iptables

sudo iptables -A INPUT -p tcp -m tcp --dport 22 -m geoip --src-cc PE -j ACCEPT
  • -A INPUT: Appends the rule to the INPUT chain. The built-in chains of the default filter table are INPUT (packets addressed to this host), OUTPUT (packets leaving this host), and FORWARD (packets routed through this host); PREROUTING and POSTROUTING belong to the nat and mangle tables.
  • -p tcp: Sets the protocol of this rule to TCP. Other supported protocols include udp, icmp, and all.
  • -m tcp: Loads the tcp match module. iptables extends its functionality through match modules; the ones shipped with iptables (tcp, udp, state, conntrack, recent, and so on) are available out of the box, while third-party modules such as geoip are not.
  • --dport 22: Double dashes -- introduce options of the module loaded before them. Here the tcp match is restricted to destination port 22.
  • -m geoip: Loads the geoip match, which matches packets by the country their source or destination address is registered to. It is not part of iptables itself; on Ubuntu it comes from the xtables-addons packages and needs a GeoIP database prepared for it, so this line fails with a "Couldn't load match" error until those are installed.
  • --src-cc PE: Matches packets whose source address is registered to Peru (PE). The country code can be replaced with any other ISO 3166-1 alpha-2 code, and several can be given separated by commas.
  • -j ACCEPT: The target, which tells iptables what to do with packets that match all of the above conditions. ACCEPT, DROP (discard silently), and REJECT (discard and send an error back) are the three common targets. As a whole, this rule allows SSH connections only from Peruvian addresses; everything else falls through to later rules or to the chain's default policy.

Basic Commands of iptables

View current rules (add -n to skip reverse DNS lookups, -v to show per-rule packet and byte counters, and --line-numbers to number the rules for use with -D; -L shows only the filter table, so use -t nat to see NAT rules):

sudo iptables -L

Delete a specific rule (-D indicates delete). The specification must match the existing rule exactly; alternatively, delete by position with -D INPUT followed by the rule number shown by -L --line-numbers:

sudo iptables -D INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Clear (flush) all rules in the filter table. This removes the rules but leaves the chain policies as they are, so if the INPUT policy is DROP, flushing over an SSH session locks you out; set the policies back to ACCEPT first. Other tables are not touched unless you pass -t nat or -t mangle:

sudo iptables -F

Clear only the OUTPUT chain:

sudo iptables -F OUTPUT

Creating iptables Rules

Allow SSH connections on the eth0 interface:

sudo iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

Note: To apply to all network interfaces, delete the -i eth0 instruction.

Allow SSH connections from a specific IP (for example, 10.0.3.1):

sudo iptables -A INPUT -s 10.0.3.1/32 -p tcp -m tcp --dport 22 -j ACCEPT

Set default policies. The policy is what happens to a packet that reaches the end of a chain without matching any rule. Run these only after the ACCEPT rules for SSH and for established connections are in place; if INPUT is set to DROP first, the current SSH session is cut off:

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

Explanation:

  • -P INPUT DROP: Drops every incoming packet that no INPUT rule has accepted, so any service (Apache, SQL, and so on) is unreachable until a rule allows it.
  • -P FORWARD DROP: Drops all packets routed through this host, including traffic to containers or VMs behind it, unless a FORWARD rule allows it.
  • -P OUTPUT ACCEPT: Accepts all outgoing packets.

Accept all loopback traffic (recommended setting):

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

Saving iptables Rules

Use the following commands to save the current rules to /etc/iptables/rules.v4 (and rules.v6 for IPv6) and to load them again; the saved files are restored automatically at boot:

sudo netfilter-persistent save
sudo netfilter-persistent reload

In container environments the netfilter-persistent commands above may fail (commonly because the container lacks the privileges needed to change netfilter state, and no init system runs the restore at start-up). Re-running the package configuration repeats the install-time prompt and writes the current rules to the rules files:

sudo dpkg-reconfigure iptables-persistent

Setting Outgoing Requests

The OUTPUT policy set above is ACCEPT, so the rules in this section only take effect if you tighten the policy to OUTPUT DROP; they show how to allow outgoing traffic selectively in that case.

Allow DNS queries (DNS uses UDP by default and falls back to TCP for large responses and zone transfers, so allow both):

sudo iptables -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

Use the state module to accept packets that belong to connections already allowed (ESTABLISHED) or are related to them, such as ICMP errors and FTP data connections (RELATED). These two rules should sit near the top of their chains, since they match most packets of a normal session; on current kernels -m state is an alias for -m conntrack --ctstate:

sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow new outgoing connections to a given port (for example, HTTP on port 80):

sudo iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

Other common services and ports (note that DHCP and NTP use UDP, not TCP):

Service   Protocol   Port
FTP       TCP        21 (control), 20 (active-mode data)
HTTPS     TCP        443
DHCP      UDP        67 (server), 68 (client)
NTP       UDP        123

More Useful Rules

Allow ping (inbound echo requests and our echo replies; the OUTPUT rule only matters if the OUTPUT policy is DROP):

sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
sudo iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Port forwarding (redirect requests arriving on port 2200 to 10.0.3.21:22, often used to reach a container's SSH). The DNAT rule alone is not enough: the rewritten packets pass through the FORWARD chain, whose policy was set to DROP above, so a matching FORWARD ... -j ACCEPT rule is required for both directions, and IP forwarding must be enabled with net.ipv4.ip_forward=1:

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2200 -j DNAT --to-destination 10.0.3.21:22

Rate-limit SSH logins to slow down brute-force attacks. The recent module keeps a list of source addresses with timestamps: the --set rule records each new connection, and the --update rule drops a new connection when the same source already has four new connections recorded within the last 3600 seconds. --update also refreshes the timestamp on a match, so a source that keeps hammering stays blocked until it goes quiet for an hour. Both commands use -I (insert at the top), so the second one ends up first: the DROP check runs before the record is updated, which is the order this pair needs. Make sure an ACCEPT rule for your own administrative address sits above these two in the chain, or a few mistyped passwords will lock you out as well:

sudo iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
sudo iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 3600 --hitcount 4 -j DROP
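
Applying the rules above one iptables command at a time has an ordering hazard: between -P INPUT DROP and the rule that allows SSH, the session you are typing in is cut off, and the DNAT rule silently does nothing until FORWARD and ip_forward are handled. The following script is an added example, not code from the original article or the iptables project; it assembles the default policies, loopback and state rules, the SSH rate limiter, the port forward with its FORWARD rules, and the ping rule into one iptables-restore file, checks it, and applies it atomically. The interface eth0, the admin host 10.0.3.1, the container 10.0.3.21 and external port 2200 are assumed values taken from the examples on this page; override them through the environment variables at the top.

```bash
#!/usr/bin/env bash
# Added example, not part of the original article or the iptables project.
# It builds the page's rules as one iptables-restore file so the DROP policies
# and the ACCEPT rules land atomically (no SSH lockout window), and it adds the
# FORWARD rules and ip_forward setting the DNAT needs.
# Assumed values (not from the article, override via environment): public
# interface eth0, admin host 10.0.3.1, container 10.0.3.21, external port 2200.
set -eu

IFACE="${IFACE:-eth0}"
ADMIN_IP="${ADMIN_IP:-10.0.3.1}"
CONTAINER_IP="${CONTAINER_IP:-10.0.3.21}"
FWD_PORT="${FWD_PORT:-2200}"

# Print the complete ruleset in iptables-save format; iptables-restore ignores
# lines that start with '#'.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first; many local services talk to themselves over lo
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections we already allowed (conntrack supersedes -m state)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# the admin host bypasses the brute-force limiter below
-A INPUT -s ${ADMIN_IP}/32 -p tcp -m tcp --dport 22 -j ACCEPT
# SSH brute-force limiter: after four new connections from one source within
# 3600 s, further ones are dropped; the DROP check must precede the --set record
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --update --seconds 3600 --hitcount 4 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --name SSH --set
-A INPUT -i ${IFACE} -p tcp -m tcp --dport 22 -j ACCEPT
# inbound ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# DNATed packets traverse FORWARD (policy DROP), so allow them in both directions
-A FORWARD -i ${IFACE} -d ${CONTAINER_IP} -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A FORWARD -s ${CONTAINER_IP} -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# external port ${FWD_PORT} -> container SSH
-A PREROUTING -i ${IFACE} -p tcp -m tcp --dport ${FWD_PORT} -j DNAT --to-destination ${CONTAINER_IP}:22
COMMIT
EOF
}

# Sanity checks before applying: default-deny is set, the rules that keep you
# connected (established traffic, admin host) exist, and the DNAT target has a
# FORWARD rule that lets the rewritten packets through.
check_rules() {
  local rules
  rules="$(gen_rules)"
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
  printf '%s\n' "$rules" | grep -q -- '^-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' || return 1
  printf '%s\n' "$rules" | grep -q -- "^-A INPUT -s ${ADMIN_IP}/32 " || return 1
  printf '%s\n' "$rules" | grep -q -- "^-A FORWARD -i ${IFACE} -d ${CONTAINER_IP} .*-j ACCEPT" || return 1
}

# Dry-run, then apply atomically, then persist (needs root).
apply_rules() {
  check_rules
  gen_rules | iptables-restore --test          # parse and build only, commit nothing
  sysctl -w net.ipv4.ip_forward=1 >/dev/null   # required for the DNAT to reach the container
  gen_rules | iptables-restore
  netfilter-persistent save
}

case "${1:-}" in
  apply) apply_rules ;;
  *)     gen_rules ;;          # default: print the ruleset for review
esac
```

Run it without arguments to review the generated file, and with apply as root to load it. Because iptables-restore replaces the whole filter and nat tables in one step, the DROP policies never exist without the rules that allow your session, which is the property the one-command-at-a-time procedure lacks.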

That concludes the introduction on how to use the iptables firewall in an Ubuntu 16.04 environment. Have you all learned it?