Abstract: This article describes how to add iptables firewall rules using the “iptables -A” command.

This document is shared by Tiamo_T from Linux IPTables: How to Add Firewall Rules (Using The Example of Allowed SSH).


-A is for append. If it helps you to remember “-A” as “add rule” (rather than “append rule”), that is fine. Just remember that “-A” adds the rule at the end of the chain.

It is important to keep in mind that -A appends the rule at the end. Usually the last rule is the one that drops all packets. If you already have a rule that drops all packets and you create a new rule with “-A” on the command line, the new rule ends up after the current “drop all packets” rule, which makes it practically useless.

Once you are comfortable with iptables and deploy it in production, put all your rules in a shell script that adds them with the -A command. The last line of that script should always be the “drop all packets” rule. When you need a new rule, edit the script and insert the new rule above the “drop all packets” rule.

Syntax:

iptables -A chain firewall-rule
  • -A chain – Specifies the chain to which the rule should be appended. For example, use the INPUT chain for incoming packets and OUTPUT for outgoing packets.

  • firewall-rule – The various parameters that make up the firewall rule.

If you don’t know what chains mean, it’s a good idea to read iptables basics first.

Firewall Rule Parameters

The following parameters are available for all types of firewall rules.

-p indicates the protocol

  • Indicates the protocol of the rule.

  • The possible values are tcp, udp, and icmp.

  • Use “all” to match all protocols. When you do not specify -p, all protocols are matched by default. Using “all” is not good practice; always specify the protocol.

  • Use a name (for example, tcp) or a number (for example, 6 for tcp) as the protocol.

  • The /etc/protocols file contains all allowed protocol names and numbers.

  • You can also use --protocol

-s is the source

  • Indicates the source of the packet.

  • This can be an IP address, a network address, or a host name.

  • For example, -s 192.168.1.101 indicates an IP address.

  • For netmasks, use /mask. For example, -s 192.168.1.0/24 indicates that the network mask is 255.255.255.0. This matches the 192.168.1.x network.

  • When you do not specify a source, all sources are matched.

  • You can also use --src or --source

-d is the destination

  • Indicates the destination of the packet.

  • This is the same as “-s” (except that it represents the destination host, IP address, or network).

  • You can also use --dst or --destination

-j is the target

  • j stands for jump to target.

  • This specifies what should happen to packets that match this firewall rule.

  • The possible values are ACCEPT, DROP, QUEUE, or RETURN.

  • You can also specify a user-defined chain as the target value.

-i indicates the input interface

  • i stands for input interface.

  • You might be tempted to assume that “-i” simply means interface. Note that both -i and -o refer to interfaces: -i is the input interface and -o is the output interface.

  • Indicates the interface through which incoming packets arrive, on the INPUT, FORWARD, and PREROUTING chains.

  • For example, -i eth0 indicates that the rule considers packets that came in through eth0.

  • If you do not specify the -i option, all available interfaces on the system are considered for incoming packets.

  • You can also use --in-interface

-o indicates the output interface

  • o stands for output interface.

  • Indicates the interface for sending outgoing packets through the INPUT, FORWARD, and PREROUTING chains.

  • If you do not specify the -o option, all available interfaces on the system are considered for outgoing packets.

  • You can also use --out-interface

Additional options for firewall parameters

Some of the firewall parameters above have their own options that can be passed along with them. Here are some of the most common ones.

To use one of these options, you must specify the corresponding parameter in the firewall rule. For example, to use the “--sport” option, you must specify the “-p tcp” (or “-p udp”) parameter in the rule.

Note: All of these options are preceded by two dashes. For example, sport is written as --sport.

--sport indicates the source port (for -p tcp or -p udp)

  • By default, all source ports are matched.

  • You can specify a port number or a port name. For example, to use the SSH port in a firewall rule, use --sport 22 or --sport ssh.

  • The /etc/services file contains all the allowed port names and numbers.

  • It is better to use port numbers in rules than port names (for performance).

  • To match a port range, use a colon. For example, 22:100 matches port numbers from 22 to 100.

  • You can also use --source-port

--dport indicates the destination port (for -p tcp or -p udp)

  • Everything is the same as --sport, except that this is for the destination port.

  • You can also use --destination-port

--tcp-flags indicates the TCP flags (for -p tcp)

  • This can contain multiple values separated by commas.

  • Possible values are SYN, ACK, FIN, RST, URG, and PSH. You can also use ALL or NONE.

--icmp-type indicates the ICMP type (for -p icmp)

  • When you use -p icmp, you can also specify the ICMP type with --icmp-type.

  • For example, --icmp-type 0 is used for Echo Reply and --icmp-type 8 is used for Echo.

Sample firewall rules that allow incoming SSH connections

Now that you know the various parameters of a firewall rule (and its options), let’s build a sample firewall rule.

In this example, let’s only allow incoming SSH connections to the server. All other connections will be blocked (including ping).

Warning: Firewall rules can make your system inaccessible. If you do not know what you are doing, you can lock yourself (and everyone else) out of the system. Therefore, do all of your learning on a test system that nobody else is using, where you have console access to reset iptables if you lock yourself out.

1. Delete existing rules

If you already have some iptables rules, back them up before deleting the existing rules.

Remove all existing rules so that the firewall accepts everything. Use the iptables flush procedure discussed earlier to clear all existing rules and start from scratch.

Test to ensure that you can SSH and ping this server from outside.

After completing this example, you will only be able to connect to this server through SSH. You will not be able to ping this server externally.

2. Only SSH is allowed

Only incoming SSH connections to this server are allowed. You can connect to this server via SSH from anywhere.

iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

The iptables command above has the following four components.

  • “-A INPUT” – Appends (adds) a new rule to the INPUT chain, so this rule applies to incoming traffic.

  • “-i eth0” – Incoming packets arriving through interface eth0 are checked against this rule.

  • “-p tcp --dport 22” – This rule applies to TCP packets. The TCP option “--dport 22” indicates that port 22 (SSH) is the destination port on the server for this rule.

  • “-j ACCEPT” – Jumps to the ACCEPT target, which simply accepts the packet.

In a nutshell, the above rule can be expressed as: All incoming packets through eth0 for SSH are accepted.

3. Discard all other data packets

Once you specify a custom rule to accept packets, you should also have a default rule to discard any other packets.

This should be your last rule in the INPUT chain.

To discard all incoming packets, do the following.

iptables -A INPUT -j DROP

4. View SSH rules and tests

To view the current iptables firewall rules, run the “iptables -L” command.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere

As you can see from the output above, the INPUT chain now has the following two rules, in order.

  • Accept all incoming SSH connections

  • Discard all other packets.

Instead of adding firewall rules from the command line, create a shell script that contains the rules, as shown below.

# vi iptables.sh
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP

# sh -x iptables.sh
+ iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+ iptables -A INPUT -j DROP

# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       all  --  anywhere             anywhere
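The steps above (flush, allow SSH, drop everything else, verify) as one script, with a check that enforces the ordering rule from the start of the article: nothing may follow the catch-all DROP. This is an added example, not code from the original article; it assumes root on a Linux host with iptables installed, and the interface and port (eth0, 22) are the article's.

```shell
#!/bin/sh
# Added example (not from the original article): the article's SSH-only
# INPUT chain as a script, with the catch-all DROP kept last.
# Assumes root on a Linux host with iptables; IFACE and SSH_PORT default to
# the article's eth0 and 22. Set IPT=echo to print the commands instead of
# running them (dry run).
set -eu
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"
SSH_PORT="${SSH_PORT:-22}"

# The rules, in the order they are appended. Add new rules ABOVE the DROP
# line: -A appends, so anything placed after it can never match.
rules() {
  printf '%s\n' \
    "-A INPUT -i $IFACE -p tcp --dport $SSH_PORT -j ACCEPT" \
    "-A INPUT -j DROP"
}

# Guard against the mistake the article warns about: exit non-zero if any
# rule follows the catch-all DROP.
check_drop_last() {
  rules | awk '
    seen_drop { print "rule after DROP: " $0 > "/dev/stderr"; bad = 1 }
    /-j DROP$/ { seen_drop = 1 }
    END { exit bad }'
}

# Flush INPUT, append the rules in order, then list the result.
apply_rules() {
  check_drop_last
  "$IPT" -F INPUT
  rules | while read -r rule; do
    # word splitting of $rule is intended: each word is one argument
    # shellcheck disable=SC2086
    "$IPT" $rule
  done
  "$IPT" -L INPUT -n --line-numbers
}

case "${1:-}" in
  check) check_drop_last ;;
  apply) apply_rules ;;
esac
```

Saved as, say, ssh-only.sh, it is run as `sh ssh-only.sh apply`, or `IPT=echo sh ssh-only.sh apply` to see the commands without touching the firewall.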

Besides the iptables append (-A) command, a few other rule-manipulation commands are available in iptables.
