1. Introduction
In this post, I will show you how to install minikube on Ubuntu 18.04. First, let’s start with an introduction before diving into the installation steps.
2. What is iptables/netfilter?
netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack.
iptables is the userspace command line program used to configure the Linux 2.4.x and later packet filtering ruleset. It is targeted towards system administrators.
The iptables package also includes ip6tables. ip6tables is used for configuring the IPv6 packet filte
3. Audience
This article is intended for people who want to secure their environment and control network traffic using the iptables tool.
4. What can I do with netfilter/iptables?
- build internet firewalls based on stateless and stateful packet filtering
- deploy highly available stateless and stateful firewall clusters
- use NAT and masquerading for sharing internet access if you don’t have enough public IP addresses
- use NAT to implement transparent proxies
- aid the tc and iproute2 systems used to build sophisticated QoS and policy routers
- do further packet manipulation (mangling) like altering the TOS/DSCP/ECN bits of the IP header
5. Prerequisites
- An SSH key pair on your local Linux/Mac OS/BSD machine.
- Knowledge of the Linux environment.
6. Basic iptables Parameters and Syntax
Before we begin creating rules, let’s review the syntax of an iptables rule.
For example:

    iptables -I INPUT -s 198.192.100.0 -j DROP

This command adds a rule to the beginning of the chain that will drop all packets from the address 198.192.100.0.
The sample command above:
- Calls the iptables program.
- Uses the -I option for insertion. Using a rule with the insertion option will add it to the beginning of a chain and will be applied first. To indicate a specific placement in the chain, you may also use a number with the -I option.
- The -s parameter, along with the IP address (198.192.100.0), indicates the source.
- The -j parameter stands for jump. It specifies the target of the rule and what action will be performed if the packet is a match.
| Parameter | Description |
| --- | --- |
| -p, --protocol | The protocol, such as TCP, UDP, etc. |
| -s, --source | Can be an address, network name, hostname, etc. |
| -d, --destination | An address, hostname, network name, etc. |
| -j, --jump | Specifies the target of the rule; i.e. what to do if the packet matches. |
7. Installing Iptables
Iptables is pre-installed in most Linux distributions. However, if your Ubuntu/Debian system does not have it by default, follow the steps below:
- Connect to your server via SSH.
- Execute the following commands one by one:

    sudo apt-get update
    sudo apt-get install iptables

- Check the status of your current iptables configuration by running:

    sudo iptables -L -v

The -L option is used to list all the rules, and -v shows the information in a more detailed format.
8. Defining Chain Rules
Defining a rule means appending it to the chain. To do this, you need to insert the -A option (Append) right after the iptables command, like so:

    sudo iptables -A

It will alert iptables that you are adding new rules to a chain. Then, you can combine the command with other options, such as:
- -i (interface) — the network interface whose traffic you want to filter, such as eth0, lo, ppp0, etc.
- -p (protocol) — the network protocol where your filtering process takes place. It can be either tcp, udp, udplite, icmp, sctp, icmpv6, and so on. Alternatively, you can type all to choose every protocol.
- -s (source) — the address from which traffic comes. You can add a hostname or IP address.
- --dport (destination port) — the destination port number of a protocol, such as 22 (SSH), 443 (https), etc.
- -j (target) — the target name (ACCEPT, DROP, RETURN). You need to insert this every time you make a new rule.
If you want to use all of them, you must write the command in this order:

    sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp)> -s <source> --dport <port> -j <target>

Enabling Traffic on Localhost
To allow traffic on localhost, type this command:

    sudo iptables -A INPUT -i lo -j ACCEPT

Enabling Connections on HTTP, SSH, and SSL Port
Next, we want http (port 80), https (port 443), and ssh (port 22) connections to work as usual. To do this, we need to specify the protocol (-p) and the corresponding port (--dport). You can execute these commands one by one:

    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

It’s time to check if the rules have been appended in iptables:

    sudo iptables -L -v

Filtering Packets Based on Source
Iptables allows you to filter packets based on an IP address or a range of IP addresses. You need to specify it after the -s option. For example, to accept packets from 192.168.1.3, the command would be:

    sudo iptables -A INPUT -s 192.168.1.3 -j ACCEPT

You can also reject packets from a specific IP address by replacing the ACCEPT target with DROP.

    sudo iptables -A INPUT -s 192.168.1.3 -j DROP

If you want to drop packets from a range of IP addresses, you have to use the -m option and the iprange module. Then, specify the IP address range with --src-range. Remember, a hyphen should separate the range of IP addresses without spaces, like this:

    sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP

Dropping all Other Traffic
It is crucial to use the DROP target for all other traffic after defining the --dport rules. This will prevent an unauthorized connection from accessing the server via other open ports. To achieve this, simply type:

    sudo iptables -A INPUT -j DROP

Now, connections to any port other than the specified ones will be dropped.
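iptables walks a chain from the top and the first rule with a matching ACCEPT or DROP target decides the packet, so the order in which the commands above were appended matters. The following added example (not part of the original article) is a small Python model, covering only -i, -p, -s, --dport and -j, that replays the article's commands; the function names and the packet dictionaries are assumptions made for the illustration.

```python
import ipaddress
import shlex
# Constructed input: the article's INPUT-chain commands, in the order it runs them.
ARTICLE_COMMANDS = """
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -s 192.168.1.3 -j DROP
sudo iptables -A INPUT -j DROP
"""
SUPPORTED = {"-i", "-p", "-s", "--dport", "-j"}  # the only options this model evaluates

def build_chain(commands, chain="INPUT"):
    """Replay -A (append) and -I (insert, default position 1) into an ordered rule list."""
    rules = []
    for line in commands.strip().splitlines():
        args = shlex.split(line)
        op, name, *rest = args[args.index("iptables") + 1:]  # skip a leading sudo
        if name != chain or op not in ("-A", "-I"):
            continue
        pos = len(rules) if op == "-A" else 0
        if op == "-I" and rest and rest[0].isdigit():
            pos = int(rest.pop(0)) - 1  # explicit rule number given after the chain
        rule = dict(zip(rest[0::2], rest[1::2]))  # each supported option takes one value
        if set(rule) - SUPPORTED:
            raise ValueError(f"unsupported option in: {line}")
        rules.insert(pos, rule)
    return rules

def matches(rule, pkt):
    """A rule matches only if every criterion it specifies matches the packet."""
    net = ipaddress.ip_network(rule.get("-s", "0.0.0.0/0"), strict=False)
    return (rule.get("-i", pkt["iface"]) == pkt["iface"]
            and rule.get("-p", pkt["proto"]) == pkt["proto"]
            and ipaddress.ip_address(pkt["src"]) in net
            and int(rule.get("--dport", pkt["dport"])) == pkt["dport"])

def verdict(rules, pkt, policy="ACCEPT"):
    """Return (rule number, target) of the first match, or (None, chain policy)."""
    for num, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return num, rule["-j"]
    return None, policy

if __name__ == "__main__":
    ssh = {"iface": "eth0", "proto": "tcp", "src": "192.168.1.3", "dport": 22}
    print(verdict(build_chain(ARTICLE_COMMANDS), ssh))  # appended DROP is shadowed
    fixed = ARTICLE_COMMANDS + "sudo iptables -I INPUT -s 192.168.1.3 -j DROP\n"
    print(verdict(build_chain(fixed), ssh))  # inserted DROP is evaluated first
```

With the rules appended in the article's order, an SSH packet from 192.168.1.3 is accepted by the port 22 rule before the source DROP is reached; inserting that DROP with -I, as in section 6, places it ahead of the port rules.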
Deleting Rules
If you want to remove all rules and start with a clean slate, you can use the -F option (flush):

    sudo iptables -F

This command erases all current rules. However, to delete a specific rule, you must use the -D option. First, you need to see all the available rules by entering the following command:

    sudo iptables -L --line-numbers

You will get a list of rules with numbers:

    Chain INPUT (policy ACCEPT)
    num  target     prot opt source               destination
    1    ACCEPT     all  --  192.168.0.4          anywhere
    2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
    3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
    4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

To delete a rule, insert the corresponding chain and the number from the list. Let’s say for this iptables tutorial, we want to get rid of rule number three of the INPUT chain. The command should be:

    sudo iptables -D INPUT 3

9. Persisting Changes
The iptables rules that we have created are saved in memory. That means we have to redefine them on reboot. To make these changes persistent after restarting the server, you can use this command:

    sudo /sbin/iptables-save

It will save the current rules to the system configuration file, which will be used to reconfigure the tables every time the server reboots.
Note that you should always run this command every time you make changes to the rules. For example, if you want to disable iptables, you need to execute these two lines:

    sudo iptables -F
    sudo /sbin/iptables-save

10. Conclusion
In this post, I have explained how to install and use the iptables tool.
If you have any questions or feedback, feel free to leave a comment.
As always, if you found this post useful, then click like and share it 🙂