IPTABLES

Tags: iptables, firewall, ufw, ports


#1 brent (Administrator, 65 posts)

Posted 12 February 2013 - 11:49 PM

Iptables is a firewall installed by default on all official Ubuntu distributions (Ubuntu, Kubuntu, Xubuntu), and on many other distributions as well. When you install Ubuntu, iptables is there, but it allows all traffic by default.
There is a wealth of information available about iptables, but much of it is fairly complex and designed for network admins. This walk-through keeps things simple for setting up a basic server. In this tutorial we will go over how to set up iptables for the first time, and how to add and remove rules as needed.

 

The first part assumes you already have a good, working set of rules and just want to add or remove some. Scroll down to read about setting up your iptables for the first time.

To edit your rules:

sudo nano /etc/iptables.rules


Once you have made the changes you need, apply the rules for them to take effect with:

sudo iptables-apply /etc/iptables.rules


Now verify that the rules are in place:

sudo iptables -L

Setting up IPTABLES for the first time

 

We need to create the iptables.rules file. Here is how to do that:

sudo sh -c "iptables-save > /etc/iptables.rules"


We want iptables to come back up when the server reboots. To do this, edit
/etc/network/interfaces and add the following to the bottom of the file:

pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules


It will look like this:

auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
        address 192.168.2.105
        netmask 255.255.255.0
        network 192.168.2.0
        gateway 192.168.2.1
        broadcast 192.168.2.255
        dns-nameservers 192.168.2.105
        dns-search linux.local
        dns-domain linux-master

pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules

Save and close.

Now we need to modify the iptables.rules file:

sudo nano /etc/iptables.rules

By default your file will look similar to this one:

# Generated by iptables-save v1.4.12 on Sat Feb 16 22:25:15 2013
*filter
:INPUT ACCEPT [98238:127265495]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69623:10561242]
COMMIT
# Completed on Sat Feb 16 22:25:15 2013

You will want to add your rules just above the COMMIT line. Here is an example:

# Generated by iptables-save v1.4.12 on Sat Feb 16 22:25:15 2013
*filter
:INPUT ACCEPT [98238:127265495]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69623:10561242]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Feb 16 22:25:15 2013


Allowing Incoming Traffic on Specific Ports



You could start by blocking traffic, but if you are working over SSH you need to allow SSH before blocking everything else.
To allow incoming traffic on the default SSH port (22), tell iptables to accept all TCP traffic on that port:

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT


Here is a copy of my iptables.rules:

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 9987 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10011 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30033 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4040 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5555 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j DROP
COMMIT

 

 

Once you have added the ports that you need open, make sure that you have the drop line:

-A INPUT -j DROP

This tells iptables that anything outside the ports listed above will be dropped and not allowed.

Save and close.
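As an added example (not part of brent's post), here is a small POSIX shell script that builds a rules file in the layout shown above, with the per-port ACCEPT lines just above COMMIT and the catch-all DROP as the last INPUT rule, and then checks a rules file for the mistakes this layout invites: a missing DROP, an ACCEPT placed after the DROP (which never matches, because iptables stops at the first matching rule), or a missing conntrack rule (without which replies to the server's own outbound connections are dropped). The port list, the tcp:PORT/udp:PORT spec format and the function names are assumptions made for this example; the script never calls iptables itself, so it can be run anywhere before the file is handed to iptables-apply.

```shell
#!/bin/sh
# Added example, not code from the original post: generate an iptables.rules
# file in the layout the tutorial uses and sanity-check it offline, before
# iptables-apply touches the live firewall. Never calls iptables itself.

# gen_rules tcp:22 tcp:80 udp:53 ...   (spec format is an assumption)
# Writes a complete *filter section to stdout: loopback and conntrack accepts
# first, one ACCEPT per requested port, then the catch-all DROP and COMMIT.
gen_rules() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        case "$proto" in
            tcp|udp)
                printf '%s -p %s -m %s --dport %s -j ACCEPT\n' \
                    '-A INPUT' "$proto" "$proto" "$port" ;;
            *)
                echo "gen_rules: bad port spec '$spec' (want tcp:PORT or udp:PORT)" >&2
                return 1 ;;
        esac
    done
    # The DROP must be the last INPUT rule and sit just above COMMIT.
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# check_rules FILE
# Returns 0 when FILE has the shape the tutorial expects, 1 otherwise, with a
# reason on stderr. Checks the *filter header and COMMIT, the loopback and
# conntrack accepts, that the last INPUT rule is the DROP, and that no ACCEPT
# sits after the DROP (iptables stops at the first match, so it would be dead).
check_rules() {
    f=$1
    rc=0
    grep -q '^\*filter' "$f" || { echo "missing *filter header" >&2; rc=1; }
    grep -q '^COMMIT' "$f" || { echo "missing COMMIT line" >&2; rc=1; }
    grep -q '^-A INPUT -i lo -j ACCEPT' "$f" \
        || { echo "loopback traffic is not accepted" >&2; rc=1; }
    grep -q 'RELATED,ESTABLISHED' "$f" \
        || { echo "no conntrack rule: replies to outbound connections will be dropped" >&2; rc=1; }
    last=$(grep '^-A INPUT' "$f" | tail -n 1)
    [ "$last" = '-A INPUT -j DROP' ] \
        || { echo "last INPUT rule is not the DROP (got: '$last')" >&2; rc=1; }
    # Everything from the DROP line to the end of the file is unreachable for
    # INPUT traffic, so any ACCEPT found there is a rule that will never fire.
    if sed -n '/^-A INPUT -j DROP$/,$p' "$f" | grep -q 'ACCEPT$'; then
        echo "ACCEPT rule found after the DROP; it will never match" >&2
        rc=1
    fi
    return "$rc"
}
```

Run `gen_rules tcp:22 tcp:80 udp:53 > /tmp/iptables.rules` and then `check_rules /tmp/iptables.rules`; a non-zero exit with a message on stderr means the file should be fixed before it goes to iptables-apply. iptables-apply will roll the rules back if you cannot confirm connectivity within its timeout, but it cannot tell you that a rule placed after the DROP is dead, which is what the last check is for.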

 

 

Now apply the changes with:

sudo iptables-apply /etc/iptables.rules


Now check your rules to make sure they have taken effect:

sudo iptables -L


If you see your changes have taken effect, reboot the server and check again.
If all is well, you have successfully set up iptables.
For more advanced information please visit

https://help.ubuntu....y/IptablesHowTo






