Learn configuration of iptables policies in Linux. Know how to add, delete, save Linux native firewall rules in iptables.
In our last article about of iptables, we have seen basics of iptables, iptables chains and chain policy strategy. In this article we will walk through how to define iptables policies.
Defining iptables policies means allowing or blocking connections based on their direction of travel (incoming, outgoing or forward), IP address, range of IP addresses and ports. Rules are scanned in order for all connections until iptables gets a match. Hence you need to decide and accordingly define rule numerically so that its gets match first or later than other rules.
In newer version like RHEL7, firewall is still powered by iptables only management part is being handled by new daemon called firewalld.
iptables is the command you need to use to define policies. With below switches –
- -A : To append rule in existing chain
- -s : Source
- -p : Protocol
- –dport : service port
- -j : action to be taken
Lets start with examples with commands.
Block/Allow single IP address
To block or allow single IP address follow below command where we are adding rule (-A) to input chain (INPUT) for blocking (-j REJECT).
1 2 3 4 5 6 7 8 9 10 | # iptables -A INPUT -s 172.31.1.122 -j REJECT # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination REJECT all -- ip-172-31-1-122 anywhere reject-with icmp-port-unreachable ----- output clipped ----- |
In above command we are blocking incoming connections from IP 172.31.1.122. If you see output of rules listing, you can see our rule is defined properly in iptables. Sine we havnt mentioned protocol, all protocols are rejected in rule.
Here chain can be any of the three : input (incoming connection), output (outgoing connection) or forward (forwarding connection). Also, action can be accept, reject or drop.
Block/Allow single IP address range
Same as single IP address, whole address range can be defined in rule too. Above command can be used only instead of IP address you need to define range there.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | # iptables -A INPUT -s 172.31.1.122/22 -j REJECT # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination REJECT all -- 172.31.0.0/22 anywhere reject-with icmp-port-unreachable # iptables -A INPUT -s 172.31.1.122/255.255.254.0 -j REJECT # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination REJECT all -- 172.31.0.0/22 anywhere reject-with icmp-port-unreachable REJECT all -- 172.31.0.0/23 anywhere reject-with icmp-port-unreachable |
I have shown two different notation types to define IP address range/subnet. But if you observe while displaying rules iptables shows you in /X notation only.
Again action and chain can be any of the three of their types as explained in previous part.
Block/Allow specific port
Now, if you want to allow/block specific port then you need to specify protocol and port as shown below :
1 2 3 4 5 6 7 8 | # iptables -A INPUT -p tcp --dport telnet -s 172.31.1.122 -j DROP # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 172.31.1.122 anywhere tcp dpt:telnet |
Here in this example we blocked telnet port using tcp protocol from specified source ip. You can choose chain and action of your choice depending on which rule you want to configure.
Saving iptables policies
All the configuration done above is not permanent and will be washed away when iptable services restarted or server reboots. To make all these configured rules permanent you need to write these rules. This can be done by supplying save argument to iptables service (not command!)
1 2 3 4 | # /sbin/service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ] |
If you open up /etc/sysconfig/iptables file you will see all your rules saved there.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | # cat /etc/sysconfig/iptables # Generated by iptables-save v1.4.7 on Tue Jun 13 01:06:01 2017 *filter :INPUT ACCEPT [32:2576] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [48:6358] -A INPUT -s 172.31.1.122/32 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 172.31.0.0/22 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 172.31.0.0/23 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 172.31.1.122/32 -p tcp -m tcp --dport 23 -j DROP COMMIT # Completed on Tue Jun 13 01:06:01 2017 |
Deleting rule in iptables
We have seen how to add rule, now here learn how to delete existing rule. You can use same commands used above only change is to add -D switch instead of -A!
1 2 3 | # iptables -D INPUT -s 172.31.1.122 -j REJECT |
Above command will remove the very first rule we added in iptables in this post.
Also, if you havnt saved your iptables you can flush all currently configured rules by using -F.
1 2 3 | # iptables -F |
Share Your Comments & Feedback: