Secure Linux the easy way with iptables

Written by Ian on 20/08/08


Did you know most linux machines are wide open by default after installation? Well it has to be said that a 'wide open' Linux box is probably about as secure as a windows machine with the microsoft firewall.

But why define ourselves in terms of Microsoft solutions? Actually we can do a lot better and, with little effort, create an almost impregnable machine!!

This article explains how.
• If you want to skip the intro and just get up and running, scroll straight down to A SIMPLE BUT SECURE FIREWALL.

BACKGROUND

Your Linux machine typically receives IP traffic on an ethernet interface named eth0. You can find out which one by typing

ifconfig

Or you could type the following to see if you have any wireless devices:

iwconfig

Normally, when these devices receive a valid network packet they will inform the main CPU, which launches a software routine to handle them. Packets are, in the first instance, classified by protocol, of which IP (Internet Protocol) is just one. Since this forms the majority of internet traffic, this is what we will consider here.

IP packets carry various items of information such as source and destination address and port. There are up to 65535 different ports, each identifying a particular type of service. For example the wildly popular HTTP traffic - webpages - normally uses port 80. However many programs, including web browsers and servers, can be configured to use ports that differ from their natural choices.

To find out more about which ports are used, refer to the file /etc/services, which contains a list identifying the protocol abbreviation, port number and traffic type (generally either UDP or TCP).

So packets are sorted by protocol and port, and the Linux kernel uses this information to decide which program should receive the incoming packets. Outgoing packets, originating from various programs, are pushed into the kernel as well, which decides which interface to output them on (based on its internal routing tables).

FIREWALL

What a firewall does is come between the outside world and those programs that the kernel might call. In fact, if set up properly, it should allow only the expected traffic to go to the expected programs - it should not allow anything unexpected.

A 'wide open' system with no firewall can receive any type of packet, and the kernel will go about looking for a recipient for these packets - whether they are genuine or not.

So a firewall can be set up to block unexpected traffic. Or, more commonly, to block everything except known wanted traffic!

It can also block traffic from specific IP addresses or ranges (or block everything except traffic from known addresses or ranges). But beware that the IP address can be 'spoofed' by senders - i.e. they create packets which deliberately pretend to originate from somewhere else.

Firewalls can be set to act on different interfaces in different ways: if you have two ethernet ports, or eth0 plus wireless, you can handle each differently.

You can see an example of that in my own system setup years ago as a combination gateway and webserver at the bottom of this page:

http://www.lintech.org/linux_hints_tips/ADSL/index.html

However, don't read that - it's too complicated!! I promised a SIMPLE solution, and here it is!

A SIMPLE BUT SECURE FIREWALL

First of all, make sure you have iptables installed:

sudo iptables -L

This should list all the rules... actually it will tell you about three chains, INPUT, FORWARD and OUTPUT and there will probably be no rules for each.

If this command exits with "command not found" then you need to install the software first (and look elsewhere for details on that!).

Before we start, we should also delete (or flush) any existing rules:

sudo iptables -F

Next, we will build a step-by-step firewall configuration at the command line. Then you will save this, and finally set up your system to load it automatically at boot time.

1. First things first. Allow the loopback interface (used internally by your Linux system for many things) to operate normally:

sudo iptables -A INPUT -i lo -j ACCEPT

This says "any inputs on the interface called lo or loopback, we should just accept them".

2. Next, any program within the system that initiates a contact with the outside world should be allowed to receive the replies (i.e. this firewall is one-way: it blocks unsolicited connections from outside only). An already started contact is called established or related:

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

3. Apart from these rules, everything else will be blocked (later). So we need to specifically unblock what we need (if anything). On my systems, I often install a webserver (this is where I create webpages - if you are just surfing the net, you don't need this):

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

I also tend to enable secure login and secure copying of files using SSH (secure shell):

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

And I also allow people to ftp into some of my machines (FTP uses TCP port 21 for the control connection and TCP port 20 for active-mode data transfers):

sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 20 -j ACCEPT

4. I like to log the things that I drop:

sudo iptables -A INPUT -m limit --limit 1/second -j LOG --log-prefix "iptables dropped: " --log-level 7

This will log, to the syslog, any packets reaching this point in the INPUT chain (i.e. those about to be dropped by the next rule), and will prefix each log entry with "iptables dropped: ". The limit match means I will log at most one per second (which could still result in a big logfile in a few years' time...).

5. Finally we drop everything else, apart from those we have specified above that we want, automatically:

sudo iptables -A INPUT -j DROP

6. The next step is to automate everything. Because we entered it all by hand, it's stored in the running kernel only. We will extract it in a format that will allow it to be read in later:

sudo sh -c "iptables-save > /etc/iptables.rules"

Then we edit (as sudo) /etc/network/interfaces. Somewhere in there will be the lines that specify what happens when your network interfaces get turned on or off. Just find, from the top, the name of your main interface (the one you want the firewall to help block), and insert the following after the "iface eth0 inet dhcp" or "iface eth0 inet static" line:

pre-up iptables-restore < /etc/iptables.rules

post-down iptables-save -c > /etc/iptables.rules

Finally, you are all done!!
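The six steps above, pulled together as one added example (this is my script, not the article's own commands): it writes the same INPUT chain as a file in iptables-save format, sanity-checks that file, and only then hands it to iptables-restore. The function names build_ruleset, check_ruleset and install_ruleset and the port list are my own choices; /etc/iptables.rules is the path the article uses. Only install_ruleset touches the kernel and needs root; the other two run anywhere.

```shell
#!/bin/sh
# Added example: generate, check and load the article's simple firewall.
# Function names and the port-validation are assumptions of this example.

# build_ruleset PORT... : print (to stdout) a ruleset that accepts loopback,
# replies to connections this host started, and the listed TCP ports; logs
# (rate limited) whatever is left; then drops it.
build_ruleset() {
    for port in "$@"; do
        case "$port" in
            '' | *[!0-9]*)
                echo "build_ruleset: '$port' is not a numeric port" >&2
                return 1 ;;
        esac
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # step 1: the loopback interface is always allowed
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # step 2: traffic belonging to connections we initiated
    printf '%s\n' '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # step 3: the services we deliberately expose
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    # step 4: log what is about to be dropped, at most one entry per second
    printf '%s\n' '-A INPUT -m limit --limit 1/second -j LOG --log-prefix "iptables dropped: " --log-level 7'
    # step 5: drop everything else
    printf '%s\n' '-A INPUT -j DROP'
    printf '%s\n' 'COMMIT'
}

# check_ruleset FILE : refuse a file that would lock out loopback, break
# established connections, or (the common mistake) not end the INPUT chain
# with the catch-all DROP. Returns 0 only if all checks pass.
check_ruleset() {
    f="$1"
    grep -q '^\*filter$' "$f" \
        || { echo "check_ruleset: no *filter table" >&2; return 1; }
    grep -q '^COMMIT$' "$f" \
        || { echo "check_ruleset: missing COMMIT" >&2; return 1; }
    grep -q '^-A INPUT -i lo -j ACCEPT$' "$f" \
        || { echo "check_ruleset: loopback not accepted" >&2; return 1; }
    grep -q '^-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT$' "$f" \
        || { echo "check_ruleset: ESTABLISHED,RELATED not accepted" >&2; return 1; }
    last=$(grep '^-A INPUT' "$f" | tail -n 1)
    [ "$last" = "-A INPUT -j DROP" ] \
        || { echo "check_ruleset: INPUT chain does not end in DROP" >&2; return 1; }
    return 0
}

# install_ruleset FILE PORT... : write, check, then load (run as root).
# Example: install_ruleset /etc/iptables.rules 22 80
install_ruleset() {
    f="$1"; shift
    build_ruleset "$@" > "$f" || return 1
    check_ruleset "$f" || return 1
    iptables-restore < "$f"
}
```

Because the checks run before iptables-restore, a typo in the generated file fails safe: the old rules stay in place rather than a half-loaded chain. The step-6 pre-up line in /etc/network/interfaces can keep restoring the same file.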
Reboot the system and do the following to just check it all worked:

sudo iptables -L -v

It should list out all the firewall chains you have.

FINALLY

iptables is really great. Actually it is a lot more powerful than my introduction here would suggest - you can do a lot with this to secure your system and we've barely touched the surface.

For more information, try looking here:

http://www.linuxjournal.com/article/7180

http://iptables-tutorial.frozentux.net/iptables-tutorial.html

https://help.ubuntu.com/community/IptablesHowTo

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies