Ubuntu has a nice utility known as iptables that eases the process of configuring firewall on the Linux Kernel. Ubuntu 16.04 image provided on Alibaba Cloud ships with iptables and hence it is a good bet for running mission critical applications and websites.
A firewall protects the server from unauthorized access. A tool like iptables simply scans incoming and outgoing traffic from the server. Then, based on the defined set of rules, it decides on whether to allow or block the traffic.
When configured with rules, Linux iptables utility acts as the first line of defence by creating a powerful barrier to defend your server against external intrusion. Only traffic from trusted networks is allowed. Since the firewall administration tool is very versatile, it is a must-have tool for novice and advanced administrators.
In this tutorial, we will show you how to use and configure iptables on your Ubuntu 16.04 server running on Alibaba Cloud in order to secure your Elastic Compute Service (ECS) instance from the outside world.
In order to follow along with this guide, make sure you have:
First, we are going to examine the status of the current iptables rules on the server. To do this, run the command below:
$ sudo iptables -L -n
You should see an output similar to the one below:
Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination
The policy on each chain indicated above is the default behaviour. You can see, it defaults to ACCEPT for all chains(input, forward and output). Also, right now there are no rules defined under each chain and that is why there are no records under the target, prot(protocol), opt(option), source and destination headers. If there were existing rules, they would be listed there under each chain. For your information, a chain is a group of rules.
Basically there are 3 types of traffic on the server that are controlled by iptables inbuilt filter table. These include input, output and forward traffic.
Input traffic: This is the traffic addressed to your server. Input data packets are checked against the rules in this chain.
Output traffic: This means data packets going from your server to another host. If the data packets are destined to the same server, they do so via the loopback interface.
Forward traffic: This is traffic passing through your servers but destined to other hosts. This kind of traffic is never meant for your server. In simple terms, these are data packets that are relayed by your server to their destination. In this case, your server is acting like a router.
By default, iptables policy allows traffic to move in all these 3 directions. This behaviour is undesirable. However before we see how to create rules, let's see the different policies that are used on the firewall filter table.
Accept policy: This behaviour permits data traffic to go through the firewall. This is the default behaviour exhibited by the server even when the firewall is not installed.
Reject policy: A reject policy informs the source that packets have been prohibited by the server by sending a destination-unreachable response.
Drop policy: This policy blocks a packet from passing to the server. However, it does not send any response to the requesting server.
Depending on how you want the traffic to flow on your server, you can use any of the 3 policies defined above to safeguard your server.
Before we start creating rules, let's go over the most common iptables commands and options:
The next step is determining the ports and services that you want to open on your server. If you are running a web server, these ports must be opened:
Additionally, you should enable port 22 to avoid locking yourself from the system because this is the default port used by the SSH service.
You should also consider opening the following ports if you are running an email service on your Ubuntu 16.04 server:
Before we start creating the new rules based on the service that we want to run on the server, we need to flush all existing rules using the commands below:
$ sudo iptables -F $ sudo iptables -X $ sudo iptables -Z
-F option flushes rules from all chains while the
-X deletes all user-defined chains. The
-Z option is used here to reset packet and byte counters in each chain.
Next, we can start creating our rules. The basic syntax for common rules is shown below;
$ sudo iptables -A INPUT -p [PROTOCOL] --dport [PORT NUMBER] -j [TARGET POLICY]
This syntax tells the utility to append(-A) a new rule for the defined protocol. The rule should match the port defined using the --dport option and it should be treated with the policy specified by the -j option(ACCEPT, REJECT OR DROP).
So, to open port 22 or SSH port, run the command below:
$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Likewise, HTTP and HTTPS port should be opened with the below commands:
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT $ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
The following commands can be used to open email ports:
$ sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT $ sudo iptables -A INPUT -p tcp --dport 587 -j ACCEPT $ sudo iptables -A INPUT -p tcp --dport 465 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 110 -j ACCEPT $ sudo iptables -A INPUT -p tcp --dport 995 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 143 -j ACCEPT $ sudo iptables -A INPUT -p tcp --dport 993 -j ACCEPT
We should treat our loopback interface in a special way. Therefore we should allow all traffic on this interface using the commands below::
$ sudo iptables -A INPUT -i lo -j ACCEPT $ sudo iptables -A OUTPUT -o lo -j ACCEPT
We can then set the default policies for packets that don't match any of our rules using the syntax below:
$ sudo iptables -P [CHAIN] [TARGET POLICY]
To drop all incoming traffic, we should run the command below:
$ sudo iptables -P INPUT DROP
Similarly to allow all outgoing traffic, the command below should be used:
$ sudo iptables -P OUTPUT ACCEPT
Also, since we don't want to use our server as a router, we should drop any forward traffic routed to our server:
$ sudo iptables -P FORWARD DROP
You should also run the commands below to allow established and related trafic:
$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
You can confirm if the new rules were accepted by iptables by listing them one more time using the command below:
$ sudo iptables -L -n
You should see an output similar to the one below if the rules were accepted on your server:
Chain INPUT (policy DROP) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
If you have made a mistake or you no longer want an iptables rule to remain applied on your server, you can delete it.
First, you have to list the rules in a numbered style using the command below:
$ sudo iptables -L [CHAIN NAME]--line-numbers
$ sudo iptables -L INPUT --line-numbers
Chain INPUT (policy DROP) num target prot opt source destination 1 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh 2 ACCEPT tcp -- anywhere anywhere tcp dpt:http 3 ACCEPT tcp -- anywhere anywhere tcp dpt:https 4 ACCEPT tcp -- anywhere anywhere tcp dpt:smtp 5 ACCEPT tcp -- anywhere anywhere tcp dpt:submission 6 ACCEPT tcp -- anywhere anywhere tcp dpt:urd 7 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 8 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s 9 ACCEPT tcp -- anywhere anywhere tcp dpt:imap2 10 ACCEPT all -- anywhere anywhere 11 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Determine the rule number and then delete the rule using the syntax below:
$ sudo iptables -D INPUT [RULE NUMBER]
$ sudo iptables -D INPUT 5
To save iptables rules permanently to disk, we must install some packages by running the command below:
$ sudo apt-get update $ sudo apt-get install iptables-persistent netfilter-persistent
Press Y and hit Enter when prompted to confirm the installation.
You can then save the rules, by executing the command below:
$ sudo netfilter-persistent save $ sudo netfilter-persistent reload
netfilter-persistent tool will gracefully save the rules and make them persistent across server reboots.
In this guide, we have showed you the basic syntax of configuring and applying iptables rules on your Ubuntu 16.04 server hosted on Alibaba Cloud. We have taken you through the different chains, options and commands that ship with iptables.
Towards the end of the guide, we have listed commands for executing common filter rules and showed you how to only allow the necessary traffic on your server. You should always consider configuring a form of firewall in your server to secure it from the outside world when running mission critical applications.
Alibaba Clouder - December 21, 2018
Alibaba Clouder - July 15, 2019
Alibaba Clouder - September 21, 2018
Alibaba Clouder - November 30, 2018
francisndungu - May 29, 2019
Alibaba Clouder - June 19, 2019
Easy-to-use high-performance virtual machines with data transfer plan starting from $2.50 a monthLearn More
Identify vulnerabilities and improve security management of Alibaba Cloud WAF and Anti-DDoS and with a fully managed security serviceLearn More
Cloud Firewall is one of the first SaaS firewall deployed on the public cloud.Learn More
A cloud firewall service utilizing big data capabilities to protect against web-based attacksLearn More
More Posts by francisndungu