×
Community Blog How to Configure Iptables on ECS Ubuntu 16.04

How to Configure Iptables on ECS Ubuntu 16.04

In this tutorial, we will show you how to use and configure iptables to secure your Alibaba Cloud ECS Ubuntu 16.04 server.

By Francis Ndungu, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud's incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Ubuntu has a nice utility known as iptables that eases the process of configuring firewall on the Linux Kernel. Ubuntu 16.04 image provided on Alibaba Cloud ships with iptables and hence it is a good bet for running mission critical applications and websites.

A firewall protects the server from unauthorized access. A tool like iptables simply scans incoming and outgoing traffic from the server. Then, based on the defined set of rules, it decides on whether to allow or block the traffic.

When configured with rules, Linux iptables utility acts as the first line of defence by creating a powerful barrier to defend your server against external intrusion. Only traffic from trusted networks is allowed. Since the firewall administration tool is very versatile, it is a must-have tool for novice and advanced administrators.

In this tutorial, we will show you how to use and configure iptables on your Ubuntu 16.04 server running on Alibaba Cloud in order to secure your Elastic Compute Service (ECS) instance from the outside world.

Prerequisites

In order to follow along with this guide, make sure you have:

  1. Created an Alibaba Cloud account. If you are new to Alibaba Cloud, you can sign up now to get free credit to test over 40 cloud products.
  2. Provisioned an ECS instance on Alibaba Cloud running Ubuntu 16.04 as the operating system.
  3. Non-root user login credentials with sudo privileges.

Step 1: Listing the Current iptables Rules

First, we are going to examine the status of the current iptables rules on the server. To do this, run the command below:

$ sudo iptables -L -n

You should see an output similar to the one below:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The policy on each chain indicated above is the default behaviour. You can see, it defaults to ACCEPT for all chains(input, forward and output). Also, right now there are no rules defined under each chain and that is why there are no records under the target, prot(protocol), opt(option), source and destination headers. If there were existing rules, they would be listed there under each chain. For your information, a chain is a group of rules.

iptables Inbuilt Filter Table Chains

Basically there are 3 types of traffic on the server that are controlled by iptables inbuilt filter table. These include input, output and forward traffic.

Input traffic: This is the traffic addressed to your server. Input data packets are checked against the rules in this chain.

Output traffic: This means data packets going from your server to another host. If the data packets are destined to the same server, they do so via the loopback interface.

Forward traffic: This is traffic passing through your servers but destined to other hosts. This kind of traffic is never meant for your server. In simple terms, these are data packets that are relayed by your server to their destination. In this case, your server is acting like a router.

Available iptables Policies

By default, iptables policy allows traffic to move in all these 3 directions. This behaviour is undesirable. However before we see how to create rules, let's see the different policies that are used on the firewall filter table.

Accept policy: This behaviour permits data traffic to go through the firewall. This is the default behaviour exhibited by the server even when the firewall is not installed.

Reject policy: A reject policy informs the source that packets have been prohibited by the server by sending a destination-unreachable response.

Drop policy: This policy blocks a packet from passing to the server. However, it does not send any response to the requesting server.

Depending on how you want the traffic to flow on your server, you can use any of the 3 policies defined above to safeguard your server.

Step 2: Understanding Different Options Used in iptables

Before we start creating rules, let's go over the most common iptables commands and options:

  • -A: Used to add/append a rule to the end of a chain.
  • -D chain [rulenum]: Deletes a matching rule from a chain based on a rule number.
  • -I chain [rulenum]: This inserts a new rule to a chain.
  • -R chain [rulenum]: Replaces a rule in a chain
  • -L [chain [rulenum]]; Lists all rules from a chain or all chains
  • -S [chain [rulenum]]: Prints rules from a chain.
  • -F [chain]: This option deletes all rules in chain or from all chains
  • -Z [chain [rulenum]]: Clears counters in a chain or all chains.
  • -P [chain] [target]: Changes the default policy of a chain
  • -t table: used to specify the table that is being manipulated. Three tables are available: filter, nat and mangle. By default, the filter table is selected and hence there is no need to use this option unless you are creating rules on the different tables.
  • -i: Specifies the interface for incoming and forward packets. For example -i lo signifies the loopback interface.
  • -o: Specifies the interface name that the output and forward rules applies to.
  • -p: This specifies the IP protocol where the rule will be applied. Built in protocols include: tcp, udp, icmp, and all
  • -s: This option specifies the source of the packet e.g. -s 192.168.0.1
  • -d: Specifies the destination of the packet.
  • -j: This option specifies the target policy of a packet matching a rule. The built-in targets can be ACCEPT, REJECT OR DROP.
  • --dport: Use this command to specify the destination port for the packet.
  • -m: This is the match option. It simply exposes TCP, UDP and ICMP headers fields and other features that maintain the current state of connection and list of ports.The filter table match extensions provide access to the fields in the TCP, UDP, and ICMP headers, as well as the match features available in iptables, such as maintaining connection state, port lists, access to the hardware MAC source address, and access to the IP TOS field.

Step 3: Determining Running Services and Ports

The next step is determining the ports and services that you want to open on your server. If you are running a web server, these ports must be opened:

  • HTTP Port 80:
  • HTTPS Port 443:

Additionally, you should enable port 22 to avoid locking yourself from the system because this is the default port used by the SSH service.

You should also consider opening the following ports if you are running an email service on your Ubuntu 16.04 server:

  • Port 25: Unencrypted SMTP server. Outbound traffic for this port is not allowed on Alibaba Cloud but you can open inbound traffic in order to get emails to your server.
  • Port 587: Encrypted SMTP service
  • If you are using Alibaba Cloud DirectMail service, open port 465 as well.
  • Port 110 : Unencrypted POP3 service
  • Port 995 : Secure POP3 service
  • Port 143 : Non-secure IMAP service
  • Port 993 : Secure IMAP service

Flushing Existing iptables Rules

Before we start creating the new rules based on the service that we want to run on the server, we need to flush all existing rules using the commands below:

$ sudo iptables -F
$ sudo iptables -X
$ sudo iptables -Z

The -F option flushes rules from all chains while the -X deletes all user-defined chains. The -Z option is used here to reset packet and byte counters in each chain.

Creating New Rule Set for the Chains

Next, we can start creating our rules. The basic syntax for common rules is shown below;

$ sudo iptables -A INPUT -p [PROTOCOL] --dport [PORT NUMBER] -j [TARGET POLICY]

This syntax tells the utility to append(-A) a new rule for the defined protocol. The rule should match the port defined using the --dport option and it should be treated with the policy specified by the -j option(ACCEPT, REJECT OR DROP).

So, to open port 22 or SSH port, run the command below:

$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Likewise, HTTP and HTTPS port should be opened with the below commands:

$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

The following commands can be used to open email ports:

SMTP Server:

$ sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 587 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 465 -j ACCEPT

POP3 Server:

$ sudo iptables -A INPUT -p tcp --dport 110 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 995 -j ACCEPT

IMAP Server:

$ sudo iptables -A INPUT -p tcp --dport 143 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 993 -j ACCEPT

We should treat our loopback interface in a special way. Therefore we should allow all traffic on this interface using the commands below::

$ sudo iptables -A INPUT -i lo -j ACCEPT 
$ sudo iptables -A OUTPUT -o lo -j ACCEPT

We can then set the default policies for packets that don't match any of our rules using the syntax below:

$ sudo iptables -P [CHAIN] [TARGET POLICY]

To drop all incoming traffic, we should run the command below:

$ sudo iptables -P INPUT DROP

Similarly to allow all outgoing traffic, the command below should be used:

$ sudo iptables -P OUTPUT ACCEPT

Also, since we don't want to use our server as a router, we should drop any forward traffic routed to our server:

$ sudo iptables -P FORWARD DROP

You should also run the commands below to allow established and related trafic:

$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

You can confirm if the new rules were accepted by iptables by listing them one more time using the command below:

$ sudo iptables -L -n

You should see an output similar to the one below if the rules were accepted on your server:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Step 4: Deleting iptables Rules

If you have made a mistake or you no longer want an iptables rule to remain applied on your server, you can delete it.

First, you have to list the rules in a numbered style using the command below:

$ sudo iptables -L [CHAIN NAME]--line-numbers

Example:

$ sudo iptables -L INPUT --line-numbers

Sample Output:

Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
8    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
9    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
10   ACCEPT     all  --  anywhere             anywhere
11   ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Determine the rule number and then delete the rule using the syntax below:

$ sudo iptables -D INPUT [RULE NUMBER]

Example:

$ sudo iptables -D INPUT 5

Step 5: Saving and Testing the New iptables Rules

To save iptables rules permanently to disk, we must install some packages by running the command below:

$ sudo apt-get update
$ sudo apt-get install iptables-persistent netfilter-persistent

Press Y and hit Enter when prompted to confirm the installation.

You can then save the rules, by executing the command below:

$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload

The netfilter-persistent tool will gracefully save the rules and make them persistent across server reboots.

Conclusion

In this guide, we have showed you the basic syntax of configuring and applying iptables rules on your Ubuntu 16.04 server hosted on Alibaba Cloud. We have taken you through the different chains, options and commands that ship with iptables.

Towards the end of the guide, we have listed commands for executing common filter rules and showed you how to only allow the necessary traffic on your server. You should always consider configuring a form of firewall in your server to secure it from the outside world when running mission critical applications.

1 0 0
Share on

francisndungu

25 posts | 2 followers

You may also like

Comments

5891459631076801 June 28, 2019 at 6:46 am

There seems to be an 'allow all' rule in the INPUT policy?

francisndungu

25 posts | 2 followers

Related Products