Iptables is the default admin tool used to manage a firewall for most linux servers, enabling you to allow and disallow traffic to and from certain ports or IP addresses while restricting all others. These are my notes for some basic iptables rules, most recently used to open port 9092 to enable external network access to a Kafka cluster.
Step 1 - Flush existing rules
The first thing to do is to flush any existing rules, so we can start with a clean slate:
$: sudo /sbin/iptables -F
Step 2 - Create your iptables rules
I normally like to keep my iptables rules in a simple text file, which makes it an easy reference whenever they need to be updated.
$: sudo nano /etc/iptables.up.rules
Here's a sample rules file:
*filter # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT # Accepts all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allows all outbound traffic # You can modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allows HTTP and HTTPS connections from anywhere (the normal ports for websites) -A INPUT -p tcp --dport 80 -j ACCEPT -A INPUT -p tcp --dport 443 -j ACCEPT -A INPUT -p tcp --dport 9092 -j ACCEPT # Allow all input traffic from another server in private network -A INPUT -s 103.4.999.999 -j ACCEPT # Allows SSH connections # THE -dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE -A INPUT -p tcp -m state --state NEW --dport 9999 -j ACCEPT # Allow ping -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT # log iptables denied calls -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT
Step 3 - Save and restart
Finally save the rules and configure iptables to start automatically on system startup.
$: sudo /sbin/iptables-restore < /etc/iptables.up.rules $: sudo /sbin/service iptables save $: sudo /etc/init.d/sshd reload $: chkconfig --level 345 iptables on