
How to Open a Port with IPtables [Step by Step Guide on CentOS]

Iptables is the default administration tool for managing the firewall on most Linux servers. It lets you allow or block traffic to and from particular ports or IP addresses while rejecting everything else.

These are my notes for some basic iptables rules, most recently used to open port 9092 to enable external network access to a Kafka cluster.

Step 1 - Flush existing rules

The first thing to do is to flush any existing rules, so we can start with a clean slate:

    $: sudo /sbin/iptables -F

Step 2 - Create your iptables rules

I normally like to keep my iptables rules in a simple text file, which makes it an easy reference whenever they need to be updated.

    $: sudo nano /etc/iptables.up.rules

Here's a sample rules file:

    *filter

    # Allow all loopback (lo) traffic and reject any traffic to 127.0.0.0/8 that does not arrive on lo
    -A INPUT -i lo -j ACCEPT
    -A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

    # Accept all inbound packets belonging to established or related connections
    -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow all outbound traffic
    # You can tighten this to only allow certain traffic
    -A OUTPUT -j ACCEPT

    # Allow HTTP and HTTPS connections from anywhere (the normal ports for websites),
    # plus port 9092 for Kafka
    -A INPUT -p tcp --dport 80 -j ACCEPT
    -A INPUT -p tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp --dport 9092 -j ACCEPT

    # Allow all inbound traffic from one trusted server on the private network
    # 103.4.999.999 is a placeholder, not a valid IPv4 address: replace it with the
    # real address, otherwise iptables-restore will reject the file
    -A INPUT -s 103.4.999.999 -j ACCEPT

    # Allow SSH connections
    # THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
    -A INPUT -p tcp -m state --state NEW --dport 9999 -j ACCEPT

    # Allow ping (ICMP echo request)
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

    # Log packets that are about to be rejected, rate-limited to 5 per minute
    -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

    # Reject all other inbound traffic: default deny unless explicitly allowed
    -A INPUT -j REJECT
    -A FORWARD -j REJECT

    COMMIT

Step 3 - Open Port

The key line in that file is the one I added to allow inbound TCP traffic on port 9092.

This is the line that opens the port:

    -A INPUT -p tcp --dport 9092 -j ACCEPT

Of course, you may not want to blindly expose port 9092 to the whole internet. If so, combine the --dport match from that line with the -s (source address) match from this line, so that port 9092 only accepts connections from specific IP addresses:

    -A INPUT -s 103.4.999.999 -j ACCEPT

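As an added example (not from the original article), here is a small POSIX shell script that builds the combined source-plus-port rule and sanity-checks a rules file before it is handed to iptables-restore: it flags source addresses that are not valid IPv4 (the 103.4.999.999 placeholder above is one, and iptables-restore would reject it) and lists the ports that an ACCEPT rule leaves reachable from any source. The 203.0.113.x addresses used in the comments are assumed placeholders.

```shell
# Added example, not from the original article: sanity checks for a rules file
# in the *filter ... COMMIT layout above, run before iptables-restore.
# Print 1 if $1 is a dotted-quad IPv4 address (octets 0-255) with an optional
# /0-32 prefix, else 0. The 103.4.999.999 placeholder above fails this check.
valid_ipv4() {
  addr=${1%%/*}; prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32
  case "$addr" in *[!0-9.]*|*..*|.*|*.|"") echo 0; return;; esac
  set -- $(printf '%s' "$addr" | tr '.' ' ')
  [ $# -eq 4 ] || { echo 0; return; }
  for octet in "$@"; do [ "$octet" -le 255 ] 2>/dev/null || { echo 0; return; }; done
  case "$prefix" in *[!0-9]*|"") echo 0; return;; esac
  [ "$prefix" -le 32 ] && echo 1 || echo 0
}

# Emit an ACCEPT rule for TCP port $1 per source address (the combined form of
# the two lines above, e.g. port_rules 9092 203.0.113.10); with no addresses
# the port is opened to everyone.
port_rules() {
  port=$1; shift
  [ $# -gt 0 ] || { printf -- '-A INPUT -p tcp --dport %s -j ACCEPT\n' "$port"; return; }
  for src in "$@"; do
    [ "$(valid_ipv4 "$src")" = 1 ] || { echo "invalid address: $src" >&2; return 1; }
    printf -- '-A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$src" "$port"
  done
}

# Print every -s/--source value in rules file $1 that is not a valid address.
bad_sources() {
  awk '/^-A/ { for (i = 1; i < NF; i++) if ($i == "-s" || $i == "--source") print $(i+1) }' "$1" |
    while read -r src; do [ "$(valid_ipv4 "$src")" = 1 ] || echo "$src"; done
}

# Print the --dport of every INPUT ACCEPT rule in $1 that has no source match.
world_open_ports() {
  awk '/^-A INPUT/ && /-j ACCEPT/ { port = ""; restricted = 0
    for (i = 1; i <= NF; i++) { if ($i == "--dport") port = $(i+1)
      if ($i == "-s" || $i == "--source") restricted = 1 }
    if (port != "" && !restricted) print port }' "$1"
}

# Constructed sample holding the relevant lines of the rules file above.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
*filter
-A INPUT -p tcp --dport 9092 -j ACCEPT
-A INPUT -s 103.4.999.999 -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 9999 -j ACCEPT
-A INPUT -j REJECT
COMMIT
EOF
```

Running `bad_sources /etc/iptables.up.rules` and `world_open_ports /etc/iptables.up.rules` against your own file before `iptables-restore` catches the placeholder address and shows which ports are open to the world.
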
Step 4 - Save and restart

Finally, load the rules, save them, and configure iptables to start automatically at boot:

    $: sudo /sbin/iptables-restore < /etc/iptables.up.rules
    $: sudo /sbin/service iptables save
    $: sudo /etc/init.d/sshd reload
    $: sudo chkconfig --level 345 iptables on

Wrapping Up

In this article, I've shown you how to use iptables to open specific ports for your server.

In case it's not obvious, I must repeat that blindly allowing traffic through ports can be a security risk. I recommend reading about the security risks of open ports before you make these changes to your system.
