What is iptables? How to manage iptables?
You should take security very seriously if you own a web application. Customers will not stay with a service that does not give them good security. With a shared hosting account, the security options you can customize are limited. If you own a server such as a VPS, quick server or dedicated server, you can customize it according to your needs, since the server is yours and you have full control over your website. There are many ways to protect a server against web attacks, and many tools for doing so, but the basic and primary security measure you can take is configuring the firewall. iptables is an unavoidable topic when dealing with firewalls. In this documentation, we are going to discuss iptables in detail.
What is iptables?
iptables is an application program, written mostly in the C language and released under the GNU General Public License. You can manage iptables from the command line, and there are also front-end applications for managing it. Please be aware that in RHEL/CentOS 7, iptables is replaced with firewalld, which is the latest implementation of filtering rules.
Structure of iptables
iptables can be managed quite easily from the console. There are specific commands for the various actions, and you need to use them with the required options. Before looking at the commands, we are going to discuss the tables and chains associated with iptables.
Tables and chains in iptables
Normally, iptables has four built-in tables. They are listed below.
1) Filter Table
2) NAT Table
3) Mangle Table
4) Raw Table
Let’s see each one in detail.
1) Filter Table
The filter table is the default table of iptables; it is the table used when no other table is explicitly specified. It has three built-in chains.
1) The INPUT chain
2) The OUTPUT chain
3) The FORWARD chain
The INPUT chain
This chain handles incoming traffic to the firewall, that is, the data packets coming into the server.
The OUTPUT chain
This chain handles outgoing traffic from the firewall, that is, the packets leaving the server.
The FORWARD chain
This chain handles packets that are routed through the server itself, arriving on one NIC and leaving through another NIC in the same server.
2) NAT Table
The next table is the NAT table. NAT stands for Network Address Translation, the process of remapping one IP address to another by modifying the network address information in the IP datagram headers. The NAT table contains the following chains.
1) PREROUTING chain
2) POSTROUTING chain
3) OUTPUT chain
3) Mangle Table
The mangle table is also for packet alteration, specifically specialized alteration such as changing the QoS bits in the TCP header. The chains in the mangle table are the following.
1) PREROUTING chain
2) OUTPUT chain
3) FORWARD chain
4) INPUT chain
5) POSTROUTING chain
4) RAW Table
In iptables, the raw table is used for configuring exemptions from packet processing such as connection tracking. The two chains in the raw table are listed below.
1) PREROUTING chain
2) OUTPUT chain
Managing iptables
Here we are going to see some commands used to manage iptables.
1) To flush (delete) all rules in the current table:
# iptables -F
2) Rules that allow traffic are appended with -A. For example, to allow traffic on the local loopback interface:
# iptables -A INPUT -i lo -j ACCEPT
This tells iptables to append a rule to the INPUT chain that accepts any traffic arriving on the loopback interface (lo), which is used for connections to localhost.
3) Suppose we want to open port 587. We enter the following command.
# iptables -A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
4) To block all connections from a single IP address:
# iptables -A INPUT -s 1.1.1.1 -j DROP
where 1.1.1.1 is the IP address we are blocking.
5) To block SSH connections from everyone:
# iptables -A INPUT -p tcp --dport ssh -j DROP
To save the iptables rules so they are restored after a reboot:
# /sbin/service iptables save
6) To list the iptables rules, use the following command.
# iptables -L
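The commands above are entered one at a time, and iptables evaluates the rules of a chain top to bottom, taking the first match. The script below is an added example, not part of the original article: it assembles the same kinds of rules (allow loopback, allow a service port, drop a single address) into one complete filter-table ruleset in iptables-restore format, with a default DROP policy on INPUT so that anything not explicitly allowed is refused. The port numbers, the blocked address 203.0.113.10 and the use of the conntrack match are assumptions chosen for this example; the article does not specify them.

```shell
#!/bin/sh
# Added example: build, check and apply a baseline filter-table ruleset.
# Not from the original article. Assumed values (constructed for the example):
SSH_PORT=22            # keep management access open before setting INPUT to DROP
APP_PORT=587           # the service port the article opens as an example
BLOCKED_IP="203.0.113.10"   # documentation-range address standing in for a blocked host

# Emit the ruleset on stdout in the format read by iptables-restore
# (the same format "service iptables save" writes to /etc/sysconfig/iptables).
# Order matters: the DROP for the blocked address is placed before any ACCEPT.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s ${BLOCKED_IP} -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${APP_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Sanity check: how many rules accept new inbound TCP connections?
# A quick way to review exposure before applying the ruleset.
count_open_tcp_ports() {
    build_ruleset | grep -c -- '-p tcp --dport .* -j ACCEPT'
}

# Sanity check: the default policy of the INPUT chain (should be DROP).
input_policy() {
    build_ruleset | awk '$1 == ":INPUT" { print $2 }'
}

# Apply the ruleset atomically, but only after iptables-restore has parsed it
# without error (--test needs iptables 1.6 or newer; requires root).
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_ruleset > "$tmp"
    if iptables-restore --test "$tmp"; then
        iptables-restore "$tmp"
    fi
    status=$?
    rm -f "$tmp"
    return $status
}

# Usage: review first, then apply.
#   build_ruleset          # print the ruleset for inspection
#   count_open_tcp_ports   # 2 with the values above
#   input_policy           # DROP
#   apply_ruleset          # as root, after confirming SSH_PORT is correct
```

Two points worth noting. First, because the INPUT policy is DROP, the rule allowing SSH_PORT must be present and correct before the ruleset is applied, or a remote session will be cut off; the article's step 5 has the same effect when run over SSH. Second, loading the whole ruleset with iptables-restore replaces the table in one step, which avoids the window between a flush and the re-adding of rules that occurs when the commands are typed individually.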
If you need any further assistance please contact our support department.