
How To Setup an Iptables Firewall to Enable Remote Access to Services in Linux

Last Updated : 09 Dec, 2022

iptables is the user-space utility with which a system administrator modifies the IP packet filter rules of the Linux kernel firewall, which are implemented as various Netfilter modules. The filters are arranged in several tables, each of which holds chains of rules that decide how packets of network data are handled; the rules in a chain may be pre-configured or user-defined. Using this set of programmable table rules, iptables lets system administrators control both incoming and outgoing traffic, allowing or denying it through its policy chains. When a connection tries to establish itself on your system, iptables searches its list of rules for one that matches; if none does, it falls back on the chain's default policy.

Rules of IPTables Firewall

Rule 1: iptables rules are ephemeral, so they must be explicitly stored in order to remain in effect after a reboot. The iptables-persistent package is one approach to storing iptables rules on Ubuntu. Install it using apt as follows:

sudo apt install iptables-persistent

It will show the target, port and source of each rule.

Rule 2: You will be prompted to decide whether to save your current firewall rules before beginning the installation. Run the following command after updating your firewall rules if you wish to preserve the changes:

sudo netfilter-persistent save

The netstat utility may be used to determine which services are listening. We add the -4 argument because our application communicates only over IPv4; if you are also using IPv6, you can omit it. The additional arguments required to locate our running services are -plunt.

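Before writing any ACCEPT rule it is worth knowing which of the listening sockets are actually reachable from the network: a service bound to 127.0.0.1 needs no firewall exception at all. The script below is an added example, not part of the original article; it parses a constructed sample of netstat -4 -plunt output (the sample lines and program names are made up) and lists only the ports bound to a non-loopback address.

```shell
#!/bin/sh
# Constructed sample of `netstat -4 -plunt` output; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      733/nginx
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      801/mysqld
udp        0      0 0.0.0.0:68              0.0.0.0:*                           455/dhclient'

# Print one "proto port bind-address program" line per listening socket.
#   $1  netstat -plunt output
listening_sockets() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4; port = $4
            sub(/.*:/, "", port)          # keep only the port after the last colon
            sub(/:[^:]*$/, "", addr)      # keep only the address before it
            prog = $NF; sub(/^[0-9]+\//, "", prog)   # strip the "PID/" prefix
            print $1, port, addr, prog
        }'
}

# Only sockets bound to a non-loopback address can be reached from the network,
# so only these are candidates for an ACCEPT rule in the INPUT chain.
exposed_ports() {
    listening_sockets "$1" | awk '$3 != "127.0.0.1" && $3 != "::1" { print $1 "/" $2 }'
}

echo "listening sockets:"
listening_sockets "$SAMPLE_NETSTAT"
echo "reachable from the network (candidates for INPUT rules):"
exposed_ports "$SAMPLE_NETSTAT"
```

On a real host replace the constructed sample with `"$(sudo netstat -4 -plunt)"`; the MySQL socket in the sample is bound to loopback and therefore does not appear in the second list, which is exactly the kind of port that should stay closed in the firewall.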
Setup an Iptables Firewall

Step 1: The iptables command to add a rule to the firewall has the general form shown below:

iptables -A chain_name criteria -j target

Input protocol ICMP

Step 2: To define a DROP policy for incoming pings to our firewall, we must first compare the DROP and REJECT targets: DROP discards the packet silently, whereas REJECT discards it and sends an error back to the sender. In other words, with DROP the ICMP packets will be silently dropped, which a few pings will confirm:

ping -c 3 192.168.0.15

We must permit access to port 3306 on our database server's private IP address, which in our instance was 192.168.0.15. We can restrict access by matching against the interface that has been given that address, or we can restrict access specifically for this address.

Step 3: To ensure that our packets will be tested by this new rule before moving on to the REJECT part, we will flush all rules from the INPUT chain:

iptables -A OUTPUT --protocol tcp --destination-port 22 --out-interface eth0 --jump REJECT

Allowing incoming SSH connections (port 22) will likely be necessary if you're using a server without a local console, so that you can connect to and manage your server. This section covers configuring your firewall with various SSH-related rules.

Step 4: SSH logins from dev2 to dev1 must be turned on and off. Since we are handling outgoing traffic, we will be dealing with the OUTPUT chain:

iptables -F
iptables -A INPUT -i eth0 -s 0/0 -p TCP --dport 2049 -j REJECT
iptables -A INPUT -i eth0 -s 0/0 -p TCP --dport 111 -j REJECT

Web servers such as Apache and Nginx normally listen for HTTP and HTTPS requests on ports 80 and 443 respectively. If the default policy for incoming traffic is set to drop or reject, create rules that allow your server to reply to those requests.

Step 5: Allowing or denying NFS clients (from 192.168.0.0/24) the ability to mount NFSv4 shares. To block all traffic on ports 2049 and 111 on an NFSv4 server or firewall, issue the following commands:

iptables -D INPUT 1
iptables -nL -v --line-numbers
iptables -R INPUT 2 -i eth0 -s 0/0 -p TCP --dport 2049 -j REJECT
iptables -R INPUT 1 -p tcp --dport 80 -j REJECT


Step 6: To load the rules saved in the /etc/iptables/rules.v4 file, install the iptables-persistent package:

apt-get install iptables-persistent


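The steps above (the DROP-versus-REJECT choice for pings in Step 2, the restricted MySQL access from Step 2, the NFS rejects from Steps 4 and 5, and the rules.v4 file loaded in Step 6) come together in one ruleset. The script below is an added example and not the article's own code: it generates the ruleset in the iptables-restore format that /etc/iptables/rules.v4 uses. The database address 192.168.0.15 is taken from the article; the web server address 192.168.0.20, the administrative network 192.168.0.0/24 used for SSH, and the interface name eth0 are constructed placeholders to be replaced with your own values.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset on stdout.
#   $1  web server address allowed to reach MySQL (placeholder)
#   $2  network allowed to open SSH sessions (placeholder)
#   $3  DROP or REJECT: how incoming pings are answered
build_rules_v4() {
    web_ip=$1; admin_net=$2; ping_target=$3
    case $ping_target in
        DROP)   ping_rule="-A INPUT -p icmp --icmp-type echo-request -j DROP" ;;
        REJECT) ping_rule="-A INPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-admin-prohibited" ;;
        *)      echo "ping policy must be DROP or REJECT" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, replies to connections this host opened, and malformed state
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
$ping_rule
# management and public services
-A INPUT -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# MySQL only from the web server, only on the private interface and address
-A INPUT -i eth0 -p tcp -s $web_ip -d 192.168.0.15 --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
# NFSv4 and the portmapper: refuse explicitly so clients get an error, not a timeout
-A INPUT -p tcp --dport 2049 -j REJECT
-A INPUT -p tcp --dport 111 -j REJECT
-A INPUT -p udp --dport 2049 -j REJECT
-A INPUT -p udp --dport 111 -j REJECT
COMMIT
EOF
}

# Number of -A rule lines in a generated ruleset (sanity check before loading it).
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A '
}

build_rules_v4 192.168.0.20 192.168.0.0/24 DROP
```

Redirect the output to /etc/iptables/rules.v4, check it with `iptables-restore --test < /etc/iptables/rules.v4` (parses the file without committing it), and then apply it with `iptables-restore < /etc/iptables/rules.v4`. The ESTABLISHED,RELATED rule sits above the default DROP policy so that the SSH session used to load the ruleset keeps working; loading a default-DROP ruleset without it is the classic way to lock yourself out of a remote machine.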
Examples of IPTables

Example 1: Disabling/re-enabling ssh logins from dev2 to dev1

vi /etc/ssh/sshd_config


Example 2: Allowing / preventing NFS clients (from 192.168.0.0/24) to mount NFS4 shares. iptables and other port-filtering firewalls cannot protect dynamic ports, so you must first set up the NFS services to use fixed ports. Open /etc/sysconfig/nfs and edit it:

vi /etc/sysconfig/nfs


Inserting and Deleting Rules

1. Inserting rules:

Run the iptables command with the -S option to list all of the active iptables rules by specification:

sudo iptables -S

In order to create an exception for the connection between our web server and database server, we will once more be adding a rule to our TCP chain. If you wanted to restrict access based on the specific address in question, you would add the rule matching that address in the same way.

2. Deleting Rules:

Run the following command to remove the rule that drops incoming invalid packets:

sudo iptables -L --line-numbers

We must include port 80 in our list of permitted traffic on the web server. We won't limit the rule by interface or destination address, because the server is listening on all of its addresses.

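Deleting by rule number has one trap that the listing above does not show: iptables renumbers the chain after every deletion, so a script that deletes several rules must work from the highest number down. The script below is an added example, not the article's own code; it parses a constructed sample of `iptables -L INPUT -n --line-numbers` output (the rule lines are made up) and prints the matching rule numbers together with the corresponding `iptables -D` commands in a safe order. Nothing is applied to the running firewall.

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -n --line-numbers` output; not from a real host.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
4    ACCEPT     tcp  --  192.168.0.0/24       0.0.0.0/0            tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# Print the rule numbers whose listing line matches an extended regular expression.
#   $1  listing text   $2  pattern
rule_numbers() {
    printf '%s\n' "$1" | awk -v pat="$2" '$1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }'
}

# Emit one `iptables -D <chain> <n>` command per matching rule, highest number
# first, so that earlier deletions do not shift the numbers of later ones.
#   $1  chain name   $2  listing text   $3  pattern
delete_commands() {
    chain=$1; listing=$2; pattern=$3
    rule_numbers "$listing" "$pattern" | sort -rn | while read -r n; do
        printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

echo "rule that drops invalid packets: number $(rule_numbers "$SAMPLE_LISTING" 'ctstate INVALID')"
echo "commands to remove every TCP ACCEPT rule, in a safe order:"
delete_commands INPUT "$SAMPLE_LISTING" 'ACCEPT +tcp'
```

On a live system feed it the real listing, for example `delete_commands INPUT "$(sudo iptables -L INPUT -n --line-numbers)" 'ctstate INVALID'`, and review the printed commands before running them. Always list a single chain: the plain `iptables -L --line-numbers` shown above prints every chain, and numbers restart at 1 in each one, so a number taken from one chain would delete a different rule in another.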

