Linux iptables


I am a bit of a newbie to Linux security.

I want to configure my Ubuntu 12.04 LTS with IPTABLES so that the only access to the server is on port 80 (http) from anywhere and then allow access on port 22 (SSH) from Everything else should be denied.

How do I do this? I am sure it is simple, however I am new to it so please be patient :)


Daniel McAllister (President, IT4SOHO, LLC) commented:
I'm going to pipe in here, even though richrumble & _jesper_ have largely provided you with the basics of what you need.

The problem is that you're a self-described "newbie", and so I feel more should be said.

Firstly, you should note that, by default, Ubuntu comes with Network Manager enabled and auto-started. This is important because, essentially, Network Manager and IPTables do diametrically opposed tasks:
 - Network Manager is designed to make it easy to connect to/from your system
 - IPtables is designed to make it HARD to connect to/from your system!
As a result, if you have a server with a static IP address, I suggest that you manually configure your network interface & disable Network Manager.

So, with Network Manager out of the way, you'll want to configure your IPTables firewall.
 - First of all, realize that you can easily firewall your system to the point of it becoming a high-priced ROCK. This is because a LOT of inter-process communication in Linux is accomplished with network sockets.
 - So your FIRST firewall rule should be to allow all LOCAL network traffic unabated
   iptables -A INPUT -i lo -j ACCEPT
 - Next, you'll need to make sure that outbound connections are not interfered with (so, for example, you can open your own web browser). Unlike what was said in another post, you can't just pick your ports -- the client side port assignment is random! So, instead you simply allow responses back from any already established connection.
 - AFTER that, you can add rules to allow certain connections:
   iptables -A INPUT -m tcp -p tcp --dport 80 -j ACCEPT
   iptables -A INPUT -m tcp -p tcp --dport 22 -s -j ACCEPT
 - FINALLY, when all is said and done, you have to tell it what to do with unwanted connections... you can choose from:
   iptables -A INPUT -j REJECT
   iptables -A INPUT -j DROP

The difference is that a REJECT sends a message back saying "not allowed", where a DROP does nothing -- it just throws away the connection attempt.

So, if you suspect your server is likely to be scanned or attacked on specific ports (like 25 for a non-mail server, or 53 for a non-DNS server), you might be a pain in their side (as I do) and create special rules for them:
   iptables -A INPUT -m tcp -p tcp --dport 25 -j DROP  # No mail server here!

One last point about IPTables -- the order of the rules matters... A LOT!
The first match made is the only match taken! Thus, the DENY or DROP rules should come last.

The page richrumble referred you to is a good one -- at least good enough to help you save the rules when you figure out what they should all be!

Good Luck!

Jan Springer commented:
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j LOG
iptables -A INPUT -s -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Rich Rumble (Security Samurai) commented:
Is your computer directly accessing the internet? Is there a router/wifi/modem it connects to? You might need to put your access list(s) on that device rather than your computer.

Internet <--->Cable|Dsl/Modem <---->Linux
If your Linux box has one NIC then it likely only has one IP (it can have more, btw, even on a single NIC). You can still set up an ACL using iptables that only allows port 80 in from the modem to the Linux host, and the Linux host only accepts SSH from other hosts on your network.
If that's not your setup let me know, I'm assuming it is for now, and that your Modem is by default blocking all inbound traffic from reaching the internal network unless it's been requested first from the internal network (a stateful connection).
Take the GRC Shields up test to see if there are any open ports.
Now if you have a modem that gives out non-RFC 1918 IPs, then you can dual-home the computer in a few ways; the easiest is by using 2 NICs. One is for the public IP, and the other for the internal IP (RFC 1918).

The commands to allow port 80 traffic in, and ssh in are:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s -p tcp --dport 80 -j ACCEPT    (replace with your pub ip)
iptables -A INPUT -s -p tcp --dport 22 -j ACCEPT
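Putting Daniel McAllister's rule order together with the stateful ESTABLISHED,RELATED line from Rich Rumble's list, here is an added example (not code from any of the posts) that prints the INPUT chain in the right order and checks that the catch-all really is the last rule. ADMIN_NET is an assumed placeholder for the source address the posts elided after -s.

```shell
#!/bin/sh
# Dry-run builder for the INPUT chain in the order the posts describe.
# It prints the commands instead of running them, so you can review the
# order first and then pipe the output to "sh" as root to apply it.
# ADMIN_NET is a constructed placeholder (RFC 5737 documentation range)
# standing in for the address the posts left out after "-s".
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

build_input_rules() {
    admin_net="$1"
    # Flush first so re-running the script does not append duplicates.
    echo "iptables -F INPUT"
    # 1. Loopback first: much of Linux inter-process traffic uses lo.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # 2. Replies to connections this host opened. Client ports are random,
    #    so match connection state rather than a list of ports.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. Services: HTTP from anywhere, SSH only from the admin network.
    echo "iptables -A INPUT -p tcp --dport 80 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -s $admin_net -j ACCEPT"
    # 4. Catch-all last: the first matching rule wins, so anything placed
    #    after this line would never be evaluated.
    echo "iptables -A INPUT -j DROP"
}

# Returns 0 when the last line of a rule list is the catch-all DROP/REJECT.
catchall_is_last() {
    last_line=$(printf '%s\n' "$1" | tail -n 1)
    case "$last_line" in
        "iptables -A INPUT -j DROP"|"iptables -A INPUT -j REJECT") return 0 ;;
        *) return 1 ;;
    esac
}

# Prints how many INPUT rules come after the catch-all (should be 0).
# Per-port DROP lines such as "--dport 25 -j DROP" are not the catch-all.
rules_after_catchall() {
    printf '%s\n' "$1" | awk '
        /-j (DROP|REJECT)$/ && !/--dport/ { seen = 1; next }
        seen && /^iptables -A INPUT/ { n++ }
        END { print n + 0 }'
}

build_input_rules "$ADMIN_NET"
```

Run it bare to read the rules, then `ADMIN_NET=<your admin network> sh thisscript.sh | sudo sh` to apply them; the two check functions catch the ordering mistake Daniel's post warns about.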
Duncan Roe (Software Developer) commented:
You will need to allow access to DNS (port 53). If you have a dynamic IP address, you also need DHCP (port 68 client, 67 server). These rules achieve that:
# Allow bootps->bootpc udp
iptables -A INPUT -p udp --source-port 67 --destination-port 68 -j ACCEPT
# Allow DNS replies
iptables -A INPUT -p udp --source-port 53 -j ACCEPT
