Adding a rule to iptables
Ever since the early days of the internet, securing a server against outside threats from malicious persons has been a necessity. As time has gone by, the variety and complexity of the methods used to do so has increased exponentially, and solutions range from free software to server clusters whose total cost in hardware and software can run into the millions of dollars.
Fortunately for users of Linux and Unix, these operating systems are already fairly secure, but even an out of the box installation has a number of weaknesses. Once again, fortunately for *nix users, there is a software solution known as “iptables” that is both free, very robust, highly configurable, well supported, and often installed by default as a basic portion ot the operating system. Installing iptables (if it wasn’t installed by default) and enabling it with even a fairly basic configuration is fairly easy, and in and of itself will make it many times more difficult for an attacker to gain access to or take control of your server, as well as making it more difficult for people such as spammers and website hijackers to exploit website or mail server weaknesses. Iptables is also an indredibly powerful tool with a vast array of options which will not be addressed here – instead we shall stick with the basics as regards how to add a rule to iptables in order to allow traffic on a specifc port.
First let’s find out if iptables is installed and running with “iptables -L” (please note that Unix-like environments are case sensitive, and the difference between “-l” and “-L” is that one works while the other does not):
[root@sls-example ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all — anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all — anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all — anywhere anywhere
ACCEPT all — anywhere anywhere
ACCEPT icmp — anywhere anywhere icmp any
ACCEPT all — anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp — anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp — anywhere anywhere state NEW tcp dpt:telnet
ACCEPT tcp — anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp — anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp — anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp — anywhere anywhere state NEW tcp dpt:https
REJECT all — anywhere anywhere reject-with icmp-host-prohibited
A properly installed and running copy of iptables should produce results that look something like the above, although with a default and completely unconfigured installation of iptables, you will not see anything in the final sections where the ACCEPT and REJECT rules are. Once again, we will not be going into detail in this article on the proper way to configure iptables, as this can be a very complex and involved equation. Our purpose here is simply to famliarize you with the task of adding a rule to iptables so as to allow a newly installed application to run. This guide will use port 80 for apache/http/www services as an example.
You will need to add the appropriate port to the iptables ruleset and then reload iptables before your application will work, as your current ruleset is blocking all ports that are not specifically allowed as defined in the last line of the rules. While rulesets vary widely depending on need, the vast majority of iptables configurations will end with a “REJECT all” statement, denying all traffic that is not preestablished or specifically allowed.
Adding a new rule is fairly easy – let’s say you are adding a rule for WWW services and you want to be able to send data both in and out of TCP port 80. From the root login do the following:
[root@sls-example ~]# iptables -A INPUT -p tcp -m tcp –sport 80 -j ACCEPT
[root@sls-example ~]# iptables -A OUTPUT -p tcp -m tcp –dport 80 -j ACCEPT
“iptables” invokes iptables itself.
“-A” informs iptables that it is to append the data in this statement to the pre-existing chain of rules, as opposed to replacing and/or overwriting any rules that might already be in place – this is basically always used when adding a new rule.
“INPUT” means just that: accept incoming data and “OUTPUT” means allow outgoing data.
“-p tcp” defines the protocol to be used, either “tcp” or “udp”.
“–sport” defines the source port the data is coming in, and “–dport” defines the destination port the data will go out, followed by the numeric value of the port your particular application uses. Once again, in this example we use port 80 for http/www/apache web services, however this could be any number from 1 – 65535, the total range of TCP and UDP ports.
Finally, ACCEPT or REJECT, tells iptables explicitly what it should be doing with the variables that came before the accept or reject statement.
By using the above example you should be able to get your service working as expected: just copy and paste everything after the “#” in the above examples to allow web services, for example, or change the protocol and port number to suit your needs. When you’ve finished adding/changing rules, restart iptables:
[root@sls-example ~]# service iptables restart
Once you’ve restarted the iptables service, your changes to it should take effect immediately and if everything else is configured properly, your application should now work as expected!