How to Configure Iptables on ECS Ubuntu 16.04

Prerequisites

  1. Created an Alibaba Cloud account. If you are new to Alibaba Cloud, you can sign up now to get free credit to test over 40 cloud products.
  2. Provisioned an ECS instance on Alibaba Cloud running Ubuntu 16.04 as the operating system.
  3. Non-root user login credentials with sudo privileges.

Step 1: Listing the Current iptables Rules

$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

iptables Inbuilt Filter Table Chains

Available iptables Policies

Step 2: Understanding Different Options Used in iptables

  • -A chain: Appends a rule to the end of a chain.
  • -D chain [rulenum]: Deletes a matching rule from a chain, identified by its rule number.
  • -I chain [rulenum]: Inserts a new rule into a chain.
  • -R chain [rulenum]: Replaces a rule in a chain.
  • -L [chain [rulenum]]: Lists all rules in a chain, or in all chains.
  • -S [chain [rulenum]]: Prints the rules of a chain.
  • -F [chain]: Deletes (flushes) all rules in a chain, or in all chains.
  • -Z [chain [rulenum]]: Clears the counters in a chain, or in all chains.
  • -P chain target: Changes the default policy of a chain.
  • -t table: Specifies the table being manipulated. Three tables are available: filter, nat and mangle. The filter table is selected by default, so this option is only needed when you create rules in a different table.
  • -i: Specifies the input interface for incoming and forwarded packets. For example, -i lo means the loopback interface.
  • -o: Specifies the output interface that output and forward rules apply to.
  • -p: Specifies the IP protocol the rule applies to. Built-in protocols include tcp, udp, icmp and all.
  • -s: Specifies the source address of the packet, e.g. -s 192.168.0.1.
  • -d: Specifies the destination address of the packet.
  • -j: Specifies the target for a packet that matches the rule. The built-in targets can be ACCEPT, REJECT or DROP.
  • --dport: Specifies the destination port of the packet.
  • -m: The match option. It loads match extensions that expose the fields in the TCP, UDP and ICMP headers, as well as the other match features available in iptables, such as connection-state tracking, port lists, the source hardware MAC address and the IP TOS field.

Step 3: Determining Running Services and Ports

  • Port 80: HTTP
  • Port 443: HTTPS
  • Port 25: Unencrypted SMTP. Outbound traffic on this port is not allowed on Alibaba Cloud, but you can open inbound traffic so that your server can receive email.
  • Port 587: Encrypted SMTP (submission)
  • Port 465: Open this port as well if you are using the Alibaba Cloud DirectMail service.
  • Port 110: Unencrypted POP3
  • Port 995: Secure POP3
  • Port 143: Unencrypted IMAP
  • Port 993: Secure IMAP

Flushing Existing iptables Rules

$ sudo iptables -F
$ sudo iptables -X
$ sudo iptables -Z

Creating New Rule Set for the Chains

$ sudo iptables -A INPUT -p [PROTOCOL] --dport [PORT NUMBER] -j [TARGET POLICY]
$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 587 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 465 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 110 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 995 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 143 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 993 -j ACCEPT
$ sudo iptables -A INPUT -i lo -j ACCEPT
$ sudo iptables -A OUTPUT -o lo -j ACCEPT
$ sudo iptables -P [CHAIN] [TARGET POLICY]
$ sudo iptables -P INPUT DROP
$ sudo iptables -P OUTPUT ACCEPT
$ sudo iptables -P FORWARD DROP
$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:587
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:465
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:995
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:993
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
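The commands above apply the rules one at a time, and the order matters: if the INPUT policy were set to DROP before the SSH accept rule existed, the session you are typing in would be cut off. As an added example (not part of the original article), the script below writes the same rule set in the format `iptables-restore` reads, so the whole set is applied atomically, and runs a small sanity check before anything is loaded. The SSH_PORT variable, the output path and the `build_ruleset`/`audit_ruleset` function names are assumptions of this example; the ports and policies are the article's.

```shell
#!/bin/sh
# Added example (not from the original article): generate the article's rule set
# as an iptables-restore file and audit it before loading. SSH_PORT, the function
# names and the output path are assumptions; ports and policies follow the article.

SSH_PORT="${SSH_PORT:-22}"
# Service ports the article opens; 465 is only needed with Alibaba Cloud DirectMail.
SERVICE_PORTS="80 443 25 587 465 110 995 143 993"

build_ruleset() {
    # This is the format `iptables-save` emits and `iptables-restore` consumes.
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Return traffic first, so established sessions never fall through to DROP.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A OUTPUT -o lo -j ACCEPT'
    echo "-A INPUT -p tcp --dport $SSH_PORT -j ACCEPT"
    for port in $SERVICE_PORTS; do
        echo "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    echo 'COMMIT'
}

audit_ruleset() {
    # Reads a ruleset on stdin. Returns 1 when INPUT defaults to DROP but there is
    # no SSH accept or no ESTABLISHED,RELATED rule: loading such a set from an SSH
    # session would lock you out of the instance.
    rules=$(cat)
    if printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        printf '%s\n' "$rules" | grep -q -- "--dport $SSH_PORT -j ACCEPT" || {
            echo "audit: INPUT policy is DROP but port $SSH_PORT is not accepted" >&2
            return 1
        }
        printf '%s\n' "$rules" | grep -q -- '--state ESTABLISHED,RELATED -j ACCEPT' || {
            echo "audit: INPUT policy is DROP but return traffic is not accepted" >&2
            return 1
        }
    fi
    return 0
}

# Usage: print the audited ruleset, then load it (loading needs root):
#   sh rules.sh > /tmp/rules.v4 && sudo iptables-restore < /tmp/rules.v4
build_ruleset | audit_ruleset && build_ruleset
```

Because `iptables-restore` replaces the filter table in one step, there is no window in which the DROP policy is active without the accept rules. The same file can be saved as /etc/iptables/rules.v4, which is where iptables-persistent (installed in Step 5) loads IPv4 rules from at boot.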

Step 4: Deleting iptables Rules

$ sudo iptables -L [CHAIN NAME] --line-numbers
$ sudo iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
2 ACCEPT tcp -- anywhere anywhere tcp dpt:http
3 ACCEPT tcp -- anywhere anywhere tcp dpt:https
4 ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
5 ACCEPT tcp -- anywhere anywhere tcp dpt:submission
6 ACCEPT tcp -- anywhere anywhere tcp dpt:urd
7 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
8 ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s
9 ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
10 ACCEPT all -- anywhere anywhere
11 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
$ sudo iptables -D INPUT [RULE NUMBER]
$ sudo iptables -D INPUT 5
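Deleting by rule number works, but the numbers are renumbered after every deletion, so a second `-D INPUT 5` removes a different rule than the listing showed. The alternative is to delete by specification: `iptables -S INPUT` prints each rule as the exact `-A` command that created it (it renders `-p tcp --dport N` as `-p tcp -m tcp --dport N`), and swapping `-A` for `-D` gives a delete command that does not depend on position. As an added example (not from the article), the function below does that conversion for a given destination port; the listing is constructed here to mirror the article's rules, and the function name is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original article): turn an `iptables -S INPUT`
# listing into exact `iptables -D` commands for one destination port, so rules are
# deleted by specification rather than by a line number that shifts after each
# deletion. SAMPLE_LISTING is constructed to match the article's rule set.

SAMPLE_LISTING='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'

# delete_cmd_for_port LISTING PORT
# Prints one "iptables -D INPUT ..." line per rule that matches PORT as its
# destination port; returns 1 when the listing has no rule for that port.
delete_cmd_for_port() {
    listing=$1
    port=$2
    found=0
    while IFS= read -r line; do
        case "$line" in
            # Only -A lines are rules; the -P line is the chain policy. The
            # " -j " after the port keeps port 2 from matching port 22.
            "-A INPUT "*"--dport $port -j "*)
                # Same match specification, append replaced by delete.
                echo "iptables -D ${line#-A }"
                found=1
                ;;
        esac
    done <<EOF
$listing
EOF
    [ "$found" -eq 1 ]
}

# Usage on a live system: delete_cmd_for_port "$(sudo iptables -S INPUT)" 587
delete_cmd_for_port "$SAMPLE_LISTING" 587
```

Run the printed command with `sudo` to remove the rule; because the specification is copied verbatim from the listing, it matches exactly one rule regardless of how the chain has been renumbered since you last looked at it.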

Step 5: Saving and Testing the New iptables Rules

$ sudo apt-get update
$ sudo apt-get install iptables-persistent netfilter-persistent
$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload

Conclusion
