How to Configure Iptables on ECS Ubuntu 16.04

Prerequisites

In order to follow along with this guide, make sure you have:

  1. Created an Alibaba Cloud account. If you are new to Alibaba Cloud, you can sign up now to get free credit to test over 40 cloud products.
  2. Provisioned an ECS instance on Alibaba Cloud running Ubuntu 16.04 as the operating system.
  3. Non-root user login credentials with sudo privileges.

Step 1: Listing the Current iptables Rules

First, we are going to examine the iptables rules currently loaded on the server. The -n flag prints addresses and ports numerically instead of resolving them to names, which is both faster and unambiguous:

$ sudo iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

On a freshly provisioned instance all three chains are empty and their policy is ACCEPT.

iptables Inbuilt Filter Table Chains

The filter table has three built-in chains, one for each kind of traffic the server sees: INPUT for packets addressed to the server itself, OUTPUT for packets the server originates, and FORWARD for packets routed through it (which an ECS instance does not normally do). Each chain is an ordered list of rules; the first rule that matches a packet decides its fate, and the chain's policy decides the fate of packets that match no rule.

Available iptables Policies

The listing above shows every chain's policy as ACCEPT, so by default traffic in all three directions is allowed and the firewall does nothing. A policy is the verdict applied to packets that match none of a chain's rules, and for a built-in chain it can only be ACCEPT or DROP (REJECT is a target for individual rules, not a valid policy). The usual hardening stance is a DROP policy on INPUT and FORWARD with explicit ACCEPT rules for the services you run, which is what we build below. Before we create those rules, let's go over the options used to write them.

Step 2: Understanding Different Options Used in iptables

Before we start creating rules, let’s go over the most common iptables commands and options:

  • -A chain: Appends a rule to the end of a chain.
  • -D chain rulenum, or -D chain rule-spec: Deletes a rule from a chain, either by its position or by repeating the exact rule specification.
  • -I chain [rulenum]: Inserts a rule at the given position (position 1, the top of the chain, if omitted).
  • -R chain rulenum: Replaces the rule at that position.
  • -L [chain]: Lists the rules of one chain or of all chains; add -n to print addresses and ports numerically, -v to show interfaces and packet counters, and --line-numbers to number the rules.
  • -S [chain]: Prints the rules of a chain (or all chains) as iptables commands, the same format iptables-save uses.
  • -F [chain]: Flushes (deletes) every rule in a chain, or in all chains of the table.
  • -Z [chain [rulenum]]: Zeroes the packet and byte counters of a chain, a single rule, or all chains.
  • -P chain target: Sets the default policy of a built-in chain; target must be ACCEPT or DROP.
  • -t table: Selects the table being manipulated: filter, nat, mangle, raw or security. The filter table is the default, so the option is only needed when working on another table.
  • -i interface: Matches the interface a packet arrived on; valid in the INPUT and FORWARD chains. For example -i lo matches the loopback interface.
  • -o interface: Matches the interface a packet will leave through; valid in the OUTPUT and FORWARD chains.
  • -p protocol: Matches the IP protocol: tcp, udp, icmp, all, or any name or number from /etc/protocols.
  • -s address[/mask]: Matches the source address, e.g. -s 192.168.0.1 or -s 10.0.0.0/8.
  • -d address[/mask]: Matches the destination address.
  • -j target: The verdict for a packet matching the rule. ACCEPT, DROP and RETURN are built in; REJECT (which sends an error back instead of silently discarding) and LOG are extension targets, and -j can also jump to a user-defined chain.
  • --dport port: Matches the destination port. It belongs to the tcp and udp match extensions, so it must follow -p tcp or -p udp.
  • -m match: Loads a match extension. Extensions give access to fields beyond the basic IP header: the tcp, udp and icmp extensions expose their header fields, conntrack (and its older alias state) tells whether a packet belongs to an existing connection, multiport matches a list of ports, mac matches the source hardware address, tos matches the IP TOS field, and limit rate-limits how often a rule may match.

Step 3: Determining Running Services and Ports

The next step is determining which ports the services on your server actually listen on, because those are the only ones the firewall should open. Do not rely on memory: ss -tlnp (or netstat -tlnp) lists every listening TCP socket together with the owning process, and anything bound only to 127.0.0.1 needs no inbound rule at all. Whatever else you open, always allow the SSH port (22 by default); once the INPUT policy is set to DROP in the next step, forgetting it locks you out of the instance. For a typical web and mail server the list is:

  • Port 22: SSH, your own administrative access.
  • Port 80: HTTP.
  • Port 443: HTTPS.
  • Port 25: SMTP between mail servers, unencrypted unless STARTTLS is negotiated. Outbound traffic on this port is not allowed on Alibaba Cloud, but you can open inbound traffic in order to receive mail on your server.
  • Port 587: SMTP submission from mail clients (STARTTLS).
  • Port 465: SMTP over implicit TLS. If you are using the Alibaba Cloud DirectMail service, open this port as well.
  • Port 110: POP3, unencrypted.
  • Port 995: POP3 over TLS.
  • Port 143: IMAP, unencrypted.
  • Port 993: IMAP over TLS.

Open the plaintext variants (25, 110, 143) only if you genuinely have clients that need them; each one is a path for credentials to cross the network unencrypted.
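To turn "determine the ports" into a repeatable check, here is an added example that is not part of the original article. It parses the output of ss -tlnp, lists the ports reachable from outside (anything not bound to a loopback address) and compares them with the ports you intend to open: a listening port with no ACCEPT rule will be silently blocked once the INPUT policy is DROP, and an allowed port with nothing behind it is a rule to remove. The ss output embedded in the script is constructed for a fictional web and mail host so it runs offline, and the function names (listening_sockets, public_ports, audit_ports) are this example's own; on a real server pipe ss -tlnp into audit_ports instead.

```shell
#!/bin/sh
# Added example: audit listening sockets against the intended iptables allow list.
# Not from the original article. SAMPLE_SS is constructed sample data in the
# layout `ss -tlnp` prints on Ubuntu 16.04.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:22               *:*     users:(("sshd",pid=1011,fd=3))
LISTEN 0      128    *:80               *:*     users:(("nginx",pid=1302,fd=6))
LISTEN 0      128    *:443              *:*     users:(("nginx",pid=1302,fd=7))
LISTEN 0      100    *:25               *:*     users:(("master",pid=1440,fd=13))
LISTEN 0      100    127.0.0.1:587      *:*     users:(("master",pid=1440,fd=17))
LISTEN 0      128    127.0.0.1:3306     *:*     users:(("mysqld",pid=1500,fd=10))
LISTEN 0      128    :::22              :::*    users:(("sshd",pid=1011,fd=4))'

# Read `ss -tln[p]` output on stdin and print "PORT ADDRESS" per listening
# socket. The header line (first field "State") is skipped; the port is
# whatever follows the last colon, which also handles IPv6 forms such as :::22.
listening_sockets() {
    awk '$1 == "LISTEN" {
        n = split($4, part, ":")
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        print port, addr
    }'
}

# Ports reachable from the network: everything not bound to loopback only.
# Sorted numerically and de-duplicated (a service on * and on :: appears once).
public_ports() {
    listening_sockets | awk '$2 != "::1" && $2 !~ /^127\./ { print $1 }' | sort -n -u
}

# audit_ports "22 80 443": compare the public listeners (ss output on stdin)
# with the allow list and print one finding per line.
audit_ports() {
    allowed=" $1 "
    listening=" $(public_ports | tr '\n' ' ')"
    for p in $listening; do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "BLOCKED: port $p is listening publicly but has no ACCEPT rule" ;;
        esac
    done
    for p in $allowed; do
        case "$listening" in
            *" $p "*) ;;
            *) echo "UNUSED: port $p is allowed but nothing listens on it" ;;
        esac
    done
}

# Offline demonstration on the constructed sample. On a real server run:
#   ss -tlnp | audit_ports "22 80 443 25 587 465 110 995 143 993"
printf '%s\n' "$SAMPLE_SS" | audit_ports "22 80 443 587 993"
```

On the sample data the audit reports port 25 as blocked (Postfix listens on it but the allow list omits it), and 587 and 993 as unused: 587 is bound to 127.0.0.1 only, so the loopback rule already covers it, and nothing listens on 993. The :::22 line is also a reminder that sshd answers on IPv6, which the IPv4 iptables rules in this guide do not filter.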

Flushing Existing iptables Rules

Before creating the new rules, we start from a clean filter table: -F deletes every rule in every chain, -X removes any user-defined (and now empty) chains, and -Z resets the packet and byte counters:

$ sudo iptables -F
$ sudo iptables -X
$ sudo iptables -Z

Two caveats. These commands touch only the filter table; repeat them with -t nat and -t mangle if you have rules there. And flushing does not change the chain policies: on a server whose INPUT policy is already DROP, -F removes the ACCEPT rules and cuts off every connection including your own SSH session, so set the policies back to ACCEPT first. On the freshly provisioned instance from Step 1 the policies are still ACCEPT, so flushing is safe here.

Creating New Rule Set for the Chains

Next, we can start creating our rules. The basic syntax for a rule that accepts traffic to a port is:

$ sudo iptables -A INPUT -p [PROTOCOL] --dport [PORT NUMBER] -j [TARGET POLICY]

Two ordering points matter. Rules in a chain are evaluated top to bottom and the first match wins, so appended rules are checked in the order you add them. And the INPUT policy must not be switched to DROP until the rules that keep your SSH session and the server's own outbound connections (DNS lookups, apt updates) alive are in place: replies to those connections arrive on INPUT with arbitrary destination ports and are admitted only by the ESTABLISHED,RELATED rule. So append the port rules, the loopback rules and the connection-tracking rule first, and change the policies last:

$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 587 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 465 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 110 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 995 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 143 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 993 -j ACCEPT
$ sudo iptables -A INPUT -i lo -j ACCEPT
$ sudo iptables -A OUTPUT -o lo -j ACCEPT
$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$ sudo iptables -P [CHAIN] [TARGET POLICY]
$ sudo iptables -P INPUT DROP
$ sudo iptables -P OUTPUT ACCEPT
$ sudo iptables -P FORWARD DROP

A few notes on this ruleset. The port 22 rule comes first so that, whatever else goes wrong, SSH keeps working; if your sshd listens on another port, use that number. The -m state match is the older spelling of -m conntrack --ctstate and still works on Ubuntu 16.04; in a production ruleset the ESTABLISHED,RELATED rule is normally placed at the top of the chain (inserted with -I INPUT 1), because most packets belong to existing connections and then match on the first rule instead of the last. Inbound ICMP is not accepted except for errors RELATED to tracked connections, so path MTU discovery keeps working but the server will not answer ping; add an ACCEPT rule for ICMP echo requests if you want it to. OUTPUT stays at ACCEPT, so the server itself is not restricted in what it can reach. Listing the result:

$ sudo iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:587
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:110
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:995
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

The ACCEPT all lines with no further match are the loopback rules; -L without -v does not show the interface match, so use iptables -L -n -v to see lo in the in and out columns together with the packet counters for each rule.
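Typing the rules one by one leaves short windows where the policy is DROP but an ACCEPT rule is missing, and a typo in the middle of the sequence leaves the table half-built. The following added example, which is not from the original article, renders the entire filter table as one iptables-restore ruleset in the safe order (loopback and tracked connections first, then the service ports, with the SSH port always included so a bad port list cannot lock you out) and loads it atomically after a parse-only dry run. The file it produces is the same format netfilter-persistent saves under /etc/iptables/rules.v4. It uses -m conntrack, the current form of the -m state match used above, adds an ICMP echo rule and a rate-limited LOG rule that the article's ruleset does not have, and its function names (render_ruleset, apply_ruleset) and the SSH_PORT variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original article: render the filter table as a
# single iptables-restore file and load it atomically.
#   sh firewall.sh 80 443                -> print the ruleset (no root needed)
#   sudo sh firewall.sh --apply 80 443   -> validate it, then load it
# SSH_PORT (default 22) is always allowed. Function and variable names are
# this example's own assumptions.

# render_ruleset PORT...   Prints a complete filter table to stdout.
render_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    # Loopback and already-tracked traffic first: these match most packets and
    # keep replies to the server's own outbound connections (DNS, apt) flowing.
    # RELATED also admits ICMP errors for tracked flows, so path MTU discovery works.
    printf '%s\n' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A OUTPUT -o lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'
    seen=" "
    for port in "${SSH_PORT:-22}" "$@"; do
        # Reject anything that is not a valid TCP port before it reaches the table.
        case "$port" in
            ''|*[!0-9]*) echo "render_ruleset: invalid port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "render_ruleset: port $port out of range" >&2; return 1
        fi
        case "$seen" in *" $port "*) continue ;; esac   # skip duplicates
        seen="$seen$port "
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what the DROP policy is about to discard, rate-limited so a flood of
    # unwanted packets cannot fill the disk with log lines.
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4' \
        'COMMIT'
}

# apply_ruleset PORT...   Requires root. iptables-restore replaces the whole
# filter table in one transaction, so no -F/-X step is needed and there is no
# moment with a DROP policy and missing ACCEPT rules. --test parses and builds
# the table without committing it, catching typos before anything changes.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    if render_ruleset "$@" > "$tmp" && iptables-restore --test < "$tmp"; then
        iptables-restore < "$tmp"
    else
        echo "apply_ruleset: ruleset rejected, live table unchanged" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
}

if [ "${1:-}" = "--apply" ]; then
    shift; apply_ruleset "$@"
else
    render_ruleset "$@"
fi
```

Because the script validates the whole ruleset before touching the kernel, a mistyped port or option produces an error and leaves the running firewall as it was; with the interactive commands above, the same typo would silently leave a gap. Keep the first run inside a session you can recover from regardless (a console session via the ECS web console, or a second SSH session left open).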

Step 4: Deleting iptables Rules

If you have made a mistake, or no longer want a rule applied on your server, you can delete it. First list the chain with rule numbers. This listing omits -n, so ports are shown by their /etc/services names: submission is 587, urd is 465, imap2 is 143 and imaps is 993.

$ sudo iptables -L [CHAIN NAME] --line-numbers
$ sudo iptables -L INPUT --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
5    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:submission
6    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:urd
7    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3
8    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:pop3s
9    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imap2
10   ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:imaps
11   ACCEPT     all  --  anywhere             anywhere
12   ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Then delete by number:

$ sudo iptables -D INPUT [RULE NUMBER]
$ sudo iptables -D INPUT 5

This removes rule 5, the ACCEPT for port 587. Rule numbers are positions, not identifiers: after the deletion every rule below it moves up by one, so re-list the chain before deleting by number again, and never delete several numbers from one stale listing. The deletion acts on the live table immediately; removing the SSH rule (number 1) while the INPUT policy is DROP ends your session.
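Deleting by rule number is convenient interactively but fragile in scripts: the number is a position that changes with every insertion or deletion, and a rule that was appended twice (running the commands of Step 3 a second time does exactly that) needs two deletions. The added example below, which is not from the original article, deletes by specification instead, using -C to check whether a matching rule still exists and looping until none remains. The IPT variable and the delete_rule function name are assumptions of the example; IPT exists so the logic can be exercised against a stand-in command without root.

```shell
#!/bin/sh
# Added example, not from the original article: delete every copy of a rule by
# its specification, not its (shifting) number.
# IPT is an assumed override hook; the default is the real iptables binary.
IPT="${IPT:-iptables}"

# delete_rule CHAIN RULE-SPEC...
#   e.g. delete_rule INPUT -p tcp --dport 587 -j ACCEPT
# Prints the number of copies removed. `iptables -C` exits 0 while a rule
# matching the exact specification exists, so the loop stops when it is gone.
# The loop is bounded so a -D that fails to remove anything cannot spin forever.
delete_rule() {
    chain=$1
    shift
    removed=0
    while "$IPT" -C "$chain" "$@" 2>/dev/null; do
        "$IPT" -D "$chain" "$@" || return 1
        removed=$((removed + 1))
        if [ "$removed" -ge 100 ]; then
            echo "delete_rule: still matching after $removed deletions, giving up" >&2
            return 1
        fi
    done
    echo "$removed"
}

# Usage on a live server (as root), removing the port 587 rule however many
# times it was added:
#   delete_rule INPUT -p tcp --dport 587 -j ACCEPT
```

The specification passed to -C and -D must be the same one used with -A; iptables normalises -p tcp --dport 587 to -p tcp -m tcp --dport 587 internally, and either spelling matches. Remember to run netfilter-persistent save afterwards, or the deleted rule comes back on the next reboot.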

Step 5: Saving and Testing the New iptables Rules

Rules added with the iptables command live only in the running kernel and are gone after a reboot. To persist them on Ubuntu 16.04, install iptables-persistent (which pulls in netfilter-persistent). During installation it asks whether to save the current IPv4 and IPv6 rules; afterwards, save writes the live rules to /etc/iptables/rules.v4 and /etc/iptables/rules.v6 and reload restores them from those files, which is also what happens at boot:

$ sudo apt-get update
$ sudo apt-get install iptables-persistent netfilter-persistent
$ sudo netfilter-persistent save
$ sudo netfilter-persistent reload

Run save again whenever you change the rules, or the change is lost on the next reboot.

Two things to verify before you call the firewall done. First, test it from outside the instance, not from a shell on it: a connection from another host to an opened port must succeed and to a closed port must time out (a DROP policy discards silently, so expect a timeout rather than "connection refused"), and a new SSH session must still work before you close the one you are in. Second, everything above is IPv4 only. If the instance has an IPv6 address, the ip6tables chains are still at policy ACCEPT and any service bound to :: is reachable on every port; either apply an equivalent ip6tables ruleset (saved in rules.v6 by the same save command) or disable IPv6 on the instance. The security group attached to the ECS instance filters traffic before it reaches iptables; keep the two consistent so that a port is not open in one and closed in the other by accident.

Conclusion

In this guide, we have shown you the basic syntax for configuring and applying iptables rules on an Ubuntu 16.04 server hosted on Alibaba Cloud, and walked through the chains, options and commands that ship with iptables. The result is a filter table that drops everything inbound except the services you deliberately opened; keep it in step with the services you actually run, and remember that it covers IPv4 only.

Alibaba Cloud

Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com