Welcome back once again to this, the final article in which I explain the basics of iptables. Like the last article, this post focuses on filtering, but this time I will explain how to filter by TCP/IP protocol and by port. Before we dive into examples, it is important to understand how protocols and port numbers work together, and which standard protocols and ports some common services use. Note: I will cover only a very basic overview.
To review definitions from article one:
Protocol: When computers communicate with each other, there needs to be a common set of rules and instructions that each computer follows. A specific set of communication rules is called a protocol. In plain English, you can think of protocols as different languages: two computers must speak the same “language” to be able to communicate properly.
Port Numbers: A number that indicates which protocol (service) a server on the Internet is offering on that port. For example, web servers typically listen on port 80. Web browsers use this port by default when accessing web pages, but you can also specify the port you would like to use in the URL, like this: http://www.gbservers.co.uk:80
For example, let’s say that you wanted to allow users to access FTP. FTP uses the TCP protocol on port 21, so in this case we need to allow all TCP packets with a destination port of 21. The syntax we would need to type is:
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
Note: to be able to filter on ports you must specify the protocol with -p, i.e. icmp, tcp, udp or all. Port matching (--dport or --sport) only makes sense for protocols that carry port numbers, such as tcp and udp; ICMP has no ports, so iptables will reject --dport for -p icmp.
It is also possible to use port ranges. For example, we can allow FTP traffic to both ports 20 and 21:
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
A useful tip: you may not always need the firewall to examine every single packet that passes through; often only the first packet of a connection needs to be examined. Since our existing script from the earlier article already allows ESTABLISHED and RELATED connections, we only need the rule to allow “new” connections on a specific port. The syntax would be:
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
A very useful service, especially on a VPS, is Secure Shell (SSH), which uses the reliable TCP protocol on port 22 to provide encrypted remote logins. To allow it, you could use the following rule:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
This technically opens up SSH for access, but the trouble is that it allows connections from anywhere, which is something of a security risk. In the example of a VPN the IP address is typically static, so you can create a better rule that only allows access from certain computers. For example, if you wanted to allow SSH access from the computers on your local LAN (192.168.1.x), you would include the source range as well:
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
This rule is useful to allow only certain trusted computers to connect in. If any other host not covered by the rule attempted to connect, SSH would appear closed and the connection would be refused (or would simply time out, if your default policy is DROP rather than REJECT).
As mentioned above, if you do not want the firewall to review every single packet that passes through, which uses slightly more resources and CPU cycles, you can set the rule to match only new connections. Using the SSH example, the syntax would be:
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
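To tie the FTP, port-range, NEW-state and source-restricted SSH rules above together, here is a small POSIX shell script that builds them as one ordered rule set. It is an added example, not a script from the original article. It assumes the baseline from the earlier article (a DROP default policy on INPUT with ESTABLISHED,RELATED traffic already accepted) and recreates it; the 192.168.1.0/24 LAN and the ports are the article's own values, while the function names, the DRY_RUN/IPT variables and the input check are my additions. By default it only prints the iptables commands so you can review them; set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example firewall script (not from the original article).
# Prints the rules by default (DRY_RUN=1); DRY_RUN=0 applies them via iptables.
set -e

DRY_RUN="${DRY_RUN:-1}"
IPT="${IPT:-iptables}"
LAN_NET="192.168.1.0/24"   # trusted management network from the article

# run_or_print: echo the rule in dry-run mode, otherwise execute it.
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# allow_new_tcp PORT_OR_RANGE [SOURCE_CIDR]
# Matches only the first packet of a connection (-m state --state NEW);
# later packets are handled by the ESTABLISHED,RELATED rule in apply_rules.
# (On current kernels "-m conntrack --ctstate NEW" is the preferred spelling.)
allow_new_tcp() {
    port="$1"
    src="${2:-}"
    case "$port" in
        ""|*[!0-9:]*)           # accept only digits and ':' (single port or range)
            echo "allow_new_tcp: bad port spec '$port'" >&2
            return 1 ;;
    esac
    if [ -n "$src" ]; then
        run_or_print -A INPUT -p tcp -s "$src" --dport "$port" -m state --state NEW -j ACCEPT
    else
        run_or_print -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    fi
}

# apply_rules: iptables evaluates rules top to bottom and the first match
# wins, so the generic ESTABLISHED,RELATED accept goes first, the per-service
# rules follow, and the DROP policy (set last, to avoid locking yourself out
# mid-reload) catches everything else.
apply_rules() {
    run_or_print -F INPUT                      # start from an empty INPUT chain
    run_or_print -A INPUT -i lo -j ACCEPT      # loopback is always needed
    run_or_print -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_new_tcp 20:21                        # FTP data and control, any source
    allow_new_tcp 22 "$LAN_NET"                # SSH only from the trusted LAN
    run_or_print -P INPUT DROP                 # default: drop what no rule accepts
}

apply_rules
```

Review the printed commands first, then apply with DRY_RUN=0 as root and confirm the loaded chain with iptables -L INPUT -n --line-numbers; the line numbers there show the evaluation order the script relies on.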
That concludes the final article on the basic use of iptables. These articles are just the tip of the iceberg: iptables is quite in-depth and very powerful. Some more advanced things you could do with it are packet logging, DDoS mitigation and NAT (network address translation). Those concepts really require a good knowledge of TCP/IP. If you have enjoyed the basics and would like to read more, I would highly recommend learning TCP/IP and basic networking. Not only can it help with a home network, it is a very good career option as well. There are also many sites with excellent material for advanced uses of iptables.
I hope that you have enjoyed these articles, as much as I have enjoyed writing them.