IP Tables

Firewalls are very important to any server as they allow you to define rules on who can make connections to the server's services. A single server may provide web services such as websites. Typically websites are served on port 80 for HTTP and port 443 for HTTPS.

There may be occasions where you want to limit who can access your services, whether for access control or for security purposes. Through the use of a firewall, we can do this by filtering access to our website. The firewall which we will be exploring is iptables. This is a powerful firewall which comes built in on most Linux based operating systems, and by utilising it we can secure the access to our website.

First we want to see our current firewall state. Most operating systems will have the default policy of ACCEPT, which allows all connections to the server. We can check this by using the following command.

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

The firewall works with 3 chains, INPUT, FORWARD and OUTPUT, and depending on how you use the rules in each, the firewall can work in different ways:

INPUT = Rules which define the connections which can be made to the server.
FORWARD = Rules for what comes to the server and is then forwarded to somewhere else.
OUTPUT = Rules which say what can leave the server.

The default behaviour for all 3 iptables categories is to accept ALL connections. This is why the server works by default, and it is also the reason why you're able to access the server without any issues: the firewall's default behaviour literally says, I will allow anyone to make any connection to me.

As mentioned, our server has a website currently running on the default port of 80 for HTTP. Our website is working normally with the default firewall rules, however we wish to block the services of port 80. Here are the default ports for our server:

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http

If we were to run the following command, it would be interpreted this way:

iptables -A INPUT -p tcp --dport 80 -j DROP

I will use the firewall of iptables
I will append this rule because it says -A
I will add this rule for any incoming connections as it lists INPUT
I will check for any incoming connections which use the protocol of TCP because of -p tcp
I will check whether these incoming connections are trying to access the server's destination port of 80 (HTTP) because of --dport 80
I will stop this connection by dropping it so it can’t be connected because of -j DROP

Our server will now list the following ports instead on a network scan.

PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
80/tcp   filtered http

Our command works very well, however it renders all services on port 80 unavailable. This means that no one can access our website, not even ourselves: the rule applies to anyone who fits its criteria, and those criteria match everyone trying to connect to our website on port 80.

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

In our case we have made a mistake. We can flush the rules, removing them, and start over. There is an easy command for this.

iptables -F

Now we can try again and set the correct iptables rule to block access to our website on port 80 for HTTP, but only for a specific IP, without blocking ourselves. We can add the “-s” flag, which specifies the source of the connection. This will allow us to block a particular IP and not everyone else.

iptables -A INPUT -s 192.168.0.1 -p tcp --dport 80 -j DROP

By specifying -s 192.168.0.1, our website still loads for everyone else, but those who try to connect from 192.168.0.1 won’t be able to access it.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       tcp  --  192.168.0.1          anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
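
The walk-through of the two rules above can be checked with a small model of how a chain is evaluated. This is an added example, not part of iptables or the original page: it is a simplified Python model that only understands -A, -s, -p, --dport and -j, and the client address 192.168.0.50 is made up for the demonstration.

```python
import ipaddress
import shlex

# Options this simplified model understands, mapped to rule fields.
FLAGS = {"-A": "chain", "-s": "src", "-p": "proto", "--dport": "dport", "-j": "target"}

def parse_rule(command):
    """Turn an 'iptables -A ...' command line into a dict of match fields."""
    tokens = shlex.split(command)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    rule = dict.fromkeys(FLAGS.values())  # unset field = matches anything
    it = iter(tokens)
    for flag in it:
        value = next(it, None)
        if flag not in FLAGS or value is None:
            raise ValueError(f"unsupported or incomplete option: {flag}")
        rule[FLAGS[flag]] = value
    if rule["src"] is not None:
        rule["src"] = ipaddress.ip_network(rule["src"], strict=False)
    if rule["dport"] is not None:
        rule["dport"] = int(rule["dport"])
    return rule

def verdict(rules, policy, chain, src, proto, dport):
    """Walk the chain top to bottom; the first matching rule decides."""
    addr = ipaddress.ip_address(src)
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["src"] is not None and addr not in r["src"]:
            continue
        if r["proto"] is not None and r["proto"] != proto:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return policy  # nothing matched: the chain policy applies

# The two rules from this page.
BLOCK_ALL = [parse_rule("iptables -A INPUT -p tcp --dport 80 -j DROP")]
BLOCK_ONE = [parse_rule("iptables -A INPUT -s 192.168.0.1 -p tcp --dport 80 -j DROP")]

if __name__ == "__main__":
    # 192.168.0.50 is a constructed "other client" address.
    for name, rules in (("block all", BLOCK_ALL), ("block one", BLOCK_ONE)):
        for src, port in (("192.168.0.1", 80), ("192.168.0.50", 80), ("192.168.0.1", 22)):
            print(name, src, port, verdict(rules, "ACCEPT", "INPUT", src, "tcp", port))
```

Because the first matching rule decides, a DROP rule appended with -A after a broader ACCEPT rule for the same port never takes effect, so check the order with iptables -L after adding rules.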