Jul 15, 2013
 

Iptables

The firewall configuration, especially if you're a beginner in Linux, may seem tricky and difficult to understand. But once you've grasped the basics of the commands, you can write your own script instead of using ready-made ones, which may not be correct for your needs. If the iptables commands in this post fail with "command not found", iptables is not installed on your system. To install it, type:

sudo apt-get update && sudo apt-get install iptables

On Raspbian (and Debian in general) iptables is just a command, /sbin/iptables; there is no iptables init script or service to start. The rules take effect when you load them with iptables-restore, as shown in the steps below, so once the package is installed you can move straight on.

NOTE: Be extremely careful when configuring iptables, as you might block yourself from accessing your Pi! 

If, for any reason, you’re unable to access your Pi through ssh or your website stopped working, connect your Pi to a monitor/TV or open your SD Card on a computer running Linux and re-edit the iptables rules in /etc/network/iptables.

I've covered iptables in general here, but I've since abandoned sshblack in favour of a better and more flexible tool, fail2ban.

The Tables

To make a basic iptables configuration that keeps ssh access for yourself from the local network without exposing it to the internet, you should:

1. Check your router's IP address. The rules below let traffic that arrives through the router reach only the http and https ports (80 and 443 respectively); ssh coming from the router's address is dropped:

sudo grep gateway /etc/network/interfaces

You will get something like this:

gateway 192.168.1.1

2. We will now set up iptables rules to allow external visitors to see our website without the ability to log into our Pi. First, we need to run:

sudo bash -c 'iptables-save > /etc/network/iptables'

This dumps the current rules (on a fresh system just the three chains, all with an ACCEPT policy) in iptables-save format to /etc/network/iptables. That file is plain text and does nothing by itself; the next step hooks it into the network start-up.

3. Let’s now setup the file so a reboot keeps the iptables configuration. To do so, we need to edit the /etc/network/interfaces file:

sudo nano /etc/network/interfaces

At the end of the file we’ll add the following line:

This will tell our Pi to restore the rules from /etc/network/iptables before the interface is brought up, so they are in place on every boot. Save the file with [Ctrl]+[X] > Y > [Enter] and move on.

4. Next we'll edit the /etc/network/iptables file to set the firewall rules:

sudo nano /etc/network/iptables

Replace the contents of the file with the following lines, changing YOUR NETWORK ADDRESS and YOUR ROUTER ADDRESS to match your network (the router is the gateway from step 1; the network address is the same address with the last octet set to 0, e.g. 192.168.1.0). Note that the rule dropping ssh from the router comes before the rule accepting the whole internal network. iptables stops at the first matching rule, so in the other order the DROP would never be reached:

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s YOUR ROUTER ADDRESS/32 -i eth0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s YOUR NETWORK ADDRESS/24 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

Save the file with [Ctrl]+[X] > Y > [Enter]. Before we move on, a few words of explanation:

*filter
– the rules that follow belong to the filter table; iptables-restore expects this header before any chain or rule lines.
:INPUT DROP [0:0]
– don't accept any incoming network traffic unless a following rule overrides it (the [0:0] is the packet/byte counter pair that iptables-save writes for every chain).
:FORWARD ACCEPT [0:0]
– accept any forwarding requests
:OUTPUT ACCEPT [0:0]
– allow any outbound network traffic
-A INPUT -i lo -j ACCEPT
– allow any connections from the local host
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
– allow all traffic via port 80 (the port used for http)
-A INPUT -i eth0 -p tcp -m tcp --dport 443 -j ACCEPT
– allow all traffic via port 443 (the port used for https)
-A INPUT -s YOUR ROUTER ADDRESS/32 -i eth0 -p tcp -m tcp --dport 22 -j DROP
– block any traffic to port 22 (ssh) whose source address is your router. This catches connections the router forwards from the internet only if the router rewrites their source address to its own; if it passes the original public source address through, those connections are dropped by the INPUT policy anyway, because nothing above accepts port 22 from outside the internal network.
-A INPUT -s YOUR NETWORK ADDRESS/24 -j ACCEPT
– allow all traffic from the internal network, including ssh from your own machines
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
– allow the replies to connections the Pi initiated itself
COMMIT
– finally, commit the entries to the firewall

Now we need to load the rules  into our iptables:

sudo iptables-restore < /etc/network/iptables

You can check if it worked by typing:

sudo iptables-save

This should print the rules you just loaded, in the same format as the file. And if you want to see iptables in action, head to my Github for an example, chmod +x the file and run it on your Pi.
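The four steps above, put together as an added example (this is not the script from the original post, nor the one on its Github). It writes the ruleset in the form iptables-restore expects, keeps the specific "drop ssh from the router" rule ahead of the broad LAN ACCEPT, and checks that order before anything is loaded. The interface name, LAN prefix and router address at the top are assumptions; replace them with the values from your own network.

```shell
#!/bin/sh
# Added example, not the original post's script. Generates the ruleset
# described in the post, verifies rule order, and (when run as root with
# the argument "install") writes and loads it. Values below are assumed.
IFACE="eth0"
LAN="192.168.1.0/24"
ROUTER="192.168.1.1"

# Print the ruleset for interface $1, LAN prefix $2 and router address $3.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i $1 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s $3/32 -i $1 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -s $2 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Return 0 only if the "--dport 22 -j DROP" rule comes before the
# "-s <LAN> -j ACCEPT" rule in ruleset text $1 (LAN prefix in $2).
# iptables stops at the first matching rule, so in the reverse order
# the DROP is dead code for anything the LAN rule already accepted.
check_order() {
    drop=$(printf '%s\n' "$1" | grep -n -- '--dport 22 -j DROP' | head -n 1 | cut -d: -f1)
    accept=$(printf '%s\n' "$1" | grep -n -- "-s $2 -j ACCEPT" | head -n 1 | cut -d: -f1)
    [ -n "$drop" ] && [ -n "$accept" ] && [ "$drop" -lt "$accept" ]
}

# Write the ruleset to /etc/network/iptables and load it. Run as root.
# iptables-restore --test only parses the file, without touching the live
# firewall, so a typo fails here instead of locking you out of the Pi.
load_rules() {
    rules=$(gen_rules "$IFACE" "$LAN" "$ROUTER")
    check_order "$rules" "$LAN" || return 1
    printf '%s\n' "$rules" > /etc/network/iptables || return 1
    iptables-restore --test < /etc/network/iptables || return 1
    iptables-restore < /etc/network/iptables
}

RULES=$(gen_rules "$IFACE" "$LAN" "$ROUTER")
check_order "$RULES" "$LAN" || { echo "rule order is wrong" >&2; exit 1; }
if [ "${1:-}" = "install" ]; then
    load_rules
else
    printf '%s\n' "$RULES"   # dry run: show what would be written
fi
```

Without arguments the script only prints the ruleset, so you can read it before committing to it; `sudo sh firewall.sh install` writes and loads it. The hook step 3 adds to /etc/network/interfaces is assumed here to be `pre-up iptables-restore < /etc/network/iptables` under the eth0 stanza, which matches the file path used throughout the post. If your interfaces file has no static `gateway` line (the Pi gets its address by DHCP), `ip route show default` prints the router address instead. After loading, `sudo iptables -L -v -n` shows the live chains with per-rule packet counters, which is the quickest way to confirm that the router DROP rule is actually being hit rather than shadowed.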

If you wish to open ssh (or any other) access from outside your local network, for example to admin your Pi from any location in the world, to enable ftp file transfer, install WordPress, or for any other reason, it's a must to install fail2ban, an intrusion prevention daemon that temporarily bans addresses that repeatedly fail to log in. In the next part, I'm going to cover the use and configuration of fail2ban.

  • Vincent Vega

    iptables are a nightmare for me, always blocking myself. but thanks to this tutorial i’ve managed to stay out of trouble. thanks! :)

  • Globber

    That’s a decent basics tutorial for the firewall. thanks

  • Pingback: Bog standard R-Pi Setup | I am the BFG

  • dude

    Nice and simple. Worked first time for me.

  • http://www.manipal.net vijay

    Hi,
    I have configured NAT for the RPi. After that I had one IP camera in my home and I typed that IP address. I am able to stream only some 10 sec, not more than 10 sec. What is the problem? I am not able to understand the problem.

    • http://www.bartbania.com/ Bart Bania

      I'm not sure that's an iptables issue. If the camera is attached to the RPi, just allow it using iptables. If it's an external camera, not connected to the RPi in any way, I don't know what the issue might be.

  • http://scriptwritercentral.com/ M. Schiller

    Good web site. A good amount of practical info listed here. I am just submitting this to a couple of associates and as well spreading inside tasty. And definitely, cheers inside your perspire!

  • http://www.samhobbs.co.uk Sam Hobbs

    Hi,

    Just wanted to say thanks for this tutorial and part 3 (fail2ban), I’ve found them really useful – just what I was looking for.

    Cheers,

    Sam

    • http://www.bartbania.com/ Bart Bania

      appreciate it Sam! thanks

      all the best,

      Bart

  • Anders

    Please don't recommend the use of iptables directly for beginners. They will use a naïve table like the one here and think that is enough.
    There is a lot more to the proper use and setting up of a proper firewall, like it should work with IPv4 and IPv6.
    Please recommend the use of a proper iptables (and ip6tables) frontend like ufw or shorewall / shorewall6. Much easier to use and understand, and they take care of all the small but important details so often forgotten when writing your own tables. And they set up the firewall for IPv6 too.

    Yes, it is good to know iptables too, but then you can use the iptables -L command.

    • http://www.bartbania.com/ Bart Bania

      Agree with you. This is my approach: to learn the hard way. Frontends are fine, easy to use, but sometimes you might find yourself without access to a frontend. And still, things like shorewall or ufw need some backend configuration. This post was written a long time ago and is not perfect; I might consider updating it soon...

    • Rick

      Anders, this is not an acceptable response. It is a good article that helps others learn the origin of the work. Such over-emphasis on short cuts leaves people unaware of the roots. It is a terrible way to learn, and I am not willing to simply tell someone, "don't touch that, you won't understand it." "Use this so you don't make any mistakes" means you know nothing about how it works. Say instead "You can use this too, to help ensure you get it right." That is better wording.

  • Terion

    I don’t understand these lines:
    -A INPUT -s YOUR NETWORK ADDRESS/24 -j ACCEPT

    – allow all traffic from the internal network

    -A INPUT -s YOUR ROUTER ADDRESS/32 -i tcp -p tcp -m tcp –dport 22 -j DROP

    – block any traffic to port 22 (ssh) coming from your firewall

    I thought iptables rules were read sequentially top to bottom, until one matched.
    In this case, the more specific line should be on top to exclude router access shouldn’t it?
    Since the gateway is on the local network, its address will match YOUR_NETWORK_ADDRESS/NETMASK_BITS and it will be accepted before it can be dropped.
    I have a similar configuration, but I have the more specific DROP rule on top.

    • http://www.bartbania.com/ Bart Bania

      yes, you’re right. more specific rules should go to the top.
      My excuse is that I wrote the tutorial quite some time ago when I was myself learning iptables usage, and I haven't updated it since...

      thanks for pointing that out!

  • raspi2807

    Need some help.
    sudo apt-get update && sudo apt-get install iptables gives me error
    E: Could not open lock file /var/lib/dpkg/lock – open (13: Permission denied)
    E: Unable to lock the administration directory (/var/lib/dpkg/), are you root?

    sudo apt-get update && sudo apt-get install iptables. Then i get

    Reading package lists… Done
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    iptables is already the newest version.
    0 upgraded, 0 newly installed, 0 to remove and 79 not upgraded.

    Maybe the Raspbian version I have already has iptables. But then when I try the second command, sudo /etc/init.d/iptables start, I get command not found. There is no iptables under /etc/init.d.

    • http://www.bartbania.com/ Bart Bania

      It's not present in the /etc/init.d/ directory.
      It's present in /sbin/iptables most probably.

      try running

      sudo service iptables start

      instead

      and upgrade your system with sudo apt-get update && sudo apt-get upgrade to get the latest software versions.

      • raspi2807

        Yes i have /sbin/iptables. But sudo service iptables start gives me unrecognized service.

        sudo iptables -L gives me the following

        Chain INPUT (policy ACCEPT)

        target prot opt source destination

        Chain FORWARD (policy ACCEPT)

        target prot opt source destination

        Chain OUTPUT (policy ACCEPT)

        target prot opt source destination

        • http://www.bartbania.com/ Bart Bania

          Ah. Red Hat, Fedora and CentOS do have a script in /etc/init.d which allows you to {save|stop} iptables. Debian doesn't. Use iptables like a command; omit the service/init.d part.