"Iptables " is a command line utility that is the standard management interface of the Netfilter firewall for Linux kernels. It can be used to create and modify rules that control filtering and redirection of packets. Iptables requires superuser (root)* privileges.
The key concepts of iptables are:
Rules - consists of a criterion, an action, and a counter. If a packet meets the criterion, the action is applied to it and it is counted by the counter. There can be no criterion - then "all packets" criterion is implicitly assumed. You don't have to specify an action, either - if there is no action, the rule will only act as a counter. The rules for each chain are triggered in order, so the order is important.
-
Criterion is a logical expression which analyzes the properties of a packet and/or connection, and determines whether the given packet is covered by the current rule. Criteria are joined by a logical "AND".
-
Action - A description of the action to be performed on a packet and/or connection if they are matched by this rule. The actions are described in more detail below.
-
Counter - A component of a rule which counts the number of packets matching the criteria of this rule. It also counts the total volume of such packets in bytes.
A Chain** is an ordered sequence of rules. Chains can be divided into user chains and basic chains.
-
A basic chain is a chain created by default during table initialization. Every packet, depending on whether it is destined to the host itself, generated by it or is a transit packet, has to go through a set of base chains of different tables. Furthermore, the base chain differs from the user chain in having a "default policy". This action is applied to packets that have not been processed by other rules in this chain or in chains called from it. Base chain names are always written in upper case (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING).
-
A user-defined chain is a chain created by the user. It may only be used within its own table. It is recommended not to use uppercase names for such chains to avoid confusion with basic chains and built-in actions.
Table - a set of base and user chains united by a common functional purpose. The names of tables (as well as criterion modules) are written in lower case, as in principle they cannot conflict with the names of user chains. When calling the iptables command, the table is specified in the format -t table_name. If there is no explicit indication, filter table is used.
Depending on the services running on the servers the set of ports will be different. First, let's create our chain, where we will add the list of IP addresses, which are allowed/forbidden to have access to the ports list.
# iptables -N antiscan
# iptables -A antiscan -s 111.111.111.111 -j ACCEPT
# iptables -A antiscan -s 00.00.00.00 -j ACCEPT
# iptables -A antiscan -j DROP
In this case, only two IP addresses are allowed access. Now we need to add to the INPUT chain a list of ports to which access is restricted. Let's start by adding the TCP ports.
# iptables -I INPUT -m tcp -p tcp --dport 25 -j antiscan
# iptables -I INPUT -m tcp -p tcp --dport 82 -j antiscan
# iptables -I INPUT -m tcp -p tcp --dport 3306 -j antiscan
# iptables -I INPUT -m tcp -p tcp --dport 8083 -j antiscan
Next we add the UDP ports.
# iptables -I INPUT -m udp -p udp --dport 111 -j antiscan
# iptables -I INPUT -m udp -p udp --dport 161 -j antiscan
Now you can add the rules to the autoloader.
# iptables-save > /etc/iptables.rules
# cat > /etc/network/if-pre-up.d/iptablesup << EOF
#!/bin/bash
iptables-restore </etc/iptables.rulesexit 0 EOF
# chmod +x /etc/network/if-pre-up.d/iptablesup