Why Are Linux Firewalls Needed?
Imagine your Linux server as a castle, and the firewall as its gates and guards. It helps you block “visitors” with unknown identities and only allows those you explicitly permit. Without a firewall, hackers could scan your server, attempt to exploit unopened ports, or even attack your services. Thus, configuring a firewall is the first step in securing your server.
What is iptables?
iptables is the most basic packet-filtering firewall tool in Linux systems. It acts like a “gatekeeper,” examining network packet information (e.g., source IP, target port, protocol type) to decide whether to “allow” (permit passage) or “block” (reject entry).
In simple terms, it manages traffic through a series of rules that are evaluated in order: the first rule that matches a packet decides what happens to it, so earlier rules take precedence over later ones.
Core Concepts of iptables
1. Tables
iptables has 4 main tables. The most commonly used for beginners is the filter table (for filtering traffic); other tables like nat (for Network Address Translation) can be ignored for now.
2. Chains
Chains are “queues” for rules. iptables categorizes chains based on traffic direction into 3 default chains:
- INPUT: Handles traffic entering the local machine (e.g., someone accessing your web service).
- OUTPUT: Handles traffic originating from the local machine (e.g., you visiting external websites).
- FORWARD: Handles traffic that needs forwarding (if the server acts as a router).
3. Rules
Each rule consists of a matching condition and an action:
- Matching Condition: Defines what traffic matches (e.g., target port 80, TCP protocol).
- Action: The operation to take after matching (e.g., ACCEPT to allow, DROP to silently discard, REJECT to deny with a response).
Pre-Configuration Preparation
1. Check Current iptables Rules
First, review existing rules to avoid conflicts or redundant configurations:
iptables -L -n # -L lists rules, -n shows IPs/ports (no DNS resolution)
2. Flush Existing Rules (If Needed)
If previous rules exist, clear them (proceed with caution!):
iptables -F # Flush all rules
iptables -X # Delete all custom chains
Step-by-Step Firewall Rule Configuration
1. Allow Local Loopback Interface (lo) Traffic
The local loopback interface (lo) is the internal communication channel for the server. It must be allowed; otherwise, local services (e.g., databases, web services) cannot communicate properly:
iptables -A INPUT -i lo -j ACCEPT # Allow inbound traffic from lo
iptables -A OUTPUT -o lo -j ACCEPT # Allow outbound traffic to lo
2. Set Default Policies (Critical!)
Default policies determine how unmatched traffic is handled. It is recommended to set defaults to “deny” first, then gradually open necessary ports (principle of least privilege):
iptables -P INPUT DROP # Default: Deny all inbound traffic
iptables -P OUTPUT ACCEPT # Default: Allow all outbound traffic (usually safe)
iptables -P FORWARD DROP # Default: Deny all forwarded traffic (ignore if not a router)
3. Allow SSH Remote Access (Mandatory!)
Servers typically require remote management. First, open SSH (default port 22). In production, restrict to specific IP ranges (e.g., only your company’s IP) or use key-based authentication:
# Allow SSH from 192.168.1.0/24 subnet (replace with your actual IP range)
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
# OR allow all IPs (only for testing, insecure!)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
4. Allow Web Services (80/443, as needed)
If your server runs web services (e.g., Nginx/Apache), open ports 80 (HTTP) and 443 (HTTPS):
# Allow HTTP (port 80)
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow HTTPS (port 443)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
5. Deny All Unmatched Traffic
Because the default policy of the INPUT chain is DROP, every packet that matches none of the rules above is already discarded; no additional rule is needed.
6. Save Rules (Avoid Losing After Reboot)
Save rules to persist across reboots:
For CentOS/RHEL:
service iptables save # Save rules
systemctl enable iptables # Enable on boot
systemctl start iptables # Start firewall
For Ubuntu/Debian:
# Install iptables-persistent if not installed
apt-get install iptables-persistent
# Save rules
dpkg-reconfigure iptables-persistent
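The complete ruleset from steps 1 to 6, as an added example that is not part of the original guide: a POSIX shell function that emits the rules in iptables-restore format instead of running iptables one command at a time. Applied strictly in the order listed above over an SSH session, step 2 sets INPUT to DROP before step 3 allows SSH, which cuts off the session you are configuring from; loading the whole table in one iptables-restore call avoids that window. The management subnet and service ports are parameters (the 192.168.1.0/24 and 80/443 values are the guide's own placeholders), and the ESTABLISHED,RELATED conntrack rule is an addition the steps above do not include; it lets replies to connections the server itself opened, and the current SSH session, pass even though INPUT defaults to DROP.

```shell
#!/bin/sh
# Emit a filter-table ruleset in iptables-restore format (added example).
# Parameters (assumptions, adjust to your environment):
#   $1 - subnet allowed to reach SSH, e.g. 192.168.1.0/24
#   $2 - space-separated TCP ports open to everyone, e.g. "80 443"
build_ruleset() {
  ssh_subnet="$1"
  service_ports="$2"

  printf '%s\n' '*filter'
  # Step 2: default policies (deny inbound/forwarded, allow outbound)
  printf '%s\n' ':INPUT DROP [0:0]'
  printf '%s\n' ':FORWARD DROP [0:0]'
  printf '%s\n' ':OUTPUT ACCEPT [0:0]'
  # Step 1: loopback traffic in both directions
  printf '%s\n' '-A INPUT -i lo -j ACCEPT'
  printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
  # Addition: replies to connections this host opened, and the live SSH session
  printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  # Step 3: SSH only from the management subnet
  printf '%s\n' "-A INPUT -s $ssh_subnet -p tcp --dport 22 -j ACCEPT"
  # Step 4: public services, one rule per port
  for port in $service_ports; do
    printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
  done
  # Step 5 needs no rule: the INPUT policy already drops everything else
  printf '%s\n' 'COMMIT'
}

# Sanity check helper: number of explicit ACCEPT rules in a ruleset read from stdin
count_accepts() {
  grep -c -- '-j ACCEPT'
}
```

Write the output to a file (on Ubuntu/Debian, /etc/iptables/rules.v4 is the file iptables-persistent loads at boot, which also covers step 6), check it with `iptables-restore --test < rules.v4`, and only then load it with `iptables-restore < rules.v4`; iptables-restore replaces the table atomically, so the DROP policy and the SSH allow rule take effect together.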
Common Operations
1. View Rules
iptables -L -n --line-numbers # Show rule numbers for easy deletion
2. Delete Rules (by Number)
To delete the 3rd rule:
iptables -D INPUT 3 # Delete the 3rd rule in the INPUT chain
3. Flush All Rules
iptables -F # Flush rule chains
iptables -X # Delete custom chains
iptables -Z # Reset counters
Security Tips
- Rule Order Matters: Rules are evaluated top-to-bottom; earlier rules take precedence. For example, place deny rules at the end so they do not override earlier allow rules.
- Principle of Least Privilege: Only open necessary ports. For example, a web server only needs 80/443; other ports (e.g., 21 FTP, 3306 MySQL) should be opened only when required.
- Avoid Directly Exposing Port 22 to the Internet: Restrict SSH access via VPN or IP whitelisting, or use key-based authentication (disable password login).
- Regularly Audit Rules: If your server is compromised, check for abnormal rules with iptables -L and clean them promptly.
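An added example for the audit tip, not from the original guide: a shell function that reads an `iptables -S INPUT` listing (the rule-spec form of the listing, easier to parse than `iptables -L`) and flags inbound ACCEPT rules that are broader than the ruleset built in this guide, that is, any ACCEPT that is not loopback, not a conntrack reply rule, not limited to a source subnet, and not on one of the ports you expect to be public. The expected-port list is a parameter, and the sample listing in the usage is constructed for illustration.

```shell
#!/bin/sh
# Audit `iptables -S INPUT` output read from stdin (added example).
# $1 - space-separated TCP ports that may be open to any source, e.g. "80 443"
# Prints one "REVIEW:" line per suspicious rule; exit status 1 if any was found.
audit_input_rules() {
  expected_ports="$1"
  awk -v ports="$expected_ports" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    /^-A INPUT / && /-j ACCEPT/ {
      # Loopback and established/related reply rules are expected
      if ($0 ~ /-i lo/ || $0 ~ /--ctstate/) next
      # Rules restricted to a source subnet (-s a.b.c.d/n) are expected
      if ($0 ~ /-s [0-9.]+(\/[0-9]+)?/) next
      # Otherwise the rule is open to the world: its port must be on the list
      port = "any"
      if (match($0, /--dport [0-9]+/)) port = substr($0, RSTART + 8, RLENGTH - 8)
      if (!(port in ok)) { print "REVIEW: " $0; flagged++ }
    }
    END { exit (flagged > 0) }'
}
```

Run it as `iptables -S INPUT | audit_input_rules "80 443"`; a world-open port 22 rule or a bare `-A INPUT -j ACCEPT` added after a compromise shows up as a REVIEW line, while the loopback, conntrack, subnet-restricted SSH and 80/443 rules from the guide pass silently.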
Summary
By following the steps above, you have completed a basic firewall configuration for a Linux server. The core idea is: first allow local and necessary service traffic, then deny all unmatched traffic. Remember that firewall rules should be adjusted to your actual business needs; do not blindly open all ports!
For more advanced configurations (e.g., port forwarding, IP limiting), explore the nat table or tools like ipset. However, basic rule configuration suffices for most server security needs.