Creating Host-Based Firewall Rules w/ IPtables

Austin Newton
5 min read · Jul 30, 2023

Prerequisites:

  • Linux Host
  • Another device to test firewall rules with
  • Internet Connection

Intro

Security policies and equipment shouldn't stop at the edge of your network. Neglecting host-based mitigations goes against a key pillar of cybersecurity, Defense in Depth. What does this term mean? Defense in Depth is the idea of having multiple, layered security controls in place so that a single failure does not lead directly to a negative event.

Example of Defense in Depth: Having a network-based firewall on the edge of your network, host-based firewalls on your hosts, a network-based IDS, and antimalware software on your hosts.

In this post we will be using the Linux utility IPtables, from the Linux command line, to create packet filtering rules for the Linux kernel firewall. If you would prefer a GUI, there is a program called Firestarter.

Installing IPtables

IPtables comes included with the latest version of Ubuntu, so if you are using an up-to-date version you can skip this step. To install IPtables, run the command:

sudo apt install iptables

What Is A Policy Chain?

A Policy Chain is a list/chain of policies/rules. There are three main chains within IPtables:

  • INPUT — The INPUT chain is a chain of rules for INCOMING connections. Ex: If you allow ICMP Pings ONLY from 10.10.10.10 the rule would go in this chain.
  • OUTPUT — The OUTPUT chain is a chain of rules for OUTGOING connections. Ex: If you want to ping google.com IPtables would check for any rules that would disallow it.
  • FORWARD — The FORWARD chain is a chain of rules for when the host needs to FORWARD traffic. Only used in certain environments.

Note: Most protocols need two-way communication to work correctly. Meaning, if you allow outgoing pings to a certain host, there also needs to be a rule permitting the ICMP replies coming back from that host.

Default Configuration

The first thing to check is how our firewall will react when there are no rules matching the traffic that is coming in or going out.

To do this enter the following:

sudo iptables -L

As you can see, all three chains ALLOW traffic by default. Convenient, but not very secure. If you would like to change the default response you can do so with the following commands:

iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP

A chain's default policy can only be ACCEPT or DROP. If you want unmatched traffic rejected instead, append a catch-all REJECT rule at the end of each chain; since it sits after every other rule, it acts as the default:

iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT
iptables -A OUTPUT -j REJECT

What is the difference? Both REJECT and DROP stop the traffic. The main difference is the response the host trying to make the connection, in or out, receives.

If you have the policy set to DROP, then the connection is just simply dropped. As if there was no host there to begin with. If you use the REJECT policy, then the connection will be rejected. The response will be something like ‘Host unreachable’.

Notice how the rejection acknowledges that the host is there but unreachable, whereas just dropping the packet gives no information.

The Anatomy Of The IPtables Command

Now that we have our default response configured, we need to start making specific policies for our environment. Here is the command we will be using to add new policies to our policy chains:

iptables -A <PolicyChain> -s <HostAddress/NetworkAddress> -j <Action>

This looks like a lot, but let's look at a real-world example and then break it down:

iptables -A INPUT -s 192.168.0.100 -j DROP

This command DROPS all traffic coming from 192.168.0.100.

Breakdown:

  • iptables: This is the Linux kernel firewall utility.
  • -A: This parameter adds our new policy to the end of the policy chain. In other words, it appends to the chain.
  • INPUT: This is the policy chain we are going to append.
  • -s: This parameter stands for source, so we need to add where the source of the traffic is coming from.
  • 192.168.0.100: This is the source address. AKA where the traffic is coming from.
  • -j: This parameter specifies, “If the traffic matches this policy, what should I do?”.
  • DROP: This is the action taken when the traffic matches the policy. If the traffic matches, we will DROP the packet.

Note: Remember, Linux is case sensitive. So the parameters need to match exactly.

Let's look at a more specific example.

iptables -A OUTPUT -p tcp --dport 3389 -j DROP

This command will block ALL outgoing connections to port 3389, the default RDP port.

Let's break down the two new parameters:

  • -p: This stands for protocol. In the example above we are blocking all TCP connections destined for port 3389.
  • --dport: This stands for destination port.

We can also match on the protocol alone. For example, to block all outgoing ICMP traffic (ICMP has no ports, so -p is all that is needed):

iptables -A OUTPUT -p icmp -j DROP

Policy Hierarchy

When our firewall inspects traffic going in or out, it compares the packet against each policy in the chain from top to bottom, in the order the rules were added, and the first matching rule with an action decides what happens. This means we can put ourselves into a situation where traffic is being allowed or blocked by a rule we weren't intending it to match. In situations like these we need to insert a policy at a specific position. We do this by entering the following command:

iptables -I <PolicyChain> <ListNumber> -s <HostAddress/NetworkAddress> -j <Action>

The only new portion of this command is the <ListNumber>: this is the position your new policy will take within the policy chain. Example: If you place 1 in this spot, your policy will be the first one in the list. Note: If you leave the <ListNumber> field blank, it will default to 1.
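The following script is an added example (not code from the original post) that pulls together the pieces from the command anatomy and policy hierarchy sections: loopback and return traffic are allowed first, then specific allows, then a catch-all REJECT, and only then does the default policy flip to DROP, so an admin working over SSH is not locked out mid-script. MGMT_HOST is a constructed placeholder for the admin workstation; the script prints the rules for review and only applies them when run with --apply as root.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal allow-list host firewall
# built from the pieces the post covers (default policy, -A ordering, two-way
# traffic, DROP vs REJECT). MGMT_HOST is a constructed placeholder address.
MGMT_HOST=${MGMT_HOST:-10.10.10.10}   # assumed admin workstation (SSH, ping)
IPT=${IPT:-iptables}

# Print the rule set instead of running it so it can be reviewed first.
# Rules are matched top to bottom; the default policy applies only to
# packets no rule matched, so it is switched to DROP last.
build_rules() {
    cat <<EOF
$IPT -F
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp -s $MGMT_HOST --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -s $MGMT_HOST -j ACCEPT
$IPT -A OUTPUT -p icmp --icmp-type echo-request -d $MGMT_HOST -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 3389 -j REJECT --reject-with tcp-reset
$IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
$IPT -A INPUT -j REJECT
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
EOF
}

# Guard against the classic lock-out: the ESTABLISHED,RELATED rule on INPUT
# must already be in place before the INPUT policy flips to DROP.
policy_after_conntrack() {
    build_rules | awk '
        /-A INPUT .*ESTABLISHED,RELATED/ && !seen { seen = NR }
        /-P INPUT DROP/ { drop = NR }
        END { exit !(seen && drop > seen) }'
}

# Number of rules appended to a chain, e.g. rule_count INPUT
rule_count() {
    build_rules | grep -c -- "-A $1 "
}

# Apply for real (needs root) only when explicitly asked; otherwise print.
if [ "${1:-}" = "--apply" ]; then
    policy_after_conntrack && build_rules | sh -e
else
    build_rules
fi
```

The outbound 3389 rule uses REJECT with a TCP reset so a local process gets an immediate error instead of a timeout, while the inbound catch-all REJECT sits above the DROP policy and is what remote hosts actually see.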

Clearing Your Policy Chains

If you would like to completely erase all of your policies, you can do so with this command:

iptables -F

This will flush every rule from every chain. It does not reset the default policies, so if you set them to DROP earlier, flushing leaves the host blocking all traffic until you add rules again or set the policies back to ACCEPT.

Saving Your Work

The rules you have applied live only in the running kernel and will go away on reboot. To make sure they remain active, we need to save our work. iptables-save prints the current rules to standard output, so we redirect it to the file that the iptables-persistent package on Ubuntu restores at boot:

sudo sh -c '/sbin/iptables-save > /etc/iptables/rules.v4'

The Linux kernel firewall IPtables can be intimidating to first work with, but once you understand the structure of the commands you will get it soon enough. If you need additional help, check out the man pages for the command. This is where I learned the information to write this post.

Hopefully you found this helpful.


Austin Newton

IT Professional with a passion for Cybersecurity & Infrastructure.