Using `iptables` on Linux
Hey guys, this is Matt from MacHeads101, and today I'm going to be showing you something that's more to do with Linux and servers than it is to do with Mac.
But this will be really useful if you host your own website, or you have a home server, or even if you're looking to just secure your own Linux machine.
So in this video, I'm going to be using SSH, which means connecting remotely through terminal to my server. This is the server that's hosting MacHeads101.com. It's hosting my personal website and all of that, and it's running Linux.
So this stuff I'm going to show you in this video doesn't actually work on Mac out of the box, but it's very useful for Linux, and I figured I might as well show you guys how to use it.
The tool we're going to be talking about is called iptables, and it's spelled like that. Iptables essentially filters all incoming and outgoing network traffic; it's a firewall.
So when someone tries to connect to you, it looks at the rules you've set up for it, and if there is a rule that allows that data, it'll allow it; otherwise, it'll block the connection, basically.
So this is super useful for a server if you have stuff running and listening on ports that you don't want people to get access to, or anything like that.
So let's go ahead, and I'm going to show you how to show all the current rules that you have set up with iptables, which by default will be none.
You can use `iptables -L` (capital L) to list rules, and I suggest also using `-n` (lowercase) because that will prevent it from doing reverse DNS lookups, which can make it a lot faster if you have a lot of rules, and it looks prettier.
Right here, you see it says `Chain INPUT` followed by some table headings, then `Chain FORWARD` with table headings, then `Chain OUTPUT` with table headings, but there are no actual entries here. These are just table headings.
This is because I don't have iptables configured with anything right now.
Now, the way iptables works is there are different chains that traffic goes through. When it gets a packet from a remote host, it sends that packet through the INPUT chain.
It'll check the first rule you have set, and if that doesn't match, it'll check the second rule, etc. It'll go all the way down, and if the packet doesn't match any rules, it'll just apply the policy, which is right now set to ACCEPT because it's set up to just let all traffic through right now.
So right now, I'm going to add a rule which allows any incoming traffic from localhost. Obviously, you want this machine to be able to talk to itself over the network; once we set the policy to DROP, that'll be very important.
So I'm going to go ahead and type `iptables -A INPUT -i lo -j ACCEPT`.
So `-A` means append; it means add the rule to the end of the chain that you specify. `INPUT` is the chain we're adding this rule to. `-i` specifies the interface, which is `lo`, because we want only the local loopback interface to be affected by this rule, and `-j` is the target of this rule, and we want it to accept all traffic.
So I'll hit enter, and now I'll do our list again, and you see here's our one rule that we've added. It says accept and it says all. It doesn't say the interface that we set this for, but that's just because it's not showing that in the list. But it does know that the interface is localhost.
So now that we've set up this pretty much useless rule right now because it's already set up to accept all traffic, let's go ahead and add one more rule to accept all traffic from, let's say, SSH.
So, `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`.
And what will this do? Well, it'll append a rule just like our last command to the input chain.
`-p` specifies the protocol we want to allow; we want to allow TCP connections, which is what SSH uses. `--dport` is the destination port of the connection, which, for an incoming connection, is the port on the server that we allow it on, which is 22. That's the SSH port, and `-j ACCEPT` is once again our action to accept.
If I list again, you see here's our new ACCEPT rule for TCP, and it will allow TCP destination port 22 from any host. Now that's important, and if you forget to add this, you'll be screwed over, because if you're doing this on an external server that you don't have physical access to, your only way of connecting to it is through SSH.
If you suddenly block SSH, you're basically in a lot of trouble. Now luckily, my VPS actually has an online web console where you can connect to it without any network. You know, even if you set a firewall, you can still use a console with my provider, but with a lot of providers, that probably isn't an option.
So anyway, I'm going to go ahead and add a couple more rules just to show you how I actually set up my firewall. I'm going to accept port 80, which is HTTP; 443, which is HTTPS; and I'll also throw in 13370 because that's the port for our last MacHeads101 contest.
Let me see if there's anything else I'm forgetting. I don't think there is, probably.
So I'm going to go ahead and do `iptables -P INPUT DROP`. This sets the policy for INPUT to DROP.
And we go ahead, and now if I do the list, you can see here we go: accept, accept, accept, accept, accept, and then the policy is DROP. So if none of these rules are matched, which they very well might not be, it'll just drop all the traffic, which means now I can't connect to my site if I have some server running on some different port.
I won't be able to connect to that server, which is very, very useful.
Now, let's say I want to delete a rule. Let's say I want to delete this last one because I don't actually want to allow the MacHeads contest.
Actually, I'll show this in action. I'll open up Chrome and I'll go to MacHeads101.com:13370, and I'll open it up there.
And now, I'm going to go ahead and do `iptables -D INPUT 5`: `-D`, the chain, and then the index. So this is 1, this is 2, this is 3, this is 4, this is 5. Indexes start at 1, by the way.
And now if I do a list again, you see it's gone. I refresh the page, and what do you know? It's not loading. If I go back and I reopen this rule, it'll load immediately.
So that is just a taste of iptables. It is really neat, really useful. One last thing I'm going to mention, which you should probably be well aware of, is `iptables --flush`, which will delete all the rules.
Now I'm not going to hit enter, and there's a very good reason I'm not going to hit enter there. It's that that will delete all the rules, but it won't change the policy.
So if I did that (which I did right before making this video; I screwed myself over and locked myself out of my VPS), it would delete all these accept rules we have, so it won't allow any connections anymore, and it'll keep the policy as DROP.
So all the traffic will suddenly be dropped, and I'll get disconnected from SSH and all that good stuff. So `iptables --flush` is a very dangerous thing in general.
It's dangerous to have your policy set to DROP if your only way of connecting is SSH, so I'd be pretty careful with that.
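Here is the whole setup from the video, written up as an added shell script (my addition, not the video's own commands). It emits the iptables commands as a reviewable list, applies them only when asked, and checks that the SSH ACCEPT rule comes before the DROP policy before anything is applied. It goes beyond the video in two places: `safe_flush_commands` restores an ACCEPT policy before flushing, so the lockout described above cannot happen, and an `ESTABLISHED,RELATED` conntrack rule is included so that a DROP policy on INPUT does not also drop the reply packets of connections the server itself opens (package updates, DNS lookups). The function names, the `DRY_RUN` variable and the `apply`/`undo` arguments are conventions of this example, not of iptables.

```shell
#!/bin/sh
# Added example, not from the video. Builds the INPUT chain described in the
# transcript as a list of iptables commands so it can be reviewed first.
# Assumes a Linux host with the iptables CLI; applying requires root.
# Set DRY_RUN=1 to print the commands instead of executing them.

# Inbound TCP ports to allow. 22 is SSH: losing it on a remote VPS means lockout.
ALLOWED_TCP_PORTS="22 80 443"

# Emit the commands that build the INPUT chain, one per line, in order.
firewall_commands() {
    # 1. loopback: the machine must keep talking to itself
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # 2. replies to connections this host started (my addition, not in the video);
    #    without it a DROP policy also drops the return traffic of outbound connections
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 3. one ACCEPT per service port
    for p in $ALLOWED_TCP_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # 4. only after SSH is allowed does the default policy become DROP
    echo "iptables -P INPUT DROP"
}

# Commands that undo the rule set WITHOUT locking you out: the policy goes
# back to ACCEPT before the rules are flushed, because `iptables --flush`
# on its own removes the ACCEPT rules but keeps the DROP policy.
safe_flush_commands() {
    echo "iptables -P INPUT ACCEPT"
    echo "iptables --flush INPUT"
}

# Run a command list read from stdin, or just print it when DRY_RUN is set.
run_commands() {
    while IFS= read -r cmd; do
        if [ -n "${DRY_RUN:-}" ]; then
            echo "$cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        fi
    done
}

# Pre-flight check: succeeds (exit 0) only if a command list read from stdin
# contains an ACCEPT for TCP port 22 that appears BEFORE the DROP policy.
ssh_allowed_before_drop() {
    awk '
        /--dport 22 / && /ACCEPT/ { ssh = NR }
        /-P INPUT DROP/           { drop = NR }
        END { exit !(ssh > 0 && drop > 0 && ssh < drop) }
    '
}

# Entry point: "apply" builds the chain after the check passes, "undo" tears it
# down safely, no argument only defines the functions (safe to source).
case "${1:-}" in
    apply) firewall_commands | ssh_allowed_before_drop && firewall_commands | run_commands ;;
    undo)  safe_flush_commands | run_commands ;;
    *)     ;;
esac
```

`DRY_RUN=1 sh firewall.sh apply` prints the six commands in the order they would run; `sh firewall.sh apply` as root executes them, and `sh firewall.sh undo` removes them without the lockout. When reading the result back, `iptables -L -n -v` adds the interface columns that the plain `-L` listing in the video leaves out, and `iptables -L -n --line-numbers` shows the 1-based index that `iptables -D INPUT <n>` expects.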
But iptables is a very important skill set to kind of get a grip on; at least have very fundamental knowledge like what I've shown you here.
Otherwise, you might end up having your database open for external connections or something really dumb like that, and someone might mess with you.
So anyway, thanks for watching MacHeads101. Subscribe, and goodbye!