
Using `iptables` on Linux


6m read
·Nov 3, 2024

Hey guys, this is Matt from MacHeads101, and today I'm going to be showing you something that has more to do with Linux and servers than it does with Mac.

But this will be really useful if you host your own website, or you have a home server, or even if you're looking to just secure your own Linux machine.

So in this video, I'm going to be using SSH, which means connecting remotely through the terminal to my server. This is the server that's hosting MacHeads101.com and my personal website, and it's running Linux.

So this stuff I'm going to show you in this video doesn't actually work on Mac out of the box, but it's very useful for Linux, and I figured I might as well show you guys how to use it.

The tool we're going to be talking about is called `iptables`. iptables essentially filters all incoming and outgoing network traffic; it's a firewall.

So when someone tries to connect to you, it looks at the rules you've set up, and if there is a rule that allows that traffic, it'll allow it; otherwise, it'll block the connection.

So this is super useful for a server if you have stuff running and listening on ports that you don't want people to get access to, or anything like that.

So let's go ahead, and I'm going to show you how to list all the rules you currently have set up with iptables, which by default will be none.

You can use `iptables -L` (capital L) to list rules, and I suggest also using `-n` (lowercase), because that prevents it from doing reverse DNS lookups, which makes it a lot faster if you have a lot of rules, and the output looks cleaner.

Right here, you see it says "Chain INPUT" followed by some table headings, then "Chain FORWARD" with its headings, then "Chain OUTPUT" with its headings, but there are no actual entries. These are just table headings.

This is because I don't have iptables configured with anything right now.

Now, the way iptables works is that there are different chains that traffic goes through. When it receives a packet from a remote host, it hands that packet to the INPUT chain.

It checks the first rule you have set, and if that doesn't match, it checks the second rule, and so on. It goes all the way down, and if the packet doesn't match any rules, it just applies the chain's policy, which right now is set to ACCEPT, because it's set up to let all traffic through.

So right now, I'm going to add a rule which allows any incoming traffic from localhost. Obviously, once we set the policy to DROP, you still want this machine to be able to talk to itself over the network. That'll be very important.

So I'm going to go ahead and type `iptables -A INPUT -i lo -j ACCEPT`.

`-A` means append; it adds the rule to the end of the chain that you specify. INPUT is the chain we're adding this rule to. `-i` specifies the interface, which is `lo`, because we want only the local interface to be affected by this rule, and `-j` is the target of this rule, and we want it to accept all traffic.

So I'll hit enter, and now I'll list again, and you see here's the one rule that we've added. It says ACCEPT and it says all. It doesn't show the interface that we set this for, but that's just because the list doesn't display it. It does know that the interface is localhost.

So now that we've set up this rule, which is pretty much useless right now because the chain already accepts all traffic, let's go ahead and add one more rule to accept all traffic for, let's say, SSH.

So: `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`.

And what will this do? Well, it'll append a rule just like our last command to the input chain.

`-p` specifies the protocol we want to allow; we want to allow TCP connections, which is what SSH uses. `--dport` is the destination port of the connection. For an incoming connection, the destination port is the port on the server that we're allowing it on, which is 22, the SSH port. `-j ACCEPT` is once again our action to accept.

If I list again, you see here's our new ACCEPT rule for TCP, and it will allow TCP to destination port 22 from any host. Now that's important, and if you forget to add this, you'll be screwed over, because if you're doing this on an external server that you don't have physical access to, your only way of connecting to it is through SSH.

If you suddenly block SSH, you're basically in a lot of trouble. Now luckily, my VPS actually has an online web console where you can connect to it without any network access. Even if you set up a firewall, you can still use a console with my provider, but with a lot of providers, that probably isn't an option.

So anyway, I'm going to go ahead and add a couple more rules just to show you how I actually set up my firewall. I'm going to accept port 80, which is HTTP; 443, which is HTTPS; and I'll also throw in 13370 because that's the port for our last MacHeads101 contest.

Let me see if there's anything else I'm forgetting. I don't think there is, probably.

So I'm going to go ahead and do `iptables -P INPUT DROP`. This sets the policy for INPUT to DROP.

And now if I list again, you can see: accept, accept, accept, accept, accept, and then the policy is DROP. So if none of these rules match, which they very well might not, it'll just drop the traffic, which means that if I have some server running on some other port, I can't connect to it anymore.

I won't be able to connect to that server, which is very, very useful.

Now, let's say I want to delete a rule. Let's say I want to delete this last one, because I don't actually want to allow the MacHeads contest.

Actually, I'll show this in action. I'll open up Chrome, go to MacHeads101.com on port 13370, and open it up there.

And now, I'm going to go ahead and do `iptables -D INPUT 5`: `-D` for delete, then the chain, and then the index. So this is 1, this is 2, this is 3, this is 4, this is 5. Indexes start at 1, by the way.

And now if I list again, you see it's gone. I refresh the page, and what do you know? It's not loading. If I go back and re-add this rule, it'll load immediately.

So that is just a taste of iptables. It is really neat, really useful. One last thing I'm going to mention, which you should probably be well aware of, is that `iptables --flush` will delete all the rules.

Now I'm not going to hit enter, and there's a very good reason I'm not going to hit enter there: that will delete all the rules, but it won't change the policy.

So if I did that (which I did right before making this video, and I screwed myself over and locked myself out of my VPS), it would delete all these ACCEPT rules we have, so it won't allow any connections anymore, and it'll keep the policy as DROP.

So all the traffic will suddenly be dropped, and I'll get disconnected from SSH and all that good stuff. So `iptables --flush` is a very dangerous thing in general.

It's dangerous to have your policy set to DROP if your only way of connecting is SSH, so I'd be pretty careful with that.
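The rule set built above, plus the flush problem just described, as an added example (my script, not the video's own commands). It assumes the same ports as the video (22, 80, 443), adds one rule the video does not mention (accepting replies to connections the host itself opened, which the DROP policy would otherwise discard), refuses to set the DROP policy unless port 22 is in the allow list, and defaults to a dry run that prints each command instead of executing it.

```shell
#!/bin/sh
# Added example: builds the INPUT chain from the video in a lock-out-safe order.
# DRY_RUN=1 (default) prints each iptables command instead of running it, so the
# rule set can be reviewed without root; DRY_RUN=0 applies it for real.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Ports assumed from the video: SSH, HTTP, HTTPS. Edit for your own host.
ALLOW_TCP="22 80 443"

apply_firewall() {
    # 1. loopback first, so the host can still talk to itself once the policy is DROP
    run iptables -A INPUT -i lo -j ACCEPT
    # 2. replies to connections this host opened (assumption beyond the video: without
    #    this, a DROP policy also discards the responses to the host's own outbound traffic)
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. one ACCEPT rule per service port, appended in list order
    for port in $ALLOW_TCP; do
        run iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
    # 4. only now the default policy, and only if SSH is among the allowed ports
    case " $ALLOW_TCP " in
        *" 22 "*) run iptables -P INPUT DROP ;;
        *) echo "refusing to set INPUT DROP: port 22 is not in ALLOW_TCP" >&2; return 1 ;;
    esac
}

# Safe counterpart to a bare 'iptables --flush': reset the policy to ACCEPT first,
# because --flush removes the ACCEPT rules but leaves the DROP policy in place.
safe_flush() {
    run iptables -P INPUT ACCEPT
    run iptables -F INPUT
}

# Usage: sh firewall.sh apply | sh firewall.sh flush   (prefix DRY_RUN=0 to execute)
case "${1:-}" in
    apply) apply_firewall ;;
    flush) safe_flush ;;
esac
```

Listing with `iptables -L -n -v` also shows the interface column that the plain `-L` output in the video leaves out.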

But iptables is a very important skill set to get a grip on; at least have the fundamental knowledge I've shown you here.

Otherwise, you might end up having your database open to external connections, or something really dumb like that, and someone might mess with you.

So anyway, thanks for watching MacHeads101. Subscribe, and goodbye!
