
Using `iptables` on Linux


Nov 3, 2024

Hey guys, this is Matt from MacHeads101, and today I'm going to be showing you something that's more to do with Linux and servers than it is to do with Mac.

But this will be really useful if you host your own website, or you have a home server, or even if you're looking to just secure your own Linux machine.

So in this video, I'm going to be using SSH, which means connecting remotely through terminal to my server. This is the server that's hosting MacHeads101.com. It's hosting my personal website and all of that, and it's running Linux.

So this stuff I'm going to show you in this video doesn't actually work on Mac out of the box, but it's very useful for Linux, and I figured I might as well show you guys how to use it.

The tool we're going to be talking about is called `iptables`. iptables essentially filters all incoming and outgoing network traffic; it's a firewall.

So when someone tries to connect to you, it looks at the rules you've set up for it, and if there is a rule that allows that data, it'll allow it; otherwise, it'll block the connection, basically.

So this is super useful for a server if you have stuff running and listening on ports that you don't want people to get access to, or anything like that.

So let's go ahead, and I'm going to show you how to list all the rules you currently have set up with iptables, which by default will be none.

You can use `iptables -L` (capital L) to list the rules, and I suggest also adding `-n` (lowercase) because that prevents reverse DNS lookups, which makes it a lot faster if you have a lot of rules, and the output looks cleaner.

Right here, you see it says "Chain INPUT" followed by some table headings, then "Chain FORWARD" with its table headings, then "Chain OUTPUT" with its table headings, but there are no actual entries; these are just the table headings.

This is because I don't have iptables configured with anything right now.

Now, the way iptables works is that there are different chains traffic goes through. When the machine receives a packet from a remote host, it hands that packet to the INPUT chain.

It checks the first rule you have set, and if that doesn't match, it checks the second rule, and so on all the way down. If the packet doesn't match any rule, the chain's policy decides, and right now the policy is ACCEPT because the chain is set up to let all traffic through.
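To make the first-match-then-policy walk concrete, here is an added example (not from the video) that models an INPUT chain in plain POSIX shell. The rule table, the packet fields and the `eth0` interface name are constructed for the demo; nothing calls the real `iptables`, so it runs without root. It also shows the two ways the walk can stop accepting SSH: an empty chain with a DROP policy, and a DROP rule that sits earlier than the ACCEPT rule.

```shell
#!/bin/sh
# Added example (not from the video): a pure-shell model of how the INPUT
# chain is walked. Rules live in a text table, one per line:
#   <iface> <proto> <dport> <target>      ("any" is a wildcard)
# The walk stops at the first matching rule; if no rule matches, the chain
# policy decides. Nothing here calls the real iptables, so no root is needed.

# Constructed ruleset, in the same order the video appends its rules.
RULES='lo any any ACCEPT
any tcp 22 ACCEPT
any tcp 80 ACCEPT
any tcp 443 ACCEPT
any tcp 13370 ACCEPT'

# match_field WANT GOT -> succeeds when WANT is "any" or equals GOT
match_field() {
    [ "$1" = "any" ] || [ "$1" = "$2" ]
}

# verdict IFACE PROTO DPORT POLICY [RULES] -> prints the target applied to a
# packet arriving on IFACE with protocol PROTO and destination port DPORT.
# RULES defaults to $RULES; pass "" to model a flushed chain.
verdict() {
    pkt_iface=$1; pkt_proto=$2; pkt_dport=$3; result=$4
    while read -r r_iface r_proto r_dport r_target; do
        [ -n "$r_target" ] || continue        # skip blank lines
        if match_field "$r_iface" "$pkt_iface" &&
           match_field "$r_proto" "$pkt_proto" &&
           match_field "$r_dport" "$pkt_dport"; then
            result=$r_target                   # first match wins
            break
        fi
    done <<EOF
${5-$RULES}
EOF
    printf '%s\n' "$result"
}

# ssh_reachable POLICY [RULES] -> succeeds when a TCP/22 packet on a
# non-loopback interface (eth0 assumed) would still be accepted. This is the
# check to run before switching the policy to DROP.
ssh_reachable() {
    [ "$(verdict eth0 tcp 22 "$1" "${2-$RULES}")" = ACCEPT ]
}

# Demo: the video's chain under policy DROP, then the two ways to lose SSH.
printf 'ssh under DROP policy:         %s\n' "$(verdict eth0 tcp 22 DROP)"
printf 'mysql under DROP policy:       %s\n' "$(verdict eth0 tcp 3306 DROP)"
printf 'ssh after --flush, DROP kept:  %s\n' "$(verdict eth0 tcp 22 DROP "")"
printf 'ssh with an earlier DROP rule: %s\n' \
    "$(verdict eth0 tcp 22 DROP "any tcp 22 DROP
$RULES")"
```

The loopback rule matches everything on `lo`, so a packet to port 3306 on `lo` is accepted while the same packet on `eth0` falls through to the policy; that is exactly why the video adds the `lo` rule before changing the policy.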

So right now, I'm going to add a rule which allows any incoming traffic from localhost. Obviously, you want this machine to be able to talk to itself over the network; once we set the policy to DROP, that'll be very important.

So I'm going to go ahead and type `iptables -A INPUT -i lo -j ACCEPT`.

`-A` means append: it adds the rule to the end of the chain you specify. INPUT is the chain we're adding this rule to. `-i` specifies the interface, which is `lo`, because we want only the loopback interface to be affected by this rule, and `-j` is the target of the rule; we want it to accept all traffic.

So I'll hit enter, and now I'll list again, and you see here's the one rule we've added. It says ACCEPT and it says all. It doesn't show the interface we set this for, but that's just because the plain list doesn't display it (adding `-v` to the list command shows the interface columns). It does know that the interface is localhost.

So now that we've set up this rule, which is pretty much useless right now because the chain already accepts all traffic, let's go ahead and add one more rule to accept all traffic to, let's say, SSH.

So, `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`.

And what will this do? Well, it'll append a rule just like our last command to the input chain.

`-p` specifies the protocol we want to allow; we want to allow TCP connections, which is what SSH uses. `--dport` is the destination port of the connection, which, for an incoming connection, is the port on the server that we allow it on: 22. That's the SSH port, and `-j ACCEPT` is once again our action to accept.

If I list again, you see here's our new ACCEPT rule for TCP, and it will allow TCP to destination port 22 from any host. Now that's important, and if you forget to add this, you'll be screwed over, because if you're doing this on an external server that you don't have physical access to, your only way of connecting to it is through SSH.

If you suddenly block SSH, you're basically in a lot of trouble. Now luckily, my VPS actually has an online web console where you can connect to it without any network; even with a firewall set, you can still use the console with my provider, but with a lot of providers that probably isn't an option.

So anyway, I'm going to go ahead and add a couple more rules just to show you how I actually set up my firewall. I'm going to accept port 80, which is HTTP; 443, which is HTTPS; and I'll also throw in 13370 because that's the port for our last MacHeads101 contest.

Let me see if there's anything else I'm forgetting. I don't think there is, probably.

So I'm going to go ahead and do `iptables -P INPUT DROP`. This sets the policy of the INPUT chain to DROP.

And now if I list, you can see: ACCEPT, ACCEPT, ACCEPT, ACCEPT, ACCEPT, and then the policy is DROP. So if none of these rules match, which may well happen, it'll just drop the traffic, which means that if I have some other server running on some different port, I won't be able to connect to it. That is very, very useful.

Now, let's say I want to delete a rule. Let's say I want to delete this last one because I don't actually want to allow the MacHeads contest.

Actually, I'll show this in action. I'll open up Chrome and go to MacHeads101.com on port 13370, and I'll open it up there.

And now I'm going to go ahead and do `iptables -D INPUT 5`: `-D` for delete, the chain, and then the index. So this is 1, this is 2, this is 3, this is 4, this is 5. Indexes start at 1, by the way.

And now if I list again, you see it's gone. I refresh the page, and what do you know? It's not loading. If I go back and re-add this rule, it loads immediately.

So that is just a taste of iptables. It is really neat, really useful. One last thing I'm going to mention, which you should probably be well aware of, is that `iptables --flush` will delete all the rules.

Now I'm not going to hit enter, and there's a very good reason: that will delete all the rules, but it won't change the policy.

So if I did that (which I did right before making this video, and screwed myself over and locked myself out of my VPS), it would delete all these ACCEPT rules we have, so it won't allow any connections anymore, and it'll keep the policy as DROP.

So all the traffic will suddenly be dropped, and I'll get disconnected from SSH and all that good stuff. So `iptables --flush` is a very dangerous thing in general.

It's dangerous to have your policy set to DROP if your only way of connecting is SSH, so I'd be pretty careful with that.
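Here is an added example (not a script from the video) that puts the whole procedure above into a small POSIX shell script in the order that avoids the lockout: loopback and SSH rules first, the DROP policy last, and a flush wrapper that restores the ACCEPT policy before removing rules. The `IPTABLES`, `SSH_PORT` and `TCP_PORTS` variables are assumptions for the demo; the port list is the video's own. The `conntrack` rule is an assumed addition that the video's rule set does not have, and it goes beyond the text: without it, once the policy is DROP the server also loses the replies to connections it opens itself.

```shell
#!/bin/sh
# Added example, not a script from the video: builds the INPUT chain the
# video builds, but in an order that cannot lock you out, and wraps --flush
# so it never leaves a DROP policy behind with no ACCEPT rules.
# IPTABLES can be pointed at another command (e.g. IPTABLES=echo) to preview
# the commands without root; the real binary is only used when it is unset.
set -eu
IPTABLES=${IPTABLES:-iptables}
SSH_PORT=${SSH_PORT:-22}
# Assumed service ports, taken from the video's own rule set.
TCP_PORTS="80 443 13370"

# allow_tcp PORT -> append an ACCEPT rule for inbound TCP to PORT
allow_tcp() {
    "$IPTABLES" -A INPUT -p tcp --dport "$1" -j ACCEPT
}

# setup_input -> loopback first, SSH before anything else, policy last
setup_input() {
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # Assumed addition not present in the video's rule set: keep packets that
    # belong to connections this host opened itself (DNS answers, package
    # downloads). Without it, a DROP policy also breaks outbound traffic.
    "$IPTABLES" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    allow_tcp "$SSH_PORT"
    for p in $TCP_PORTS; do
        allow_tcp "$p"
    done
    # Only now, with the SSH rule in place, is the default verdict changed.
    "$IPTABLES" -P INPUT DROP
}

# safe_flush -> the fix for the lockout described in the video: restore the
# ACCEPT policy *before* the rules are removed, never after.
safe_flush() {
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -F INPUT
}

# drop_tcp PORT -> delete a rule by its specification rather than by index.
# Indexes renumber after every deletion, so "-D INPUT 5" removes a different
# rule the second time it is run; the spec form always removes the same one.
drop_tcp() {
    "$IPTABLES" -D INPUT -p tcp --dport "$1" -j ACCEPT
}

# Usage: sh fw.sh setup | flush | drop PORT   (prefix with IPTABLES=echo to preview)
case "${1-}" in
    setup) setup_input ;;
    flush) safe_flush ;;
    drop)  drop_tcp "$2" ;;
esac
```

Running `IPTABLES=echo sh fw.sh setup` prints the seven commands in order without touching the kernel, which is a cheap way to review a ruleset before applying it over the only SSH session you have.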

But iptables is a very important skill set to get a grip on; at least have the fundamental knowledge I've shown you here.

Otherwise, you might end up having your database open for external connections or something really dumb like that, and someone might mess with you.

So anyway, thanks for watching MacHeads101. Subscribe, and goodbye!
