
Using `iptables` on Linux


Nov 3, 2024

Hey guys, this is Matt from Kids 101, and today I'm going to be showing you something that's more to do with Linux and servers than it is to do with Mac.

But this will be really useful if you host your own website, or you have a home server, or even if you're looking to just secure your own Linux machine.

So in this video, I'm going to be using SSH, which means connecting remotely through terminal to my server. This is the server that's hosting MacHeads101.com. It's hosting my personal website and all of that, and it's running Linux.

So this stuff I'm going to show you in this video doesn't actually work on Mac out of the box, but it's very useful for Linux, and I figured I might as well show you guys how to use it.

The tool we're going to be talking about is called iptables, spelled like that. iptables essentially filters all incoming and outgoing network traffic; it's a firewall.

So when someone tries to connect to you, it looks at the rules you've set up for it, and if there is a rule that allows that data, it'll allow it; otherwise, it'll block the connection, basically.

So this is super useful for a server if you have stuff running and listening on ports that you don't want people to get access to, or anything like that.

So let's go ahead, and I'm going to show you how to list all the current rules you have set up with iptables, which by default will be none.

You can use iptables -L (capital L) to list rules, and I suggest also using -n (lowercase), because that prevents it from doing reverse DNS lookups, which makes it a lot faster if you have a lot of rules, and it looks prettier.

Right here, you see it says "Chain INPUT" followed by some table headings, then "Chain FORWARD" with its table headings, then "Chain OUTPUT" with its table headings, but there are no actual entries under any of them. These are just table headings.

This is because I don't have iptables configured with anything right now.

Now, the way iptables works is that there are different chains that traffic goes through. When it gets a packet from a remote host, it hands that packet to the INPUT chain.

It'll check the first rule you have set, and if that doesn't match, it'll check the second rule, and so on. It goes all the way down, and if the packet doesn't match any rule, it just applies the policy, which right now is set to ACCEPT because it's set up to let all traffic through.

So right now, I'm going to add a rule which allows any incoming traffic from localhost. Obviously, you want this machine to be able to talk to itself over the network, and once we set the policy to DROP, that'll be very important.

So I'm going to go ahead and type iptables -A INPUT -i lo -j ACCEPT.

So -A means append: it adds the rule to the end of the chain you specify. INPUT is the chain we're adding this rule to. -i specifies the interface, which is lo, because we want only the loopback interface to be affected by this rule, and -j is the target of this rule; we want it to accept all traffic.

So I'll hit enter, and now I'll do our list again, and you see here's the one rule we've added. It says ACCEPT and it says all. It doesn't show the interface we set this for, but that's just because the plain list doesn't display that column. It does know that the interface is localhost.

So now that we've set up this rule, which is pretty much useless right now because the policy already accepts all traffic, let's go ahead and add one more rule to accept all traffic for, let's say, SSH.

So, iptables -A INPUT -p tcp --dport 22 -j ACCEPT.

And what will this do? Well, it'll append a rule just like our last command to the input chain.

-p specifies the protocol we want to allow; we want to allow TCP connections, which is what SSH uses. --dport is the destination port of the connection. For an incoming connection, the destination port is the port on the server that we're allowing it on, which is 22, the SSH port. And -j ACCEPT is once again our action: accept.

If I list again, you see here's our new ACCEPT rule for TCP, and it will allow TCP to destination port 22 from any host. Now that's important, and if you forget to add this, you'll be screwed over, because if you're doing this on an external server that you don't have physical access to, your only way of connecting to it is through SSH.

If you suddenly block SSH, you're basically in a lot of trouble. Now luckily, my VPS actually has an online web console where you can connect to it without any network. You know, even if you set a firewall, you can still use a console with my provider, but with a lot of providers, that probably isn't an option.

So anyway, I'm going to go ahead and add a couple more rules just to show you how I actually set up my firewall. I'm going to accept port 80, which is HTTP; 443, which is HTTPS; and I'll also throw in 13370 because that's the port for our last MacHeads101 contest.

Let me see if there's anything else I'm forgetting. I don't think there is, probably.

So I'm going to go ahead and do iptables -P INPUT DROP. This sets the policy for INPUT to DROP.

And we go ahead, and now if I do the list, you can see here we go: ACCEPT, ACCEPT, ACCEPT, ACCEPT, ACCEPT, and then the policy is DROP. So if none of these rules match, which they very well might not, it'll just drop the traffic, which means now I can't connect to my site if I have some server running on some different port.

I won't be able to connect to that server, which is very, very useful.
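Here is an added example (not the video's own commands) that builds the INPUT chain in the order just shown, but refuses to set the DROP policy unless the loopback and SSH ACCEPT rules are verified to be in place. It also adds one rule the video leaves out, for return traffic of connections the server itself starts; the open ports 22, 80 and 443 and the `iptables -L -n -v` listing layout are assumptions.

```sh
#!/bin/sh
# Added example (not the video's own script): build the INPUT chain in the order
# shown above, but only switch the policy to DROP after checking that the loopback
# and SSH ACCEPT rules are really present. Commands are printed by default; set
# APPLY=1 to run them for real (needs root). Assumed open services: 22, 80, 443.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# The rules from the video, plus one it leaves out: accept return traffic for
# connections this host started (DNS answers, package downloads). Without it,
# that traffic hits the DROP policy too, because it arrives on INPUT.
add_rules() {
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in 22 80 443; do
        run iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
    done
}

# Takes `iptables -L INPUT -n -v` output (-v adds the in/out interface columns
# that plain -L hides). Succeeds only if an ACCEPT on interface lo and an
# ACCEPT for tcp dpt:22 both exist. Columns: pkts bytes target prot opt in out ...
lockout_safe() {
    printf '%s\n' "$1" | awk '$3=="ACCEPT" && $6=="lo" {lo=1}
        $3=="ACCEPT" && /tcp dpt:22/ {ssh=1} END {exit !(lo && ssh)}'
}

set_policy_drop() {
    if lockout_safe "$1"; then
        run iptables -P INPUT DROP
    else
        echo "refusing to set INPUT DROP: lo or SSH ACCEPT rule missing" >&2
        return 1
    fi
}

# Constructed listing in the `-L -n -v` layout, used for the dry run below.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

add_rules
if [ "${APPLY:-0}" = "1" ]; then listing=$(iptables -L INPUT -n -v); else listing=$SAMPLE_LISTING; fi
set_policy_drop "$listing"
```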

Now, let's say I want to delete a rule. Let's say I want to delete this last one because I don't actually want to allow the MacHeads contest.

Actually, I'll show this in action. I'll open up Chrome, go to MacHeads101.com on port 13370, and open it up there.

And now, I'm going to go ahead and do iptables -D INPUT 5: -D for delete, then the chain, and then the index. So this is 1, this is 2, this is 3, this is 4, this is 5. Indexes start at 1, by the way.

And now if I do a list again, you see it's gone. I refresh the page, and what do you know? It's not loading. If I go back and re-add this rule, it'll load immediately.

So that is just a taste of iptables. It is really neat, really useful. One last thing I'm going to mention, which you should probably be well aware of, is that iptables --flush will delete all the rules.

Now I'm not going to hit enter, and there's a very good reason for that: it will delete all the rules, but it won't change the policy.

So if I did that (which I did right before making this video, and I screwed myself over and locked myself out of my VPS), it would delete all these accept rules we have, so it wouldn't allow any connections anymore, and it would keep the policy as DROP.

So all the traffic will suddenly be dropped, and I'll get disconnected from SSH and all that good stuff. So iptables --flush is a very dangerous thing in general.

It's dangerous to have your policy set to DROP if your only way of connecting is SSH, so I'd be pretty careful with that.
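The lockout described above happens because --flush removes the rules but leaves the INPUT policy at DROP. The added helper below (not from the video) does the reset in the safe order: policies back to ACCEPT first, then flush; like the earlier example it prints the commands unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example (not the video's own commands): a flush that cannot lock you
# out. `iptables --flush` (-F) deletes the ACCEPT rules but keeps the INPUT
# policy at DROP, so the policy must be reset to ACCEPT before the rules go.
# Prints the commands by default; APPLY=1 executes them (needs root).

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

safe_flush() {
    # Step 1: every built-in chain back to ACCEPT, INPUT first, so that
    # removing the SSH rule in step 2 can no longer cut the session off.
    for chain in INPUT FORWARD OUTPUT; do
        run iptables -P "$chain" ACCEPT
    done
    # Step 2: now the rules can go; the chains fall through to ACCEPT.
    run iptables -F
}

safe_flush
```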

But iptables is a very important skill set to get a grip on; at least have the very fundamental knowledge like what I've shown you here.

Otherwise, you might end up having your database open for external connections or something really dumb like that, and someone might mess with you.

So anyway, thanks for watching MacHeads101. Subscribe, and goodbye!
