How to make iptable rules in Arch Linux?

This tutorial is for beginners who want to learn iptables (the Linux firewall system) and use it on Arch. I am Shantanu Sharma. Welcome to my blog. Let’s start!

On a freshly installed Arch system, iptables is available as a systemd service.

First, check whether it is active by running: sudo systemctl status iptables

You will see output like this:

[shansharma@no3 ~]$ sudo systemctl status iptables
● iptables.service - Packet Filtering Framework
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Apr 22 18:44:42 no3 systemd[1]: Starting Packet Filtering Framework...
Apr 22 18:44:43 no3 systemd[1]: Started Packet Filtering Framework.
Apr 22 19:15:32 no3 systemd[1]: Stopping Packet Filtering Framework...
Apr 22 19:15:32 no3 iptables-flush[1300]: /usr/sbin/iptables
Apr 22 19:15:32 no3 systemd[1]: Stopped Packet Filtering Framework.

To start the iptables service, run: sudo systemctl start iptables. That only starts it for the current session; to have it start automatically after a reboot, also run: sudo systemctl enable iptables. After running both commands (start and enable), you will see something like this:

[shansharma@no3 ~]$ sudo systemctl status iptables
● iptables.service - Packet Filtering Framework
   Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sat 2017-04-22 19:18:56 IST; 1min 30s ago
 Main PID: 1366 (code=exited, status=0/SUCCESS)

Apr 22 19:18:56 no3 systemd[1]: Starting Packet Filtering Framework...
Apr 22 19:18:56 no3 systemd[1]: Started Packet Filtering Framework.

The status now shows active, and the Loaded line shows enabled, which means iptables will be loaded every time you start your PC. Now, let’s learn some rules:

To flush all rules (for example, if you already have some rules in place), run:

sudo iptables --flush # this command clears all existing rules.

Now let’s set the default policies. The firewall has three default policies: one each for incoming packets (INPUT), outgoing packets (OUTPUT) and forwarded packets (FORWARD; forwarding is used when the system acts as a router, more on that later). To set the default policy for all three, run:

sudo iptables --policy INPUT DROP

sudo iptables --policy OUTPUT DROP

sudo iptables --policy FORWARD DROP

Now that the default policies are set, any packet that does not match one of our rules (which we will write next) falls through to the default policy and is dropped. This gives the system a baseline of safety.

Now, let’s make some rules for INPUT:

sudo iptables --append INPUT --in-interface lo --jump ACCEPT

The above command appends a rule to the INPUT chain that accepts packets arriving on the loopback interface, so that local services keep working. We also need a rule for outgoing packets on the loopback interface:

sudo iptables --append OUTPUT --out-interface lo --jump ACCEPT

Now let’s make some rules to talk to the outside world.

sudo iptables --append OUTPUT --match state --state NEW,ESTABLISHED --jump ACCEPT

sudo iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

Here we first appended a rule to the OUTPUT chain that matches packets belonging to new or established connections and lets them out, so that we can send packets (that is, initiate connections to the outside world).

The second rule tells the INPUT chain to let in only packets that belong to an established or related connection, not a new one. This means we can initiate connections, but nobody on the other side of the world can initiate one to us. Overall, it’s a security measure.

The last step is to save our rules somewhere, so that we don’t have to type them again and again. Put all the commands in a text file and save it as something like firewall.sh.

Now add this line at the end of the file:

sudo iptables-save | sudo tee /etc/iptables/iptables.rules

The above line says: save the iptables rules, then use the pipe operator to send the result to the tee command, which reads from standard input and writes to standard output and to a file. Here it writes the rules into the /etc/iptables directory under the name iptables.rules, which makes it easy for the system to reload the rules when we reboot.

Finally, your script file ‘firewall.sh’ will look like this:

#!/bin/bash
# don't forget the shebang line at the top of the script (it must stand alone on the first line)

# start from a clean slate
sudo iptables --flush

# default policies: drop anything no rule explicitly accepts
sudo iptables --policy INPUT DROP
sudo iptables --policy OUTPUT DROP
sudo iptables --policy FORWARD DROP

# loopback traffic in both directions
sudo iptables --append INPUT --in-interface lo --jump ACCEPT
sudo iptables --append OUTPUT --out-interface lo --jump ACCEPT

# we may open connections; only replies to them may come back in
sudo iptables --append OUTPUT --match state --state NEW,ESTABLISHED --jump ACCEPT
sudo iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

# persist the rules for the iptables service
sudo iptables-save | sudo tee /etc/iptables/iptables.rules

Now change the permissions to make it executable: sudo chmod u+x firewall.sh

and run it: ./firewall.sh
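The script above applies its rules one command at a time, so for a moment the policies are DROP while no ACCEPT rule exists yet. The same ruleset can instead be written in the format that iptables-save produces and loaded with iptables-restore, which installs the whole filter table in a single commit. The following is an added example, not code from the original post; it assumes the /etc/iptables/iptables.rules path used above and an installed iptables-restore, and the function names gen_rules, count_rules, check_state_lists and apply_rules are my own.

```shell
#!/bin/bash
# Added example: emit the post's ruleset in iptables-save format and load it
# atomically. Assumes /etc/iptables/iptables.rules (as in the post) and that
# iptables-restore is installed.

# Print the ruleset. ":CHAIN POLICY [0:0]" is how iptables-save records a
# chain's default policy; "-A" lines are the rules in order.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Count the "-A" rule lines in the ruleset read from stdin.
count_rules() {
    grep -c '^-A '
}

# Fail if any --state list has whitespace after a comma: iptables would then
# treat the rest of the list as a separate, unknown argument.
check_state_lists() {
    ! grep -q -- '--state [A-Z,]*,[[:space:]]'
}

# Write the ruleset to the rules file and load it. "--test" parses the file
# without touching the kernel tables, so a typo never leaves the system
# half-configured; only a file that parses cleanly is committed.
apply_rules() {
    file="${1:-/etc/iptables/iptables.rules}"
    gen_rules > "$file" || return 1
    iptables-restore --test "$file" || return 1
    iptables-restore "$file"
}
```

Run `sudo bash -c '. ./rules.sh; apply_rules'` (assuming you saved the block as rules.sh) to write the file and load it; the iptables service then reloads the same file on the next boot, exactly as the post's tee line intends.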


Want to check which rules are currently in force? Run this command:

sudo iptables --list --verbose

You will get output like this:

# first of all, rules for INPUT

Chain INPUT (policy DROP 3 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  416K ACCEPT     all  --  lo     any     anywhere             anywhere
 7488 5268K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED

# then FORWARD rules, which will be blank
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

# and then OUTPUT rules
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  416K ACCEPT     all  --  any    lo      anywhere             anywhere
 7257  867K ACCEPT     all  --  any    any     anywhere             anywhere             state NEW,ESTABLISHED
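Reading this listing by eye is fine on one machine, but the same check can be scripted: pull each chain's policy and rule count out of the `iptables --list --verbose` output and fail if any chain is not at its default-deny policy. The following is an added example, not part of the original post; the listing in SAMPLE_LISTING is a constructed copy of the output above, and the function names chain_policy, policy_drops, rule_count and audit_default_deny are my own.

```shell
#!/bin/bash
# Added example: small audit helpers over `iptables --list --verbose` output.
# Feed them real output with: sudo iptables --list --verbose | chain_policy INPUT

# Constructed sample listing, mirroring the post's output.
SAMPLE_LISTING='Chain INPUT (policy DROP 3 packets, 156 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  416K ACCEPT     all  --  lo     any     anywhere             anywhere
 7488 5268K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   97  416K ACCEPT     all  --  any    lo      anywhere             anywhere
 7257  867K ACCEPT     all  --  any    any     anywhere             anywhere             state NEW,ESTABLISHED'

# Print the default policy of chain $1 (e.g. DROP) from the listing on stdin.
# Header line fields: Chain INPUT (policy DROP 3 packets, 156 bytes)
chain_policy() {
    awk -v chain="$1" '$1 == "Chain" && $2 == chain { print $4 }'
}

# Print how many packets chain $1 has dropped by falling through to its policy.
policy_drops() {
    awk -v chain="$1" '$1 == "Chain" && $2 == chain { print $5 }'
}

# Count the rule lines belonging to chain $1 (header and column line excluded).
rule_count() {
    awk -v chain="$1" '
        $1 == "Chain"            { in_chain = ($2 == chain); next }
        in_chain && $1 == "pkts" { next }
        in_chain && NF > 0       { n++ }
        END                      { print n + 0 }'
}

# Succeed only if INPUT, FORWARD and OUTPUT all have a DROP policy,
# which is the default-deny posture the post sets up.
audit_default_deny() {
    listing=$(cat)
    for chain in INPUT FORWARD OUTPUT; do
        policy=$(printf '%s\n' "$listing" | chain_policy "$chain")
        if [ "$policy" != DROP ]; then
            echo "chain $chain policy is '$policy', expected DROP" >&2
            return 1
        fi
    done
    echo "all chains default to DROP"
}
```

Because the policy counters in the header line only count packets that matched no rule, a rising value for `policy_drops INPUT` is a cheap signal that something is knocking on the box and being refused, which is the behaviour the post's second INPUT rule is meant to guarantee.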

These were a few basics. Next time, I will update this post and add some more rules. Keep in touch!
