The most common firewall operation, in my opinion, is opening and closing ports on a network interface. A port is opened so that it can be reached from outside; it is closed to prevent outside hosts from establishing a connection to the program on your device that listens on that port.
Roughly speaking, a port is like an apartment number in an apartment building: a tenant may or may not live there. The IP address is the number of the building, which contains many apartments. The tenant is the program that uses that port number. The analogy fits the case we consider here: opening and closing access to programs on a single computer connected to the Internet.
How to close a port with iptables
To add a new rule (or a block of rules) to an iptables chain, use a command of the form:
sudo iptables [-t table] -A chain rule-specification
sudo iptables -t filter -A INPUT -p tcp -s 184.108.40.206 --sport 53 -d 192.168.1.1 -j DROP
Let us look at closing a port in detail. Note that the concept of a port belongs to the tcp and udp protocols, so the same port numbers are used by both protocols; in the language of our example they are different apartments in different buildings in different neighbourhoods, where the neighbourhood is the name of the protocol.
Note: there is a table of well-known port numbers assigned to popular software according to its function; the remaining ports can be used freely. Discussing that table is beyond the scope of this article. Back to the simple task of closing a single port.
1. One port
To close one port, use the following command:
sudo iptables [-t table] -A chain -p protocol [--sport port] [--dport port] -j action
sudo iptables -t filter -A INPUT -p tcp --dport 8081 -j DROP
Here we added to the INPUT chain of the filter table a rule that drops (DROP) tcp packets whose destination port is 8081. For every external machine trying to connect to this port, the port is now unreachable. To close the port only for a specific machine, use the following command:
sudo iptables -t filter -A INPUT -p tcp -s 10.0.0.1/32 --dport 8080 -j DROP
We have closed port 8080 on our computer to the external machine 10.0.0.1.
2. A range of ports
To close a range of ports, use the command:
sudo iptables [-t table] -A chain -p protocol [--sport first:last] [--dport first:last] -j action
sudo iptables -t filter -A INPUT -p tcp --dport 18070:18081 -j DROP
With this command we closed ports 18070 to 18081 for incoming tcp packets addressed to this computer.
3. Incoming and outgoing connections
All packets can be divided into two kinds: packets arriving at a node and packets sent by that node. Most commonly, outgoing and incoming packets use the same network interface (the physical or logical device that converts packets into signals and transmits them to the network).
So incoming packets create incoming connections, matched by rules for specific programs, and outgoing packets create outgoing connections, matched by rules for specific programs. Moreover, a program that establishes a connection through Netfilter usually produces traffic in both directions, incoming and outgoing, because it needs both to send and to receive data.
Rules for incoming connections are in most cases placed in the PREROUTING and INPUT chains. Rules for outgoing connections are in most cases placed in the POSTROUTING and OUTPUT chains.
To block a port in iptables for incoming connections:
sudo iptables -t filter -A INPUT -p tcp --dport 8080 -j DROP
Example for outgoing connections:
sudo iptables -t filter -A OUTPUT -p tcp --dport 8080 -j DROP
Note: the two rules look very similar, but their meaning is exactly the opposite. In the first case we are dealing with an INCOMING packet, which is to be delivered to destination port 8080 of OUR computer. In the second case we are dealing with an OUTGOING packet, which is to be delivered to destination port 8080 of the REMOTE computer. Note also that within a single connection the port number used by the program on our computer and the port number on the remote computer are not the same; the ports differ.
4. Connection status
Netfilter rules can also match packets against additional criteria. This is what the -m and -j options are for. Here we consider the -m option, which loads a match extension; many extensions exist, and we discuss one of them: --state state. The state can take the following values:
- NEW — the packet opens a new connection, or is otherwise associated with a connection that has not yet seen packets in both directions (incoming and outgoing);
- ESTABLISHED — the packet belongs to a connection that has already seen packets in both directions;
- RELATED — the packet opens a new connection, but one associated with an existing connection, for example an FTP data transfer or an ICMP error;
- INVALID — the packet could not be associated with any known connection.
Closing a port in iptables for new connections:
sudo iptables -t filter -A INPUT -p tcp -s 192.168.1.0/24 --dport 445 -m state --state NEW -j DROP
In this example, in the INPUT chain of the filter table, tcp packets from a computer in the subnet 192.168.1.0/24 to destination port 445 (since this is the INPUT chain, the destination port is on this computer) that open a new connection are given the action DROP (the packet is dropped).
A filter for an already established connection:
sudo iptables -t filter -A INPUT -p tcp -s 192.168.2.0/24 --dport 445 -m state --state ESTABLISHED -j DROP
In this case, in the INPUT chain of the filter table, tcp packets from a computer in the network 192.168.2.0/24 to destination port 445 (since this is the INPUT chain, the destination port is on this computer) that arrive over an already open connection are given the action DROP (the packet is dropped).
How to open a port
If you closed the port with one of the rules above, it is enough to delete that rule. If your default policy is DROP, then to open the port use the action ACCEPT instead of DROP.
sudo iptables -t filter -A INPUT -p tcp -s 192.168.3.0/24 --dport 445 -m state --state ESTABLISHED -j ACCEPT
This command adds to the INPUT chain of the filter table a rule for tcp packets from a computer in the network 192.168.3.0/24 to destination port 445 (since this is the INPUT chain, the destination port is on this computer) that arrive over an already open connection, giving them the action ACCEPT (the packet is accepted).
Everything said above about closing a port (a single port, a port range, incoming and outgoing connections, established and new connections) applies equally to rules that accept packets.
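The rules from sections 1 to 4 and from this section can be combined into one ruleset and loaded with iptables-restore instead of being typed one at a time. The following script is an added example and is not from the original article: the subnet 192.168.3.0/24, the port lists and the function names are constructed sample values. Loading the whole filter table in one go also avoids the classic lock-out, where the INPUT policy is already DROP but the ESTABLISHED rule that keeps your SSH session alive has not been added yet.

```shell
#!/bin/sh
# Added example (not from the original article): build the rules discussed
# above as one iptables-restore file. Restoring the file replaces the filter
# table atomically, so the ESTABLISHED rule is never missing while the INPUT
# policy is already DROP.
#
# All addresses and ports below are constructed sample values.
ADMIN_NET="192.168.3.0/24"          # hosts that may open new SSH connections
OPEN_TCP_PORTS="80 443"             # services reachable from anywhere
CLOSED_TCP_PORTS="8081 18070:18081" # closed explicitly (single port, range)
BLOCKED_OUT_PORTS="8080"            # remote ports this host may not connect to

build_ruleset() {
    echo "*filter"
    # Default policies: drop whatever no rule below accepts, allow traffic out.
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    echo "-A INPUT -i lo -j ACCEPT"
    # Section 4: packets of connections already allowed come in unchecked,
    # packets that belong to no known connection are dropped.
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m state --state INVALID -j DROP"
    # Sections 1 and 2: explicit closes go before any ACCEPT so that they win
    # even if the default policy is later changed to ACCEPT.
    for p in $CLOSED_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -j DROP"
    done
    # Opening a port: only the NEW packet needs a rule; the rest of the
    # connection is matched by the ESTABLISHED rule above.
    echo "-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT"
    for p in $OPEN_TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Section 3: in the OUTPUT chain --dport names the REMOTE port, not ours.
    for p in $BLOCKED_OUT_PORTS; do
        echo "-A OUTPUT -p tcp --dport $p -m state --state NEW -j DROP"
    done
    echo "COMMIT"
}

# Validate the file without touching the kernel, then load it (needs root).
apply_ruleset() {
    f=$(mktemp) || return 1
    build_ruleset > "$f"
    if iptables-restore --test "$f"; then
        iptables-restore "$f" && echo "ruleset applied; review it with: iptables -S"
        rc=$?
    else
        echo "ruleset rejected by iptables-restore --test, nothing changed" >&2
        rc=1
    fi
    rm -f "$f"
    return $rc
}

# Count generated rules matching a fixed string, for quick sanity checks.
count_rules() {
    build_ruleset | grep -c -- "$1"
}

# Usage (constructed): print the file with `build_ruleset`, or run
# `apply_ruleset` as root to validate and load it.
```

The `-m state` match is kept because the article uses it; on current kernels `-m conntrack --ctstate` is the equivalent and preferred form. To remove a single rule later, repeat its specification with `-D` instead of `-A`, or list the chain with `iptables -S INPUT` to see the exact specifications in place.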
Check if the port is open
Once all the rules for opening and closing ports are in place, we need to verify that the settings were applied correctly. The telnet application can be used for this. Telnet is an application that establishes a bidirectional connection between two computers using the telnet protocol. For our task, an attempt to establish a connection between two machines on the network serves as a test of the Netfilter rules. Run a command of the form:
telnet <ip-address> <port>
telnet 192.168.1.5 443
This command checks port 443 on the machine with IP address 192.168.1.5. If incoming connections to port 443 are allowed on the remote machine, and the rules on the local machine allow an outgoing connection to port 443, we get the message:
Connection closed by foreign host.
Or you may unexpectedly be greeted with a login prompt for that machine, if a telnet server is listening on this port.
If the rules forbid incoming connections on the remote machine, or outgoing connections from our local machine, on port 443, we get the message:
telnet: Unable to connect to remote host: Connection timed out
Note: it can take quite a long time before telnet reports the result of a connection attempt to the specified port.
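The long wait described in the note is itself a signal: a port protected by a DROP rule never answers, while a port with nothing listening (or one protected by a REJECT rule) answers with a reset at once. The following script is an added example, not part of the original article; it performs the same check as the telnet test with an explicit timeout and names the three outcomes. The hosts, ports and function names are constructed; it assumes bash (for the /dev/tcp redirection) and the coreutils timeout command are installed.

```shell
#!/bin/sh
# Added example (not from the original article): probe a TCP port the way the
# telnet test does, with an explicit timeout so a DROP rule does not make the
# check hang for minutes.
#
# Outcomes printed by probe_tcp:
#   open     - the TCP handshake completed: a program is listening and the
#              firewall rules on both ends let the connection through
#   refused  - a reset came back: the packet reached the host, but nothing is
#              listening there (or a REJECT rule answered)
#   timeout  - no answer within the given seconds: typical of a DROP rule on
#              the remote host, in our own OUTPUT chain, or on a device between
#   error    - the probe could not be attempted at all (no route, bad name ...)
#
# The outer script is POSIX sh; bash is only used as the connect tool.
probe_tcp() {
    host=$1
    port=$2
    secs=${3:-3}
    if ! command -v timeout >/dev/null 2>&1 || ! command -v bash >/dev/null 2>&1; then
        echo "error: needs bash and timeout(1)"
        return 1
    fi
    # Opening fd 3 on /dev/tcp/HOST/PORT makes bash connect; on failure it
    # prints a message such as "connect: Connection refused" and exits 1.
    # timeout(1) exits 124 when the connect attempt is still pending.
    msg=$(timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>&1) \
        && rc=0 || rc=$?
    case "$rc" in
        0)   echo "open" ;;
        124) echo "timeout" ;;
        *)
            case "$msg" in
                *[Rr]efused*) echo "refused" ;;
                *)            echo "error: $msg" ;;
            esac
            ;;
    esac
}

# Probe several ports on one host, one line per port.
probe_ports() {
    host=$1
    shift
    for p in "$@"; do
        printf '%s:%s %s\n' "$host" "$p" "$(probe_tcp "$host" "$p" 3)"
    done
}

# Usage (constructed sample input): check a few ports on the local machine.
# probe_ports 127.0.0.1 22 443 8080
```

Read the result together with the rules on both ends: "timeout" after closing a port with DROP is the expected confirmation, "refused" means the packet got through the firewall and the service itself is not there, and "open" on a port you meant to close means the rule is in the wrong chain or table, or a rule earlier in the chain accepted the packet first.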
So today we reviewed how to close a port with iptables on the local machine. We now know how to close (or open) a single port or a port range, what the difference is between incoming and outgoing connections, and how to work with new and already established connections.