The most common firewall operation, in my opinion, is opening and closing ports on a network interface. A port is opened so that the service listening on it can be reached from outside; it is closed so that nobody can establish a connection to the program on your machine that uses that port. In this article we will look at how to open a port with iptables on Debian Linux, with examples.
Roughly speaking, a port is like the number of an apartment in an apartment building, where a tenant may or may not live. The IP address is the number of the building, which contains many apartments. The tenant is the program that uses that port number. This picture fits our task: opening and closing access to programs on one computer that is connected to the Internet.
How to open a port using iptables
To add a new rule to a chain in iptables, use a command of this form:
sudo iptables [-t table] -A chain rule-specification
sudo iptables -t filter -A INPUT -p tcp -s 18.104.22.168 --sport 53 -d 192.168.1.1 -j ACCEPT
This appends (-A) to the INPUT chain of the filter table a rule that accepts TCP packets from 18.104.22.168 with source port 53 addressed to 192.168.1.1. A source port on its own is a weak criterion, because any host can send packets from port 53; for replies to your own requests it is better to match on connection state (section 4).
Let us look in detail at opening a port with iptables. The concept of a port exists in both the TCP and UDP protocols, so the same port numbers are used for the two protocols but mean different things: in the language of our example they are different apartments in different buildings in different neighbourhoods, where the neighbourhood is the name of the protocol. In practice this means that a rule with -p tcp does not affect UDP traffic to the same port number, and vice versa.
Note: there is a table of well-known port numbers assigned to popular software by function (for example 22 for SSH, 80 for HTTP, 443 for HTTPS); other ports are free to use. That table is beyond the scope of this article, so let us return to the simple task of opening or closing a single port.
Note: if you need to open a port, first make sure that the default policy of the INPUT chain is to block connections (DROP). If the default policy is ACCEPT, there is nothing to open: every port is already open, and you only need to close the ones that must not be reachable from outside. Before switching the policy to DROP on a remote machine, add rules that allow your SSH port and established connections (section 4) first, or you will lock yourself out. Read more in the article on how to use iptables.
1. One port
To open a port with iptables on Debian, use a command of this form:
sudo iptables [-t table] -A chain -p protocol [--sport port] [--dport port] -j action
sudo iptables -t filter -A INPUT -p tcp --dport 8081 -j ACCEPT
Here we appended to the INPUT chain of the filter table a rule that accepts (ACCEPT) TCP packets with destination port 8081. Any external machine that tries to establish a connection on this port will now get through the firewall; whether the connection succeeds then depends only on whether a program is actually listening on 8081. If we want to open a port only to a specific machine, use the following command:
sudo iptables -t filter -A INPUT -p tcp -s 10.0.0.1/32 --dport 8080 -j ACCEPT
We have opened port 8080 on our computer for the external machine with IP address 10.0.0.1 (the /32 mask means exactly one address).
2. A range of ports
To open a range of ports with iptables, use a command of this form:
sudo iptables [-t table] -A chain -p protocol [--sport first:last] [--dport first:last] -j action
sudo iptables -t filter -A INPUT -p tcp --dport 18070:18081 -j ACCEPT
With this command we opened ports 18070 through 18081 (the range is inclusive) for incoming TCP packets addressed to this computer.
3. Incoming and outgoing connections
All packets can be divided into two kinds: packets arriving at the host and packets sent by the host. In the most common setup, incoming and outgoing packets go through the same network interface (the physical or logical device that turns packets into signals and puts the signals onto the network).
Incoming packets create incoming connections, which are governed by rules for specific programs, and outgoing packets create outgoing connections, which are governed by their own rules. In addition, a program that talks over the network has traffic in both directions, because it must both send and receive data: a single connection therefore produces both incoming and outgoing packets, and both must be allowed for it to work.
Rules for incoming traffic are in most cases placed in the PREROUTING and INPUT chains; rules for outgoing traffic are in most cases placed in the OUTPUT and POSTROUTING chains. (PREROUTING and POSTROUTING do not exist in the filter table; for allowing and blocking ports you work with INPUT and OUTPUT.)
To allow a port in iptables for incoming connections:
sudo iptables -t filter -A INPUT -p tcp --dport 8080 -j ACCEPT
Example for outgoing connections:
sudo iptables -t filter -A OUTPUT -p tcp --dport 8080 -j ACCEPT
Note: the two rules look very similar, but they mean the opposite thing. In the first case we are dealing with an INCOMING packet that must arrive at destination port 8080 of OUR computer. In the second case we are dealing with an OUTGOING packet that must arrive at destination port 8080 of the REMOTE computer. Note also that the two ends of one connection do not use the same port number: the server side listens on a fixed port (8080 here), while the client side uses an ephemeral source port chosen by its operating system, so --dport on INPUT and --dport on OUTPUT refer to different ports.
4. Connection status
Netfilter rules can match packets on additional criteria beyond address, protocol and port. This is done with match extensions, which are loaded with the -m option (the -j option names the target, that is, the action). Of the many matches available we will look at one: -m state --state STATE, which classifies a packet by the connection it belongs to. (On current kernels the same match is written -m conntrack --ctstate STATE; -m state is kept as an alias.) STATE can take the following values:
- NEW: the packet opens a new connection, or belongs to a connection that has not yet seen packets in both directions (incoming and outgoing);
- ESTABLISHED: the packet belongs to a connection that has already seen packets in both directions;
- RELATED: the packet opens a new connection but is related to an existing one, for example an FTP data transfer or an ICMP error;
- INVALID: the packet cannot be associated with any known connection (for example a stray ACK, or a packet the connection tracker could not parse).
Opening a port in iptables for new connections:
sudo iptables -t filter -A INPUT -p tcp -s 192.168.1.0/24 --dport 445 -m state --state NEW -j ACCEPT
In this example, in the INPUT chain of the filter table, TCP packets from the subnet 192.168.1.0/24 to destination port 445 (since this is the INPUT chain, the destination port is on this computer) that open a new connection get the ACCEPT action (the packet is accepted).
And this command allows packets that belong to connections that are already established:
sudo iptables -t filter -A INPUT -p tcp -s 192.168.2.0/24 --dport 445 -m state --state ESTABLISHED -j ACCEPT
In this case, in the INPUT chain of the filter table, TCP packets from the network 192.168.2.0/24 to destination port 445 on this computer that arrive over an already open connection get the ACCEPT action. In practice the ESTABLISHED rule is usually written once, without -p, -s or --dport, so that packets on every allowed connection are accepted and the per-port rules only need to match NEW.
How to close a port in iptables
If you opened the port with one of the rules above and the default policy of the firewall is DROP, it is enough to delete that rule (the same command with -D in place of -A). If the default policy is ACCEPT, you need a rule with the DROP target to close the port:
sudo iptables -t filter -A INPUT -p tcp -s 192.168.3.0/24 --dport 445 -m state --state ESTABLISHED -j DROP
This command writes into the INPUT chain of the filter table a rule for TCP packets from the network 192.168.3.0/24 to destination port 445 on this computer that arrive over an open connection, and applies the DROP action (the packet is discarded). Remember that iptables evaluates rules in order and the first match wins: a DROP rule appended with -A has no effect if an earlier rule already accepts the same traffic, so in that case insert it at the top of the chain with -I instead.
Everything said above about opening ports (a single port, a range, incoming and outgoing connections, new and established connections) applies equally to rules that deny packets, that is, to closing ports. Closing ports in iptables is covered in more detail in a separate article.
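As an added example (not from the original article), here is a small script that puts sections 1 through 4 and the closing rule together into one INPUT ruleset. The port numbers, the SSH port and the source address 10.0.0.1/32 are assumed values; the script uses -m conntrack --ctstate, the current spelling of -m state --state. By default it only prints the iptables commands it would run; set APPLY=1 and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the article): assemble an INPUT ruleset from the pieces above.
# Assumed values: SSH on tcp/22, a service on tcp/8081, a range 18070-18081, and
# tcp/8080 reachable only from 10.0.0.1/32. Run with APPLY=1 as root to apply the rules;
# by default the script only prints the iptables commands it would run.
set -eu

IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"

# Either run iptables (-w waits for the xtables lock) or print the command.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$IPT" -w "$@"
    else
        echo "$IPT $*"
    fi
}

# open_tcp_port PORT [SOURCE]: accept new TCP connections to PORT, optionally only
# from SOURCE (an address or CIDR). Established traffic is handled once, by the
# conntrack rule in apply_baseline, so a port rule only needs to match NEW packets.
open_tcp_port() {
    if [ $# -ge 2 ]; then
        ipt -t filter -A INPUT -p tcp -s "$2" --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
    else
        ipt -t filter -A INPUT -p tcp --dport "$1" -m conntrack --ctstate NEW -j ACCEPT
    fi
}

# open_tcp_range FIRST LAST: the same for an inclusive range (iptables syntax first:last).
open_tcp_range() {
    ipt -t filter -A INPUT -p tcp --dport "$1:$2" -m conntrack --ctstate NEW -j ACCEPT
}

# close_tcp_port PORT: an explicit DROP, needed while the default policy is still ACCEPT.
# Rules are evaluated in order, so insert it at the top (-I INPUT 1) rather than append it;
# an earlier ACCEPT for the same port would otherwise win.
close_tcp_port() {
    ipt -t filter -I INPUT 1 -p tcp --dport "$1" -j DROP
}

# The baseline every DROP-policy firewall needs. Order matters: the rules are added while
# the policy is still ACCEPT and the policy is switched to DROP only at the end, so an SSH
# session that runs this script is never cut off.
apply_baseline() {
    ipt -t filter -F INPUT
    ipt -t filter -A INPUT -i lo -j ACCEPT
    ipt -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -t filter -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -t filter -A INPUT -p icmp -j ACCEPT
    open_tcp_port "$SSH_PORT"
    ipt -t filter -P INPUT DROP
}

apply_baseline
open_tcp_port 8081                 # section 1: one port, from anywhere
open_tcp_port 8080 10.0.0.1/32     # section 1: one port, from one host only
open_tcp_range 18070 18081         # section 2: a range of ports
```

Run it once without APPLY to read the commands, then `APPLY=1 sh firewall.sh` as root. Because apply_baseline starts with -F INPUT, running it again replaces the ruleset instead of appending duplicates; the rules are not persisted across reboots, which is what iptables-save and the iptables-persistent package are for.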
Check whether the port is open
Once all the rules for opening and closing ports are in place, we need to verify that they work as intended. One tool for this is telnet, an application that establishes a bidirectional connection between two computers over the telnet protocol. For our task an attempt to establish a connection between two machines serves as a test of the Netfilter rules. Run a command of this form:
$ telnet <ip-address> <port>
telnet 192.168.1.5 443
This checks port 443 on the machine with IP address 192.168.1.5. If the remote machine allows incoming connections on port 443, the rules on the local machine allow the outgoing connection, and a program is listening there, the TCP handshake completes and telnet prints:
Connected to 192.168.1.5.
Escape character is '^]'.
followed, once the remote service gives up on the input it does not understand or you press Ctrl-] and quit, by "Connection closed by foreign host." You may also unexpectedly receive a login prompt from that machine, if a telnet server happens to be listening on that port.
If the rules drop incoming connections on the remote machine, or outgoing connections on our local machine, for port 443, we get:
telnet: Unable to connect to remote host: Connection timed out
Note: it takes quite a while (the TCP connect timeout, typically a minute or more) for telnet to report the failed attempt, because a DROP rule silently discards the packet and nothing answers. If instead the port is reachable but nothing is listening on it, or the firewall uses REJECT instead of DROP, the answer comes back immediately as "telnet: Unable to connect to remote host: Connection refused". Telnet tests only TCP; UDP ports must be checked with a tool for the protocol in question.
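As an added example (not part of the original article), the following script does what the telnet test does but reports the outcome in one word, so the difference between a DROP rule (no answer) and a merely closed port (immediate refusal) is visible. It assumes bash (for /dev/tcp), coreutils timeout and iproute2 ss are installed; the host, port and timeout are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the article): a TCP port probe that tells the three outcomes apart.
# Uses bash's /dev/tcp for the connect and coreutils timeout to bound the wait; assumes both.
#   open     - TCP handshake completed (something listens and the rules on both sides allow it)
#   closed   - the host answered with RST (reachable, but nothing listening, or a REJECT rule)
#   filtered - no answer within the timeout (a DROP rule somewhere on the path, or no route)
set -u

TIMEOUT="${TIMEOUT:-3}"

# verdict_from_status EXIT_CODE: map the exit status of the connect attempt to a verdict.
# timeout(1) exits with 124 when it had to kill the command; any other failure is a refusal
# or a local error, both of which mean the packet was answered rather than dropped.
verdict_from_status() {
    case "$1" in
        0)   echo open ;;
        124) echo filtered ;;
        *)   echo closed ;;
    esac
}

# check_port HOST PORT: make one TCP connect attempt and print open, closed or filtered.
# $0 and $1 inside the bash -c string are HOST and PORT passed after the script text.
check_port() {
    status=0
    timeout "$TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null || status=$?
    verdict_from_status "$status"
}

# listening_locally PORT: on the server itself, confirm a program is bound to the TCP port
# before blaming the firewall. Column 4 of "ss -ltn" is Local Address:Port.
listening_locally() {
    ss -ltn 2>/dev/null | awk -v p=":$1" 'NR > 1 && $4 ~ p"$" { found = 1 } END { exit !found }'
}

if [ $# -ge 2 ]; then
    echo "$1:$2 $(check_port "$1" "$2")"
fi
```

Usage: `sh probe.sh 192.168.1.5 443` prints the address followed by open, closed or filtered; TIMEOUT=10 lengthens the wait for slow links. A result of filtered from the client plus a successful `listening_locally 443` on the server points at a DROP rule (or a missing ACCEPT under a DROP policy) rather than at the service.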
So today we reviewed how to open a port (80 or any other) with iptables on the local machine. We now know how to open or close a single port and a range of ports, what the difference is between incoming and outgoing connections, and how to work with new and already established connections.