1. Overview
In information security, it’s always a good idea to block traffic toward all the network ports by default and only open them up for very concrete reasons. This would largely reduce the surface we need to guard against when it comes to defending ourselves against malicious traffic. In this tutorial, we’ll learn how to allow traffic toward a specific port while blocking the rest using iptables and ufw.
2. iptables
The iptables tool is a network administration tool in Linux that manages the network packets going through our machine. Specifically, we can define policies that accept or deny incoming network packets.
2.1. Blocking Incoming Traffic by Default
To block all the incoming traffic regardless of which port they are targeting, we can apply a DROP policy on the INPUT chain:
$ sudo iptables -P INPUT DROP
The -P option configures a default policy on the chain. In our command, we set the default policy of the INPUT chain to drop all the network packets. Note that this policy will only take effect if a packet does not match any other rules in the chain.
2.2. Allowing Incoming Packets on Specific Ports
Once we have the default policy in place, we can now start appending rules into the chain. Specifically, we want to append ALLOW rules into the chain to allow network packets to ports we want to expose to the external connection. Let’s append an ALLOW rule on port 22 to allow SSH connection into our machine:
$ sudo iptables -A INPUT -p tcp -m tcp -dport 22 -j ACCEPT
Firstly, the -A INPUT option appends the rule specification into the INPUT chain. Then, the -p tcp option causes this rule to be evaluated on TCP packets only. The -m tcp option loads the iptables tcp extension, which provides the -dport operator to match TCP packets that are targeting port 22.
Finally, the -j option specifies the action to take when the packet matches the rule. In this case, we accept the packet.
In short, with the ruleset in place, we’ll only allow TCP packets that are targeting port 22 on our system. Any other packets that do not match this rule will be handled by the default policy, which is to drop the packets.
3. ufw
Although the iptables command is powerful, it can be daunting for people who are new to it. There are a lot of terminologies that one needs to be familiar with before the documentation makes sense.
The ufw is a command line tool that’s built upon iptables and aims to offer an easier interface for configuring the firewall.
3.1. Blocking All Ports Except for One Port
To block all the incoming packets by default, we run ufw default deny:
$ sudo ufw default deny
This would put in place a default rule on incoming traffic that drop all the packets.
To allow incoming traffic to a specific port, we can use the ufw allow command. Let’s unblock port 22 to allow incoming traffic into the host:
$ sudo ufw allow 22
Rule added
Rule added (v6)
Then, to verify the rules, we can run ufw status verbose:
$ sudo ufw status verbose
ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip
To Action From
-- ------ ----
22 ALLOW IN Anywhere
22 (v6) ALLOW IN Anywhere (v6)
From the output, we can see that by default, we are denying all the incoming and routing traffic. Then, we can see that we are allowing traffic to be coming into port 22.
If the ufw status verbose command returns a line saying Status: inactive, it means the firewall is disabled. To enable the firewall, we simply issue the enable subcommand:
$ sudo ufw enable
Firewall is active and enabled on system startup
4. Conclusion
In this tutorial, we’ve learned how we can apply a default policy to block all the ports using iptables. Then, we also showed how we can open up a few ports to allow incoming traffic. Finally, we’ve seen how ufw can achieve the same thing with a simpler interface.