Checking the Firewall Configuration and Your Network Settings (Linux)

This article lists the most important commands you need to check the network configuration and firewall configuration.

Performing a Port Scan

To perform a port scan, you can use the netcat program. Netcat (nc) is a universal command line tool. It can be used in the terminal or in scripts to communicate over TCP and UDP network connections (Internet Protocol version 4 and version 6).

The program netcat is part of every Ubuntu installation but can be installed via the package netcat-openbsd if necessary.

To install netcat on a server running the CentOS distribution, type the following command:

CentOS 7

[root@localhost ~]# yum install nc.x86_64

CentOS 8

[root@localhost ~]# dnf install nmap

To perform a port scan with netcat, type the following command:

nc -v IP_ADDRESS_OF_THE_SERVER PORT_NUMBER

Example:

[root@localhost ~]# nc -v 192.168.1.1 22

Checking the Network Services

To get a list of listening network services, daemons, and programs, type the following command:

netstat -tulpen

Then you can check whether the relevant network services, daemons and programs are active and listening on the correct port. The output also tells you whether a required port still needs to be unblocked.

Example:

[root@localhost ~]# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      193        27635      1368/systemd-resolv
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          29477      1582/sshd
tcp6       0      0 :::5355                 :::*                    LISTEN      193        27638      1368/systemd-resolv
tcp6       0      0 :::22                   :::*                    LISTEN      0          29479      1582/sshd
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           193        27634      1368/systemd-resolv
udp        0      0 127.0.0.53:53           0.0.0.0:*                           193        27640      1368/systemd-resolv
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          27510      1314/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           0          25505      1174/chronyd
udp6       0      0 :::5355                 :::*                                193        27637      1368/systemd-resolv
udp6       0      0 ::1:323                 :::*                                0          25506      1174/chronyd
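To make the check described above repeatable, here is an added example script (not from the original article) that parses `netstat -tulpen` output and compares the listeners with an allow-list of the ports you expect; the netstat output inside the script is a constructed sample based on the listing above, and the allow-list format "tcp/22 udp/68" is the script's own convention.

```shell
#!/bin/sh
# Added example (not from the original article): parse the output of
# `netstat -tulpen` and compare the listeners with an allow-list of the
# ports you expect, so that unexpected services are easy to spot.
# The sample output below is constructed from the article's example.

NETSTAT_SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:5355            0.0.0.0:*               LISTEN      193        27635      1368/systemd-resolv
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          29477      1582/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      0          29479      1582/sshd
udp        0      0 127.0.0.53:53           0.0.0.0:*                           193        27640      1368/systemd-resolv
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          27510      1314/dhclient
udp6       0      0 ::1:323                 :::*                                0          25506      1174/chronyd'

# Print one "proto port address program" line per listener.  The port is the
# text after the last ':' of the local address, which handles both 0.0.0.0:22
# and :::22; the program name is the last field with the "PID/" prefix removed,
# which is correct even for UDP lines that have no State column.
parse_listeners() {   # $1 = netstat output
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            n = split($4, a, ":"); port = a[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            prog = $NF; sub(/^[0-9]+\//, "", prog)
            print $1, port, addr, prog
        }'
}

# Program listening on proto/port (IPv4 or IPv6 socket); empty if none.
program_on() {   # $1 = netstat output, $2 = tcp|udp, $3 = port
    parse_listeners "$1" | awk -v p="$2" -v port="$3" \
        '($1 == p || $1 == (p "6")) && $2 == port { print $4; exit }'
}

# proto/port pairs reachable from the network (not bound to loopback only)
# that are missing from the space-separated allow-list, e.g. "tcp/22 udp/68".
unexpected_listeners() {   # $1 = netstat output, $2 = allow-list
    parse_listeners "$1" | awk -v allow=" $2 " '
        $3 ~ /^(127\.|::1$)/ { next }
        {
            key = $1; sub(/6$/, "", key); key = key "/" $2
            if (index(allow, " " key " ") == 0 && !seen[key]++) print key
        }'
}

# Example run: what listens on tcp/22, and what is listening but not expected.
program_on "$NETSTAT_SAMPLE" tcp 22                      # sshd
unexpected_listeners "$NETSTAT_SAMPLE" "tcp/22 udp/68"   # tcp/5355
```

On a live server, replace the sample with `netstat -tulpen` output captured as root so that the PID/Program name column is filled in.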

Checking the Network Configuration

To display the configured interfaces, enter the command ip addr. The output shows the status of each interface:

Example:

root@localhost:~# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:00:f1:5b brd ff:ff:ff:ff:ff:ff
    inet 217.160.173.123/32 brd 217.160.173.123 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe00:f15b/64 scope link
       valid_lft forever preferred_lft forever


You can reactivate a deactivated interface with the following command:

sudo ifup NAME_OF_THE_INTERFACE


Example:

[root@localhost ~]# sudo ifup ens192

If this command fails, it is possible that the interface is in a state unknown to the command script. In this case, enter the same command with the --force parameter:

sudo ifup --force NAME_OF_THE_INTERFACE

Example:

[root@localhost ~]# sudo ifup --force ens192

Then check whether you can establish an encrypted network connection to your server. If this is not possible, check the network configuration of the server.

For this purpose, open the configuration files listed below with the vi editor. Check and edit the settings, then restart the network if necessary to apply the changes to the network configuration:

Ubuntu

/etc/network/interfaces

CentOS 7 and CentOS 8

/etc/sysconfig/network-scripts/


To restart the network, type the following command(s):

Ubuntu

[root@localhost ~]# /etc/init.d/networking restart

CentOS 7

[root@localhost ~]# /etc/init.d/network restart

CentOS 8

[root@localhost ~]# nmcli networking off
[root@localhost ~]# nmcli networking on

Display and Configure IP Routing Table With Route

With the program route you can display and configure the IP routing table. To display it, enter the following command:

[root@localhost ~]# route

After entering the command, you will see results similar to the following example:

[root@localhost home]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    100    0        0 ens192
gateway         0.0.0.0         255.255.255.255 UH    100    0        0 ens192
169.254.169.254 gateway         255.255.255.255 UGH   100    0        0 ens192
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
localhost       0.0.0.0         255.255.255.255 UH    100    0        0 ens192

Checking the Firewall Configuration (CentOS 6, CentOS 7 and Ubuntu)

The Linux kernel contains a packet filter by default, provided by the modules of the Netfilter framework. An additional user-space program is required to configure it.

As an administrator, you can use the software iptables to set up, modify or delete rules. iptables is the program for configuring the tables provided by the packet filter in the Linux kernel.

The settings you make with iptables are lost when the system reboots. You can use the tools iptables-save and iptables-restore to save and restore the rules you created; with an init script, the restore is done automatically during the boot process.

Please Note

Whenever you make changes to iptables, make sure that the ports required to reach the server, such as port 22, are not blocked.

iptables is limited to the IPv4 protocol. For other protocols there are corresponding variants, such as ip6tables for IPv6 or ebtables for Ethernet frames, which are also implemented by kernel modules.

On Linux, iptables is usually pre-installed. iptables requires extended system privileges and can only be run as root or with administrator rights.

The packet inspection and the filter rules created with iptables are organized in three levels: tables, chains and rules.

The tables, which are provided by the kernel and loaded together with the software, contain chains of rules that define how incoming and outgoing packets are handled. A packet is passed from rule to rule within a chain. Each rule can cause a jump or a goto to another chain.

The following actions (targets) can be triggered:

ACCEPT: The packet is accepted.

DROP: The packet is dropped.

QUEUE: Passes the packet to a user-space process; requires a queue handler that forwards the packets to an application.

RETURN: The packet is returned to the calling chain if the current chain is user-defined. In a built-in chain, the policy of the chain is applied. Without configuration, the policy is ACCEPT by default.

Tables

In the tables, filter rules are combined into groups, divided according to their basic task. There are four important tables in which you can store filter rules:

filter: This is the default table.

nat: Used to alter packets that establish a new connection; it implements Network Address Translation (NAT).

mangle: This table is usually used for certain types of packet alteration.

raw: This table is usually used to define connection tracking exceptions in combination with the NOTRACK target.

Chains

Each table contains different chains. The chain determines at which point a packet is checked. There are the following chains:

Chain         Tables                       Description
INPUT         filter, mangle               Applies to all packets that are directed to a local process.
OUTPUT        filter, nat, mangle, raw     Applies to all packets originating from a local process.
FORWARD       filter, mangle               Applies to all packets that are routed through the host.
PREROUTING    nat, mangle, raw             Applied to all packets before they are routed.
POSTROUTING   nat, mangle                  Applied to all packets after they have been routed.

The filter rule sets are defined within these tables and chains by calling iptables in the terminal.

A detailed overview of how the packet filter works is provided in the man page, which you can open with the following command:

[root@localhost ~]# man iptables

Further information can be found on the following page:

http://www.netfilter.org

To display the default behavior of the iptables chains (their policies), enter the following command:

[root@localhost ~]# iptables -L

To check which filter rules are already defined in each table, enter the following commands:

[root@localhost ~]# sudo iptables -t filter -L

[root@localhost ~]# sudo iptables -t nat -L

[root@localhost ~]# sudo iptables -t mangle -L

[root@localhost ~]# sudo iptables -t raw -L

To delete all rules in the default (filter) table, enter the following command:

[root@localhost ~]# iptables -F

Other important commands

Other important commands for iptables are listed below:

Creating a new chain:

sudo iptables -N NAME_OF_THE_CHAIN

Example:

[root@localhost ~]# sudo iptables -N test

Deleting a chain (the chain must be empty and no longer referenced by any rule):

sudo iptables -X NAME_OF_THE_CHAIN

Example:

[root@localhost ~]# sudo iptables -X test

Listing the rules in the chain named test:

sudo iptables -L NAME_OF_THE_CHAIN

Example:

[root@localhost ~]# sudo iptables -L test

Deleting the rules in the test chain:

sudo iptables -F NAME_OF_THE_CHAIN

Example:

[root@localhost ~]# sudo iptables -F test

Setting the policy for a chain:

In the example below, a packet is accepted automatically if none of the filter rules of the INPUT chain match it.

[root@localhost ~]# sudo iptables -P INPUT ACCEPT

Appending a new rule to a selected chain:

sudo iptables -A NAME_OF_THE_CHAIN -s IP_ADDRESS -j DROP

In the example below, a rule is appended to the test chain that drops packets from the IP address 217.160.172.48.

[root@localhost ~]# sudo iptables -A test -s 217.160.172.48 -j DROP

Deleting the specified rule from the selected chain:

sudo iptables -D NAME_OF_THE_CHAIN -s IP_ADDRESS -j DROP

Example:

[root@localhost ~]# sudo iptables -D test -s 217.160.172.48 -j DROP

Inserting a new rule at the selected position in the chain:

sudo iptables -I NAME_OF_THE_CHAIN 1 -s IP_ADDRESS -j DROP

In this example, the rule is inserted at position 1 of the chain, so it is evaluated first.

Example:

[root@localhost ~]# sudo iptables -I test 1 -s 217.160.172.48 -j DROP

Deleting a rule from the selected chain by specifying its position:

sudo iptables -D NAME_OF_THE_CHAIN 1

Example:

[root@localhost ~]# sudo iptables -D test 1

Save results

To permanently save your settings to a file, type the following command:

Ubuntu

sudo iptables-save > /etc/iptables/rules.v4

CentOS

iptables-save > /etc/sysconfig/iptables

To reload the file for IPv4, type the following command:

Debian/Ubuntu

iptables-restore < /etc/iptables/rules.v4

CentOS

iptables-restore < /etc/sysconfig/iptables

To load the rules automatically, you can use the following methods:

Ubuntu

With iptables-persistent the firewall rules are stored in configuration files in /etc/iptables/. These are reloaded when the server starts and are thus reactivated. For this purpose, the rules must be stored in the file /etc/iptables/rules.v4 for IPv4.

To use iptables-persistent, you must install the following package:

apt-get install iptables-persistent

CentOS 7

To store the iptables rules permanently, the package iptables-services must be installed:

yum install -y iptables-services

To continue using iptables, the firewalld service must first be stopped and masked so that it does not manage the packet filter at the same time:

systemctl stop firewalld
systemctl mask firewalld

Then the iptables service must be enabled:

systemctl enable iptables.service
systemctl -t service | grep iptables

The rules for IPv4 are stored in the file /etc/sysconfig/iptables.

The following script can also be used to save the current rules:

[root@localhost ~]# /usr/libexec/iptables/iptables.init save

Note

After configuring iptables and saving the rules permanently, check that they are loaded again after the server restarts.

You can display the rules after restarting with the following command:

iptables -L

Alternatively, you can enter the following command to check the status of iptables:

systemctl status iptables.service
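The commands above create the chain test and add a DROP rule to it, but the kernel only consults a user-defined chain when a built-in chain jumps to it. The following added example (not code from the article) writes the complete rule set in iptables-save format with that jump, keeps port 22 reachable under a DROP policy, and checks the file with iptables-restore --test before loading it; the blocked address 217.160.172.48 is the article's sample, the CentOS path /etc/sysconfig/iptables is assumed, and the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the original article): the article creates a
# user-defined chain "test" and appends a DROP rule to it, but the kernel only
# consults such a chain when a built-in chain jumps to it.  This script writes
# the complete rule set in iptables-save format, including that jump and the
# rules that keep loopback, established sessions and port 22 working, and it
# refuses to apply a file that would lock SSH out.  Assumed path: the CentOS
# file /etc/sysconfig/iptables; the blocked address is a constructed sample.

write_rules() {   # $1 = destination file, $2 = address to block
    ip=$2
    cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:test - [0:0]
# Loopback and replies to connections this host opened are always accepted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Every remaining incoming packet passes through the user-defined chain first.
-A INPUT -j test
# SSH stays reachable under the DROP policy (the article's note on port 22).
-A INPUT -p tcp --dport 22 -j ACCEPT
-A test -s $ip -j DROP
COMMIT
EOF
}

# Succeeds if the file cannot lock SSH out: either the INPUT policy is not
# DROP, or an explicit ACCEPT for tcp port 22 on INPUT is present.
ssh_reachable() {   # $1 = rules file
    grep -q '^:INPUT DROP' "$1" || return 0
    grep -q -- '^-A INPUT .*--dport 22 .*-j ACCEPT' "$1"
}

# Check for lock-out, parse the file without committing it (--test), then
# load it and store it where the iptables service reads it at boot.
apply_rules() {   # $1 = rules file
    ssh_reachable "$1" || { echo "refusing: SSH would be blocked" >&2; return 1; }
    iptables-restore --test < "$1" || return 1
    iptables-restore < "$1" && cp "$1" /etc/sysconfig/iptables
}
```

Run as root: `write_rules /tmp/rules.v4 217.160.172.48 && apply_rules /tmp/rules.v4`; the lock-out check runs before anything touches the live rules.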

Checking the Firewall Configuration (CentOS 8)

CentOS 8 uses the nftables framework as its default firewall backend.

By default, nftables does not create any tables or chains, unlike its predecessor iptables. As administrator, you first create the tables and add chains to them, which hook into the Linux kernel as netfilter hooks. Then you create the appropriate rules for the chains.

Here are some other important differences between nftables and iptables:

  • Tables and chains are fully configurable.

  • There is no distinction between matches and targets anymore.

  • You can specify several actions in one single rule.

  • Better support for dynamic ruleset updates.


More information on the differences between iptables and nftables can be found here:

https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables

Syntax of the Commands

The basic commands for tables, chains and rules are always structured as follows:

nft <add|list|flush|delete> <table|chain|rule> <further_options>

Creating a Table

To create a table and list the resulting rule set, enter the following commands:

[root@localhost ~]# nft add table inet my_table
[root@localhost ~]# nft list ruleset
table inet my_table {
}

To create a chain, enter the command below. When creating the chain, you must specify to which table the chain belongs. You must also define the type, the hook and the priority.

nft add chain inet my_table my_filter_chain { type filter hook input priority 0 \; }

Note

The backslash (\) is necessary so that the shell does not interpret the semicolon as the end of the command.

Chains can also be created without specifying a hook. Chains that you create without specifying a hook are equivalent to custom iptables chains. Rules can use the jump or goto statements to execute rules in the chain. This is useful for logically separating rules or for sharing a subset of rules that would otherwise be duplicated.

A major innovation in nftables is the concept of families: nft provides a number of address families for the creation of rules. The following families are predefined: arp (ARP), bridge (previously covered by ebtables), inet (covers both IPv4 and IPv6), ip (IPv4), ip6 (IPv6) and netdev. All tables that belong together must be in the same family, which is particularly relevant when creating tables and chains.

For example, to create a rule in the chain that allows an SSH connection, enter the following command:

nft add rule address_family my_table my_filter_chain tcp dport ssh accept

Example:

[root@localhost ~]# nft add rule inet my_table my_filter_chain tcp dport ssh accept

Rules are deleted with the help of rule handles. To delete a rule, you must first find the handle of the rule you want to delete. Example:

[root@localhost ~]# nft --handle list ruleset
table inet my_table { # handle 21
    chain my_filter_chain { # handle 1
        type filter hook input priority 0; policy accept;
        tcp dport http accept # handle 3
        tcp dport 1234 accept # handle 8
        tcp dport nfs accept # handle 7
        tcp dport ssh accept # handle 2
    }
}

Then use the handle to delete the rule. To do this, enter the following command:

nft delete rule [<family>] <table> <chain> [handle <handle>]

Example:

[root@localhost ~]# nft delete rule inet my_table my_filter_chain handle 8
[root@localhost ~]# nft --handle list ruleset
table inet my_table { # handle 21
    chain my_filter_chain { # handle 1
        type filter hook input priority 0; policy accept;
        tcp dport http accept # handle 3
        tcp dport nfs accept # handle 7
        tcp dport ssh accept # handle 2
    }
}

Listing Rules

To list tables, or to add, delete or flush a table, use the following commands:

nft list tables [<family>]
nft list table [<family>] <name> [-n] [-a]
nft (add | delete | flush) table [<family>] <name>

To call up all rules in a particular table, enter the following command:

[root@localhost ~]# nft list table inet my_table
table inet my_table {
chain my_filter_chain {
type filter hook input priority 0; policy accept;
tcp dport http accept
tcp dport nfs accept
tcp dport ssh accept
    }
}

To list all rules in a single chain, enter the following command:

[root@localhost ~]# nft list chain inet my_table my_other_chain
table inet my_table {
    chain my_other_chain {
        udp dport 12345 log prefix "UDP-12345"
    }
}

With the following command you can save the current rule set to a file:

nft list ruleset > /root/nftables.conf

You can load the rule set from that file again with the following command:

nft -f /root/nftables.conf

To have your rules restored on restart, enable the systemd service and save the rule set to the file it reads at boot:

systemctl enable nftables
nft list ruleset > /etc/sysconfig/nftables.conf
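As an added example (not from the article or the nftables project), the following script writes the table and input chain built interactively above as a ruleset file, with a drop policy and the rules that keep loopback, established connections and SSH working, then checks it with nft -c before loading it. The file path /etc/sysconfig/nftables.conf is the one the article gives for CentOS 8; the function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the original article): write the ruleset the
# article builds interactively (table inet my_table, input filter chain)
# as a file so it survives a reboot via the nftables service, and check it
# with nft's dry-run mode before applying it.  Assumption: CentOS 8 layout,
# where nftables.service loads /etc/sysconfig/nftables.conf; the destination
# is a parameter so the functions can be exercised on a temporary file.

write_ruleset() {   # $1 = destination file
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet my_table {
    chain my_filter_chain {
        type filter hook input priority 0; policy drop;

        # Loopback and already established traffic are always allowed, so a
        # restrictive policy does not cut off running sessions.
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # The services from the article's listing; ssh first so the
        # administrative connection survives every reload.
        tcp dport ssh accept
        tcp dport http accept
        tcp dport nfs accept

        # Everything else is dropped by the chain policy; log it so the
        # drops are visible in the journal when debugging connectivity.
        log prefix "my_filter_chain drop: " drop
    }
}
EOF
}

# Validate the file without touching the live ruleset (nft -c), then load it.
# Returns non-zero if the syntax check fails, so the old rules stay active.
apply_ruleset() {   # $1 = ruleset file
    nft -c -f "$1" || return 1
    nft -f "$1" || return 1
    systemctl enable nftables   # the service restores the file on reboot
}

# Number of accept rules in a ruleset file (quick sanity check before apply).
count_accepts() {   # $1 = ruleset file
    grep -c ' accept$' "$1"
}
```

Run as root with `write_ruleset /etc/sysconfig/nftables.conf && apply_ruleset /etc/sysconfig/nftables.conf`; because the file starts with `flush ruleset`, loading it replaces whatever was built interactively.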

More information about nftables can be found here:

https://wiki.nftables.org/wiki-nftables/index.php/Main_Page