I configured iptables to allow ports 80 and 443 for a webserver as well as 10000 for webmin using "iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT", etc. Please let me know if I correctly interpret the following iptables output.

Inputs

• First three lines allow ports 10,000, 443, and 80 using the TCP protocol. Why do these lines describe "out" and "destination if these are inputs?
• Line 4 means it will accept a response from a request.
• What does Line 5 mean?
• Line 6 means it will allow internal communication? Please elaborate.
• Line 7 allows port 22 using TCP protocol.
• Line 8 means if you get here, reject everything.

The forward section has to do with using Linux as a router, and it currently is set up not to do so.

The output section has no rules, and thus the server is allowed to output whatever it wants.

Thank you for your feedback.

As part of a multi-layered defence strategy you must expose as little as possible and especially not admin interfaces like Webmin. Ensure Webmin uses SSL, give it a separate iptables rule and allow only traffic from your management IP (ranges). "iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT" actually means a few things: no table specified: use the "filter" table (most block rules are better off in the "raw" table, using ipset and -j NOTRACK), make it the first rule of the INPUT chain (this almost never is a good thing as performance / rule order-wise you'd want the spot for the loopback interface, followed by INVALID / ESTABLISHED traffic, etc). Netfilter allows you to track a connections state and act on it. Doing otherwise isn't that good for performance.


Please avoid posting interpreted data and potentially incomplete rule sets: instead post output of Easier to read and correct.

Every rule can have a number of match criteria, such as the interface the packet is entering or exiting (the "in" and "out" matches) as well as the source and destination address, protocol type, and so on.

iptables -L -v produces a fixed set of columns for each row, including "in" and "out" (which is why using iptables-save is a good idea). If your rule doesn't include an interface or a destination address match criteria, that's the same as saying "any interface" or "any destination address".

That's correct. The ESTABLISHED state matches responses to previous requests and open TCP connections, while RELATED matches ICMP errors and secondary data streams (provided iptables knows how to interpret the protocol in question).

It allows all incoming ICMP packets. "Ping" replies and error messages related to other traffic (like various "unreachable" messages) are already implicitly allowed by the RELATED state match, but this rule will also allow other packets, like incoming Echo Requests.

Processes on the system itself may communicate using the loopback ("lo") interface. No external system can ever send packets to this interface, and packets from lo can never go out on the wire, so blocking it with a firewall rule makes little sense (and may cause all sorts of breakage).

It's considered a "best practice" to have a rule allowing traffic to/from lo at or very near the top of any firewall ruleset.

Correct, it allows incoming packets to the SSH daemon.

Correct.

Thank you Ser Olmy, that was very helpful.