The era of purely local development is history. The growth of the Internet created an objective need for distributed information processing, and virtualization means that a single computer no longer offers much of a future. A developer needs a complete set of virtual machines reachable from any physical device. Setting up virtual environments and making them reachable through iptables has become a common and important part of building modern information systems.
Modern development of information systems
High technologies, with all their achievements, are based on rigid syntactic constructions. The syntax of a programming language or configuration file is a lesser evil than the rigidity of the concept of the development of computer science in general.
The attempt to derive syntax and semantics through hypertext did not produce a qualitative leap, but it did make it necessary to move development into a "distributed" state, into the clouds and into virtual machines.
Working on a single computer and/or server is a limitation. The developer needs an arsenal of operating systems and a development and testing environment. Today's developer is a distributed team of specialists of various qualifications.
The iptables idea has come a long way in a short time. Today, it provides a fairly convenient toolkit for organizing technological processes of software development and its use.
Opening a port for a particular project with iptables is not a problem, and restricting (closing) access is just as simple and convenient. On CentOS the firewalld front end sits on top of iptables, and a port can be opened there with its own utility. That is convenient, but not as practical as working directly from the command line on Debian.
The choice of an operating system from the Linux family in the context of solving the problem of port distribution is important for the system administrator in the context of configuration, but more important is understanding the essence of the issue: how to open a port through iptables and ensure the ability to work.
Switch and server
Before you start working with a Linux server, you need to pay serious attention to setting up a switch that provides access to the Internet and an internal local network.
This is a LAN switch for small business or home use. Big business uses more technological equipment, but in any case the device that provides Internet access and organizes the local network must pass all packets and have open all the ports that will be needed.
On a Linux server the firewall is iptables. Which ports are open is determined by the input, output and transit rules (the INPUT, OUTPUT and FORWARD chains). There are not many rule types, and only slightly more parameters, but together they provide a sufficient number of combinations and possibilities. Through iptables, opening a port is no problem, and neither is working on packets before routing (PREROUTING) or after routing (POSTROUTING).
All Linux server rules are equivalent: condition (criteria), description, action and counter. The content of the rule depends on its application.
Physical virtual machine server
There is no fundamental difference between a work computer and a server, but it is always preferable not to burden the server with private tasks or turn it into the personal workstation of one developer.
Ideally, the server should have a graphical shell and run its own workflow (file storage, hosting, a web resource, …) alongside the administrative one. In particular, for a task such as self-learning parsing and information retrieval, file storage and several virtual machines, a computer with Debian and Proxmox VE installed is a good solution.
This will require iptables. Opening a port for each virtual machine is only half the battle. Bridges and routes must be set up, and the server itself must operate as an independent computer that runs Apache, MySQL, PHP and a browser. Proxmox VE must also be configured as a system of virtual machines that are reachable both inside and outside the local network.
This is a practical (working) example for iptables on Debian; how to open a port is shown in many examples. It is not an optimal set of rules, but it really works. Some rules overlap, but comparing them shows how and what to apply in a particular situation.
Note. The positions enp0s31f6, 192.168.100.0, 192.168.100.18 and 192.168.100.1 should be replaced with the real network interface, real network, real server IP address and gateway IP address.
Procedure and rules for working with iptables
If you want to make changes to an existing system, first save all current rules and network settings. Never experiment on a running system. The best option is to do the work on a new server and, once it is finished, swap the machines.
It is better to start from scratch. The -F and -X switches of iptables do not open any port themselves, but they flush the rules and delete user-defined chains, leaving a clean table on which administrative work can be done properly. The ufw firewall is best disabled immediately. Clearing the nat table is worthwhile as well.
Next comes the mandatory opening of ssh access (open port 22 through iptables): the server must be manageable remotely. Allowing pings and checking them is also a must, because the administrator must be sure that the physical (technical) equipment is working properly; if an error then occurs, it will be in the iptables rules. Ports for pop, ftp, http, https and others can be opened with a single rule (multiport) or with separate ones.
It is important to consider that the rules matter not only in terms of content, but also in terms of the order in which they are indicated. In the context of using Proxmox VE, be sure to comply with its requirements (in particular, open port 8006 through iptables).
Ports 80 (8080) and 443 should be given special attention. For example, iptables (open http & https ports) provides web resource traffic. Mail and FTP access are not critical unless they are included in the server's functionality.
iptables rules take effect immediately. The "-A" switch adds a rule, and the "-D" switch removes it. Save the set of generated rules:
iptables-save > /etc/iptables.rules
Restore previously created rule set:
iptables-restore < /etc/iptables.rules
To enable iptables and open the ports at system boot, it is enough to restore the saved rules when the main interface is brought up in the file /etc/network/interfaces.
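The procedure above (flush, ssh, ping, multiport, Proxmox VE port, save and restore at boot) as an added example, not the article's own ruleset: a POSIX shell script that prints the rules as a dry run so they can be reviewed before being applied. The interface and network placeholders come from the article's note; the /24 mask, the LAN-only restriction on port 8006 and the port list are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original article. Builds the ruleset as a
# list of iptables commands (dry run by default) for review before applying.
IFACE="${IFACE:-enp0s31f6}"          # article's placeholder interface
LAN="${LAN:-192.168.100.0/24}"       # article's placeholder network, /24 assumed
SSH_PORT=22
WEB_PORTS="80,443,8080"              # http, https and the alternative http port
PVE_PORT=8006                        # Proxmox VE web interface (LAN only, assumed)

# Print the rules in order: iptables stops at the first matching rule in a
# chain, so the loopback/conntrack/ssh rules must come before the DROP policy bites.
build_rules() {
    cat <<EOF
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -i $IFACE -p tcp -m multiport --dports $WEB_PORTS -j ACCEPT
iptables -A INPUT -i $IFACE -s $LAN -p tcp --dport $PVE_PORT -j ACCEPT
EOF
}

# Sanity check before applying: how many generated rules accept TCP port $1,
# counting both single --dport rules and ports inside a multiport --dports list.
rules_opening_port() {
    build_rules | awk -v p="$1" '
        /--dport /  { for (i = 1; i <= NF; i++) if ($i == "--dport" && $(i+1) == p) n++ }
        /--dports / { for (i = 1; i <= NF; i++) if ($i == "--dports") {
                          split($(i+1), a, ","); for (k in a) if (a[k] == p) n++ } }
        END { print n + 0 }'
}

# Apply the rules (needs root), then save them so the interface stanza
#   pre-up iptables-restore < /etc/iptables.rules
# in /etc/network/interfaces reloads them at boot.
apply_rules() {
    build_rules | sh -e && iptables-save > /etc/iptables.rules
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       build_rules ;;          # default: dry run, only print the commands
esac
```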
iptables rules are not only about the order of work on the server and its security; they are optimization in practice. The rules define the specific range of packets the server will process, specify its functionality and manage its visitors. Through iptables, you can configure the optimal mode of administering and using the machine.