
Iptables

The iptables command is the management interface to the Linux kernel's packet filter (netfilter). If you want to allow or block network traffic to or from your Linux box, iptables is the way to do so.

Rules

There are three built-in chains in the default filter table: INPUT, OUTPUT and FORWARD. Every rule is attached to one of these chains, and their names are pretty straightforward.

INPUT describes traffic coming into your machine. OUTPUT describes traffic leaving your machine. FORWARD describes traffic that passes through your machine on its way between two networks, i.e. when the box acts as a router or gateway.

Command Line Interface

List all your iptables rules

```sh
$> iptables -L --line-numbers

Chain INPUT (policy ACCEPT)
num target    prot opt source           destination
1   ACCEPT    tcp  --  192.168.1.0/24   anywhere         tcp dpt:ssh
2   DROP      all  --  anywhere         anywhere

Chain FORWARD (policy ACCEPT)
num target    prot opt source           destination

Chain OUTPUT (policy ACCEPT)
num target    prot opt source           destination
```

#### Export and import rules to/from a file

```sh
# Export
$> iptables-save > ~/iptables.txt

# Import
$> iptables-restore < ~/iptables.txt
```
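A file written by iptables-save is also a useful baseline: comparing it against the live rules later shows whether anything changed behind your back. The script below is an added example, not from the original page; it strips the timestamp comments and packet counters that legitimately differ between two iptables-save runs and diffs what is left. The two rulesets are constructed samples, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): detect drift between the ruleset
# you saved with iptables-save and the rules that are live in the kernel now.
# Real-host use:  iptables-save > /tmp/live.txt; rules_differ ~/iptables.txt /tmp/live.txt
set -eu

# normalize FILE: drop what legitimately changes between two iptables-save runs
# ("# Generated by ..." timestamps and the [packets:bytes] chain counters) so
# that only real rule changes survive into the comparison.
normalize() {
    grep -v '^#' "$1" | sed 's/ \[[0-9]*:[0-9]*\]$//'
}

# rules_differ SAVED LIVE: returns 0 (true) when the rules differ, 1 when they
# are the same; the unified diff of the differences is printed to stdout.
rules_differ() {
    a=$(mktemp) && b=$(mktemp)
    normalize "$1" > "$a"
    normalize "$2" > "$b"
    if diff -u "$a" "$b"; then rc=1; else rc=0; fi
    rm -f "$a" "$b"
    return "$rc"
}

# Constructed samples (not from a real host). In the live copy the -s restriction
# is gone, so SSH is reachable from anywhere: the kind of change to catch.
write_saved_sample() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.8.7 on Mon Jan  1 10:00:00 2024
*filter
:INPUT ACCEPT [10:640]
:OUTPUT ACCEPT [12:800]
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}
write_live_sample() {
    cat > "$1" <<'EOF'
# Generated by iptables-save v1.8.7 on Tue Jan  2 09:30:00 2024
*filter
:INPUT ACCEPT [99:9999]
:OUTPUT ACCEPT [120:8000]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}
saved=$(mktemp) && live=$(mktemp)
write_saved_sample "$saved"; write_live_sample "$live"
if rules_differ "$saved" "$live"; then echo "ruleset drifted from saved baseline"; fi
```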

Commonly used Commands and Parameters

Commands

  • -A, --append chain rule-specification: Append one or more rules to the end of the selected chain.

  • -I, --insert chain [rulenum] rule-specification: Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

  • -D, --delete chain rule-specification | rulenum: Delete one or more rules from the selected chain. There are two versions of this command: the rule can be specified as a number in the chain (starting at 1 for the first rule) or a rule to match.

  • -R, --replace chain rulenum rule-specification: Replace a rule in the selected chain. If the source and/or destination names resolve to multiple addresses, the command will fail. Rules are numbered starting at 1.

  • -L, --list [chain]: List all rules in the selected chain. If no chain is selected, all chains are listed. As every other iptables command, it applies to the specified table (filter is the default), so NAT rules get listed by `iptables -t nat -n -L`. Please note that it is often used with the -n option, in order to avoid long reverse DNS lookups. It is legal to specify the -Z (zero) option as well, in which case the chain(s) will be atomically listed and zeroed. The exact output is affected by the other arguments given. The exact rules are suppressed until you use `iptables -L -v`.

Parameters

  • -p, --protocol [!] protocol: The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all, or it can be a numeric value, representing one of these protocols or a different one. A protocol name from /etc/protocols is also allowed. A "!" argument before the protocol inverts the test. The number zero is equivalent to all. Protocol all will match with all protocols and is taken as default when this option is omitted.

  • -s, --source [!] address[/mask]: Source specification. Address can be either a network name, a hostname (please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea), a network IP address (with /mask), or a plain IP address. The mask can be either a network mask or a plain number, specifying the number of 1's at the left side of the network mask. Thus, a mask of 24 is equivalent to 255.255.255.0. A "!" argument before the address specification inverts the sense of the address. The flag --src is an alias for this option.

  • -d, --destination [!] address[/mask]: Destination specification. See the description of the -s (source) flag for a detailed description of the syntax. The flag --dst is an alias for this option.

  • -j, --jump target: This specifies the target of the rule; i.e., what to do if the packet matches it. The target can be a user-defined chain (other than the one this rule is in), one of the special builtin targets which decide the fate of the packet immediately, or an extension (see the EXTENSIONS section of the iptables man page). If this option is omitted in a rule (and -g is not used), then matching the rule will have no effect on the packet's fate, but the counters on the rule will be incremented.

  • --line-numbers: When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.

Common iptables operations

Deny All

This entry goes at the very bottom of the iptables rules list. As you can guess, this rule will deny all traffic if the traffic wasn't allowed by a previous rule.

```sh
# Deny all inbound traffic
$> sudo iptables -A INPUT -j DROP

# Deny all outbound traffic
$> sudo iptables -A OUTPUT -j DROP
```

Allow SSH from every system on 192.168.1.0/24

```sh
$> sudo iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
```

Deleting an entry

```sh
# Delete the second rule in the INPUT chain.
$> sudo iptables -D INPUT 2
```

Saving entries

If you want your iptables changes to survive a reboot then you need to save them.

```sh
# Save iptables rules for Redhat/CentOS distributions
$> sudo iptables-save > /etc/sysconfig/iptables
```

*For Ubuntu see the following resource: IptablesHowTo - Community Help Wiki (ubuntu.com)
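Putting the operations above together: the order in which rules end up in a chain decides what gets through, and the two catch-all DROPs only work as intended when everything you want to allow sits above them. The script below is an added example, not from the original page; it prints the whole filter table in iptables-save format so it can be loaded in one atomic step with iptables-restore, with a conntrack rule added so that the OUTPUT DROP does not cut off the very SSH session you are working from. The LAN CIDR, the SSH port and the file name `lan_ssh_rules.sh` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): print a complete filter table in
# iptables-save format that implements "allow SSH from the LAN, deny all else"
# in an order that will not lock out the session you are typing in.
# Load it atomically (assumed filename):  sh lan_ssh_rules.sh 192.168.1.0/24 | sudo iptables-restore
set -eu

# build_ruleset LAN_CIDR [SSH_PORT]
# Rules are evaluated top to bottom, so the catch-all DROPs from the page go
# last, and replies to already-accepted connections are allowed first;
# without that conntrack rule the "-A OUTPUT -j DROP" would cut off SSH.
build_ruleset() {
    lan="$1"
    port="${2:-22}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: local services talk to 127.0.0.1
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets of connections that were already accepted (SSH replies etc.)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# allow SSH from every system on the LAN (the page's rule)
-A INPUT -s $lan -p tcp --dport $port -j ACCEPT
# deny all: must stay the last rule of each chain
-A INPUT -j DROP
-A OUTPUT -j DROP
COMMIT
EOF
}

# drop_is_last RULESET: true when the final INPUT rule is the catch-all DROP,
# i.e. nobody has appended (-A) an ACCEPT below it that could never match.
drop_is_last() {
    printf '%s\n' "$1" | grep '^-A INPUT' | tail -n 1 | grep -q -- '-j DROP$'
}

ruleset=$(build_ruleset "${1:-192.168.1.0/24}" "${2:-22}")
drop_is_last "$ruleset"
printf '%s\n' "$ruleset"
```

Once loaded and verified with `iptables -L -v --line-numbers`, persist the same text with iptables-save as shown above.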