
Iptables

About

iptables is the userspace command line program used to configure the Linux 2.4.x and later packet filtering ruleset. It is targeted towards system administrators.

Since Network Address Translation is also configured from the packet filter ruleset, iptables is used for this, too.

The iptables package also includes ip6tables. ip6tables is used for configuring the IPv6 packet filter.

Installation

iptables almost always comes pre-installed on any Linux distribution. To update/install it, just retrieve the iptables package:

# Debian & Ubuntu
apt install -y iptables

# CentOS / Fedora / RHEL
yum install -y iptables
dnf install -y iptables

# Arch / Manjaro
pacman -Sy iptables

Start/Stop/Restart Iptables Firewall

Systemd

------------ On CentOS/RHEL 7 and Fedora 22+ ------------
systemctl start iptables
systemctl stop iptables
systemctl restart iptables

Sysvinit

------------ On CentOS/RHEL 6/5 and Fedora ------------
/etc/init.d/iptables start
/etc/init.d/iptables stop
/etc/init.d/iptables restart

Basic options

Usage: iptables -[ACD] chain rule-specification [options]
       iptables -I chain [rulenum] rule-specification [options]
       iptables -R chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LS] [chain [rulenum]] [options]
       iptables -[FZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain Append to chain
  --check   -C chain Check for the existence of a rule
  --delete  -D chain Delete matching rule from chain
  --delete  -D chain rulenum  Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum] Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum  Replace rule rulenum (1 = first) in chain
  --list    -L [chain [rulenum]] List the rules in a chain or all chains
  --list-rules -S [chain [rulenum]] Print the rules in a chain or all chains
  --flush   -F [chain] Delete all rules in  chain or all chains
  --zero    -Z [chain [rulenum]]  Zero counters in chain or all chains
  --new     -N chain  Create a new user-defined chain
  --delete-chain -X [chain]  Delete a user-defined chain
  --policy  -P chain target  Change policy on chain to target
  --rename-chain -E old-chain new-chain  Change chain name, (moving any references)
Options:
    --ipv4 -4 Nothing (line is ignored by ip6tables-restore)
    --ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto     protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...] source specification
[!] --destination -d address[/mask][...]    destination specification
[!] --in-interface -i input name[+] network interface name ([+] for wildcard)
 --jump -j target   target for rule (may load target extension)
  --goto      -g chain  jump to chain with no return
  --match -m    match extended match (may load extension)
  --numeric -n  numeric output of addresses and ports
[!] --out-interface -o output name[+] network interface name ([+] for wildcard)
  --table -t    table table to manipulate (default: `filter')
  --verbose -v  verbose mode
  --wait -w [seconds]   maximum wait to acquire xtables lock before give up
  --wait-interval -W [usecs]    wait time to try to acquire xtables lock ,default is 1 second
  --line-numbers    print line numbers when listing
  --exact -x    expand numbers (display exact values)
[!] --fragment -f   match second or further fragments only
  --modprobe=<command>      try to insert modules using this command
  --set-counters PKTS BYTES     set the counter during insert/append
[!] --version -V    print package version.

Example of uses

Check all IPtables Firewall Rules

iptables -L -n -v

iptables -t nat -L -v -n

Block Specific IP Address in IPtables Firewall

iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP

Unblock IP Address in IPtables Firewall

iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

Block Specific Port on IPtables Firewall

iptables -A OUTPUT -p tcp --dport xxx -j DROP

iptables -A INPUT -p tcp --dport xxx -j ACCEPT

Allow Multiple Ports on IPtables using Multiport

iptables -A INPUT  -p tcp -m multiport --dports 22,80,443 -j ACCEPT

iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT

Allow Specific Network Range on Particular Port on IPtables

iptables -A OUTPUT -p tcp -d 192.168.100.0/24 --dport 22 -j ACCEPT

Setup Port Forwarding in IPtables

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-ports 2525

Block Network Flood on Apache Port with IPtables

iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT

This rule only accepts packets within the limit; anything above it falls through to the following rules or the chain's default policy, so place a DROP rule for port 80 directly after it (or set the INPUT policy to DROP) for the flood to actually be blocked.

Block Incoming Ping Requests on IPtables

iptables -A INPUT -p icmp -i eth0 -j DROP

Allow loopback Access

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

Keep a Log of Dropped Network Packets on IPtables

iptables -A INPUT -i eth0 -j LOG --log-prefix "IPtables dropped packets:"

LOG is a non-terminating target: the rule above logs every packet arriving on eth0 and then continues down the chain. To log only what is dropped, put it immediately before the DROP rule (or at the end of the chain with a DROP policy), and consider adding -m limit to it so an attacker cannot flood the log.

grep "IPtables dropped packets:" /var/log/messages

On Debian-based systems the kernel log lives in /var/log/kern.log instead; on systemd hosts journalctl -k shows the same messages.

Block Access to Specific MAC Address on IPtables

iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP

Limit the Number of Concurrent Connections per IP Address

iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Search within IPtables Rule

iptables -L $table -v -n | grep $string

iptables -L INPUT -v -n | grep 192.168.0.100

Define New IPTables Chain

iptables -N custom-filter

Flush IPtables Firewall Chains or Rules

iptables -F

iptables -t nat -F

Setup IPtables Rules for PCI Compliance

iptables -I INPUT -d SITE -p tcp -m multiport --dports 21,25,110,143,465,587,993,995 -j DROP

If you use cPanel or a similar control panel, you may need to block its ports as well. Here is an example:

iptables -I in_sg -d DEDI_IP -p tcp -m multiport --dports  2082,2083,2095,2096,2525,2086,2087 -j DROP

Note

To make sure you meet your PCI vendor’s requirements, check their report carefully and apply the required rules. In some cases you may need to block UDP traffic on certain ports as well.

Allow Established and Related Connections

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

For outgoing traffic use:

iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

Drop Invalid Packets in IPtables

iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Block Connection on Network Interface

iptables -A INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP

Disable Outgoing Mails through IPTables

iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT

Save and restore your rules

Save IPtables Rules to a File

iptables-save > ~/iptables.rules

Restore IPtables Rules from a File

iptables-restore < ~/iptables.rules
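The individual rules above only work as a firewall when they are evaluated in the right order, and iptables-restore is the natural way to load them as one unit. The script below is an added example, not part of the original page: it assembles the page's loopback, conntrack, connlimit, rate-limit, multiport and LOG rules into a default-deny INPUT ruleset in iptables-restore format. The interface name, the allowed port list and the 5/minute cap on the LOG rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): print a minimal default-deny
# IPv4 ruleset in iptables-restore format, built from the rules shown on
# this page in the order in which they must be evaluated.
# Review:  gen_ruleset eth0 "22,80,443" | sudo iptables-restore --test
# Apply:   gen_ruleset eth0 "22,80,443" | sudo iptables-restore

gen_ruleset() {
    ifc="${1:-eth0}"         # external interface (assumption)
    ports="${2:-22,80,443}"  # TCP services to expose (assumption)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback first, so local services keep working
-A INPUT -i lo -j ACCEPT
# 2. replies to connections this host initiated
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. malformed or out-of-state packets
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 4. cap concurrent new SSH connections per source address
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# 5. rate-limit the web port, then DROP what exceeds the limit
-A INPUT -i $ifc -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
-A INPUT -i $ifc -p tcp --dport 80 -j DROP
# 6. remaining published services
-A INPUT -i $ifc -p tcp -m multiport --dports $ports -j ACCEPT
# 7. log (non-terminating, rate-limited) before the DROP policy applies
-A INPUT -i $ifc -m limit --limit 5/minute -j LOG --log-prefix "IPtables dropped packets:"
COMMIT
EOF
}

# Number of INPUT rules in the generated ruleset (used for checks).
count_input_rules() { gen_ruleset "$@" | grep -c '^-A INPUT'; }

# The LOG rule must be the last INPUT rule; returns 0 when it is.
log_is_last() { gen_ruleset "$@" | grep '^-A INPUT' | tail -n 1 | grep -q -- '-j LOG'; }
```

iptables-restore ignores lines beginning with `#`, so the comments can stay in the saved file.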