The Linux Firewall: iptables
ipTables is the basic firewall included with all distributions of Linux and is managed with the iptables command.
This is a beginner’s command-line usage guide for iptables. If things here look a bit daunting we highly recommend you check out our guide on installing the CSF plugin for a much simpler firewall management interface.
ipTables rules are grouped into chains. A chain is a set of rules used to determine what to do with a network packet, and these chains are grouped into tables. ipTables has three built-in tables: filter, NAT and mangle. Filter is the table used to deny and allow access to the server.
The Filter Table
The Filter table is used to allow and block traffic. It consists of three chains: INPUT, OUTPUT, FORWARD.
The INPUT chain is used to filter packets destined for the local system.
The OUTPUT chain is used to filter packets created by the local system.
The FORWARD chain is used for packets passing through the system. This type of chain is used primarily in gateways and routers.
The general format of an iptables rule entered as a Linux command is:
iptables -A [CHAIN] -p [PROTOCOL] [ADDRESS] -j [ACTION]
CHAIN: the chain the rule is added to. "-A INPUT" means "append this rule to the INPUT chain".
PROTOCOL: the protocol the rule applies to. "-p tcp" means this rule applies only to TCP packets, not UDP.
ADDRESS: the IP address affected by the rule (-s for the source address, -d for the destination address).
ACTION: what to do with packets matching this rule, for example -j DROP, -j ACCEPT or -j LOG.
Basic Use Examples
The most basic use of ipTables is to simply block and allow traffic.
Allowing Traffic - ipTables enables you to allow traffic based on a number of different conditions such as Ethernet adapter, IP Address, port and protocol.
Scenario: Allow incoming TCP traffic on port 22 for adapter eth0
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
Scenario: Allow incoming TCP traffic on port 80 (HTTP) for the IP range 192.168.0.1 to 192.168.0.254
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
Block Traffic - ipTables can block traffic on the same conditions that traffic can be allowed.
Scenario: Block inbound TCP traffic on port 22
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
Scenario: Block inbound TCP traffic on port 80 from the IP 192.168.1.100
iptables -A INPUT -s 192.168.1.100 -p tcp -m tcp --dport 80 -j DROP
Limit Traffic - Along with allowing and denying traffic, ipTables can be used to limit the number of connections allowed over time thresholds.
A common use of limiting is to block brute force SSH attacks. The first rule below adds the source address of each new connection to port 22/tcp on interface eth0 to the sshbrute list. The second rule tells ipTables to check the sshbrute list and, if there are over 4 new connections from that address in the last minute, to drop the packet. Because both rules are inserted with -I (at the head of the chain), the second command ends up first in the chain, so the check runs before the address is added to the list.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
ipTables is a very versatile and powerful tool! A few extra examples are below.
Drop all inbound telnet traffic
iptables -I INPUT -p tcp --dport 23 -j DROP
Drop all outbound web traffic
iptables -I OUTPUT -p tcp --dport 80 -j DROP
Drop all outbound traffic to 192.168.0.1
iptables -I OUTPUT -d 192.168.0.1 -j DROP
Allow all inbound web traffic
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Allow inbound HTTPS traffic from 10.2.2.4
iptables -I INPUT -s 10.2.2.4 -p tcp -m tcp --dport 443 -j ACCEPT
Deny outbound traffic to 192.168.0.1-192.168.0.254
iptables -I OUTPUT -d 192.168.0.0/24 -j DROP
Allow incoming connections to port 21 from one IP address 22.214.171.124
iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source 22.214.171.124 -j ACCEPT
Deny all other incoming connections to port 21
iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP
We used the "-m state --state NEW --dport 21" rules above to match against new connections to port 21.
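The individual rules above only behave as intended when they sit in the right order in the chain: loopback and established traffic before any DROP, the brute-force check before the rule that adds an address to the list, and the default-deny policy set last so the session running the script is not cut off. The script below is an added example (not from the original guide) that assembles the page's allow, block and limit rules into one baseline INPUT chain; the ESTABLISHED,RELATED state match, the LOG target and the limit match are standard iptables features not shown on the page, and IPT, SSH_IF and WEB_NET are assumed variable names (eth0 and 192.168.0.0/24 follow the page's own examples).

```shell
#!/bin/sh
# Added example (not from the original guide): a baseline INPUT chain built from the
# allow, block and limit rules above, ordered so the admin is not locked out.
# Run as root: "sh baseline.sh apply". Dry run: "IPT=echo sh baseline.sh apply".
# IPT, SSH_IF and WEB_NET are assumed names; eth0 and 192.168.0.0/24 follow the page.
IPT="${IPT:-iptables}"
SSH_IF="${SSH_IF:-eth0}"
WEB_NET="${WEB_NET:-192.168.0.0/24}"

build_input_chain() {
    # Keep the policy at ACCEPT while the chain is rebuilt, so flushing it does not
    # cut off the session running this script; the policy is switched to DROP last.
    "$IPT" -P INPUT ACCEPT
    "$IPT" -F INPUT

    # Loopback and replies to connections the host itself opened are accepted first;
    # they match most packets and must never reach the DROP rules below.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # SSH with the brute-force limiter: the --update/DROP check sits before the --set
    # rule (the page gets the same order by inserting both with -I), and only then is
    # the port opened.
    "$IPT" -A INPUT -i "$SSH_IF" -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
    "$IPT" -A INPUT -i "$SSH_IF" -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshbrute --set
    "$IPT" -A INPUT -i "$SSH_IF" -p tcp --dport 22 -j ACCEPT

    # HTTP only from the trusted range, HTTPS from anywhere.
    "$IPT" -A INPUT -s "$WEB_NET" -p tcp --dport 80 -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 443 -j ACCEPT

    # Log a sample of whatever falls through (LOG does not stop the packet), then make
    # DROP the default for everything not explicitly allowed above.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
    "$IPT" -P INPUT DROP
}

if [ "${1:-}" = "apply" ]; then
    build_input_chain
fi
```

Run it once with IPT=echo and read the printed commands top to bottom before applying it for real; the order you see is the order in which packets are matched, and the first matching rule wins.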
Additional Rule Modifiers
-A - append - Add the rule at the end of the specified chain
iptables -A INPUT …
-D - delete - Deletes a rule from a chain. There are 2 ways of using it: you can either specify the number of the rule to delete or specify the rule itself.
iptables -D INPUT 1
iptables -D INPUT -p tcp --dport 80 -j DROP
-R - replace - Replaces the rule at the given position in a chain.
iptables -R INPUT 1 -s 192.168.0.1 -j DROP
-I - insert - Inserts a rule at a specific position in a chain (position 1 is the head of the chain).
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
-L - list - Display the rules of a chain.
iptables -L
Display all the rules in all chains
iptables -L INPUT
Display all the INPUT rules
-F - flush - Delete all the rules of a chain.
iptables -F INPUT
Deletes all rules in the INPUT chain
iptables -F
Deletes all the rules in all chains
-N - new chain - Allows you to create a new chain
iptables -N LOG_DROP
-X - delete chain - Allows you to delete a user-defined chain (the chain must be empty and not referenced by any rule)
iptables -X LOG_DROP
Delete the LOG_DROP chain
iptables -X
Deletes all user-defined chains
-P - policy - Allows you to specify, to the kernel, the default policy of a chain (ACCEPT, REJECT, DROP)
iptables -P INPUT DROP
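A practical problem with -A is that running the same script twice appends every rule twice, and -D removes only one copy per call. The helpers below are an added example (not from the original guide) built on "iptables -C" (check), a real iptables option not covered on the page that exits 0 when an identical rule already exists in the chain. IPT is an assumed variable naming the iptables binary; the usage lines at the bottom reuse the port-21 scenario from above.

```shell
#!/bin/sh
# Added example (not from the original guide): idempotent rule management with
# "iptables -C" (check). Re-running a script that only uses -A appends duplicate
# rules; these helpers avoid that. IPT is an assumed variable naming the binary.
IPT="${IPT:-iptables}"

# ensure_rule CHAIN RULE-SPEC...
# Appends the rule only if it is not already present.
# Exit status: 0 if the rule was added, 1 if it was already there (no change made).
ensure_rule() {
    chain=$1
    shift
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        return 1
    fi
    "$IPT" -A "$chain" "$@"
}

# remove_rule CHAIN RULE-SPEC...
# Deletes every copy of the rule: -D removes only one instance per call, so loop
# until -C no longer finds it. Prints the number of copies removed.
remove_rule() {
    chain=$1
    shift
    removed=0
    while "$IPT" -C "$chain" "$@" 2>/dev/null; do
        "$IPT" -D "$chain" "$@"
        removed=$((removed + 1))
    done
    echo "$removed"
}

# Usage (runs only when invoked with "apply"): the port-21 scenario from above,
# safe to re-run because an existing rule is left alone instead of duplicated.
if [ "${1:-}" = "apply" ]; then
    ensure_rule INPUT -p tcp -m state --state NEW --dport 21 -s 22.214.171.124 -j ACCEPT || true
    ensure_rule INPUT -p tcp -m state --state NEW --dport 21 -j DROP || true
fi
```

Note that -C compares the full rule specification, so the match and target options must be given exactly as they were when the rule was added; "iptables -S CHAIN" prints existing rules in that same specification form, which is handy for building the arguments.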
Common Options and Switches
-A adds a rule at the end of the chain
-I inserts a rule at the given rule number. If no rule number is specified the rule is inserted at the head of the chain
-p the protocol of the rule
--dport the destination port to check on the rule
-i interface on which a packet was received
-j what to do if the rule matches
-s source IP address of the packet
-d destination IP address of the packet