
The Linux Firewall: iptables

iptables is the basic firewall included with all distributions of Linux and is managed with the iptables command.

This is a beginner’s command-line usage guide for iptables. If things here look a bit daunting we highly recommend you check out our guide on installing the CSF plugin for a much simpler firewall management interface.

iptables rules are grouped into chains. A chain is a set of rules used to determine what to do with a network packet, and chains are grouped into tables. iptables has three built-in tables: filter, nat and mangle. Filter is the table used to deny and allow access to the server.


The Filter Table

The Filter table is used to allow and block traffic. It consists of three chains: INPUT, OUTPUT, FORWARD.

  • The INPUT chain is used to filter packets destined for the local system.

  • The OUTPUT chain is used to filter packets created by the local system.

  • The FORWARD chain is used for packets passing through the system. This type of chain is used primarily in gateways and routers.

The general format of an iptables rule entered as a Linux command is:

iptables -A [CHAIN] -p [PROTOCOL] [ADDRESS] -j [ACTION]

CHAIN: INPUT/OUTPUT/FORWARD. Here "-A INPUT" means "append this rule to the INPUT chain".

PROTOCOL: tcp/udp. "-p tcp" means this rule applies only to TCP packets, not UDP.

ADDRESS: the IP address affected by the rule, given with -s for a source address or -d for a destination address.

ACTION: -j DROP/ACCEPT/LOG. What to do with packets matching this rule. Rules in a chain are checked from top to bottom and a packet is handled by the first rule it matches that ACCEPTs or DROPs it (LOG only records the packet and lets it continue down the chain), so the order in which rules are added matters.


Basic Use Examples


The most basic use of iptables is to simply block and allow traffic.

Allowing Traffic - iptables enables you to allow traffic based on a number of different conditions such as Ethernet adapter, IP address, port and protocol.

 

Scenario: Allow incoming TCP traffic on port 22 for adapter eth0

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

 

Scenario: Allow incoming TCP traffic on port 80 (HTTP) for the IP range 192.168.0.1 to 192.168.0.254

iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT

 

Blocking Traffic - iptables can block traffic on the same conditions on which traffic can be allowed.

 

Scenario: Block inbound TCP traffic on port 22

iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP

 

Scenario: Block inbound TCP traffic on port 80 from the IP 192.168.1.100

iptables -A INPUT -s 192.168.1.100 -p tcp -m tcp --dport 80 -j DROP

 

Limiting Traffic - Along with allowing and denying traffic, iptables can be used to limit the number of connections allowed within a time window.

A common use of limiting is to block brute-force SSH attacks. The first rule below adds the source of each new connection to port 22/tcp on interface eth0 to the sshbrute list. The second rule tells iptables to check the sshbrute list and, if that source has made more than 4 new connections in the last 60 seconds, to drop the packet. Note that -I inserts at the top of the chain, so the second command ends up above the first; the pair works in either order.

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP

 

iptables is a very versatile and powerful tool! A few extra examples are below.


Drop all inbound telnet traffic

iptables -I INPUT -p tcp --dport 23 -j DROP


Drop all outbound web traffic

iptables -I OUTPUT -p tcp --dport 80 -j DROP


Drop all outbound traffic to 192.168.0.1

iptables -I OUTPUT -p tcp --dest 192.168.0.1 -j DROP


Allow all inbound web traffic

iptables -I INPUT -p tcp --dport 80 -j ACCEPT


Allow inbound HTTPS traffic from 10.2.2.4

iptables -I INPUT -s 10.2.2.4 -p tcp -m tcp --dport 443 -j ACCEPT


Deny outbound traffic to 192.2.4.0-192.2.4.255

iptables -I OUTPUT -d 192.2.4.0/24 -j DROP


Allow incoming connections to port 21 from one IP address 11.22.33.44

iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source 11.22.33.44 -j ACCEPT


Deny all other incoming connections to port 21

iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP

The "-m state --state NEW --dport 21" part of the two rules above matches only new connections to port 21. Because rules are checked in order, the ACCEPT for 11.22.33.44 must be added before the general DROP; the other way round the DROP would match first and the single address would never get through.


Additional Rule Modifiers


-A - append - Add the rule at the end of the specified chain

 usage:

 iptables -A INPUT …


-D - delete - Allows you to delete a rule from a chain. There are 2 ways of using it: you can either give the number of the rule within the chain, or repeat the rule specification exactly as it was added.

usage:

 iptables -D INPUT 1

 iptables -D INPUT -p tcp --dport 80 -j DROP


-R - replace - Allows you to replace the rule at the given number in the specified chain.

 usage:

 iptables -R INPUT 1 -s 192.168.0.1 -j DROP


-I - insert - Allows you to insert a rule at a specific position in the chain (1 is the top). Without a number the rule goes to the top of the chain.

 usage:

 iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT


-L - list - Display the rules of a chain.

 usage:

  iptables -L

Display all the rules in all chains

  iptables -L INPUT

 Display all the INPUT rules (add --line-numbers to see the rule numbers that -D, -R and -I refer to)


-F - flush - Delete all the rules of a chain.

 usage:

 iptables -F INPUT  

Deletes all rules in the INPUT chain

 iptables -F   

Delete all the rules


-N  - new chain - Allows you to create a new chain

 usage:

 iptables -N LOG_DROP


-X - delete chain - Allows you to delete a user-defined chain (flush it with -F first; it must be empty and no longer referenced by any rule)

 usage:

  iptables -X LOG_DROP

Delete the LOG_DROP chain

  iptables -X 

Deletes all user-defined chains


-P - policy - Allows you to specify, to the kernel, the default policy of a chain (ACCEPT or DROP), that is, what happens to a packet that matches none of the rules in the chain

 usage:

 iptables -P INPUT DROP


Common Options and Switches


-A adds a rule at the end of the chain

-I inserts a rule at the given rule number. If no rule number is specified the rule is inserted at the head of the chain

-p the protocol of the rule

--dport the destination port to check on the rule

-i interface on which a packet was received

-j what to do if the rule matches

-s source IP address of the packet

-d destination IP address of the packet
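A complete baseline built from this guide's rules, added here as an example and not part of the original page: it strings together -F, -X, -N, -P and the SSH limiter in an order that does not lock out the administrator who runs it. It assumes the public interface is eth0 and prints the commands by default (IPT defaults to "echo iptables"); run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example, not from the original guide: a minimal host firewall
# built from the rules shown above. Every call goes through $IPT, which
# defaults to a dry run that only prints the commands; run as root with
# IPT=iptables to apply them. Assumed: the public interface is eth0.
IPT="${IPT:-echo iptables}"   # unquoted on purpose so "echo iptables" splits
IFACE="${IFACE:-eth0}"

build_firewall() {
    # Open the INPUT policy before flushing: with policy DROP and an
    # empty chain, the SSH session running this script would stall.
    $IPT -P INPUT ACCEPT
    $IPT -F
    $IPT -X
    # Loopback, and replies to connections this host started.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # SSH brute-force limiter from the guide: record each new SSH
    # connection per source and drop the 4th one within 60 seconds.
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshbrute --set
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW \
        -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 22 -j ACCEPT
    # Public web services.
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -i "$IFACE" -p tcp --dport 443 -j ACCEPT
    # Everything else: log it (rate limited so an attacker cannot flood
    # the log) and drop it, via a custom chain as in the -N example.
    $IPT -N LOG_DROP
    $IPT -A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "IPT_DROP:"
    $IPT -A LOG_DROP -j DROP
    $IPT -A INPUT -j LOG_DROP
    # Close the default policies only now that the allow rules exist.
    # FORWARD stays closed (this host is not a router); OUTPUT stays open.
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -P INPUT DROP
}

build_firewall
```

Review the printed dry run with the -L and --line-numbers listing in mind before applying it, and keep a second session open the first time you set the INPUT policy to DROP.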