
The Linux Firewall: iptables

iptables is the classic Linux firewall. It is the userspace front end to the kernel's netfilter packet-filtering framework, ships with virtually every Linux distribution, and is managed with the iptables command. (Recent distributions run it on top of nftables through the iptables-nft compatibility layer; the syntax used on this page is the same there.)


This is a beginner's command-line usage guide for iptables. If things here look a bit daunting, we highly recommend our guide on installing the CSF plugin, which gives you a much simpler firewall management interface.


iptables rules are grouped into chains. A chain is an ordered list of rules that determines what to do with a network packet, and chains are grouped into tables. The tables you will use most are filter, nat and mangle (raw and security also exist). filter is the table used to allow and deny access to the server; it is also the default when no -t option is given, so every command on this page operates on it.

A packet is tested against the rules of a chain from top to bottom. The first rule that matches and has a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate and the rest of the chain is skipped; if no rule matches, the chain's default policy applies. Rule order therefore matters, which is why the examples below pay attention to whether a rule is appended to the end of a chain (-A) or inserted at the top (-I).

The Filter Table

The Filter table is used to allow and block traffic. It consists of three chains: INPUT, OUTPUT, FORWARD.

  • The INPUT chain is used to filter packets destined for the local system.

  • The OUTPUT chain is used to filter packets created by the local system.

  • The FORWARD chain is used for packets passing through the system from one interface to another. This chain is used primarily on gateways and routers, and only sees traffic if IP forwarding is enabled in the kernel (net.ipv4.ip_forward=1).

The general format of an iptables rule entered as a Linux command is:


iptables -A [CHAIN] -p [PROTOCOL] [ADDRESS] -j [ACTION]


  • -A [CHAIN], e.g. "-A INPUT", means "append this rule to the end of the INPUT chain".

  • -p [PROTOCOL], e.g. "-p tcp", means the rule applies only to TCP packets, not UDP or ICMP. Port matches such as --dport are only valid after a -p.

  • [ADDRESS] is the IP address (or network in CIDR notation) the rule applies to, given as "-s" for the source or "-d" for the destination. Leave it out to match any address.

  • -j [ACTION] is what to do with packets matching the rule: ACCEPT, DROP (discard silently), REJECT (discard and send an error back to the sender) or LOG (record the packet and carry on to the next rule).

Basic Use Examples

The most basic use of iptables is to simply block and allow traffic.


Allowing Traffic - iptables can allow traffic based on a number of different conditions, such as the network interface, IP address, port and protocol. Several conditions can be combined in one rule, in which case all of them must match.


Scenario: Allow incoming TCP traffic on port 22 (SSH) arriving on interface eth0

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

The explicit "-m tcp" is optional: "-p tcp" loads the tcp match on its own, so "-p tcp --dport 22" is equivalent.

Scenario: Allow incoming TCP traffic on port 80 (HTTP) from a range of source addresses. -s takes a single address or a network in CIDR notation; for an arbitrary first-to-last range use "-m iprange --src-range [FIRST]-[LAST]" instead of -s.

iptables -A INPUT -s [NETWORK/PREFIX] -p tcp -m tcp --dport 80 -j ACCEPT


Block Traffic - iptables can block traffic on the same conditions that traffic can be allowed.


Scenario: Block inbound TCP traffic on port 22

iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP

Because -A appends, this rule only sees packets that no earlier rule in INPUT has already accepted. To make it take precedence over existing rules, insert it at the top with -I instead.

Scenario: Block inbound TCP traffic on port 80 from the IP [ADDRESS]

iptables -A INPUT -s [ADDRESS] -p tcp -m tcp --dport 80 -j DROP


Limit Traffic - Along with allowing and denying traffic, iptables can limit how many new connections a single source may open within a time window.


A common use of limiting is to slow down brute-force SSH attacks with the recent match, which keeps a per-source-address list of recent hits. The first rule below adds the source of every new connection to port 22/tcp on eth0 to the sshbrute list. The second rule checks that list and drops the packet if the same source already has 4 or more hits from the last 60 seconds; --update also refreshes the source's timestamp on every match, so a client that keeps retrying stays blocked until it stops for a full minute. Both commands use -I, so each goes to the top of INPUT: run in this order, the DROP rule ends up above the --set rule, and both sit above any ACCEPT rule for port 22. That placement is essential, because an ACCEPT that matches first ends processing and the limit is never consulted. ("-m state --state NEW" still works, but the current spelling is "-m conntrack --ctstate NEW".) The addresses currently tracked can be inspected in /proc/net/xt_recent/sshbrute.


iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --set

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP


iptables is a very versatile and powerful tool! A few extra examples are below. Most of them use -I, so each rule lands at the top of its chain and is checked before anything already there; use -A instead if you want the rule evaluated last.

Drop all inbound telnet traffic

iptables -I INPUT -p tcp --dport 23 -j DROP

Drop all outbound web (HTTP, port 80) traffic

iptables -I OUTPUT -p tcp --dport 80 -j DROP

Drop all outbound TCP traffic to [ADDRESS]

iptables -I OUTPUT -p tcp -d [ADDRESS] -j DROP

Allow all inbound web traffic

iptables -I INPUT -p tcp --dport 80 -j ACCEPT

Allow inbound HTTPS traffic from [ADDRESS]

iptables -I INPUT -s [ADDRESS] -p tcp -m tcp --dport 443 -j ACCEPT

Deny all outbound traffic, whatever the protocol, to [ADDRESS]

iptables -I OUTPUT -d [ADDRESS] -j DROP

Allow incoming connections to port 21 from one IP address

iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source [ADDRESS] -j ACCEPT

Deny all other incoming connections to port 21

iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP

The two port-21 rules use "-m state --state NEW --dport 21" so that they only match the first packet of a new connection to port 21; later packets of a connection that was already accepted are not re-examined by them. Because the ACCEPT for the trusted address is appended before the DROP, it is checked first. On current kernels the same match is spelled "-m conntrack --ctstate NEW", and if the INPUT policy is DROP you also need a rule accepting ESTABLISHED,RELATED traffic, otherwise the follow-up packets of an allowed connection are dropped.
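The scenarios above, the brute-force limit and the extra examples each show one rule in isolation; on a real server they have to be combined in the right order, especially once the INPUT policy becomes DROP. The script below is an added example written for this page, not part of the original guide: it assembles a default-deny INPUT chain from the rules discussed above. The interface name eth0, the admin network 203.0.113.0/24 (an RFC 5737 documentation range) and the list name sshbrute are placeholders, and it uses "-m conntrack --ctstate" in place of the older "-m state --state". By default it only prints the iptables commands it would run; set APPLY=1 and run it as root to execute them.

```shell
#!/bin/sh
# Added example, not from the original page: the individual rules from the
# guide assembled into one default-deny INPUT ruleset, in an order that works.
# Assumptions (placeholders, adjust to taste): public interface eth0, SSH on
# 22/tcp allowed only from the admin network 203.0.113.0/24 (RFC 5737
# documentation range), HTTP/HTTPS open to everyone.
# Dry run by default: prints the iptables commands. Set APPLY=1 to execute
# them, which requires root.

WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

firewall_rules() {
    # Keep the policy at ACCEPT while the chain is rebuilt: flushing INPUT
    # under a DROP policy would cut off the SSH session running this script.
    ipt -P INPUT ACCEPT
    ipt -F INPUT
    # 1. Loopback: local services (resolvers, databases) talk over lo.
    ipt -A INPUT -i lo -j ACCEPT
    # 2. Replies to connections this host opened, plus related traffic such
    #    as ICMP errors. Without this a DROP policy breaks outbound connections
    #    (package updates, DNS, ...) even though OUTPUT is wide open.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Packets conntrack cannot associate with any connection.
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 4. SSH brute-force limit. Both rules must sit ABOVE the port-22 ACCEPT:
    #    a matching ACCEPT ends evaluation, so a limit placed after it never
    #    fires. With --set before --update, the 4th new connection from one
    #    source within 60 s is dropped (the list then holds 3 earlier hits
    #    plus this one), and every further attempt refreshes the block.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name sshbrute --set
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
    # 5. Services: SSH from the admin network only, web from anywhere.
    ipt -A INPUT -i "$WAN_IF" -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
    # 6. Log what is about to be dropped, rate-limited so a flood cannot fill
    #    the disk, then switch the policy to DROP as the very last step.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
    ipt -P INPUT DROP
}

# Number of rules a run appends to INPUT (handy as a sanity check).
rule_count() {
    ( APPLY=0; firewall_rules ) | grep -c '^iptables -A INPUT'
}

firewall_rules
```

The order is the whole point: loopback and ESTABLISHED,RELATED first so nothing legitimate is cut off, the recent-match pair before the port-22 ACCEPT so the limit is actually consulted, the LOG rule last so it only ever sees traffic the policy is about to drop, and the policy change itself after every ACCEPT is in place. Run it as a dry run, read the output, and after applying compare it with the listing from "iptables -L INPUT -n -v --line-numbers".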

Additional Rule Modifiers

-A - append - Add the rule at the end of the specified chain.


 iptables -A INPUT …

-D - delete - Delete a rule from a chain (not the chain itself). There are two ways of using it: give the rule's number within the chain (as shown by "iptables -L --line-numbers") or repeat the rule's full specification. Deleting by number renumbers every rule below it, so when removing several rules work from the highest number down.


 iptables -D INPUT 1

 iptables -D INPUT -p tcp --dport 80 -j DROP

-R - replace - Replace the rule at the given position in the chain with a new one.


 iptables -R INPUT 1 -s [ADDRESS] -j DROP

-I - insert - Insert a rule at a given position in the chain (1 is the top and is assumed when no number is given). The rule currently at that position and everything below it move down one place.


 iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

-L - list - Display the rules of a chain.


  iptables -L

Display all the rules in all chains of the filter table (add -t nat or -t mangle to see another table)

  iptables -L INPUT

 Display all the INPUT rules. Add -n to skip reverse DNS lookups (much faster, and the rule matches addresses, not names), -v to see the interfaces and the per-rule packet and byte counters, and --line-numbers to get the numbers that -D, -R and -I work with.

-F - flush - Delete all the rules of a chain. The chain's policy is not changed.


 iptables -F INPUT  

Deletes all rules in the INPUT chain. If the INPUT policy is DROP, this leaves nothing but the policy, so every packet including your SSH session is dropped: set the policy back to ACCEPT first (see -P below) or run it from the console.

 iptables -F   

Delete all the rules in every chain of the filter table

-N  - new chain - Create a new user-defined chain, which other rules can then jump to with -j (useful for grouping related rules, e.g. log and then drop)


 iptables -N LOG_DROP

-X - delete chain - Delete a user-defined chain. The chain must be empty (flush it with -F first) and no rule may still jump to it; the built-in chains cannot be deleted.


  iptables -X LOG_DROP

Delete the LOG_DROP chain

  iptables -X 

Deletes every empty user-defined chain

-P - policy - Set the default policy of a built-in chain, i.e. what happens to a packet that no rule matched. Only ACCEPT or DROP is valid here; REJECT is not accepted as a policy, so to reject unmatched traffic append a final rule with "-j REJECT" instead.


 iptables -P INPUT DROP

Before switching INPUT to DROP, make sure rules accepting loopback, ESTABLISHED/RELATED traffic and your own SSH access are already in the chain, otherwise this command locks you out of the server.
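Two things the modifiers above need in practice: deleting by rule number renumbers the rules below the deleted one, and a wrong -P or -F over SSH can lock you out. The script below is an added example (not from the original page) showing both. It turns an "iptables -L INPUT -n --line-numbers" listing into -D commands in the safe, descending order, and it wraps iptables-restore in a timed rollback built on iptables-save. SAMPLE_LISTING is a constructed listing using RFC 5737 documentation addresses so the first part runs without root; the rollback function needs root and a real iptables and is not exercised by the dry run.

```shell
#!/bin/sh
# Added example, not from the original page: (a) delete rules by number in
# the order that keeps the numbers valid, (b) load a new ruleset over SSH
# with an automatic rollback. Assumes the listing format produced by
# "iptables -L CHAIN -n --line-numbers". SAMPLE_LISTING is constructed for
# the dry run and uses RFC 5737 documentation addresses.

SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    DROP       tcp  --  198.51.100.7         0.0.0.0/0            tcp dpt:80
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
4    DROP       tcp  --  198.51.100.7         0.0.0.0/0            tcp dpt:443'

# Print the numbers of the rules whose listing line contains the fixed
# string $1. Reads a "-L CHAIN -n --line-numbers" listing on stdin; the
# header lines are skipped because their first field is not a number.
rule_numbers_for() {
    awk -v pat="$1" 'index($0, pat) && $1 ~ /^[0-9]+$/ { print $1 }'
}

# Emit the -D commands that remove every rule matching $2 from chain $1,
# highest number first: deleting rule 2 turns rule 4 into rule 3, so going
# upwards would delete the wrong rule on the second step.
delete_commands() {
    chain=$1
    rule_numbers_for "$2" | sort -rn | while read -r n; do
        echo "iptables -D $chain $n"
    done
}

# Load a ruleset file in iptables-save format with an automatic rollback.
# A background watchdog restores the previous rules after ROLLBACK_SECS
# (default 120); once you have confirmed that you can still log in, kill it
# to keep the change. Needs root and a real iptables; not run in the dry run.
safe_apply() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup"
    ( sleep "${ROLLBACK_SECS:-120}" && iptables-restore < "$backup" ) &
    watchdog=$!
    iptables-restore < "$1"
    echo "new rules loaded; if SSH still works, run: kill $watchdog"
}

# Dry run: which commands remove the two rules for 198.51.100.7?
# Prints "iptables -D INPUT 4" followed by "iptables -D INPUT 2".
printf '%s\n' "$SAMPLE_LISTING" | delete_commands INPUT 198.51.100.7
```

Rules loaded with iptables live only in the running kernel and are gone after a reboot. Once a ruleset is confirmed working, persist it with iptables-save: on Debian and Ubuntu the iptables-persistent package reloads /etc/iptables/rules.v4 at boot, and on RHEL-family systems the iptables-services package reads /etc/sysconfig/iptables. Either way the file is in the format iptables-restore expects, so the same file also serves as the backup for safe_apply.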

Common Options and Switches

-A adds a rule at the end of the chain

-I inserts a rule at the given rule number. If no rule number is specified the rule is inserted at the head of the chain

-p the protocol of the rule

--dport the destination port to check on the rule

-i the interface a packet was received on; only meaningful for packets entering the system (INPUT and FORWARD). Its counterpart -o is the interface a packet leaves through (OUTPUT and FORWARD)

-j what to do if the rule matches

-s source IP address of the packet

-d destination IP address of the packet