Iptables is a powerful and advanced tool that allows system administrators to configure and manage the Linux kernel firewall. It helps to secure your server by filtering incoming and outgoing traffic based on IP address, port number, protocol, and more.
By the end of this article, you will be able to create your own iptables rules and apply them to a server.
Iptables uses tables, chains, and rules to filter packets using Netfilter modules.
- A chain is a sequence of rules applied to packets in a certain order.
- A table is a collection of chains related to a specific function, such as filtering or network address translation (NAT).
- A rule is a statement that matches packets based on some criteria and performs an action.
- An action can either be a target, which decides the fate of the packet, or a jump, which sends the packet to another chain.
There are four default tables in iptables:
- Filter: This is the default table and the most commonly used one. It has three built-in chains: INPUT (incoming packets), OUTPUT (outgoing packets), and FORWARD (for packets that are routed through the server).
- NAT: This table is used for network address translation, which modifies the source or destination IP address or port of packets. It has three built-in chains: PREROUTING (for altering packets before routing), POSTROUTING (for altering packets after routing), and OUTPUT (for altering locally generated packets).
- Mangle: This table is used for modifying packet headers, such as changing the TTL (time to live) or TOS (type of service) fields. It has five built-in chains: PREROUTING, OUTPUT, INPUT, FORWARD, and POSTROUTING.
- Raw: This table is used for bypassing connection tracking, which keeps track of the state of network connections. It has two built-in chains: PREROUTING and OUTPUT.
You need to have root privileges or use sudo to use Iptables commands. The basic syntax of iptables commands is as follows:
sudo iptables [option] [chain] [criteria] [action]
Here are some common options that you can use with iptables commands:
- -A or --append: Appends a rule to the end of a chain.
- -D or --delete: Deletes a rule from a chain. You can specify the rule by its number or by its criteria.
- -I or --insert: Inserts a rule at a specific position in a chain.
- -L or --list: Lists all the rules in a chain or all chains in a table.
- -F or --flush: Flushes (deletes) all the rules in a chain or all chains in a table.
- -P or --policy: Sets the default policy for a chain, which is applied to packets that do not match any rule. The default policy can be either ACCEPT (allow), DROP (discard), or REJECT (reject and send an error).
- -N or --new-chain: Creates a new custom chain.
- -X or --delete-chain: Deletes a custom chain.
- -t or --table: Specifies which table to use. If not specified, the filter table is used by default.
You can also specify various criteria to match packets based on their properties, such as:
- -p or --protocol: Based on protocol, such as tcp, udp, icmp, etc.
- -s or --source: Based on source IP address or network.
- -d or --destination: Based on destination IP address or network.
- --sport or --source-port: Based on source port number or range (used together with -p tcp or -p udp).
- --dport or --destination-port: Based on destination port number or range (used together with -p tcp or -p udp).
- -i or --in-interface: Based on the input network interface.
- -o or --out-interface: Based on the output network interface.
- -m or --match: Based on additional criteria, such as connection state, packet length, etc.
You can also specify an action to perform on the matched packets, such as:
- -j or --jump: Specifies the target or the jump for the packet. A target can be one of the built-in targets, such as ACCEPT, DROP, REJECT, or LOG, or a custom chain. A jump can be another chain in the same table or a different table.
- -g or --goto: Similar to the jump option, but it does not return to the original chain after executing the target or the jump.
- -r or --return: Returns to the previous chain from where the packet came.
Firewall Rules and Examples
Let’s take a look at some common firewall rules and examples that can be used on a server.
Allow SSH Connections
You can use the following command to append a rule to the INPUT chain that allows incoming TCP packets on port 22:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
If you are using a custom port for SSH, you need to replace 22 with your port number.
Allow HTTP and HTTPS Connections
You can use the following commands to append rules to the INPUT chain that allow incoming TCP packets on port 80 and port 443:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Allow Ping Requests
Ping is a tool that allows you to test the connectivity and latency between two hosts. You can use the following command to append a rule to the INPUT chain that allows incoming ICMP packets:
sudo iptables -A INPUT -p icmp -j ACCEPT
Block an IP Address
If you want to block an IP address from accessing your server, you can use the DROP target, which discards the packet silently.
sudo iptables -A INPUT -s 192.168.1.32 -j DROP
You can replace 192.168.1.32 with the IP address that you want to block.
Block a Port
If you want to block a port from being accessed by anyone, you can use the DROP target as well.
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP
You can replace 8080 with the port number that you want to block.
Log Dropped Packets
If you want to log dropped packets for debugging or auditing purposes, you can use the LOG target, which sends a message to the kernel log. You can use the following command to append a rule to the INPUT chain that logs packets with the prefix "[Dropped] ":
sudo iptables -A INPUT -j LOG --log-prefix "[Dropped] "
Note that LOG is a non-terminating target: after logging, the packet continues to the next rule, so this rule only records dropped packets when it is placed directly before the DROP rule or, as the last rule in the chain, before a DROP default policy. You can view the kernel log with the dmesg command or by checking the
How to Save and Restore Iptables Rules?
By default, iptables rules are not persistent and are lost after a reboot or a restart of the iptables service. To save and restore iptables rules, you can use the iptables-save and iptables-restore tools.
To save your current iptables rules to a file called iptables.rules in your home directory, you can use the following command:
sudo iptables-save > ~/iptables.rules
To restore your iptables rules from that file, you can use the following command:
sudo iptables-restore < ~/iptables.rules
This command overwrites the current iptables rules with the ones from the file. You can use the --noflush option to append the rules from the file to your current rules instead of replacing them.
To make your iptables rules persistent across reboots, you can use the iptables-persistent tool. You can install iptables-persistent with apt using the command given below:
sudo apt-get install iptables-persistent
During the installation, you will be asked whether you want to save the current iptables rules. If you choose yes, your rules are saved to /etc/iptables/rules.v4 for IPv4 and /etc/iptables/rules.v6 for IPv6.
To load your iptables rules automatically at boot time, you can use the netfilter-persistent service, which is installed along with iptables-persistent:
sudo systemctl enable --now netfilter-persistent
This enables the service at boot and starts it immediately; you can later stop it from running at boot time with systemctl disable netfilter-persistent.
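Putting the rules from the Firewall Rules section together with the save step above, here is an added example script (not part of the original article) that builds the INPUT chain in an order where the LOG rule sees only the packets the DROP policy will discard, keeps an SSH session alive while the policy is switched, and then writes the result to /etc/iptables/rules.v4. It assumes IPv4 only, SSH on port 22, and the conntrack and limit match modules, which the article does not cover; the DRY_RUN variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the article's INPUT rules
# in a safe order and persists them. Assumes IPv4 only and SSH on port 22.
# Set DRY_RUN=1 to print the commands instead of running them (root otherwise).
set -eu

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_input_chain() {
    ipt -F INPUT                     # start from an empty INPUT chain
    ipt -P INPUT ACCEPT              # keep traffic flowing while rules are rebuilt
    # Order matters: the first matching terminating rule decides the packet's fate.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT
    ipt -A INPUT -p tcp --dport 443 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # LOG is non-terminating: as the last rule it sees exactly what the DROP
    # policy will discard; the limit match stops a flood from filling the log.
    ipt -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[Dropped] "
    ipt -P INPUT DROP                # switch the policy last, after the ACCEPT rules
}

persist_rules() {                    # file read by netfilter-persistent at boot
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'iptables-save > /etc/iptables/rules.v4\n'
    else
        iptables-save > /etc/iptables/rules.v4
    fi
}

# Self-check on the dry-run listing: LOG must come before the DROP policy switch.
log_precedes_drop() {
    listing=$(DRY_RUN=1 build_input_chain)
    log_line=$(printf '%s\n' "$listing" | grep -n -- '-j LOG' | cut -d: -f1)
    drop_line=$(printf '%s\n' "$listing" | grep -n -- '-P INPUT DROP' | cut -d: -f1)
    [ "$log_line" -lt "$drop_line" ]
}

case "${1:-}" in
    apply) log_precedes_drop && build_input_chain && persist_rules ;;
esac
```

Preview with `DRY_RUN=1 sh firewall.sh apply`, then run `sudo sh firewall.sh apply` from a console or an SSH session that the port 22 rule keeps open.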