Getting Started with Iptables

An intermediate’s guide to the command line usage for iptables…

Iptables is the basic firewall included with all distributions of Linux and is managed with the iptables command. If this guide looks a bit daunting, you might want to install the CSF plugin for cPanel, which will give you a simpler firewall management interface.

Iptables rules are grouped into chains. A chain is a set of rules used to determine what to do with a packet. These chains are grouped into tables. Iptables has three built-in tables: filter, NAT, and mangle. Filter is the table used to deny and allow access to the server.

The Filter Table

Filter is used to allow and block traffic. It consists of three chains: INPUT, OUTPUT, FORWARD.

The INPUT chain is used to filter packets destined for the local system.
The OUTPUT chain is used to filter packets created by the local system.
The FORWARD chain is used for packets passing through the system. This type of chain is used primarily in gateways and routers.

The general format of an iptables rule entered as a Linux command is…

# iptables -A [CHAIN] -p [PROTOCOL] [ADDRESS] -j [ACTION]

CHAIN: INPUT/OUTPUT/FORWARD

Here “-A INPUT” means “append this rule to the input chain”.

PROTOCOL: tcp/udp

The “-p tcp” means this rule applies only to TCP connections, not UDP.

ADDRESS: IP address affected by the rule.

ACTION: -j DROP/ACCEPT/LOG

What to do with packets matching this rule.

Basic Use Examples

The most basic use of iptables is to simply block and allow traffic.

Allow Traffic – Iptables enables you to allow traffic based on a number of different conditions such as Ethernet adapter, IP Address, port, and protocol.

Allow incoming TCP traffic on port 22 for adapter eth0

iptables -A INPUT -i eth0 -p tcp -m tcp –dport 22 -j ACCEPT

Allow incoming TCP traffic on port 80 (HTTP) for the IP range 192.168.0.1 to 192.168.0.254

iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp –dport 80 -j ACCEPT

Block Traffic – Iptables can block traffic on the same conditions that traffic can be allowed.

Block inbound TCP traffic on port 22

iptables -A INPUT -p tcp -m tcp –dport 22 -j DROP

Block inbound TCP traffic on port 80 from the IP 192.168.1.100

iptables -A INPUT -s 192.168.1.100 -p tcp -m tcp –dport 80 -j DROP

Limit Traffic – Along with allowing and denying traffic, iptables can be used to limit the number of connections allowed over time thresholds.

This is a common set of rules used to block brute force ssh attacks. The first rule makes sure the IP connecting is added to the sshbrute list. The second rule tells iptables to check the sshbrute list and if the packet threshold is exceeded to drop the traffic.

iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –name sshbrute –set

iptables -I INPUT -p tcp –dport 22 -i eth0 -m state –state NEW -m recent –name sshbrute –update –seconds 60 –hitcount 4 -j DROP

A Few Extra Examples…

Drop all inbound telnet traffic

iptables -I INPUT -p tcp –dport 23 -j DROP

Drop all outbound web traffic

iptables -I OUTPUT -p tcp –dport 80 -j DROP

Drop all outbound traffic to 192.168.0.1

iptables -I OUTPUT -p tcp –dest 192.168.0.1 -j DROP

Allow all inbound web traffic

iptables -I INPUT -p tcp –dport 80 -j ACCEPT

Allow inbound HTTPS traffic from 10.2.2.4

iptables -I INPUT -s 10.2.2.4 -p tcp -m tcp –dport 443 -j DROP

Deny outbound traffic to 192.2.4.0-192.2.4.255

iptables -I OUTPUT -d 192.2.4.6.0/24 -j DROP

Allow incoming connections to port 21 from one IP address 11.22.33.44

iptables -A INPUT -p tcp -m state –state NEW –dport 21 –source 11.22.33.44

Deny all other incoming connections to port 21

iptables -A INPUT -p tcp -m state –state NEW –dport 21 -j DROP

We used the “-m state –state NEW –dport 21” to match against new connections to port 21. Other options allow you to match against different things.

Additional Command Modifiers

-A append – Add the rule at the end of the specified chain

usage:

iptables -A INPUT …

-D delete – Allow to delete a chain. There are two ways to use it, you can specify the number of the chain to delete or specify the rule to delete.

usage:

iptables -D INPUT 1

iptables -D INPUT –dport 80 -j DROP

-R replace – Allow to replace the specified chain.

usage:

iptables -R INPUT 1 -s 192.168.0.1 -j DROP

-I insert – Allow to add a chain in a specific area of the global chain.

usage:

iptables -I INPUT 1 –dport 80 -j ACCEPT

-L list – Display the rules.

usage:

iptables -L Display all the rules of the FILTER chains

iptables -L INPUT Display all the INPUT rules (FILTER)

-F flush – Delete all the rules of a chain.

usage:

iptables -F INPUT Delete all the rules of the INPUT chain

iptables -F Delete all the rules

-N new chain – Allow to create a new chain

usage:

iptables -N LOG_DROP

-X delete chain – Allow to delete a chain

usage:

iptables -X LOG_DROP Delete the LOG_DROP chain

iptables -X Delete the chains

-P policy – Allow to specify to the kernel the default policy of a chain (ACCEPT, REJECT, DROP)

usage:

iptables -P INPUT DROP

Common Options and Switches

-A adds a rule at the end of the chain

-I inserts the rule at the given rule number. If no rule number is specified the rule is inserted at the head of the chain.

-p the protocol of the rule

–dport the destination port to check on the rule

-i interface on which the packet was received

-j what to do if the rule matches

-s source IP address of the packet

-d destination IP address of the packet

Getting Started with Iptables

Popular This Week

Update: Dirty Cow Vulnerability

Stop SOPA WordPress Plugin

Meet the Staff

Phasing Out Passwords

The Risks Of Not Backing Up Data

Recent posts

Make Hosting Easy With Managed Services & Support

How Data Analytics Can Help Fight Money Laundering

MySQL Tips And Tricks

How To Protect Servers Against Malware

5 Easy Ways To Reduce Latency