Getting Started with Iptables
An intermediate’s guide to the command line usage for iptables…
Iptables is the basic firewall included with all distributions of Linux and is managed with the iptables command. If this guide looks a bit daunting, you might want to install the CSF plugin for cPanel, which will give you a simpler firewall management interface.
Iptables rules are grouped into chains. A chain is a set of rules used to determine what to do with a packet. These chains are grouped into tables. Iptables has three built-in tables: filter, NAT, and mangle. Filter is the table used to deny and allow access to the server.
The Filter Table
Filter is used to allow and block traffic. It consists of three chains: INPUT, OUTPUT, FORWARD.
- The INPUT chain is used to filter packets destined for the local system.
- The OUTPUT chain is used to filter packets created by the local system.
- The FORWARD chain is used for packets passing through the system. This type of chain is used primarily in gateways and routers.
The general format of an iptables rule entered as a Linux command is…
# iptables -A [CHAIN] -p [PROTOCOL] [ADDRESS] -j [ACTION]
CHAIN: INPUT/OUTPUT/FORWARD
Here “-A INPUT” means “append this rule to the input chain”.
PROTOCOL: tcp/udp
The “-p tcp” means this rule applies only to TCP connections, not UDP.
ADDRESS: IP address affected by the rule.
ACTION: -j DROP/ACCEPT/LOG
What to do with packets matching this rule.
Basic Use Examples
The most basic use of iptables is to simply block and allow traffic.
Allow Traffic – Iptables enables you to allow traffic based on a number of different conditions such as Ethernet adapter, IP Address, port, and protocol.
Allow incoming TCP traffic on port 22 for adapter eth0
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
Allow incoming TCP traffic on port 80 (HTTP) for the IP range 192.168.0.1 to 192.168.0.254
iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
Block Traffic – Iptables can block traffic on the same conditions that traffic can be allowed.
Block inbound TCP traffic on port 22
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
Block inbound TCP traffic on port 80 from the IP 192.168.1.100
iptables -A INPUT -s 192.168.1.100 -p tcp -m tcp --dport 80 -j DROP
Limit Traffic – Along with allowing and denying traffic, iptables can be used to limit the number of connections allowed over time thresholds.
This is a common pair of rules used to block SSH brute-force attacks. The first rule adds the connecting IP to the sshbrute list. The second rule checks the sshbrute list and drops the packet if the threshold (four new connections within 60 seconds) is exceeded.
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP
A Few Extra Examples…
Drop all inbound telnet traffic
iptables -I INPUT -p tcp --dport 23 -j DROP
Drop all outbound web traffic
iptables -I OUTPUT -p tcp --dport 80 -j DROP
Drop all outbound traffic to 192.168.0.1
iptables -I OUTPUT -d 192.168.0.1 -j DROP
Allow all inbound web traffic
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
Allow inbound HTTPS traffic from 10.2.2.4
iptables -I INPUT -s 10.2.2.4 -p tcp -m tcp --dport 443 -j ACCEPT
Deny outbound traffic to 192.2.4.0-192.2.4.255
iptables -I OUTPUT -d 192.2.4.0/24 -j DROP
Allow incoming connections to port 21 from one IP address 11.22.33.44
iptables -A INPUT -p tcp -m state --state NEW --dport 21 --source 11.22.33.44 -j ACCEPT
Deny all other incoming connections to port 21
iptables -A INPUT -p tcp -m state --state NEW --dport 21 -j DROP
We used “-m state --state NEW --dport 21” to match new connections to port 21. Because rules are evaluated from the top of the chain and -A appends, the ACCEPT for 11.22.33.44 must be added before the DROP; in the other order the DROP would match first and block that address too. Other match options allow you to test for different things.
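Because a chain is evaluated top to bottom, the port 21 pair above only works if the ACCEPT for 11.22.33.44 sits above the DROP. The following is an added example, not from the original article: a small POSIX shell audit that reads a rule listing in the format printed by iptables -S INPUT and reports the first target a packet to a given port would hit, plus the chain's default policy. The listing embedded in the script is constructed to mirror the port 21, 23 and 80 examples above; on a live host, pass "$(iptables -S INPUT)" as the second argument instead.

```shell
#!/bin/sh
# Added example (not from the original article): audit rule order using the
# output format of `iptables -S INPUT`. SAMPLE_RULES is a constructed listing
# that mirrors the port 21/23/80 examples in the text.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -s 11.22.33.44/32 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j DROP
-A INPUT -p tcp -m tcp --dport 23 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# first_target_for_port PORT [RULES]: print the target (-j ...) of the first
# rule matching --dport PORT, i.e. the decision a new packet to that port
# gets. Prints nothing when no rule mentions the port (the policy applies).
first_target_for_port() {
    port="$1"
    rules="${2:-$SAMPLE_RULES}"
    printf '%s\n' "$rules" \
        | grep -E -- "--dport ${port}( |\$)" \
        | head -n 1 \
        | sed -n 's/.*-j \([A-Za-z_]*\).*/\1/p'
}

# chain_policy CHAIN [RULES]: the default policy of CHAIN (ACCEPT or DROP).
chain_policy() {
    chain="$1"
    rules="${2:-$SAMPLE_RULES}"
    printf '%s\n' "$rules" | sed -n "s/^-P ${chain} //p"
}

# rules_for_port PORT [RULES]: how many rules mention the port; a number
# larger than expected usually means repeated -A/-I runs left duplicates.
rules_for_port() {
    port="$1"
    rules="${2:-$SAMPLE_RULES}"
    printf '%s\n' "$rules" | grep -c -E -- "--dport ${port}( |\$)" || true
}

# Report on the sample listing.
for p in 21 23 80 443; do
    t="$(first_target_for_port "$p")"
    if [ -n "$t" ]; then
        echo "port $p: first matching rule -> $t ($(rules_for_port "$p") rule(s))"
    else
        echo "port $p: no rule, policy $(chain_policy INPUT) applies"
    fi
done
```

The check deliberately looks only at the first matching rule: a later ACCEPT for the same port is dead if an earlier DROP already matched, which is exactly the mistake the -A/-I distinction makes easy.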
Additional Command Modifiers
-A append – Add the rule at the end of the specified chain.
usage:
iptables -A INPUT …
-D delete – Delete a rule from a chain. There are two ways to use it: give the rule's position number within the chain, or repeat the rule specification itself.
usage:
iptables -D INPUT 1
iptables -D INPUT -p tcp --dport 80 -j DROP
-R replace – Replace the rule at the given position in a chain.
usage:
iptables -R INPUT 1 -s 192.168.0.1 -j DROP
-I insert – Insert a rule at a given position in a chain (position 1 is the top of the chain).
usage:
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
-L list – Display the rules.
usage:
iptables -L (display all the rules of the filter table's chains)
iptables -L INPUT (display only the INPUT rules of the filter table)
-F flush – Delete all the rules of a chain.
usage:
iptables -F INPUT (delete all the rules of the INPUT chain)
iptables -F (delete all the rules in every chain of the filter table)
-N new chain – Create a new user-defined chain.
usage:
iptables -N LOG_DROP
-X delete chain – Delete a user-defined chain; it must be empty and not referenced by any rule.
usage:
iptables -X LOG_DROP (delete the LOG_DROP chain)
iptables -X (delete every empty user-defined chain)
-P policy – Set the default policy the kernel applies to a built-in chain when no rule matches (ACCEPT or DROP; REJECT is a rule target, not a valid chain policy).
usage:
iptables -P INPUT DROP
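The -N and -X examples name a LOG_DROP chain but never show what goes in it, so here is an added example, not code from the original article, that exercises -N, -F, -A, -C, -D and -X together as a POSIX shell script. It builds a LOG_DROP chain that logs with a rate limit and then drops, hooks it in as the last INPUT rule, and tears it down again in the reverse order -X requires. The chain name, the log prefix "iptables-drop: " and the limit values are assumptions; as above, DRY_RUN=1 (the default) prints the commands rather than applying them.

```shell
#!/bin/sh
# Added example (not from the original article): lifecycle of a user-defined
# LOG_DROP chain that logs (rate-limited) and then drops. Assumed values:
# chain name LOG_DROP, log prefix "iptables-drop: ", 5 log lines per minute.
DRY_RUN="${DRY_RUN:-1}"
CHAIN="${CHAIN:-LOG_DROP}"

# ipt: run or print one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# create_log_drop: build the chain. -N fails if the chain already exists, so
# on a live system it is only created when `iptables -L CHAIN` finds nothing,
# and then emptied with -F so a second run does not duplicate its rules.
create_log_drop() {
    if [ "$DRY_RUN" = 1 ] || ! iptables -L "$CHAIN" -n >/dev/null 2>&1; then
        ipt -N "$CHAIN"
    fi
    ipt -F "$CHAIN"
    # Rate-limit the LOG target: without -m limit a flood of dropped packets
    # becomes a flood of syslog lines.
    ipt -A "$CHAIN" -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "iptables-drop: " --log-level 4
    ipt -A "$CHAIN" -j DROP
}

# hook_log_drop: append the jump as the last INPUT rule, once. -C returns 0
# when an identical rule already exists, so the jump is not duplicated.
hook_log_drop() {
    if [ "$DRY_RUN" = 1 ] || ! iptables -C INPUT -j "$CHAIN" 2>/dev/null; then
        ipt -A INPUT -j "$CHAIN"
    fi
}

# remove_log_drop: undo in reverse. -X only succeeds on an empty chain that
# no rule references, hence -D (drop the jump) and -F (empty it) before -X.
remove_log_drop() {
    ipt -D INPUT -j "$CHAIN"
    ipt -F "$CHAIN"
    ipt -X "$CHAIN"
}

create_log_drop
hook_log_drop
```

Because the jump is appended with -A, it sits below every ACCEPT rule already in INPUT, so only traffic nothing else accepted is logged and dropped; inserting it with -I instead would log and drop everything.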
Common Options and Switches
-A adds a rule at the end of the chain
-I inserts the rule at the given rule number. If no rule number is specified the rule is inserted at the head of the chain.
-p the protocol of the rule
--dport the destination port to check on the rule
-i interface on which the packet was received
-j what to do if the rule matches
-s source IP address of the packet
-d destination IP address of the packet