logoCndocs
Routing and Firewall

iptables Command

Introduction

iptables is a powerful command-line firewall utility that uses policy chains to allow or block traffic. As the primary interface to the Linux kernel's netfilter framework, iptables enables system administrators to configure specific rules that will define how network traffic is handled. It serves as the traditional firewall tool for Linux systems, allowing fine-grained control over incoming and outgoing network packets.

Despite being gradually replaced by newer tools like nftables and firewalld in modern Linux distributions, iptables remains widely used due to its reliability, flexibility, and the extensive knowledge base surrounding it. Understanding iptables is essential for Linux system administrators who need to secure their servers and control network traffic.

iptables Command Output

Basic Concepts

Before diving into iptables commands, it's important to understand some key concepts:

Tables

Iptables organizes its rules into different tables, each serving a specific purpose:

  • filter: The default table, used for packet filtering (allowing, dropping, or rejecting packets)
  • nat: Used for Network Address Translation (changing source or destination addresses)
  • mangle: Used for specialized packet alteration
  • raw: Used to configure exemptions from connection tracking
  • security: Used for Mandatory Access Control networking rules

Chains

Each table contains chains, which are lists of rules. The built-in chains are:

  • INPUT: For packets destined to local sockets
  • FORWARD: For packets being routed through the system
  • OUTPUT: For locally-generated packets
  • PREROUTING: For altering packets as they arrive
  • POSTROUTING: For altering packets as they leave

Rules

Rules specify criteria for matching packets and actions (targets) to perform when a packet matches. Common targets include:

  • ACCEPT: Allow the packet to proceed
  • DROP: Discard the packet without notification
  • REJECT: Discard the packet and send an error message to the sender
  • LOG: Log the packet but continue processing rules

Installation

Iptables is typically pre-installed on most Linux distributions. If it's not available, you can install it using your distribution's package manager:

Debian/Ubuntu-based Systems

sudo apt update
sudo apt install iptables

Red Hat/CentOS/Fedora Systems

# For CentOS/RHEL
sudo yum install iptables-services
 
# For Fedora
sudo dnf install iptables-services

Arch Linux

sudo pacman -S iptables

Basic Syntax

The basic syntax of the iptables command is:

iptables [table] [action] [chain] [matching criteria] [target]

Where:

  • table: Specifies the table to operate on (-t filter, -t nat, etc.)
  • action: Specifies what to do (-A to append, -D to delete, -I to insert, etc.)
  • chain: Specifies the chain to operate on (INPUT, OUTPUT, etc.)
  • matching criteria: Specifies the conditions for the rule (-p tcp, --dport 22, etc.)
  • target: Specifies what happens when the rule matches (ACCEPT, DROP, etc.)

Basic Usage

Viewing Current Rules

To display the current iptables rules:

sudo iptables -L

This shows all rules in the filter table with hostnames and service names resolved.

Viewing Rules with Numeric Output

To display rules with numeric IP addresses and port numbers:

sudo iptables -L -n

Viewing Rules with Packet Counts

To display rules with packet and byte counters:

sudo iptables -L -v

Viewing Rules for a Specific Table

To display rules for a specific table (e.g., nat):

sudo iptables -t nat -L

Viewing Rules for a Specific Chain

To display rules for a specific chain (e.g., INPUT):

sudo iptables -L INPUT

Managing Rules

Adding a Rule

To append a rule to the end of a chain:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

This allows incoming SSH connections.

Inserting a Rule

To insert a rule at a specific position in a chain:

sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

This inserts a rule at position 1 to allow incoming HTTP connections.

Deleting a Rule

To delete a rule by specification:

sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT

To delete a rule by its position in a chain:

sudo iptables -D INPUT 3

This deletes the third rule in the INPUT chain.

Replacing a Rule

To replace a rule at a specific position:

sudo iptables -R INPUT 2 -p tcp --dport 443 -j ACCEPT

This replaces the second rule in the INPUT chain.

Flushing Rules

To remove all rules from a specific chain:

sudo iptables -F INPUT

To remove all rules from all chains:

sudo iptables -F

Setting Chain Policies

To set the default policy for a chain:

sudo iptables -P INPUT DROP

This sets the default policy for the INPUT chain to DROP, meaning all incoming traffic will be dropped unless explicitly allowed by a rule.

Common Firewall Configurations

Setting Up a Basic Firewall

Here's a basic firewall setup that allows established connections, SSH, and drops all other incoming traffic:

# Flush existing rules
sudo iptables -F
 
# Set default chain policies
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
 
# Allow loopback traffic
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
 
# Allow established and related connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 
# Allow SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
# Save rules
sudo service iptables save

Allowing Specific Services

HTTP and HTTPS

To allow incoming HTTP and HTTPS traffic:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

FTP

To allow incoming FTP traffic:

sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT

For passive FTP, you'll also need to allow a range of ports:

sudo iptables -A INPUT -p tcp --dport 1024:1048 -j ACCEPT

DNS

To allow incoming DNS queries:

sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Mail Services

To allow incoming mail services:

# SMTP
sudo iptables -A INPUT -p tcp --dport 25 -j ACCEPT
 
# IMAP
sudo iptables -A INPUT -p tcp --dport 143 -j ACCEPT
 
# IMAPS
sudo iptables -A INPUT -p tcp --dport 993 -j ACCEPT
 
# POP3
sudo iptables -A INPUT -p tcp --dport 110 -j ACCEPT
 
# POP3S
sudo iptables -A INPUT -p tcp --dport 995 -j ACCEPT

Blocking Traffic

Blocking an IP Address

To block all traffic from a specific IP address:

sudo iptables -A INPUT -s 192.168.1.100 -j DROP

Blocking a Range of IP Addresses

To block a range of IP addresses using CIDR notation:

sudo iptables -A INPUT -s 192.168.1.0/24 -j DROP

Blocking a Specific Port

To block incoming traffic on a specific port:

sudo iptables -A INPUT -p tcp --dport 23 -j DROP

Rate Limiting

To protect against brute force attacks, you can limit the rate of incoming connections:

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This limits SSH connections to 3 per minute from the same IP address.

Advanced Usage

Port Forwarding

To forward incoming traffic on port 80 to a different IP address and port:

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080

Masquerading (NAT)

To enable NAT for outgoing traffic from a private network:

sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

Logging

To log dropped packets before dropping them:

sudo iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "DROPPED SSH: "
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

Custom Chains

To create and use a custom chain:

# Create a custom chain
sudo iptables -N SSH_RULES
 
# Add rules to the custom chain
sudo iptables -A SSH_RULES -s 192.168.1.0/24 -j ACCEPT
sudo iptables -A SSH_RULES -j DROP
 
# Jump to the custom chain from the INPUT chain
sudo iptables -A INPUT -p tcp --dport 22 -j SSH_RULES

Saving and Restoring Rules

Iptables rules are not persistent by default and will be lost after a system reboot. To save and restore rules:

Debian/Ubuntu

# Install iptables-persistent
sudo apt install iptables-persistent
 
# Save current rules
sudo netfilter-persistent save
 
# Reload saved rules
sudo netfilter-persistent reload

Red Hat/CentOS/Fedora

# Save current rules
sudo service iptables save
 
# Restore saved rules
sudo service iptables restart

Manual Method (All Distributions)

# Save rules to a file
sudo iptables-save > /etc/iptables/rules.v4
 
# Restore rules from a file
sudo iptables-restore < /etc/iptables/rules.v4

Troubleshooting

Common Issues

Rules Not Taking Effect

If your rules don't seem to be taking effect, check:

  1. Rule order: Rules are processed in order, and processing stops at the first match
  2. Default policies: Check your chain default policies
  3. Conflicting rules: Look for rules that might be conflicting with each other

Locked Out of SSH

If you accidentally lock yourself out of SSH:

  1. Use the console access provided by your hosting provider
  2. Boot into rescue mode if available
  3. Restore a backup of your iptables rules

High CPU Usage

If iptables is causing high CPU usage:

  1. Simplify your ruleset
  2. Use more efficient matching criteria
  3. Consider using ipset for large sets of IP addresses

Debugging Tips

Tracing Packet Flow

To trace how a packet flows through iptables chains:

sudo iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE
sudo iptables -t raw -A OUTPUT -p tcp --sport 80 -j TRACE

Then monitor the kernel log:

sudo tail -f /var/log/kern.log

Testing Rules

Before implementing a complex ruleset, test your rules with the -C option:

sudo iptables -C INPUT -p tcp --dport 80 -j ACCEPT

This checks if the rule exists without adding it.

Comparison with Modern Alternatives

iptables vs. nftables

nftables is the successor to iptables with several improvements:

  • More consistent syntax
  • Better performance
  • Atomic rule updates
  • Simplified table structure

Example nftables equivalent to an iptables rule:

# iptables
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
# nftables
sudo nft add rule inet filter input tcp dport 22 accept

iptables vs. firewalld

firewalld is a dynamic firewall manager that uses zones and services:

  • More user-friendly interface
  • Dynamic rule updates without disrupting connections
  • Zone-based configuration
  • D-Bus interface for applications

Example firewalld equivalent to an iptables rule:

# iptables
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
 
# firewalld
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

Best Practices

Security Recommendations

  1. Default Deny: Start with a default deny policy and explicitly allow only necessary traffic
  2. Least Privilege: Allow only the minimum access required for services to function
  3. Stateful Filtering: Use connection tracking to allow related and established connections
  4. Regular Audits: Regularly review and audit your firewall rules
  5. Documentation: Document your firewall rules and the purpose of each rule

Performance Optimization

  1. Rule Order: Place frequently matched rules earlier in the chain
  2. Use Specific Matches: Be as specific as possible with matching criteria
  3. Limit Logging: Excessive logging can impact performance
  4. Consider Hardware Offloading: Some network cards support hardware offloading for iptables

Conclusion

Iptables remains a powerful and flexible tool for managing Linux firewalls, despite the emergence of newer alternatives. Its command-line interface provides granular control over network traffic, allowing system administrators to implement complex security policies.

While the learning curve can be steep, mastering iptables gives you the ability to secure your Linux systems effectively. Whether you're setting up a simple firewall for a personal server or implementing complex network security policies for an enterprise environment, iptables provides the capabilities you need.

As you become more comfortable with iptables, consider exploring its modern alternatives like nftables and firewalld, which offer improved syntax and additional features while maintaining the powerful packet filtering capabilities that make iptables so valuable.

Test Your Knowledge

Take a quiz to reinforce what you've learned

Exam Preparation

Access short and long answer questions for written exams

Share this page