iptables is a command-line utility for configuring the Linux kernel firewall, which is implemented within the Netfilter project.
iptables is the software firewall included with most Linux distributions by default. If it is missing, install the iptables package:
RHEL/CentOS:
# yum install iptables-services
Debian/Ubuntu:
# apt-get install iptables
Types of Chains
iptables uses five different chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING.
- PREROUTING: Packets enter this chain before a routing decision is made.
- INPUT: The packet is going to be delivered locally. This has nothing to do with whether a process has an open socket; local delivery is decided by the "local" routing table (ip route show table local).
- FORWARD: All packets that have been routed and are not for local delivery traverse this chain.
- OUTPUT: Packets sent by the machine itself traverse this chain.
- POSTROUTING: The routing decision has been made. Packets enter this chain just before being handed to the hardware.
List iptables Rules
You can list the rules using -L flag:
# iptables -L
You can show the line numbers for rules using --line-numbers:
# iptables -L --line-numbers
To list a specific table, use the -t flag with the table name like this:
# iptables -L -t nat
Adding iptables rules
With your policy chains configured, you can now tell iptables to allow or block specific addresses, address ranges and ports. In these examples the connections are set to DROP, but you can switch to ACCEPT or REJECT depending on your needs and on how you configured your policy chains.
Block connections from a single IP address:
# iptables -A INPUT -s <IP_ADDRESS> -j DROP
Allow connections from a specific IP address to a specific TCP port (--dport only works together with a protocol match, so -p tcp is required):
# iptables -I INPUT <NUMBER> -p tcp -s <IP_ADDRESS> --dport <PORT_NUMBER> -j ACCEPT
<NUMBER> is the position at which the rule is inserted. It should be 1, so that the rule is placed first in the chain and is evaluated before any DROP rule.
SYN Flooding
Limit the rate of new TCP connections per source address: a source that has opened more than 20 new connections within the last 60 seconds is dropped; every other new connection is recorded and accepted. Add the rules in this order, because the --set rule accepts the packet and ends evaluation:
# iptables -A INPUT -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
# iptables -A INPUT -p tcp -m state --state NEW -m recent --set -j ACCEPT
Remove iptables Rules
Determine the number of the rule and the name of the chain in the list:
# iptables -L --line-numbers
Remove the rule:
# iptables -D <CHAIN> <RULE_NUMBER>
Or you can delete the rule by specifying it exactly as it was added. Print the rules in command form:
# iptables -S
Copy the matching line from the output and replace -A with -D:
# iptables -D INPUT -s 12.34.56.78 -j DROP
Delete all rules in every chain of the filter table (chain policies are left unchanged):
# iptables -F
Save iptables Rules
RHEL/CentOS:
# iptables-save > /etc/sysconfig/iptables
Debian/Ubuntu:
# iptables-save > /etc/iptables/rules.v4
Restore Firewall Rules
RHEL/CentOS:
# iptables-restore < /etc/sysconfig/iptables
Debian/Ubuntu:
# iptables-restore < /etc/iptables/rules.v4
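The rules from this page combined into one file in the format that iptables-save writes and iptables-restore reads, so the whole policy can be reviewed and applied atomically (an added example, not from the original page; ADMIN_IP, SSH_PORT and WEB_PORTS are placeholders chosen for the example):

```shell
#!/bin/sh
# Added example, not from the original page: emit a ruleset in the
# iptables-save/iptables-restore file format and load it atomically instead
# of issuing one iptables command at a time. ADMIN_IP, SSH_PORT and
# WEB_PORTS are placeholder values chosen for the example.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # placeholder management address
SSH_PORT="${SSH_PORT:-22}"
WEB_PORTS="${WEB_PORTS:-80,443}"       # placeholder published services

# Print the filter-table ruleset. Order matters: established traffic is
# accepted before any limiter, the admin SSH rule precedes the SYN-flood
# rules, and the INPUT policy DROP catches everything not listed.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always local
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic such as ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# management SSH from one address only (the page's "insert as rule 1" case)
-A INPUT -p tcp -s ${ADMIN_IP} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# the page's SYN-flood limiter, scoped to the published web ports: a source
# opening more than 20 new connections within 60 seconds is dropped
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -m conntrack --ctstate NEW -m recent --set -j ACCEPT
COMMIT
EOF
}

# Number of -A rule lines in a ruleset read from stdin (sanity check before loading).
count_rules() {
    grep -c '^-A '
}

# iptables-restore parses the whole file and applies it in one step, so a
# typo leaves the running rules untouched; --test only parses and exits.
apply_ruleset() {
    build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
}

# "sh fw.sh" prints the ruleset for review; "sh fw.sh apply" loads it.
case "${1:-print}" in
    apply) apply_ruleset ;;
    *) build_ruleset ;;
esac
```

Saving the generated file to /etc/sysconfig/iptables or /etc/iptables/rules.v4 makes it the ruleset restored at boot, exactly as in the sections above.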