iptables is a command-line utility for configuring the Linux kernel firewall implemented within the Netfilter project.

iptables is the software firewall included with most Linux distributions by default. On recent distributions the iptables command is often the nftables-backed compatibility layer (iptables-nft); the commands below work the same way. If the tool is missing, install the iptables package (on RHEL/CentOS the iptables-services package also provides the init script that loads saved rules at boot):

RHEL/CentOS:

# yum install iptables-services

Debian/Ubuntu:

# apt-get install iptables

Types of Chains

iptables has five built-in chains: PREROUTING, INPUT, FORWARD, OUTPUT and POSTROUTING. Each table holds only the chains that make sense for it (the default filter table has INPUT, FORWARD and OUTPUT), and you can add your own chains with -N and jump to them with -j.

  • PREROUTING: Packets enter this chain as soon as they arrive, before any routing decision is made.
  • INPUT: Packets destined for local delivery. Whether a process has a socket open is irrelevant; local delivery is decided by the routing tables, in particular the “local” table (ip route show table local).
  • FORWARD: Packets that have been routed and are not for local delivery traverse this chain. It only sees traffic when IP forwarding is enabled (net.ipv4.ip_forward).
  • OUTPUT: Packets generated by the machine itself pass through this chain.
  • POSTROUTING: The routing decision has been made; packets pass through this chain just before being handed to the network interface.

List iptables Rules

You can list the rules using -L flag:

# iptables -L

You can show the line numbers of the rules with --line-numbers (add -n to skip reverse DNS lookups, which otherwise make listing slow, and -v for packet and byte counters):

# iptables -L  --line-numbers

To list a specific table, use the -t flag with the table name (the default is filter):

# iptables -L -t nat

Adding iptables rules

With the default policies of your chains set, you can configure iptables to allow or block specific addresses, address ranges and ports. The examples below use DROP (silently discard) or ACCEPT; switch to REJECT if you want the sender to receive an ICMP error, depending on your needs and on the default policies you chose.

Block connections from a single IP address:

# iptables -A INPUT -s <IP_ADDRESS> -j DROP

Allow connections from an address to a specific TCP port (--dport needs a protocol match, so -p tcp is required):

# iptables -I INPUT <NUMBER> -p tcp -s <IP_ADDRESS> --dport <PORT_NUMBER> -j ACCEPT

<NUMBER> is the position in the chain at which the rule is inserted; use 1 to make it the first rule. Rules are evaluated top to bottom and the first match decides, so an ACCEPT appended (-A) after a DROP that already covers the same traffic never fires.

SYN Flooding

# iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 20 -j DROP
# iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m recent --set -j ACCEPT

These two rules limit each source address to 20 new TCP connections per minute (-m conntrack --ctstate NEW is the current spelling of the older -m state --state NEW). The first rule matches when the address is already in the recent list with 20 or more hits in the last 60 seconds and drops the packet (--update also refreshes the entry); the second records the address and accepts the connection. Do not use this on a regular basis: every client behind one NAT address shares a single counter, so a busy office or a carrier-grade NAT gets blocked as a whole. Note also that the second rule accepts every new TCP connection that survives the limit, so any port-specific rules must be placed before this pair, or drop the -j ACCEPT and let the --set rule fall through to the rules that follow it.

Some SYN floods are easy to filter because every packet carries the same unusual TCP header values (for example flag combinations that never occur in legitimate traffic); match those directly with --tcp-flags instead of rate-limiting by source, which does not penalise legitimate users.

Remove iptables Rules

Find the chain and the line number of the rule to remove:

# iptables -L --line-numbers

Remove the rule:

# iptables -D <CHAIN> <RULE_NUMBER>

Or delete the rule by its specification instead of its position, which does not shift when other rules are deleted. Print the rules in command syntax:

# iptables -S

Copy the matching line from the output and replace -A with -D:

# iptables -D INPUT -s 12.34.56.78 -j DROP

Delete all rules in the filter table (-F flushes; other tables need -t <table> -F). Flushing does not change the chain policies: if the INPUT policy is DROP, set it back to ACCEPT before flushing on a remote machine or you will lock yourself out:

# iptables -F
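Deleting by line number is fragile because every deletion renumbers the rules below it. As an added example (not part of the original page), the script below turns `iptables -S` output into the equivalent `iptables -D` commands, optionally keeping only the rules that mention a given string such as a source address; the `-S` output it processes is constructed here, not captured from a real host, and the function name is ours:

```bash
#!/usr/bin/env bash
# Added example: convert `iptables -S [CHAIN]` output into `iptables -D` commands
# so rules are removed by their exact specification, not by a shifting index.
set -eu

# rules_to_delete_cmds [PATTERN]
# Reads -S output on stdin. Every "-A ..." line becomes "iptables -D ...";
# "-P" (chain policy) and "-N" (user-defined chain) lines are not rules and are
# skipped. With PATTERN set, only lines containing that fixed string (for
# example a source IP) are converted.
rules_to_delete_cmds() {
    local pattern="${1:-}"
    while IFS= read -r line; do
        case "$line" in
            "-A "*) ;;          # a rule: keep going
            *) continue ;;      # policy, chain declaration or blank: skip
        esac
        if [ -n "$pattern" ]; then
            case "$line" in
                *"$pattern"*) ;;
                *) continue ;;
            esac
        fi
        printf 'iptables -D %s\n' "${line#-A }"
    done
}

# Constructed sample of what `iptables -S INPUT` prints (note that -S always
# shows the /32 mask and the explicit "-m tcp" that the short form expands to).
SAMPLE_S_OUTPUT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 12.34.56.78/32 -j DROP
-A INPUT -s 12.34.56.78/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Review the generated commands first; pipe them into `sh` as root only once
# the list contains exactly the rules you mean to remove.
printf '%s\n' "$SAMPLE_S_OUTPUT" | rules_to_delete_cmds 12.34.56.78
```

On a live host replace the sample with `iptables -S INPUT | rules_to_delete_cmds 12.34.56.78`. The generated `-D` commands are safe to run in the printed order because each one names the rule by its full specification, so no renumbering takes place between them.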

Save iptables Rules

RHEL/CentOS (the iptables.service from the iptables-services package loads this file at boot):

# iptables-save > /etc/sysconfig/iptables

Debian/Ubuntu (the file read at boot by the iptables-persistent / netfilter-persistent package; netfilter-persistent save writes it for you). ip6tables keeps a separate ruleset: save it the same way with ip6tables-save into rules.v6 (Debian) or /etc/sysconfig/ip6tables (RHEL):

# iptables-save > /etc/iptables/rules.v4

Restore Firewall Rules

iptables-restore replaces the whole ruleset atomically (it flushes what is loaded unless -n/--noflush is given), so parse-check a new file with iptables-restore --test before loading it on a remote host, and keep a second session open while you do.

RHEL/CentOS:

# iptables-restore < /etc/sysconfig/iptables

Debian/Ubuntu:

# iptables-restore < /etc/iptables/rules.v4
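The sections above add rules one command at a time; in practice you want the whole policy in one file in iptables-save format, checked before it is committed and then persisted to the path the boot-time loader reads. The script below is an added example, not code from the original page, and goes beyond its single-rule commands by assembling a complete filter-table baseline: default DROP on INPUT and FORWARD, loopback and tracked connections accepted, impossible TCP flag combinations dropped, SSH only from an admin host, the per-source new-connection limit from the SYN flooding section (with the --set rule falling through instead of accepting), and public HTTP/HTTPS. The admin address 203.0.113.10 (RFC 5737 documentation range), SSH on 22/tcp, the function names and the /etc/sysconfig heuristic for choosing the persist path are all assumptions of this example:

```bash
#!/usr/bin/env bash
# Added example (not from the original page): build a complete filter-table
# ruleset in iptables-save format, parse-check it with iptables-restore --test,
# and only then persist it where the boot-time loader expects it.
# Assumptions (hypothetical): admin host 203.0.113.10 (RFC 5737 documentation
# range), SSH on 22/tcp, HTTP/HTTPS open to everyone. Function names are ours.
set -eu

# build_ruleset ADMIN_IP SSH_PORT
# Prints the ruleset on stdout. INPUT and FORWARD default to DROP; OUTPUT stays
# ACCEPT so the host can still resolve names and fetch updates. Lines starting
# with '#' are ignored by iptables-restore, so the rationale travels with the rules.
build_ruleset() {
    local admin_ip="$1" ssh_port="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-tracked traffic first: cheapest match, most packets.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# TCP segments with impossible flag combinations (no flags at all, SYN+FIN).
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SSH only from the admin host, placed before the generic NEW-connection rules
# so the admin can never be rate-limited out.
-A INPUT -p tcp -s ${admin_ip} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# Per-source limit on new TCP connections: 20 or more within 60 s is dropped.
# The --set rule has no target, so it records the address and falls through
# to the port-specific rules below instead of accepting everything.
-A INPUT -p tcp -m conntrack --ctstate NEW -m recent --name synlimit --update --seconds 60 --hitcount 20 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -m recent --name synlimit --set
# Public services.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Keep the host pingable, but not at flood rate.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
COMMIT
EOF
}

# check_ruleset FILE
# Parses and builds the ruleset without committing it (iptables-restore --test).
# Returns 0 if it parses, 2 if the check had to be skipped (not root, or no
# iptables-restore on this box), or iptables-restore's own status on an error.
check_ruleset() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables-restore >/dev/null 2>&1; then
        return 2
    fi
    iptables-restore --test < "$1"
}

# Rough heuristic for the path the boot-time loader reads (see "Save iptables Rules").
if [ -d /etc/sysconfig ]; then
    PERSIST_PATH=/etc/sysconfig/iptables        # RHEL/CentOS (iptables-services)
else
    PERSIST_PATH=/etc/iptables/rules.v4         # Debian/Ubuntu (netfilter-persistent)
fi

RULES_FILE="$(mktemp)"
build_ruleset 203.0.113.10 22 > "$RULES_FILE"

rc=0
check_ruleset "$RULES_FILE" || rc=$?
case "$rc" in
    0) echo "ruleset parses; persist with: install -m 600 $RULES_FILE $PERSIST_PATH" ;;
    2) echo "dry run only: wrote $RULES_FILE (not root or iptables-restore missing)" ;;
    *) echo "ruleset rejected by iptables-restore --test (exit $rc)" >&2; exit "$rc" ;;
esac
```

Run it as a normal user to inspect the generated file; as root it parse-checks the file and prints the install command. Load the checked file with iptables-restore from a session you can afford to lose, or from a console, since a mistake in the SSH rule locks you out the moment the new ruleset is committed.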
