iptables is a firewall utility for Linux operating systems. It is a user-space program that lets a system administrator configure the tables provided by the Linux kernel firewall (netfilter) and the chains and rules they store. iptables applies to IPv4. It requires elevated privileges and must be run as root; otherwise it fails to function. On most Linux systems iptables is installed as /usr/sbin/iptables.
In short, iptables is a Linux command-line firewall that manages incoming and outgoing traffic through a set of rules. In this blog I have gathered some handy rules that system administrators should find useful.
As per the iptables manual, there are currently 3 types of tables:
1. FILTER – this is the default table, which contains the built-in chains for:
- INPUT – packets destined for local sockets
- FORWARD – packets routed through the system
- OUTPUT – packets generated locally
2. NAT – a table that is consulted when a packet tries to create a new connection. It has the following built-in chains:
- PREROUTING – used for altering a packet as soon as it’s received
- OUTPUT – used for altering locally generated packets
- POSTROUTING – used for altering packets as they are about to go out
3. MANGLE – this table is used for specialized packet alteration (e.g. changing TOS or TTL fields). It has the following built-in chains:
- PREROUTING – for altering incoming connections
- OUTPUT – for altering locally generated packets
- INPUT – for incoming packets
- POSTROUTING – for altering packets as they are about to go out
- FORWARD – for packets routed through the box
Rule 1: Start/Stop/Restart Iptables Firewall
systemctl start iptables
systemctl stop iptables
systemctl restart iptables
Rule 2: Check all IPtables Firewall Rules
iptables -L -n -v
Rule 3: To check the rules for a specific table
iptables -t nat -L -n -v
Rule 4: Block Specific IP Address in IPtables Firewall
iptables -A INPUT -s 192.168.63.45 -j DROP
Rule 5: To block only the TCP protocol from that address:
iptables -A INPUT -p tcp -s 192.168.63.45 -j DROP
Rule 6: Unblock IP Address in IPtables Firewall
The -D option deletes a rule; the rule specification must match the one that was added exactly:
iptables -D INPUT -s 192.168.63.45 -j DROP
Rule 7: Block Specific Port on IPtables Firewall
To block outgoing connections on a specific port use:
iptables -A OUTPUT -p tcp --dport 80 -j DROP
To allow incoming connections use:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Rule 8: Allow Multiple Ports on IPtables using Multiport
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
Rule 9: Allow Specific Network Range on Particular Port on IPtables
iptables -A OUTPUT -p tcp -d 192.168.100.0/24 --dport 22 -j ACCEPT
Rule 10: Block website on IPtables Firewall
For example, for the domain facebook.com:
host facebook.com
->facebook.com has address 157.240.13.35
whois 157.240.13.35 | grep CIDR
->CIDR: 157.240.0.0/16
iptables -A OUTPUT -p tcp -d 157.240.0.0/16 -j DROP
Note that large sites are served from many address ranges, so a single CIDR rarely covers the whole site; repeat the lookup for each address the domain resolves to.
Rule 11: Setup Port Forwarding in IPtables
The following redirects incoming traffic on port 80 to a local service on port 3128:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
Rule 12: Block Network Flood on Apache Port with IPtables
iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
This rule only accepts traffic up to the limit; packets over the limit fall through to the rules that follow, so it must be followed by a DROP rule for port 80 (or a DROP policy on INPUT) to actually block the excess.
Rule 13: Block Incoming Ping Requests on IPtables
iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
Rule 14: Allow loopback Access
Loopback access (traffic to and from 127.0.0.1 on the lo interface) is important for local services and you should always leave it enabled:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Rule 15: Block Access to Specific MAC Address on IPtables
iptables -A INPUT -m mac --mac-source 00:AF:F0:3C:12:08 -j DROP
Rule 16: Limit the Number of Concurrent Connections per IP Address
The following rejects a fourth concurrent SSH connection from the same source address:
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
Rule 17: Search within IPtables Rule
Format: iptables -L $table -v -n | grep $string
iptables -L INPUT -v -n | grep 192.168.63.25
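Rules 6 and 17 fit together: -D only removes a rule whose specification matches exactly, and the exact specification is what iptables-save prints. The script below is an added example, not part of the original post: it searches a constructed iptables-save dump (not taken from any real host) for every rule with a given source address and prints the matching iptables -D command. The function names rules_for_source and delete_commands_for_source are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Given an iptables-save dump and
# an address, list every rule that names that address as source and print the
# matching "iptables -D" command. Deleting with -D needs the exact rule
# specification, which is what iptables-save prints, so driving -D from that
# output avoids a silent miss when the saved form differs from what was typed.

# Constructed sample of iptables-save output; not captured from a real host.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.63.45/32 -j DROP
-A INPUT -s 192.168.63.45/32 -p tcp -j DROP
-A INPUT -s 192.168.63.250/32 -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# Print "table<TAB>rule" for every -A line in dump $1 whose -s argument is $2.
# iptables-save writes single hosts as a.b.c.d/32, so a bare address matches
# both forms. Lines beginning with "*" switch the current table.
rules_for_source() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^\*/ { table = substr($0, 2); next }
        /^-A / {
            for (i = 1; i <= NF; i++)
                if ($i == "-s" && ($(i+1) == ip || $(i+1) == (ip "/32"))) {
                    print table "\t" $0
                    break
                }
        }'
}

# Turn each match into its delete command: same table, same rule spec, -A -> -D.
delete_commands_for_source() {
    rules_for_source "$1" "$2" | while IFS="$(printf '\t')" read -r table rule; do
        printf 'iptables -t %s -D %s\n' "$table" "${rule#-A }"
    done
}

# Stand-alone run against the sample: prints two delete commands for .45
delete_commands_for_source "$SAMPLE_DUMP" 192.168.63.45
```

On a live system the dump comes from `iptables-save` (Rule 20) instead of the sample string; review the printed commands before running them as root, since the same address may appear in more than one table.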
Rule 18: Define New IPTables Chain
iptables -N custom-filter
To check that the new chain exists:
iptables -L
Rule 19: Flush IPtables Firewall Chains or Rules
iptables --flush
iptables --table nat --flush
Rule 20: Save/Restore IPtables Rules to/from a File
Rules added with iptables are not persistent across reboots, so save them to a file:
iptables-save > ~/iptables.rules
Restore IPtables rules from the file:
iptables-restore < ~/iptables.rules
Rule 21: Allow Established and Related Connections
For incoming packets that belong to a connection already tracked by conntrack (including related ones such as FTP data channels):
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
For outgoing use:
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
Rule 22: Drop Invalid Packets in IPtables
Packets that conntrack cannot associate with any known connection (malformed or out-of-state segments) should be dropped early:
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
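The rules above are only safe when applied in the right order and with a restrictive default policy: the loopback and conntrack rules must come before any per-service rule, and Rule 12's rate limit needs a DROP behind it. The script below is an added example, not the post's own, that assembles Rules 9, 12, 13, 14, 16, 21 and 22 into one iptables-restore file (Rule 20) so the whole policy is loaded atomically, plus a check function for the ordering mistakes that are easiest to make. The management subnet 192.168.100.0/24 and the ports 22, 80 and 443 are assumed values; the function names baseline_rules, check_rules and rule_count are mine.

```shell
#!/bin/sh
# Added example, not from the original post: assemble the post's rules into a
# single iptables-restore file so the whole policy is applied atomically and in
# a known order. This script only produces text; it never touches the kernel.
# Assumed values (not from the post): management subnet 192.168.100.0/24,
# SSH on 22, web on 80 and 443.

MGMT_NET="${MGMT_NET:-192.168.100.0/24}"

# Print a complete filter-table ruleset in iptables-save format.
# Order matters: loopback and conntrack rules come first so replies to
# connections this host opened are accepted before any per-service rule is
# evaluated, and the INPUT policy is DROP so anything not listed is discarded.
baseline_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Rule 14: loopback
-A INPUT -i lo -j ACCEPT
# Rule 22: packets conntrack cannot classify
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Rule 21: replies to connections this host opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rule 13: drop only echo-request; other ICMP (unreachable, PMTU) still arrives
-A INPUT -p icmp --icmp-type echo-request -j DROP
# Rule 16: at most 3 SSH connections per source address
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# Rule 9: SSH only from the management network
-A INPUT -p tcp -s $MGMT_NET --dport 22 -j ACCEPT
# Rule 12: rate-limit new web connections, then drop whatever exceeds the limit
-A INPUT -p tcp --syn -m multiport --dports 80,443 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
-A INPUT -p tcp --syn -m multiport --dports 80,443 -j DROP
COMMIT
EOF
}

# Checks worth running before iptables-restore: INPUT policy is DROP, the
# text ends with COMMIT, and the loopback ACCEPT precedes the first DROP rule.
# Returns 0 when every check passes.
check_rules() {
    rules="$1"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | tail -n 1 | grep -q '^COMMIT$' || return 1
    lo_line=$(printf '%s\n' "$rules" | grep -n -- '-i lo -j ACCEPT' | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- '-j DROP' | head -n 1 | cut -d: -f1)
    [ -n "$lo_line" ] && [ -n "$drop_line" ] && [ "$lo_line" -lt "$drop_line" ]
}

# Number of -A rules in the generated ruleset.
rule_count() {
    baseline_rules | grep -c '^-A '
}

# Stand-alone run: check the ruleset, then write it to stdout.
rules=$(baseline_rules)
check_rules "$rules" && printf '%s\n' "$rules"
```

To load it, pipe the output into `iptables-restore` as root (`iptables-restore --test` parses the file without committing it); lines beginning with `#` are ignored by iptables-restore, so the rule-number comments can stay in the file.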