25 Practical examples of iptables command

  1. FILTER – This is the default tables of iptables. It contains three chains:
  • INPUT – network packets destined for local sockets
  • OUTPUT – network packets generated locally
  • FORWARD – network packets routed through the system
  1. NAT – This is the table consulted by the system when a network packet tries to create a new connection. It has the following built-in chains:
  • PREROUTING – It is use to altering a network packet as soon as it’s received

  • POSTROUTING – It is use to altering a network packet when they are about to go out

  • OUTPUT – It is used to altering network packets which are locally generated

  1. MANGLE – This is the table use for altering network packets. Previously it has two chains but now 5:
  • PREROUTING – It is used for altering incoming network packets
  • POSTROUTING – It is used for altering outgoing network packets
  • INPUT – It is used for incoming packets
  • OUTPUT – It is used for altering locally-generated packets
  • FORWARD – It is used for the packets which are routed through the box

This article is to learn the uses of iptables CLI firewall. You will see here useful command to manage and configure iptables firewall for your own Linux box.

Examples:

Here we will explain iptables tools with several examples of uses which can help you to understand iptables uses in a practical scenario.

Manage iptables firewall services

To manage iptables service, you can use regular service command, which used to manage other Linux services.

On SystemD based Linux Distributions-

# systemctl start iptables
# systemctl stop iptables
# systemctl restart iptables

On SysVinit based Linux Distributions-

# /etc/init.d/iptables start
# /etc/init.d/iptables stop
# /etc/init.d/iptables restart

Check all configured iptables firewall rules

You can check existing configured iptables rules by using the following command:

# iptables -L -n -v

You will get the output like below:

Chain INPUT (policy ACCEPT 1129K packets, 415M bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT tcp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
 0 0 ACCEPT udp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
 0 0 ACCEPT tcp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
 0 0 ACCEPT udp -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * lxcbr0 0.0.0.0/0 0.0.0.0/0
 0 0 ACCEPT all -- lxcbr0 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 354K packets, 185M bytes)
 pkts bytes target prot opt in out source destination

There is also an option to check the configured rules for a specific table. To check rules of specific table use “-t” option followed by the table name. For example, to check NAT table use following command:

# iptables -t nat -L -v -n

Block specific IP address in iptables firewall

You will get lots of chance to block IPs on your iptables firewall, especially we are doing it when we find any unusual or abusive activity on our system from an IP.

To block an IP address using iptables use following command:

# iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

You can replace “xxx.xxx.xxx.xxx” with your IP address. You can use the “-A” option to append the rule at the end of the selected chain.

Sometimes you need to block TCP traffic from an IP, and you can use the “-p” option which is use to specify the protocol, like below command:

# iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP

Unblock IP address in iptables firewall

If you want to remove or unblock specific IP from your iptables rule, you can delete the blocking rule with the following command:

# iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

The “-D” option is to delete one or multiple rules from the selected chain. You can use “- – delete” also in place of “-D”.

Allow IP address range  on particular port using Iptables

Sometimes you need to allow a specific port for a specific range of IPs or network. Suppose you want to allow outgoing connection on port 25 to network 192.160.5.0/24.

You can perform this by using below command:

# iptables -A OUTPUT -p tcp -d 192.168.5.0/24 --dport 25 -j ACCEPT

Block social website using iptables firewall

Sometimes you can get the instruction to block any social media site or job sites in office or a particular system.

Let’s says we need to block facebook.com for a specific system using iptables firewall. You can block the facebook.com using these three steps:

  • First, find the IP address of the website

To find the IP address of facebook.com, use the following command.

# host facebook.com
facebook.com has address 31.13.80.36
facebook.com has IPv6 address 2a03:2880:f10e:83:face:b00c:0:25de
  • Find the used network range by that website

To find the used network range by the facebook.com, use the following command:

# whois 31.13.80.36 | grep inetnum
inetnum:        31.13.64.0 - 31.13.127.255

After calculating CIDR for given range of IP you will get 31.13.64.0/18.

  • Configure iptables rule to block IP range

Now you can block the find IP range in your system by using the following iptables command:

# iptables -A OUTPUT -p tcp -d 31.13.64.0/18 -j DROP

Blocak specific port on iptables firewall

Sometimes we have a requirement to block all incoming or outgoing traffic on a specific port. Whenever you are doing security setup for your Linux box, it has to do for network security.

You can use below command to block outgoing connection on a specific port:

# iptables -A OUTPUT -p tcp --dport xxx -j DROP

Similarly above command, you can use below command to block incoming connection on a specific port:

# iptables -A INPUT -p tcp --dport xxx -j DROP

In both commands given below, you should replace “xxx” with your actual port, and if your requirement to block UDP traffic instead of TCP traffic change “TCP” into “UDP”.

Allow multiple ports on iptables

Iptables has functionalities to write command to configure multiple ports in a single command. To perform this use multiport as seen in below command.

# iptables -A INPUT  -p tcp -m multiport --dports 22,80,443 -j ACCEPT
# iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT

Configure Port forwarding using iptables

Linux iptables firewall also supports port forwarding, which allows forwarding one service’s traffic to another port.

You can use port forwarding using the following command:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525

The above command will configure an iptables rule which forwards all incoming traffic on network interface “eth0”, from port 25 to 2525. You can change the port as per your requirements.

Block network flood on http port using iptables

Sometimes you get numbers of connection on your network interface, because of IP address may request too many connections on web ports on your website or application. It can cause several issues to down your websites. You can prevent such problems by adding traffic control rules in your iptables firewall using below command:

# iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT

The above command will limit the incoming connection 100 per minute and limit burst to 200. You can set a limit and limit burst as per your needs.

Block incoming ping requests on iptables

Sometimes we block ping request also on our Linux server due to security concern. It will not meet a vital security requirement but good to know how to configure.

To block ping request on your Linux use following command:

# iptables -A INPUT -p icmp -i eth0 -j DROP

Allow loopback access using iptables

The accessing from the IP 127.0.0.1 is called loopback, and it is essential so we should leave it active always by using below command:

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT

Keep logs of dropped packets on iptables

If you want to capture logs for dropped packets on network interface “eth0”, you can do it by the following command:

# iptables -A INPUT -i eth0 -j LOG --log-prefix "IPtables dropped packets:"

You can change the value of “- -log-prefix” as per your choice. This log will be captured in “/var/log/messages”, where you can search your log with the following command:

# grep "IPtables dropped packets:" /var/log/messages

Block specific MAC address access using iptables

Using iptables, you can block access of your system from a specific MAC address using the following command:

# iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP

You can change “00:00:00:00:00:00” with your actual MAC address that you want to bock.

Configure number of concurrent connection per IP address using iptables

Sometime you may want to limit the concurrent connection for incoming traffic. If you’re going to restrict the simultaneous connection from a single IP address on given service or port you can do it by using below command:

# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

The above command allows only 3 concurrent connection from single IP to port 22, here you can change the port number to configure your service. You can also change the value of “–connlimit-above” as per your requirement.

Define New iptables chain

The iptables provides flexibility to define or configure your chain and store your custom rules in it.

You can define a chain using the below command:

# iptables -N custom-filter

Now, you can check your new filter is in the iptables list or not using the following command:

# iptables -L

You will get the output similar like below:

Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain custom-filter (0 references)
target prot opt source destination

Flush iptables firewall chains or rules

If you want to flush your firewall chains, use iptables command with the “-F” option like below:

# iptables -F

You have the option to flush chains from a specific table using the “-t” option followed by the table name, similarly below command:

# iptables -t nat -F

You can change “nat” in the above command with your desired table which chains you want to flush.

Save or backup iptables rules into a file

Sometimes you need to save, or backup configured iptable rules in a file to use it to restore or configure same rules in a different system.

To save configured rules in a file, use “iptables-save” command like below example:

# iptables-save > ~/iptables.rules

The file name and location is up to you where and which file name you want to put.

Restore or configure iptables rules from a file

You can restore iptables rules from a file using “iptables-restore” command as shown below:

# iptables-restore < ~/iptables.rules

You can use your file location in the above command.

Allow established and related Connections using iptables

The network traffic separated in incoming and outgoing connection type and you can allow established and related traffic for both.

For incoming traffic you can use below command:

# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

For outgoing traffic you can use below command:

# iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

Drop invalid packets in iptables

Using iptables, it is possible to mark invalid for some network packets and drop those packets.

To drop invalid network packet using iptables, you can use the following command:

# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP 

Setup iptables rules for PCI compliance

PCI compliance required if your site has a direct or indirect payment based solution. If you need to configure your server to be PCI compliant, there are numbers of requirements by different PCI compliance vendors but some of the common setup rules.

In the maximum cases, you have more than one IP address. You need to apply below rules for your site’s IP address. Before adding rule make sure what are you going to do and execute the command when you sure about.

Block connection on network Interface using iptables

Sometimes you have more than one network interface, and you want to control traffic as per-interface specific. You can limit or block connection for your network interface.

You can block network interface connection for specific IP address using the following command:

# iptables -A INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP

You can change “xxx.xxx.xxx.xxx” with your actual IP address which you want to block on network interface “eth0”. You can also replace “eth0” with your network interface name if you have a different name.

Disable Outgoing mails through iptables

If your system hasn’t a requirement to send an email, better to block smtp port to prevent from misuse.

You can block smtp ports by using the following command:

# iptables -A OUTPUT -p tcp --dports 25,465,587 -j REJECT

Conclusion

The iptables is the most useful and powerful tool for the Linux operating system; it has all capabilities what having a typical firewall. It is a handy utility for every Linux administrator or engineers, and mostly we have to work with it daily.

If you want to know more about iptables you can go through the iptables manual page:

# man iptables

If you have any other example of iptables which we can add in this list please inform us by comment here.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *

Related Articles