As a Linux administrator, managing network traffic on a Linux box is a primary task for every administrator and engineer.
We always use a firewall to manage network traffic and control incoming and outgoing connections, so here we learn iptables, the command-line, table-based Linux firewall.
Iptables is organised into three types of tables that contain chains with built-in and user-defined rules to control I/O traffic on the system:
- FILTER – This is the default table of iptables. It contains three chains:
  - INPUT – network packets destined for local sockets
  - OUTPUT – network packets generated locally
  - FORWARD – network packets routed through the system
- NAT – This is the table consulted by the system when a network packet tries to create a new connection. It has the following built-in chains:
  - PREROUTING – used to alter a network packet as soon as it is received
  - POSTROUTING – used to alter network packets when they are about to go out
  - OUTPUT – used to alter network packets which are locally generated
- MANGLE – This is the table used for altering network packets. It originally had two chains but now has five:
  - PREROUTING – used for altering incoming network packets
  - POSTROUTING – used for altering outgoing network packets
  - INPUT – used for altering packets destined for the local system
  - OUTPUT – used for altering locally-generated packets
  - FORWARD – used for altering packets which are routed through the box
This article is about the practical use of the iptables CLI firewall. You will find useful commands here to manage and configure the iptables firewall on your own Linux box.
We explain the iptables tool with several usage examples that can help you understand how iptables is used in practical scenarios.
Manage iptables firewall services
To manage the iptables service, you can use the regular service commands that are used to manage other Linux services.
On systemd-based Linux distributions:
# systemctl start iptables
# systemctl stop iptables
# systemctl restart iptables
On SysVinit-based Linux distributions:
# /etc/init.d/iptables start
# /etc/init.d/iptables stop
# /etc/init.d/iptables restart
Check all configured iptables firewall rules
You can check existing configured iptables rules by using the following command:
# iptables -L -n -v
You will get output like the one below:
Chain INPUT (policy ACCEPT 1129K packets, 415M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lxcbr0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 354K packets, 185M bytes)
 pkts bytes target     prot opt in     out     source               destination
There is also an option to check the configured rules of a specific table: use the “-t” option followed by the table name. For example, to check the NAT table, use the following command:
# iptables -t nat -L -v -n
Block specific IP address in iptables firewall
You will often need to block IPs on your iptables firewall, especially when you find unusual or abusive activity against your system from a particular IP.
To block an IP address using iptables, use the following command:
# iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
Replace “xxx.xxx.xxx.xxx” with the IP address you want to block. The “-A” option appends the rule at the end of the selected chain. Because rules are evaluated in order, an appended DROP has no effect if an earlier rule already accepts that traffic; use “-I INPUT” instead of “-A INPUT” to insert the rule at the top of the chain.
Sometimes you only need to block TCP traffic from an IP; for that, use the “-p” option, which specifies the protocol, as in the command below:
# iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP
Unblock IP address in iptables firewall
If you want to remove or unblock a specific IP from your iptables rules, you can delete the blocking rule with the following command:
# iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP
The “-D” option deletes one or more rules from the selected chain. You can also use “--delete” in place of “-D”; the rule specification must match the one you added exactly.
Allow IP address range on particular port using Iptables
Sometimes you need to allow a specific port for a specific range of IPs or a network. Suppose you want to allow outgoing connections on port 25 to the network 220.127.116.11/24.
You can do this with the command below:
# iptables -A OUTPUT -p tcp -d 192.168.5.0/24 --dport 25 -j ACCEPT
Block social website using iptables firewall
Sometimes you are instructed to block a social media site or job site in the office or on a particular system.
Let’s say we need to block facebook.com for a specific system using the iptables firewall. You can block facebook.com in these three steps:
- First, find the IP address of the website
To find the IP address of facebook.com, use the following command:
# host facebook.com
facebook.com has address 18.104.22.168
facebook.com has IPv6 address 2a03:2880:f10e:83:face:b00c:0:25de
- Find the network range used by that website
To find the network range used by facebook.com, use the following command:
# whois 22.214.171.124 | grep inetnum
inetnum:        126.96.36.199 - 188.8.131.52
After calculating the CIDR for the given IP range, you get 184.108.40.206/18.
- Configure an iptables rule to block the IP range
Now you can block the IP range you found on your system with the following iptables command:
# iptables -A OUTPUT -p tcp -d 220.127.116.11/18 -j DROP
Note that the host output above also shows an IPv6 address; this rule covers IPv4 only.
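The “calculating CIDR” step above is left to the reader. The following shell functions are an added example, not part of the original article: they turn a whois “inetnum: first - last” range into the minimal list of CIDR blocks and print the OUTPUT DROP rules for each block as a dry run. The sample ranges are constructed from the RFC 5737 documentation prefixes.

```shell
#!/bin/sh
# Added example, not from the original article: turn a whois "inetnum"
# first-last range into the minimal CIDR blocks, then emit the OUTPUT
# DROP rules the article uses, one per block. POSIX sh, 64-bit arithmetic.

ip_to_int() {
    # Dotted quad -> 32-bit integer (the subshell keeps the IFS change local)
    (IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )))
}

int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

range_to_cidr() {
    # $1 = first address, $2 = last address; prints one CIDR block per line
    start=$(ip_to_int "$1"); end=$(ip_to_int "$2")
    [ "$start" -le "$end" ] || { echo "range_to_cidr: first address is after last" >&2; return 1; }
    while [ "$start" -le "$end" ]; do
        # Grow the block from /32 while it stays aligned to $start and inside the range
        bits=32
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))      # size of the next larger block, /(bits-1)
            if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            bits=$(( bits - 1 ))
        done
        echo "$(int_to_ip "$start")/$bits"
        start=$(( start + (1 << (32 - bits)) ))
    done
}

inetnum_to_cidr() {
    # Accepts a whois "inetnum: first - last" line, as printed by the grep above
    set -- $(echo "$1" | sed 's/^inetnum:[[:space:]]*//; s/[[:space:]]*-[[:space:]]*/ /')
    range_to_cidr "$1" "$2"
}

print_block_rules() {
    # Dry run: prints the iptables commands instead of executing them.
    # Review the output first, then pipe it to sh as root to apply.
    range_to_cidr "$1" "$2" | while read -r cidr; do
        echo "iptables -A OUTPUT -p tcp -d $cidr -j DROP"
    done
}
```

For example, `print_block_rules 192.0.2.0 192.0.3.255` prints a single rule for 192.0.2.0/23, while a range that is not block-aligned yields several smaller blocks.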
Block a specific port on the iptables firewall
Sometimes we need to block all incoming or outgoing traffic on a specific port. This is a normal part of the security setup of any Linux box.
You can use the command below to block outgoing connections on a specific port:
# iptables -A OUTPUT -p tcp --dport xxx -j DROP
Similarly, you can use the command below to block incoming connections on a specific port:
# iptables -A INPUT -p tcp --dport xxx -j DROP
In both commands above, replace “xxx” with your actual port number, and if you need to block UDP traffic instead of TCP traffic, change “tcp” to “udp”.
Allow multiple ports on iptables
Iptables can configure multiple ports in a single command. To do this, use the multiport match as seen in the commands below:
# iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
# iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
Configure Port forwarding using iptables
The Linux iptables firewall also supports port forwarding, which redirects one service’s traffic to another port.
You can configure port forwarding with the following command:
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525
The above command configures an iptables rule that redirects all incoming TCP traffic arriving on network interface “eth0” for port 25 to port 2525 on the same host. You can change the ports as per your requirements.
Block network flood on http port using iptables
Sometimes you see a large number of connections on your network interface because one IP address requests too many connections to the web ports of your website or application. This can cause problems up to and including taking your website down. You can limit such traffic by adding a rate-limiting rule to your iptables firewall with the command below:
# iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
The above command accepts incoming connections at a rate of 100 per minute with a burst of 200. You can set the limit and burst as per your needs. This rule only accepts traffic up to the limit; packets beyond it fall through to the following rules, so it must be followed by a rule that drops the remaining traffic to port 80.
Block incoming ping requests on iptables
Sometimes we also block ping requests on our Linux server due to security concerns. It does not meet any vital security requirement, but it is good to know how to configure it.
To block ping requests on your Linux box, use the following command, which drops all ICMP traffic arriving on eth0:
# iptables -A INPUT -p icmp -i eth0 -j DROP
Allow loopback access using iptables
Access via the IP 127.0.0.1 is called loopback, and it is essential, so we should always keep it allowed with the commands below:
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
Keep logs of dropped packets on iptables
If you want to capture logs of dropped packets on network interface “eth0”, you can do it with the following command:
# iptables -A INPUT -i eth0 -j LOG --log-prefix "IPtables dropped packets:"
Because LOG is a non-terminating target, this rule only records packets and does not drop them; place it with the same packet selector immediately before the DROP rule whose packets you want to see. You can change the value of “--log-prefix” as you like (a trailing space keeps the prefix separated from the IN= field that follows it). The log is written by the kernel and captured in “/var/log/messages”, where you can search for it with the following command:
# grep "IPtables dropped packets:" /var/log/messages
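The grep above finds the lines; the next step in practice is to see who is being dropped and how often. The following shell functions are an added example, not part of the original article: they summarise kernel log lines carrying the article’s prefix by source IP and destination port and list the sources that exceed a threshold. The log lines are constructed for this example using RFC 5737 addresses.

```shell
#!/bin/sh
# Added example, not from the original article: summarise what a LOG rule
# with --log-prefix "IPtables dropped packets:" recorded in /var/log/messages.
# The log lines below are constructed for this example (RFC 5737 addresses).
# The prefix has no trailing space, so the kernel prints it glued to IN=.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 12:00:01 host kernel: IPtables dropped packets:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Mar 10 12:00:02 host kernel: IPtables dropped packets:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Mar 10 12:00:03 host kernel: IPtables dropped packets:IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=23 SYN
Mar 10 12:00:04 host kernel: IPtables dropped packets:IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=44 PROTO=UDP SPT=4000 DPT=53
Mar 10 12:00:05 host kernel: eth0: link is up
EOF

summarize_drops() {
    # $1 = log file. Prints "count source-ip dest-port", busiest first.
    grep "IPtables dropped packets:" "$1" |
    awk '{
        src = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") count[src " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2,2 -k3,3n
}

noisy_sources() {
    # $1 = log file, $2 = threshold. Sources with more logged packets than $2,
    # i.e. candidates for the article's "-s <ip> -j DROP" rule.
    summarize_drops "$1" |
    awk -v t="$2" '{ per_src[$2] += $1 } END { for (s in per_src) if (per_src[s] > t) print s }' |
    sort
}
```

Run `summarize_drops /var/log/messages` on a real host to get the same table for your own firewall.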
Block specific MAC address access using iptables
Using iptables, you can block access to your system from a specific MAC address with the following command:
# iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
Replace “00:00:00:00:00:00” with the actual MAC address that you want to block. The MAC match only works on the INPUT, FORWARD and PREROUTING chains, for packets arriving on an Ethernet interface.
Configure number of concurrent connection per IP address using iptables
Sometimes you may want to limit the number of concurrent incoming connections. If you want to restrict the simultaneous connections from a single IP address to a given service or port, you can do it with the command below:
# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
The above command allows only 3 concurrent connections from a single IP to port 22; change the port number to match your service. You can also change the value of “--connlimit-above” as per your requirement.
Define New iptables chain
Iptables gives you the flexibility to define your own chain and store your custom rules in it.
You can define a chain with the command below:
# iptables -N custom-filter
Now you can check whether your new chain appears in the iptables list with the following command:
# iptables -L
You will get output similar to the one below:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain custom-filter (0 references)
target     prot opt source               destination
Flush iptables firewall chains or rules
If you want to flush the rules of your firewall chains, use the iptables command with the “-F” option as below. Note that “-F” removes rules only; the default policy of each chain stays as it is:
# iptables -F
You can also flush the chains of a specific table with the “-t” option followed by the table name, as in the command below:
# iptables -t nat -F
Replace “nat” in the above command with the table whose chains you want to flush.
Save or backup iptables rules into a file
Sometimes you need to save or back up the configured iptables rules to a file, so that you can restore them or configure the same rules on a different system.
To save the configured rules to a file, use the “iptables-save” command as in the example below:
# iptables-save > ~/iptables.rules
The file name and location are up to you.
Restore or configure iptables rules from a file
You can restore iptables rules from a file using the “iptables-restore” command as shown below:
# iptables-restore < ~/iptables.rules
Use your own file location in the above command.
Allow established and related Connections using iptables
Network traffic is separated into incoming and outgoing connections, and you can allow established and related traffic for both.
For incoming traffic you can use the command below:
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
For outgoing traffic you can use the command below:
# iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
Drop invalid packets in iptables
Connection tracking marks packets that do not belong to any known connection as INVALID, and iptables can drop those packets.
To drop invalid network packets using iptables, use the following command:
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
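The loopback, established/related, invalid, multiport, connlimit, custom-chain and logging rules from the sections above fit together into one default-deny ruleset. The following shell functions are an added example, not part of the original article: they generate such a ruleset in the iptables-save file format used by the backup and restore sections, and run a lockout check on it before it is handed to iptables-restore. The SSH port parameter and the LOGDROP chain name are this example’s own choices.

```shell
#!/bin/sh
# Added example, not from the original article: build a minimal default-deny
# ruleset in iptables-save format from the rules shown on this page, then run
# a lockout sanity check before handing it to iptables-restore.

baseline_rules() {
    # $1 = SSH port to keep reachable (assumed 22 if not given)
    ssh_port=${1:-22}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --syn --dport $ssh_port -m connlimit --connlimit-above 3 -j REJECT
-A INPUT -p tcp -m multiport --dports $ssh_port,80,443 -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPtables dropped packets: "
-A LOGDROP -j DROP
-A OUTPUT -o lo -j ACCEPT
COMMIT
EOF
}

ruleset_sanity() {
    # Reads a ruleset on stdin. Returns 1 if INPUT defaults to DROP without the
    # two rules that keep a remote admin session alive: loopback and ESTABLISHED.
    rules=$(cat)
    echo "$rules" | grep -q '^:INPUT DROP' || return 0    # permissive policy: nothing to check
    echo "$rules" | grep -q -- '-A INPUT -i lo -j ACCEPT' ||
        { echo "missing loopback accept" >&2; return 1; }
    echo "$rules" | grep -q -- '-A INPUT -m conntrack --ctstate ESTABLISHED' ||
        { echo "missing ESTABLISHED accept" >&2; return 1; }
    return 0
}
```

To apply it, check the file first (`baseline_rules 22 | ruleset_sanity && baseline_rules 22 | iptables-restore --test`) and only then load it with `iptables-restore`, ideally from a console session in case the SSH port is wrong.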
Setup iptables rules for PCI compliance
PCI compliance is required if your site has a direct or indirect payment-based solution. If you need to configure your server to be PCI compliant, different PCI compliance vendors have a number of requirements, but some setup rules are common to all of them.
In most cases you have more than one IP address, and you need to apply the rules for your site’s IP address. Before adding a rule, make sure you know what it will do, and execute the command only when you are sure.
Block connection on network Interface using iptables
Sometimes you have more than one network interface and want to control traffic per interface. You can limit or block connections on a specific network interface.
You can block connections from a specific IP address on a network interface with the following command:
# iptables -A INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP
Replace “xxx.xxx.xxx.xxx” with the actual IP address you want to block on network interface “eth0”. You can also replace “eth0” with your own interface name if it is different.
Disable Outgoing mails through iptables
If your system has no requirement to send email, it is better to block the SMTP ports to prevent misuse.
You can block the SMTP ports with the following command (the multiport match is required for a comma-separated port list):
# iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
Iptables is a very useful and powerful tool for the Linux operating system; it has all the capabilities of a typical firewall. It is a handy utility for every Linux administrator or engineer, and most of us work with it daily.
If you want to know more about iptables, you can go through the iptables manual page:
# man iptables
If you have any other iptables example that we can add to this list, please let us know in the comments.