iptables Commands

iptables Command

The iptables command is commonly used firewall software on Linux, and is part of the netfilter project. It can be configured directly, or through many front ends and graphical interfaces.

Syntax

iptables (options) (parameters)

Options

-t <table>: specify the table to operate on (the default is filter);
-A: append an entry to the end of the rule chain;
-D: delete an entry from the rule chain;
-I: insert an entry into the rule chain (at the top, unless a rule number is given);
-R: replace an entry in the rule chain;
-L: display existing entries in the rule chain;
-F: clear existing entries in the rule chain;
-Z: clear the packet counters and byte counters in the rule chain;
-N: create a new user-defined rule chain;
-X: delete a user-defined rule chain;
-P: define the default target (policy) of the rule chain;
-h: display help information;
-p: specify the packet protocol type to match;
-s: specify the source IP address of the packet to match;
-d: specify the destination IP address of the packet to match;
-j <target>: specify the target to jump to;
-i <network interface>: specify the network interface through which the packet enters the local machine;
-o <network interface>: specify the network interface through which the packet leaves the local machine.

Options are case-sensitive: -I inserts a rule, while -i selects the input interface.

iptables command option input order:

iptables -t <table> <-A|-I|-D|-R> <chain> [rule number] [-i|-o <interface>] [-p <protocol>] [-s <source IP or subnet>] [--sport <source port>] [-d <destination IP or subnet>] [--dport <destination port>] -j <target>

--sport and --dport are options of the protocol match, so they are only valid after a protocol that has ports, such as -p tcp or -p udp.

Table names include:

  • raw: advanced features, such as URL filtering.
  • mangle: packet modification (QOS), used to implement quality of service.
  • nat: address translation, used for gateway routers.
  • filter: packet filtering, used for firewall rules.

Rule chain names include:

  • INPUT chain: processes incoming packets addressed to the local machine.
  • OUTPUT chain: processes outgoing packets generated by the local machine.
  • FORWARD chain: processes packets routed through the local machine.
  • PREROUTING chain: used for destination address translation (DNAT).
  • POSTROUTING chain: used for source address translation (SNAT).

Actions include:

  • ACCEPT: accept packets.
  • DROP: drop packets.
  • REDIRECT: redirection, mapping, transparent proxying.
  • SNAT: source address translation.
  • DNAT: destination address translation.
  • MASQUERADE: IP masquerading (NAT), used for ADSL.
  • LOG: logging.
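The nat chains and actions listed above are easiest to see together. The following is an added example, not a script from the original page: a small gateway ruleset that masquerades a LAN behind the WAN interface, forwards inbound TCP/80 to an internal web server with DNAT, and restricts the FORWARD chain to exactly those flows. The interface names (eth0, eth1), the LAN subnet 192.168.1.0/24 and the server address 192.168.1.10 are assumed placeholders; with DRY_RUN=1 (the default here) the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumed names: WAN=eth0, LAN=eth1,
# LAN subnet 192.168.1.0/24, internal web server 192.168.1.10.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them with iptables (needs root).
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# usage: gateway_rules [WAN_IF] [LAN_IF] [LAN_SUBNET] [WEB_SERVER_IP]
gateway_rules() {
    WAN="${1:-eth0}"; LAN="${2:-eth1}"
    LAN_NET="${3:-192.168.1.0/24}"; WEB="${4:-192.168.1.10}"

    # nat/POSTROUTING: source address translation for LAN traffic leaving via the WAN
    # interface. MASQUERADE picks up the WAN address dynamically; with a static WAN
    # address, "-j SNAT --to-source <ip>" does the same job with less overhead.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # nat/PREROUTING: destination address translation for inbound TCP/80 on the WAN side.
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB:80"

    # filter/FORWARD: default deny, then allow only the flows the NAT rules need.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    # DNAT has already rewritten the destination when FORWARD sees the packet,
    # so the forward rule matches the internal address, not the WAN address.
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$WEB" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    # Rate-limited log of what the DROP policy is about to refuse.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
}

# Number of commands the ruleset consists of (used to sanity-check the generated set).
gateway_rule_count() { gateway_rules "$@" | wc -l | tr -d ' '; }

gateway_rules "$@"
```

Forwarding itself is a kernel setting (net.ipv4.ip_forward), not an iptables rule, so it has to be enabled separately; the script only installs the nat and filter rules.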

Examples

Clear existing iptables rules

iptables -F
iptables -X
iptables -Z

Open specified ports

iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT               #Allow the local loopback interface (that is, the local machine accessing itself)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    #Allow established or related connections
iptables -A OUTPUT -j ACCEPT         #Allow all outbound access from the local machine
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    #Allow access to port 22
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    #Allow access to port 80
iptables -A INPUT -p tcp --dport 22 -j DROP #Deny access to port 22 (alternative to the ACCEPT rule above: rules are matched in order and the first match wins, so use one or the other)
iptables -A INPUT -p tcp --dport 80 -j DROP #Deny access to port 80 (same caveat)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT    #Allow port 21 for the FTP service
iptables -A INPUT -p tcp --dport 20 -j ACCEPT    #Allow port 20 for the FTP service
iptables -A INPUT -j REJECT       #Block access by all other non-allowed rules (target names are case-sensitive)
iptables -A FORWARD -j REJECT     #Block access by all other non-allowed rules
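The rules above only behave as intended when they are applied in the right order and without leftovers from a previous run. The script below is an added example, not from the original page: it builds the same kind of "open specified ports" ruleset as one idempotent function, matches loopback by interface, and ends with a DROP policy instead of a trailing catch-all rule. The port list "22 80" is a constructed default; with DRY_RUN=1 (the default here) the commands are printed rather than applied.

```shell
#!/bin/sh
# Added example, not part of the original page. DRY_RUN=1 (default) prints the
# commands; DRY_RUN=0 applies them with iptables (needs root).
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# usage: host_rules "22 80"   (TCP ports to open; the default list is constructed)
host_rules() {
    PORTS="${1:-22 80}"

    # Set an ACCEPT policy before flushing so a remote session is not cut off between
    # the flush and the rebuild; the DROP policy is restored at the end.
    ipt -P INPUT ACCEPT
    ipt -F
    ipt -X
    ipt -Z

    # Match loopback by interface rather than by address, so all of 127.0.0.0/8 is covered.
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened, plus related traffic (for example FTP data).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p icmp -j ACCEPT

    # One ACCEPT per service port. Rules are tried top to bottom and the first match wins,
    # so an ACCEPT here makes a later DROP for the same port unreachable, and vice versa.
    for p in $PORTS; do
        ipt -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Log what is about to be refused, rate limited so a flood cannot fill the log, then
    # finish with a DROP policy rather than "-A INPUT -j REJECT": a catch-all rule also
    # swallows any rule appended after it, a policy does not.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

host_rules "$@"
```

Because the function starts by flushing, it can be run again after editing the port list without accumulating duplicate rules, which is the usual failure mode of appending rules by hand.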

Block IPs

iptables -I INPUT -s 123.45.6.7 -j DROP       #Command to block a single IP
iptables -I INPUT -s 123.0.0.0/8 -j DROP      #Command to block the entire range, from 123.0.0.1 to 123.255.255.254
iptables -I INPUT -s 123.45.0.0/16 -j DROP    #Command to block the IP range, from 123.45.0.1 to 123.45.255.254
iptables -I INPUT -s 123.45.6.0/24 -j DROP    #Command to block the IP range, from 123.45.6.1 to 123.45.6.254

View added iptables rules

iptables -L -n -v
Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
1499K  133M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
4364K 6351M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 6256  327K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
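A listing like the one above is also what you audit after a change. The script below is an added example, not from the original page: it parses `iptables -L -n -v` output, prints each chain with its policy and rule count, and flags built-in chains whose policy is ACCEPT, since anything no rule matches in such a chain is let through (the FORWARD chain above is the typical case). The embedded sample listing is constructed to mirror the page's output.

```shell
#!/bin/sh
# Added example, not part of the original page. The sample listing is constructed
# from the page's own "iptables -L -n -v" output.
SAMPLE_LISTING='Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0'

# Reads a listing on stdin and prints one "CHAIN POLICY RULECOUNT" line per chain.
summarize_chains() {
    awk '
        /^Chain / {
            if (chain != "") print chain, policy, rules
            chain = $2; rules = 0
            # built-in chains show "(policy X ...)", user-defined ones "(N references)"
            policy = ($3 == "(policy") ? $4 : "-"
            next
        }
        /^ *pkts +bytes/ { next }     # column header line
        NF > 0 { rules++ }            # every remaining non-blank line is a rule
        END { if (chain != "") print chain, policy, rules }
    '
}

# Prints the chains whose default policy is ACCEPT; exits 1 if there are any, 0 otherwise.
open_policy_chains() {
    summarize_chains | awk '$2 == "ACCEPT" { print $1; found = 1 } END { exit found ? 1 : 0 }'
}

# Stand-alone run: summarize the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | summarize_chains
```

On a live host, pipe the real listing in instead: `iptables -L -n -v | open_policy_chains`. A non-zero exit makes the check usable from a cron job or a configuration-management health check.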

Delete added iptables rules

First list the rules of every chain with their line numbers:

iptables -L -n --line-numbers

Then delete the rule by chain and number. For example, to delete rule number 8 in the INPUT chain, run:

iptables -D INPUT 8
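Line numbers are not stable: once a rule is deleted, every rule below it moves up by one, so deleting "3, 5, 8" in ascending order removes the wrong rules from the second deletion on. The helper below is an added example, not from the original page; it sorts the requested numbers in descending order before deleting, and with DRY_RUN=1 (the default here) prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not part of the original page. DRY_RUN=1 (default) prints the
# commands; DRY_RUN=0 applies them with iptables (needs root).
DRY_RUN="${DRY_RUN:-1}"
ipt() { if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi; }

# usage: delete_rules CHAIN NUM [NUM ...]
# Deletes from the highest number down, so earlier deletions do not shift the
# numbers of rules still to be deleted. Duplicate numbers are collapsed.
delete_rules() {
    chain="$1"; shift
    for n in $(printf '%s\n' "$@" | sort -n -r -u); do
        ipt -D "$chain" "$n"
    done
}

# Stand-alone run: delete_rules <chain> <numbers...>
[ $# -ge 2 ] && delete_rules "$@"
```

When the exact rule is known, deleting by specification (`iptables -D INPUT -p tcp --dport 80 -j ACCEPT`) avoids the numbering problem altogether, since iptables removes the first rule that matches the given specification.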
