iptables Command
The iptables command is commonly used firewall software on Linux, and is part of the netfilter project. It can be configured directly, or through many front ends and graphical interfaces.
Syntax
iptables (options) (parameters)
Options
-t<table>: specify the table to operate on;
-A: add an entry to the rule chain;
-D: delete an entry from the rule chain;
-I: insert an entry into the rule chain;
-R: replace an entry in the rule chain;
-L: display existing entries in the rule chain;
-F: clear existing entries in the rule chain;
-Z: clear the packet counters and byte counters in the rule chain;
-N: create a new user-defined rule chain;
-P: define the default target in the rule chain;
-h: display help information;
-p: specify the packet protocol type to match;
-s: specify the source IP address of the packet to match;
-j<target>: specify the target to jump to;
-i<network interface>: specify the network interface through which the packet enters the local machine;
-o<network interface>: specify the network interface through which the packet leaves the local machine.
iptables command option input order:
iptables -t table name <-A/I/D/R> rule chain name [rule number] <-i/o NIC name> -p protocol name <-s source IP/source subnet> --sport source port <-d destination IP/destination subnet> --dport destination port -j action
Table names include:
- raw: advanced features, such as URL filtering.
- mangle: packet modification (QOS), used to implement quality of service.
- nat: address translation, used for gateway routers.
- filter: packet filtering, used for firewall rules.
Rule chain names include:
- INPUT chain: processes incoming packets.
- OUTPUT chain: processes outgoing packets.
- FORWARD chain: processes forwarded packets.
- PREROUTING chain: used for destination address translation (DNAT).
- POSTROUTING chain: used for source address translation (SNAT).
Actions include:
- ACCEPT: accept packets.
- DROP: drop packets.
- REDIRECT: redirection, mapping, transparent proxying.
- SNAT: source address translation.
- DNAT: destination address translation.
- MASQUERADE: IP masquerading (NAT), used for ADSL.
- LOG: logging.
Examples
Clear existing iptables rules
iptables -F
iptables -X
iptables -Z
Open specified ports
iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT    # Allow the local loopback interface (that is, the local machine accessing itself)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # Allow established or related connections
iptables -A OUTPUT -j ACCEPT    # Allow all outbound access from the local machine
iptables -A INPUT -p tcp --dport 22 -j ACCEPT    # Allow access to port 22
iptables -A INPUT -p tcp --dport 80 -j ACCEPT    # Allow access to port 80
iptables -A INPUT -p tcp --dport 22 -j DROP    # Deny access to port 22
iptables -A INPUT -p tcp --dport 80 -j DROP    # Deny access to port 80
iptables -A INPUT -p tcp --dport 21 -j ACCEPT    # Allow port 21 for the FTP service
iptables -A INPUT -p tcp --dport 20 -j ACCEPT    # Allow port 20 for the FTP service
iptables -A INPUT -j REJECT    # Block access by all other non-allowed rules (target names are case-sensitive)
iptables -A FORWARD -j REJECT    # Block access by all other non-allowed rules
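Two things are worth checking in a list like the one above: iptables evaluates a chain top to bottom and stops at the first match, so the DROP rules for ports 22 and 80 appended after the ACCEPT rules for the same ports never see a packet, and appending rules one at a time with -A leaves the host partially filtered while the script runs and accumulates duplicates on every re-run. The script below is an added example, not code from the original page: it writes the same policy as a complete filter-table ruleset in iptables-restore format (default-deny INPUT and FORWARD, loopback and reply traffic first, explicit per-port ACCEPTs, a final REJECT) and applies it atomically. The file path in RULES_FILE and the port list in TCP_PORTS are assumptions; the two audit functions exist so the generated file can be checked before it is loaded.

```shell
#!/bin/sh
# Added example (not from the original page): build a complete filter-table
# ruleset in iptables-restore format and apply it atomically, instead of
# appending rules one by one with -A. Assumptions: RULES_FILE and TCP_PORTS
# are illustrative defaults and can be overridden from the environment.

RULES_FILE="${RULES_FILE:-/tmp/firewall.rules}"
TCP_PORTS="${TCP_PORTS:-22 80}"

write_ruleset() {
    {
        echo '*filter'
        # Default-deny on INPUT and FORWARD; OUTPUT stays open, as on the page.
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        # Loopback and reply traffic first: iptables is first-match, so these
        # must precede any DROP/REJECT that could also match them.
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
        # One ACCEPT per published service port, restricted to new connections.
        for p in $TCP_PORTS; do
            echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
        # Final explicit reject; target names are case-sensitive (REJECT, not reject).
        echo '-A INPUT -j REJECT --reject-with icmp-port-unreachable'
        echo 'COMMIT'
    } > "$RULES_FILE"
}

# Number of rules that accept new TCP connections: the figure an auditor
# compares against the list of services the host is supposed to publish.
count_open_ports() {
    grep -c -- '--dport .* -j ACCEPT' "$RULES_FILE"
}

# The INPUT chain policy; it should read DROP on a default-deny host.
input_policy() {
    sed -n 's/^:INPUT \([A-Z]*\).*/\1/p' "$RULES_FILE"
}

write_ruleset
echo "wrote $RULES_FILE: $(count_open_ports) open TCP port rule(s), INPUT policy $(input_policy)"
# Parse-check without applying, then load the whole table in one step (both need root):
#   iptables-restore --test "$RULES_FILE"
#   iptables-restore "$RULES_FILE"
```

Because iptables-restore replaces the whole table in one transaction, re-running the script is idempotent and there is no window in which only half of the rules are loaded; the `--test` run catches syntax errors (such as a lowercase target) before anything changes.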
Block IPs
iptables -I INPUT -s 123.45.6.7 -j DROP    # Block a single IP
iptables -I INPUT -s 123.0.0.0/8 -j DROP    # Block the entire range, from 123.0.0.1 to 123.255.255.254
iptables -I INPUT -s 123.45.0.0/16 -j DROP    # Block the IP range, from 123.45.0.1 to 123.45.255.254
iptables -I INPUT -s 123.45.6.0/24 -j DROP    # Block the IP range, from 123.45.6.1 to 123.45.6.254
View added iptables rules
iptables -L -n -v
Chain INPUT (policy DROP 48106 packets, 2690K bytes)
pkts bytes target prot opt in out source destination
5075 589K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
191K 90M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
1499K 133M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
4364K 6351M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6256 327K ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3382K packets, 1819M bytes)
pkts bytes target prot opt in out source destination
5075 589K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
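The pkts and bytes columns in this listing are the quickest way to confirm that a rule is actually doing work. On a host that has been up for a while, a rule whose counter is still zero is often shadowed by an earlier rule in the same chain (first match wins), which is how an ACCEPT placed above a DROP silently defeats it. The script below is an added example, not part of the original page: it reads a saved `iptables -L -n -v` listing and reports every rule with a zero packet count, together with its per-chain rule number so it can be inspected or removed with `-D CHAIN n`. The listing embedded in LISTING is constructed for the example, modelled on the page's output with two shadowed DROP rules added; on a real host, pipe in the live listing instead.

```shell
#!/bin/sh
# Added example (not from the original page): audit an `iptables -L -n -v`
# listing for rules whose packet counter is zero. The listing below is
# constructed for this example (the two DROP rules are shadowed by the
# ACCEPT rules above them and can never match).

LISTING=$(cat <<'EOF'
Chain INPUT (policy DROP 48106 packets, 2690K bytes)
 pkts bytes target     prot opt in     out     source               destination
 5075  589K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 191K   90M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
1499K  133M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 DROP       tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:80
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
)

# Print "CHAIN rule-number target proto source destination [match]" for every
# rule whose pkts column is 0. Rule numbers restart at 1 in each chain, so the
# number printed is the one `iptables -L CHAIN --line-numbers` and
# `iptables -D CHAIN n` use. Column layout of -L -n -v:
#   $1 pkts, $2 bytes, $3 target, $4 prot, $5 opt, $6 in, $7 out,
#   $8 source, $9 destination, $10.. match details
zero_hit_rules() {
    printf '%s\n' "$LISTING" | awk '
        /^Chain /         { chain = $2; n = 0; next }   # new chain header
        /^ *pkts +bytes/  { next }                      # column header
        NF == 0           { next }                      # blank line
        {
            n++
            if ($1 == "0") {
                extra = ""
                for (i = 10; i <= NF; i++) extra = extra " " $i
                printf "%s %d %s %s %s %s%s\n", chain, n, $3, $4, $8, $9, extra
            }
        }'
}

zero_hit_rules
```

Run `iptables -Z` first if the counters have been accumulating since boot and you want to measure a specific window; a rule that still reads zero after representative traffic has passed is either shadowed or matching something that never arrives, and either way it deserves a second look before it is relied on.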
Delete added iptables rules
First display all iptables rules with their line numbers:
iptables -L -n --line-numbers
For example, to delete rule number 8 in INPUT, run:
iptables -D INPUT 8