
iptables: Linux Firewall Rule Management

iptables is a command-line utility that configures the Netfilter packet-filtering and NAT (Network Address Translation) hooks in the Linux kernel for IPv4 traffic (ip6tables is the IPv6 counterpart). It lets you decide which packets a host accepts, forwards or rejects, and how addresses and ports are rewritten on the way through. Rules are organised in tables (filter, nat, mangle, raw) and, within each table, in chains.

Overview

iptables enforces a host's network policy through rules that are matched against each packet. A rule combines match conditions (protocol, addresses, ports, interface, connection state) with a target such as ACCEPT, DROP or REJECT. The filter table's built-in chains are INPUT (packets addressed to this host), OUTPUT (packets generated by this host) and FORWARD (packets routed through it); the nat table uses PREROUTING (destination rewrites such as DNAT and REDIRECT, before routing), POSTROUTING (source rewrites such as SNAT and MASQUERADE, after routing) and OUTPUT for locally generated packets.

Key Features

  • Packet Filtering (Firewall)
  • Network Address Translation (NAT)
  • Port Forwarding and Redirection
  • Traffic control based on specific IP addresses, ports, and protocols

Key Options

The iptables command is used with various options to add, delete, modify, or list current rules. The most frequently used ones fall into three groups.

Rule Management

  • `-A chain` appends a rule to the end of a chain; `-I chain [n]` inserts it at position n (default 1, the top)
  • `-D chain rule-spec` or `-D chain n` deletes a rule; `-R chain n` replaces rule n
  • `-L [chain]` lists rules (`-n` numeric output, `-v` counters, `--line-numbers` positions); `-S` prints them in command form
  • `-F [chain]` flushes rules; `-P chain target` sets the default policy; `-N` and `-X` create and delete user-defined chains
  • `-t table` selects the table (`filter` when omitted; `nat`, `mangle`, `raw`)

Matching Conditions

  • `-p tcp|udp|icmp|all` protocol; with `-p tcp` or `-p udp`, `--dport` and `--sport` match the destination and source port
  • `-s addr[/mask]` and `-d addr[/mask]` source and destination address; a leading `!` negates a match
  • `-i iface` and `-o iface` input and output interface (`-i` is valid only in INPUT, FORWARD and PREROUTING; `-o` only in OUTPUT, FORWARD and POSTROUTING)
  • `-m conntrack --ctstate NEW,ESTABLISHED,RELATED,INVALID` connection-tracking state (the older `-m state --state` form still works)

Targets (Actions)

  • `ACCEPT` lets the packet through; `DROP` discards it silently; `REJECT` discards it and sends an error back (`--reject-with`, e.g. `tcp-reset`)
  • `LOG` writes the packet to the kernel log and continues with the next rule (`--log-prefix`), so it is not terminating
  • `RETURN` leaves the current chain and resumes in the calling chain; naming a user-defined chain as target jumps into it
  • nat-table targets: `MASQUERADE`, `SNAT --to-source`, `DNAT --to-destination`, `REDIRECT --to-ports`

Usage Examples

Examples of setting up common firewall rules using iptables. Always back up the current rules before changing them (`sudo iptables-save > iptables.bak`) so they can be restored with `iptables-restore` if something goes wrong.

List All Current Rules

sudo iptables -L -v -n

Lists the rules of the filter table with packet and byte counters (-v) and without reverse DNS or service-name lookups (-n), which would otherwise make the listing slow and ambiguous. Add --line-numbers to see the positions used by -I and -D, and -t nat to list the NAT table, which -L does not show by default.

Allow SSH (Port 22)

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Appends a rule accepting inbound TCP traffic to port 22 from any source. Because -A adds the rule at the end of INPUT, it has no effect if an earlier rule already drops the traffic; use -I INPUT to insert at the top instead. Where possible, restrict the rule with -s to the addresses that should be able to reach SSH.

Block Specific IP Address

sudo iptables -A INPUT -s 192.168.1.100 -j DROP

Drops every inbound packet whose source address is 192.168.1.100 (use -s 192.168.1.0/24 to cover a whole network). The packet is discarded silently; -j REJECT would return an ICMP error to the sender instead. Since rules are matched in order, insert such a block with -I INPUT rather than -A when an earlier allow rule would otherwise match first.

Allow All Outbound Traffic

sudo iptables -P OUTPUT ACCEPT

Sets the default policy of the OUTPUT chain to ACCEPT. A policy is not a rule: it decides what happens to a packet that reaches the end of a built-in chain without matching anything, and only ACCEPT and DROP are valid policies.

Port Forwarding for Web Server (80 -> 8080)

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

Rewrites the destination port of TCP packets arriving for port 80 to 8080 on this host, so a service can listen on an unprivileged port (REDIRECT is a nat-table target; its option is spelled --to-ports). PREROUTING only sees packets coming in from the network; connections made from the host itself need the same rule in the nat OUTPUT chain. The INPUT chain must still accept port 8080, because filtering happens after this rewrite.

Masquerading for Internal Network (NAT)

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Rewrites the source address of packets leaving through eth0 to that interface's current address, so hosts on the internal network can share it. MASQUERADE is intended for interfaces with a dynamic address; with a fixed address, SNAT --to-source is the usual choice. On its own this does not make a gateway: IP forwarding must be enabled (`sysctl -w net.ipv4.ip_forward=1`) and the FORWARD chain must allow the traffic in both directions. (Uses the NAT table)

Installation

iptables is installed by default on most Linux distributions. If it is not installed, you can install it using the following commands.

Debian/Ubuntu

sudo apt update
sudo apt install iptables

CentOS/RHEL/Fedora

sudo dnf install iptables

Tips & Precautions

iptables rules can be lost upon system reboot, so it's important to know how to save rules permanently. Also, pay attention to the order of rules and default policies when configuring them.

Saving Rules Permanently

iptables rules are volatile by default and need to be saved to persist after a reboot. Recommended methods vary by distribution.

  • **Debian/Ubuntu**: Install `iptables-persistent` (`sudo apt install iptables-persistent`) and then save rules with `sudo netfilter-persistent save`. Rules are saved in `/etc/iptables/rules.v4` and `/etc/iptables/rules.v6`.
  • **CentOS/RHEL/Fedora**: Install `iptables-services` (`sudo dnf install iptables-services`), enable and start the service (`sudo systemctl enable iptables && sudo systemctl start iptables`), and save rules with `sudo iptables-save > /etc/sysconfig/iptables`.
  • **General Method**: Save rules to a file using `sudo iptables-save > /path/to/rules.v4`, then create a script to load the file on boot using `sudo iptables-restore < /path/to/rules.v4`.

Importance of Rule Order

iptables evaluates the rules of a chain from top to bottom, and the first rule whose conditions fit the packet decides its fate when its target is terminating (ACCEPT, DROP, REJECT; LOG is not terminating and passes the packet on to the next rule). Place specific rules (dropping one address, allowing SSH only from the admin network) above general ones (allowing all HTTP), keep the ESTABLISHED,RELATED accept rule near the top so nothing shadows it, and remember that -A appends while -I inserts at the top or at a given position; `iptables -L --line-numbers` shows where a rule landed.

Caution with Default Policy Settings

Be very careful when setting the default policy of a chain, for example `iptables -P INPUT DROP`. Before switching INPUT to DROP, add the rules that keep the machine reachable: accept traffic on lo, accept ESTABLISHED,RELATED packets, and accept SSH (ideally only from known addresses). Otherwise the change cuts off every connection, including the session you are typing in, and on a remote host the only way back is a console. A safer alternative to issuing the commands one by one is loading the whole ruleset with iptables-restore, which applies policies and rules in one atomic step.
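The one-line commands in Usage Examples, the save/restore files in Saving Rules Permanently and the ordering and default-policy warnings above come together in the following script. It is an added example, not code from the original page: it generates a complete ruleset in the format written by `iptables-save` and loads it with `iptables-restore`, which applies every policy and rule at once, so there is no moment at which INPUT DROP is in force before the SSH rule exists. The interface names (eth0 external, eth1 internal), the network 192.168.1.0/24, SSH on port 22, the blocked host 192.168.1.100 and the 80 -> 8080 redirect are hypothetical values chosen to match the examples, and the `check_order` helper is this example's own, not part of iptables.

```sh
#!/bin/sh
# Added example (not from the original page). Build a complete iptables ruleset
# in iptables-save format and load it atomically with iptables-restore, instead
# of issuing one `iptables -A` at a time. Hypothetical values: eth0 faces the
# Internet, eth1 faces the LAN 192.168.1.0/24, SSH listens on 22, the host
# 192.168.1.100 is to be blocked, and port 80 is redirected to a service on 8080.

# Print the ruleset. Arguments: WAN interface, LAN interface, LAN network,
# SSH port, blocked source address. Lines starting with '#' are comments to
# iptables-restore; rule order within a chain is exactly the order printed.
gen_rules() {
    wan=$1; lan_if=$2; lan_net=$3; ssh_port=$4; blocked=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services talk to each other over lo
-A INPUT -i lo -j ACCEPT
# the specific deny goes above every general allow (first match wins)
-A INPUT -s ${blocked} -j DROP
# replies to connections this host opened; junk that fits no connection
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# services reachable from outside: SSH and the redirected web service
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# gateway role: LAN hosts may go out, only replies come back in
-A FORWARD -i ${lan_if} -o ${wan} -s ${lan_net} -j ACCEPT
-A FORWARD -i ${wan} -o ${lan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${wan} -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o ${wan} -s ${lan_net} -j MASQUERADE
COMMIT
EOF
}

# 1-based line number of the first line of ruleset $1 containing the fixed
# string $2, or 0 when absent. Helper of this example, not an iptables feature.
rule_line() {
    n=$(printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# Succeed only if ruleset $1 orders the rules the way the text requires:
# the lo accept above the host-specific DROP, and that DROP above the SSH
# accept on port $2 (the blocked address is $3). First match wins, so a
# swapped order silently changes the policy.
check_order() {
    lo=$(rule_line "$1" "-i lo -j ACCEPT")
    drop=$(rule_line "$1" "-s $3 -j DROP")
    ssh=$(rule_line "$1" "--dport $2 ")
    [ "$lo" -gt 0 ] && [ "$drop" -gt 0 ] && [ "$ssh" -gt 0 ] \
        && [ "$lo" -lt "$drop" ] && [ "$drop" -lt "$ssh" ]
}

# Validate with `iptables-restore --test` (parse only, commit nothing) before
# loading, so a typo aborts here instead of leaving a half-applied ruleset.
apply_rules() {
    file=$1
    if ! iptables-restore --test < "$file"; then
        echo "ruleset rejected by iptables-restore --test; nothing changed" >&2
        return 1
    fi
    iptables-restore < "$file"
}

RULES=$(gen_rules eth0 eth1 192.168.1.0/24 22 192.168.1.100)
check_order "$RULES" 22 192.168.1.100 || { echo "rule ordering check failed" >&2; exit 1; }
if [ "${1:-}" = apply ] && [ "$(id -u)" -eq 0 ]; then
    mkdir -p /etc/iptables
    printf '%s\n' "$RULES" > /etc/iptables/rules.v4   # the file iptables-persistent loads at boot
    apply_rules /etc/iptables/rules.v4
else
    printf '%s\n' "$RULES"                             # review first; then: sudo sh firewall.sh apply
fi
```

Run the script without arguments to print and review the ruleset; run it as root with `apply` to validate and load it. For IPv6 repeat the exercise with `ip6tables-restore`, and leave out the FORWARD and nat parts when the host is not a gateway. As a safety net on a remote machine, schedule a restore of the previous ruleset before applying the new one (for example `echo "iptables-restore < iptables.bak" | at now + 5 minutes`) and cancel the job once the new rules are confirmed working.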

Transition to nftables

Many modern Linux distributions (Debian 10 and later, RHEL 8 and later, and their derivatives) ship `nftables` as the default packet-filtering framework. nftables replaces the separate iptables, ip6tables, arptables and ebtables tools with a single `nft` command and ruleset syntax while using the same Netfilter hooks underneath. On those systems the `iptables` command is usually the `iptables-nft` compatibility build, which accepts iptables syntax but stores the rules as nftables rules; `iptables -V` shows which build is installed, and `iptables-translate` prints the `nft` equivalent of an iptables rule. Rules created through iptables-legacy and through iptables-nft live in separate kernel rulesets that are both evaluated, so check which tool your system uses and do not mix them.
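The check recommended above, as an added example that is not part of the original page: it classifies the output of `iptables -V` (which since iptables 1.8 ends in "(nf_tables)" or "(legacy)") and warns when both builds are installed side by side. The `backend_of` and `report_backend` functions are this example's own names.

```sh
#!/bin/sh
# Added example (not from the original page): find out which backend the
# installed iptables binary uses. Rules loaded through iptables-legacy and
# iptables-nft live in separate kernel rulesets and are both evaluated, so a
# host should manage its rules through exactly one of them.

# Classify one `iptables -V` line; prints nf_tables, legacy or unknown
# (builds older than 1.8 print no backend tag at all).
backend_of() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Report the backend in use and warn when both variants are present, because
# rules added with one are invisible to `-L` of the other.
report_backend() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables: not installed"
        return 0
    fi
    ver=$(iptables -V 2>/dev/null || true)
    echo "iptables backend: $(backend_of "$ver") ($ver)"
    if command -v iptables-legacy >/dev/null 2>&1 && command -v iptables-nft >/dev/null 2>&1; then
        echo "both iptables-legacy and iptables-nft are installed;" \
             "see 'update-alternatives --display iptables' and keep all rules in one of them"
    fi
}

report_backend
```

On Debian-family systems `update-alternatives --config iptables` switches between the two builds; after switching, list the rules with the other build once (`iptables-legacy -S`, `iptables-nft -S`) to make sure no stale ruleset is still being evaluated.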
