iptables Command

The iptables command is the primary tool for configuring the Linux kernel firewall (netfilter). It allows you to create rules to filter, modify, and route network packets, providing essential network security functionality.

Syntax

iptables [-t table] {-A|-C|-D} chain rule-specification
iptables [-t table] -I chain [rulenum] rule-specification
iptables [-t table] -R chain rulenum rule-specification
iptables [-t table] -D chain rulenum
iptables [-t table] -S [chain [rulenum]]
iptables [-t table] {-F|-L|-Z} [chain [rulenum]]
iptables [-t table] -N chain
iptables [-t table] -X [chain]
iptables [-t table] -P chain target
iptables [-t table] -E old-chain-name new-chain-name

Description

The iptables command configures the Linux kernel firewall by manipulating netfilter rules. It operates on different tables (filter, nat, mangle, raw) and on the chains within them (built-in chains such as INPUT, OUTPUT and FORWARD, plus user-defined ones) to control packet flow.

Key concepts:

  • Tables - Different rule categories (filter, nat, mangle, raw)
  • Chains - Rule sequences (INPUT, OUTPUT, FORWARD, custom)
  • Rules - Conditions and actions for packet processing
  • Targets - Actions to take (ACCEPT, DROP, REJECT, etc.)
  • Matches - Criteria for rule matching

Warning: Incorrect iptables rules can lock you out of your system. Always test rules carefully and have a backup plan.

Tables and Chains

Table    Purpose                         Built-in Chains
filter   Packet filtering (default)      INPUT, OUTPUT, FORWARD
nat      Network Address Translation     PREROUTING, OUTPUT, POSTROUTING
mangle   Packet alteration               PREROUTING, OUTPUT, INPUT, FORWARD, POSTROUTING
raw      Connection tracking exemption   PREROUTING, OUTPUT

Common Options

Option              Description
-A, --append        Append rule to end of chain
-I, --insert        Insert rule at specific position
-D, --delete        Delete rule from chain
-R, --replace       Replace rule at specific position
-L, --list          List rules in chain
-F, --flush         Delete all rules in chain
-P, --policy        Set default policy for chain
-N, --new-chain     Create new user-defined chain
-X, --delete-chain  Delete user-defined chain
-Z, --zero          Zero packet and byte counters

Examples

Basic Operations

List all rules

sudo iptables -L

Shows all rules in the filter table

List rules with line numbers

sudo iptables -L --line-numbers

Displays rules with line numbers for easy reference

List rules in specific table

sudo iptables -t nat -L

Shows rules in the NAT table

Show rules with packet counts

sudo iptables -L -v

Displays verbose output with packet and byte counters

Basic Filtering Rules

Allow incoming SSH

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allows incoming SSH connections on port 22

Allow incoming HTTP and HTTPS

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allows incoming web traffic on ports 80 and 443

Block specific IP address

sudo iptables -A INPUT -s 192.168.1.100 -j DROP

Blocks all incoming traffic from 192.168.1.100

Allow traffic from specific subnet

sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

Allows all traffic from the 192.168.1.0/24 subnet

Allow loopback traffic

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

Allows all loopback interface traffic

Stateful Filtering

Allow established connections

sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allows packets for established and related connections

Allow new SSH connections

sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allows new SSH connections and established responses

Advanced Rules

Rate limiting

sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT

Limits new SSH connections to 3 per minute with a burst of 3. The limit match only stops this rule from accepting the excess; those packets fall through to later rules and the chain policy, so a DROP policy (or a following DROP rule) is what actually enforces the limit.

Port range

sudo iptables -A INPUT -p tcp --dport 1000:2000 -j ACCEPT

Allows TCP traffic on ports 1000-2000

Multiple ports

sudo iptables -A INPUT -p tcp -m multiport --dports 80,443,8080 -j ACCEPT

Allows traffic on multiple specific ports

Time-based rules

sudo iptables -A INPUT -p tcp --dport 80 -m time --timestart 09:00 --timestop 17:00 -j ACCEPT

Allows HTTP traffic only during business hours (the time match interprets times as UTC unless --kerneltz is added)

NAT Rules

SNAT (Source NAT)

sudo iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1

Changes source IP to 203.0.113.1 for outgoing packets

MASQUERADE

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Masquerades outgoing packets (dynamic SNAT)

DNAT (Destination NAT)

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100:8080

Rewrites the destination of incoming port 80 traffic to 192.168.1.100:8080. The translated packets still pass through the FORWARD chain, so IP forwarding must be enabled and a FORWARD rule must accept them.

Policy and Management

Set default policies

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

Sets default policies: drop input/forward, accept output. Set a DROP policy only after the rules that allow your own management traffic (loopback, ESTABLISHED,RELATED, SSH) are in place, otherwise the policy locks you out immediately.

Delete specific rule

sudo iptables -D INPUT 3

Deletes rule number 3 from INPUT chain

Insert rule at specific position

sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT

Inserts SSH rule at position 1 (top of chain)

Flush all rules

sudo iptables -F
sudo iptables -t nat -F
sudo iptables -t mangle -F

Removes all rules from the filter, nat and mangle tables. Flushing does not reset chain policies: with INPUT set to DROP, a flushed filter table blocks all incoming traffic, so set the policies back to ACCEPT first if that is not what you want.

Saving and Restoring Rules

Save current rules

sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

Saves the current rules to a file. The redirect runs inside the root shell; a plain `sudo iptables-save > file` would open the file as the unprivileged user and fail on a root-owned directory.

Restore rules from file

sudo iptables-restore < /etc/iptables/rules.v4

Restores rules from saved file

Common Firewall Scenarios

Basic web server firewall

# Allow loopback
sudo iptables -A INPUT -i lo -j ACCEPT
# Allow established connections
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow SSH, HTTP, HTTPS
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Drop everything else
sudo iptables -P INPUT DROP
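An added example, not from this page: the web-server scenario above written as the ruleset file that iptables-restore reads, combined with the stateful, rate-limit and save/restore pieces from the earlier sections. It refuses to load a ruleset that would lock out SSH and rolls the live rules back unless the operator confirms. ADMIN_NET, the log prefix and the 60-second window are assumptions.

```shell
#!/bin/bash
# Added example (not from the page): emit a web-server ruleset in the format
# iptables-restore reads, sanity-check it, and apply it with auto-rollback.
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # constructed: where SSH may originate

# Rules are listed in evaluation order; ESTABLISHED,RELATED comes early so
# replies never reach the rate limit, and the chain policy is DROP.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# Textual lock-out check on a ruleset read from stdin: with an INPUT policy of
# DROP there must be an ESTABLISHED rule and an ACCEPT for port 22.
check_ruleset() {
  local rules; rules=$(cat)
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 0
  printf '%s\n' "$rules" | grep -q 'ESTABLISHED' || return 1
  printf '%s\n' "$rules" | grep -Eq -- '--dport 22 .*-j ACCEPT' || return 1
}

# Load a ruleset file; restore the previous rules unless the operator confirms
# within 60 s, so a rule that cuts off the SSH session undoes itself.
apply_with_rollback() {
  local new="$1" backup; backup=$(mktemp)
  iptables-save >"$backup"
  iptables-restore <"$new" || { rm -f "$backup"; return 1; }
  echo "Applied. Press Enter within 60s to keep the new rules."
  if read -r -t 60 _; then rm -f "$backup"; return 0; fi
  iptables-restore <"$backup"; rm -f "$backup"; echo "Rolled back."; return 2
}

if [ "${1:-}" = "apply" ]; then   # touch the live firewall only when asked
  tmp=$(mktemp); build_ruleset >"$tmp"
  check_ruleset <"$tmp" || { echo "refusing: ruleset would lock out SSH" >&2; exit 1; }
  apply_with_rollback "$tmp"; rm -f "$tmp"
fi
```

Run it as root with the argument `apply` to load the rules; without an argument it only defines the functions, so `build_ruleset` can be used to print or inspect the ruleset.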

Router/Gateway configuration

# Enable IP forwarding (the redirect must run as root, so wrap it in a root shell)
sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
# Allow forwarding for established connections
sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow forwarding from internal network
sudo iptables -A FORWARD -s 192.168.1.0/24 -j ACCEPT
# NAT for internet access
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
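An added example, not part of the original page, for the gateway above: the same configuration as an iptables-restore file that also publishes the DNAT'd service from the NAT section, plus a check that every DNAT target has a matching FORWARD ACCEPT, since with a FORWARD policy of DROP the translated packets are otherwise silently discarded. WAN_IF, LAN_NET and WEB_BACKEND are constructed placeholders.

```shell
#!/bin/bash
# Added example (not from the page): a gateway ruleset in iptables-restore
# format that masquerades the LAN and publishes one DNAT'd web backend, plus a
# check that every DNAT target also has a FORWARD ACCEPT, because a DNAT'd
# packet still traverses FORWARD and would otherwise hit its DROP policy.
WAN_IF="${WAN_IF:-eth0}"                          # constructed placeholders
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WEB_BACKEND="${WEB_BACKEND:-192.168.1.100:8080}"  # host:port behind the gateway

build_gateway_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $WEB_BACKEND
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $WAN_IF -p tcp -d ${WEB_BACKEND%:*} --dport ${WEB_BACKEND#*:} -m state --state NEW -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
COMMIT
EOF
}

# Read a ruleset from stdin; for each "-j DNAT --to-destination host:port"
# require a FORWARD ACCEPT for that host and port. Returns 1 on the first miss.
check_dnat_forward() {
  local rules dst; rules=$(cat)
  for dst in $(printf '%s\n' "$rules" | sed -n 's/.*-j DNAT --to-destination \([^ ]*\).*/\1/p'); do
    printf '%s\n' "$rules" |
      grep -Eq -- "^-A FORWARD .*-d ${dst%:*} .*--dport ${dst#*:} .*-j ACCEPT" || return 1
  done
  return 0
}
```

Loading the file (`build_gateway_ruleset | sudo iptables-restore`) still requires net.ipv4.ip_forward=1 as shown above; the check only inspects the text and never touches the live firewall.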

Common Use Cases

When to Use iptables

  • Server Security - Protect servers from unauthorized access
  • Network Segmentation - Control traffic between network segments
  • NAT/Routing - Set up network address translation and routing
  • Traffic Shaping - Control bandwidth and connection limits
  • Intrusion Prevention - Block malicious traffic patterns

See also