IPTables is invaluable for anyone wishing to secure a Linux server. It can drop or accept packets based on any number of criteria, forward ports and perform a variety of network analysis tasks. It is especially useful when defending against attacks, as every one of these actions can be keyed to a source subnet or other criteria. This flexibility comes at a cost, however, as the command line utility is complicated and confusing. Fortunately, with a few basic examples, much of its utility can be made far more accessible.
Getting Started with IPTables
The service is installed by default on most Linux distributions. However, for the sake of convenience, this tutorial assumes you have either a dedicated or virtual server running a modern version of Ubuntu or CentOS.
Let’s step through a few examples of tasks you might perform with the service. These commands will give you a sense for what is possible, and should be easy to adapt for other circumstances.
We’ll begin by examining your firewall status. This command is incredibly useful for diagnosing issues, as you can use it to determine what rules are currently active, and if a given entry might be blocking traffic unexpectedly.
iptables -L -nv
Now let’s display only a subset of your firewall rules, in this case only the nat table:
iptables -t nat -L -nv
IPTables as a whole can be started, stopped or restarted. This is particularly useful if traffic routing is fundamentally messed up, and you’d like to shut down the entire subsystem to debug what went wrong.
service iptables start
service iptables stop
service iptables restart
If the firewall is completely broken, you may wish to flush all your IPTables rules at once. Note that this may break advanced forwarding setups and connectivity in some instances, but in general it won’t break anything unless you’ve knowingly used an advanced feature. It is a good way to return to a working state and start again. One caveat: flushing removes the rules but leaves each chain’s default policy in place, so if your INPUT policy is DROP, set it back to ACCEPT before flushing or you will lock yourself out.
Say you’ve found a good set of rules and want to save them. They will then be automatically reactivated when the server is rebooted. Under CentOS/Redhat you’d type the following, and rules will be saved in /etc/sysconfig/iptables.
service iptables save
This command works under other distributions, and persists rules to /root/myrules:
iptables-save > /root/myrules
If your rules aren’t automatically restored on boot, use these commands to restore them. Under CentOS/Redhat:
service iptables restart
And under other distributions:
iptables-restore < /root/myrules
Now let's move on to creating specific types of firewall rules. Say you wish to block all traffic from 10.10.10.1 or subnet 10.10.10.0/24.
iptables -A INPUT -s 10.10.10.1 -j DROP
iptables -A INPUT -s 10.10.10.0/24 -j DROP
Next let's block all incoming SSH access. Be careful with this, as if you're connected by SSH then this will cut your current connection:
iptables -A INPUT -p tcp --dport 22 -j DROP
We'll now combine the previous two rules, blocking SSH access from a specific IP:
iptables -A INPUT -s 10.10.10.1 -p tcp --dport 22 -j DROP
This command does the exact opposite. It allows SSH traffic from a remote IP, 10.10.10.1, to a local IP, 192.168.0.1. Keep in mind that rules are checked in order and the first match wins: -A appends to the end of the chain, so if a DROP rule for the same traffic already sits above it, this ACCEPT will never be reached (use -I to insert a rule at the top of the chain instead).
iptables -A INPUT -s 10.10.10.1 -d 192.168.0.1 -p tcp --dport 22 -j ACCEPT
Say you need to open a range of TCP ports for VoIP or gaming traffic. This command opens ports 30000-50000:
iptables -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
Or maybe you want to block ICMP echo requests, so the host stops answering pings. This isn't advisable for various reasons, but the following command shows how it can be done.
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Perhaps you'd like to redirect a port? This is how you'd go about redirecting port 1234 to port 80. Replace eth0 with your actual network interface.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1234 -j REDIRECT --to-port 80
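Putting the individual commands together, here is an added example (not from the original post) of a small baseline firewall script built from the same rules. It flushes safely (the lock-out caveat from the flush section above), lets loopback and established traffic through, restricts SSH to a management subnet, opens the port range, rate-limits ping instead of dropping ICMP, applies the port redirect, and only then switches the INPUT policy to DROP. The `ipt` and `build_firewall` functions, the `MGMT_NET`, `GAME_PORTS` and `IFACE` variables and the `apply` argument are all assumptions of this example.

```shell
#!/bin/sh
# Hypothetical baseline firewall script (added example, not from the original
# post). Run "sh firewall.sh apply" as root to load the rules; run it with no
# argument to print the iptables commands it would execute instead.
set -e

MGMT_NET="${MGMT_NET:-10.10.10.0/24}"   # constructed: only this subnet may reach SSH
GAME_PORTS="${GAME_PORTS:-30000:50000}" # constructed: TCP range for VoIP/gaming
IFACE="${IFACE:-eth0}"                  # replace with your real interface
MODE="${1:-print}"                      # "apply" runs iptables, anything else prints

# Run or print one iptables invocation, depending on MODE.
ipt() {
    if [ "$MODE" = apply ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

build_firewall() {
    # 1. Open the default policies *before* flushing. With INPUT already at
    #    DROP, "iptables -F" would delete the ACCEPT rules and cut off the
    #    SSH session running this script.
    ipt -P INPUT ACCEPT
    ipt -P FORWARD ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -t nat -F
    ipt -X

    # 2. Loopback and replies to our own connections always pass; this is
    #    what keeps the box usable once the INPUT policy becomes DROP.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 3. SSH only from the management subnet. Rules match in order, so this
    #    ACCEPT sits before the catch-all policy; no explicit DROP for other
    #    sources is needed.
    ipt -A INPUT -p tcp --dport 22 -s "$MGMT_NET" -m conntrack --ctstate NEW -j ACCEPT

    # 4. Public services: HTTP and the port range from the tutorial.
    ipt -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -p tcp --dport "$GAME_PORTS" -m conntrack --ctstate NEW -j ACCEPT

    # 5. Keep ping working but rate-limit it rather than dropping all ICMP:
    #    echo requests above 5/s fall through the limited ACCEPT to the DROP.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j DROP

    # 6. Redirect connections arriving on port 1234 to the web server on 80.
    ipt -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 1234 -j REDIRECT --to-ports 80

    # 7. Log a sample of what is about to be dropped, then close the door by
    #    switching the policy last, once every ACCEPT above is in place.
    ipt -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "IPT-DROP:"
    ipt -P INPUT DROP
}

build_firewall
```

Run it without arguments first to review the generated commands, then with `apply` as root. Once you are satisfied, persist the result with `service iptables save` or `iptables-save` as described above, and check the counters with `iptables -L -nvx` to confirm traffic is matching the rules you expect.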
While these examples were specific, it is easy to change the details to achieve a host of related tasks. The above commands are enough to build a capable, responsive firewall. If this guide was helpful to you, kindly share it with others who may also be interested.