iptables Firewall: A Guide to Common Rules and Configuration

Tags: iptables, linux firewall, firewall rules, centos 7, netfilter

iptables is a command-line tool for configuring the Linux kernel firewall and is part of the netfilter project. Currently, most Linux systems use iptables as their default firewall, making it essential to familiarize yourself with it.


Installing iptables

If your system does not have iptables installed, you can install it using the following commands (example for CentOS 7):

yum install -y iptables
yum install iptables-services

Common Options

-t <table>: Specify the table to operate on (filter is the default);
-A: Append an entry to the end of a rule chain;
-D: Delete an entry from a rule chain;
-I: Insert an entry at the start of a rule chain (or at a given position);
-R: Replace an entry in a rule chain;
-L: List the existing entries in a rule chain;
-F: Flush (delete) the existing entries in a rule chain;
-Z: Zero the packet and byte counters of a rule chain;
-N: Create a new user-defined rule chain;
-P: Set the default policy (target) of a built-in rule chain;
-h: Display help information;
-p: Specify the packet protocol to match;
-s: Specify the source IP address to match;
-j <target>: Specify the target action to jump to;
-i <interface>: Specify the network interface through which packets enter the machine;
-o <interface>: Specify the network interface through which packets leave the machine.

Common Commands

# List the current rules of the filter table, with numeric addresses and ports
iptables -L -n
# Flush every rule from the built-in and user-defined chains of the filter table
iptables -F
# Delete all (now empty) user-defined chains
iptables -X
# Set the default policy of the INPUT chain to ACCEPT (applies when no rule matches)
iptables -P INPUT ACCEPT
# Save the running rules to the configuration file (/etc/sysconfig/iptables on CentOS 7)
service iptables save
# Check iptables status
service iptables status
# Stop iptables
service iptables stop
# Start iptables
service iptables start
# Restart iptables
service iptables restart

Practical Examples

Allow only 222.209.77.60 to connect to port 22; drop all other connections to port 22:

iptables -I INPUT -s 222.209.77.60 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Explanation of the parameters above:

  • -I: Insert the rule at the top of the chain, so it is evaluated first
  • -A: Append the rule to the end of the chain
  • -s: Source IP address
  • -p: Protocol to match (common values are tcp, udp and icmp; application protocols such as http or ftp are matched by their port with --dport rather than by -p)
  • --dport: Destination port
  • -j: Action to take when the rule matches (common targets are ACCEPT, DROP and REJECT)
  • -d: Destination IP address or subnet

You may notice the INPUT keyword in the rules above. This is a rule chain. The most commonly used chains are INPUT, which handles traffic arriving at the machine, and OUTPUT, which handles traffic leaving it. Rules in a chain are evaluated from top to bottom and the first match decides, which is why the ACCEPT rule above is inserted with -I ahead of the DROP rule appended with -A.

Following the same logic, adding a rule to block ping is straightforward. The example below drops all incoming ICMP packets:

iptables -A INPUT -p icmp -j DROP

The rules above handle incoming traffic (INPUT). Here is an example for outgoing traffic: block all outgoing UDP traffic, except for UDP requests to port 53 of 119.29.29.29:

# Block all outgoing UDP traffic
iptables -A OUTPUT -p udp -j DROP
# Allow outgoing UDP to 119.29.29.29 port 53; -I places it above the DROP rule so it is matched first
iptables -I OUTPUT -p udp -d 119.29.29.29 --dport 53 -j ACCEPT
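Because the first matching rule decides, the order produced by -I and -A is what makes the SSH and UDP examples above work. The following is an added example, not part of the original post and not iptables itself: a small Python model that parses the post's rule lines into chains and walks sample packets through them, so you can see that appending the SSH ACCEPT after the DROP instead of inserting it would lock the administrator out. The packet addresses other than those in the post's rules are constructed.

```python
import shlex

# Options this model understands (only those used in the post's rules).
OPTS = {"-p": "proto", "-s": "src", "-d": "dst", "--dport": "dport", "-j": "target"}

def parse_rule(cmd):
    """Parse one 'iptables -I|-A CHAIN ...' line into (chain, insert_first, rule)."""
    toks = shlex.split(cmd)
    if toks[0] != "iptables" or toks[1] not in ("-I", "-A"):
        raise ValueError("expected 'iptables -I|-A CHAIN ...': %s" % cmd)
    rule = {"proto": None, "src": None, "dst": None, "dport": None, "target": None}
    for opt, val in zip(toks[3::2], toks[4::2]):
        key = OPTS[opt]  # raises KeyError for options this model does not cover
        rule[key] = int(val) if key == "dport" else val
    return toks[2], toks[1] == "-I", rule

def build_chains(cmds):
    """Apply commands in order: -I goes to the front of the chain, -A to the end."""
    chains = {"INPUT": [], "OUTPUT": []}
    for cmd in cmds:
        chain, insert_first, rule = parse_rule(cmd)
        if insert_first:
            chains[chain].insert(0, rule)
        else:
            chains[chain].append(rule)
    return chains

def packet(proto, src, dst, dport=None):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; a field left unset in a rule matches anything.
    If no rule matches, the chain's default policy (set with -P) applies."""
    for rule in chain:
        if all(rule[k] is None or rule[k] == pkt[k] for k in ("proto", "src", "dst", "dport")):
            return rule["target"]
    return policy

# The post's two practical examples, verbatim.
RULES = [
    "iptables -I INPUT -s 222.209.77.60 -p tcp --dport 22 -j ACCEPT",
    "iptables -A INPUT -p tcp --dport 22 -j DROP",
    "iptables -A OUTPUT -p udp -j DROP",
    "iptables -I OUTPUT -p udp -d 119.29.29.29 --dport 53 -j ACCEPT",
]
# The same SSH rules with the ACCEPT appended after the DROP: it is shadowed and never reached.
SHADOWED = [RULES[1], RULES[0].replace("-I INPUT", "-A INPUT")]

if __name__ == "__main__":
    c = build_chains(RULES)
    print(verdict(c["INPUT"], packet("tcp", "222.209.77.60", "10.0.0.1", 22)))  # ACCEPT
    print(verdict(c["INPUT"], packet("tcp", "203.0.113.9", "10.0.0.1", 22)))    # DROP
    print(verdict(build_chains(SHADOWED)["INPUT"], packet("tcp", "222.209.77.60", "10.0.0.1", 22)))  # DROP
```

Running it shows the inserted ACCEPT lets the administrator in while everyone else hits the DROP, and that the shadowed ordering drops the administrator too.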

Some Common Rules

# Allow port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Block connection to port 3306
iptables -A INPUT -p tcp --dport 3306 -j DROP
# Block ping
iptables -A INPUT -p icmp -j DROP

Rules added this way take effect immediately but are lost on reboot or when the service restarts. To make them persistent, save them with service iptables save.

Summary

iptables can do much more, such as port forwarding. The rules mentioned above are just a small part of its capabilities. Feel free to search and study further.
