Iptables Firewall: Common Rule Compilation

Publish: 2018-12-28 | Modify: 2018-12-28

iptables is a command-line tool for configuring the Linux kernel firewall and is part of the netfilter project. Currently, most Linux systems use iptables as the firewall by default, so it is necessary to be familiar with and understand it.

Installing iptables

If iptables is not installed on your system, you can install it using the following commands (for example, on CentOS 7):

yum install -y iptables
yum install iptables-services

Common Options

-t<Table>: Specify the table to manipulate;
-A: Add an entry to the rule chain;
-D: Delete an entry from the rule chain;
-I: Insert an entry into the rule chain (at the top by default);
-R: Replace an entry in the rule chain;
-L: List existing entries in the rule chain;
-F: Flush all existing entries in the rule chain;
-Z: Zero the packet and byte counters in the rule chain;
-N: Create a new user-defined rule chain;
-P: Set the default target in the rule chain;
-h: Display help information;
-p: Specify the packet protocol type to match;
-s: Specify the source IP address to match;
-j<Target>: Specify the target to jump to;
-i<Network Interface>: Specify the network interface for incoming packets;
-o<Network Interface>: Specify the network interface for outgoing packets.

Common Commands

# View current iptables rules
iptables -L -n
# Flush all rules in every chain (user-defined chains themselves remain)
iptables -F
# Delete all (empty) user-defined chains
iptables -X
# Allow all incoming traffic
iptables -P INPUT ACCEPT
# Save the rules to the configuration file
service iptables save
# View iptables status
service iptables status
# Stop iptables
service iptables stop
# Start iptables
service iptables start
# Restart iptables
service iptables restart

Let's look at some examples

Only allow 222.209.77.60 to connect to port 22, and drop all other IP connections to port 22

iptables -I INPUT -s 222.209.77.60 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Explanation of the parameters above:

  • -I: Insert the rule at the top of the chain (position 1), so it is evaluated before rules appended with -A
  • -A: Append a rule to the end of the chain
  • -s: Source IP
  • -p: Specify the protocol, commonly used protocols include tcp/udp/icmp/http/ftp, etc.
  • --dport: Specify the destination port
  • -j: Action to be taken, commonly used actions include ACCEPT (allow), DROP (discard), REJECT (reject)
  • -d: Destination IP or subnet

You may also notice INPUT in the rules above. INPUT is not an option but a rule chain; the most commonly used chains are INPUT (incoming packets) and OUTPUT (outgoing packets), and a rule is attached to a chain to control traffic in that direction.

Following the previous examples, it is easy to add a rule to disable ping. The following example drops all incoming ICMP packets:

iptables -A INPUT -p icmp -j DROP

The above rules are all for incoming traffic (INPUT). Let's now look at an outgoing example. The following rules drop all outgoing UDP traffic except to port 53 of 119.29.29.29; the DROP is appended first and the ACCEPT is then inserted above it, so the exception is evaluated before the DROP:

# First, block all outgoing UDP traffic
iptables -A OUTPUT -p udp -j DROP
# Allow outgoing UDP traffic to port 53 of 119.29.29.29
iptables -I OUTPUT -p udp -d 119.29.29.29 --dport 53 -j ACCEPT

Some common rules

# Allow port 80
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Block port 3306
iptables -A INPUT -p tcp --dport 3306 -j DROP
# Disable ping
iptables -A INPUT -p icmp -j DROP
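As an added example (not code from the original post), here is a small POSIX sh script that applies the SSH, outgoing-UDP and common rules above in the order the post describes, with a "show" mode that prints the commands instead of executing them and a check that the port-22 ACCEPT really sits above the DROP. ADMIN_IP and DNS_IP default to the post's addresses and are assumptions to adjust; the dry_run and ssh_accept_is_first helpers are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Usage as root: ./fw.sh apply
# Without root: ./fw.sh show   (prints the iptables commands instead of running them)
IPT="${IPT:-iptables}"
ADMIN_IP="${ADMIN_IP:-222.209.77.60}"   # assumed: only host allowed to reach sshd
DNS_IP="${DNS_IP:-119.29.29.29}"        # assumed: only resolver allowed outbound on udp/53

# Dry-run backend: print the command that would run instead of running it.
dry_run() { printf 'iptables %s\n' "$*"; }

apply_rules() {
    # Start from a clean slate: flush rules, delete user chains, zero counters
    "$IPT" -F
    "$IPT" -X
    "$IPT" -Z

    # Keep established sessions (including the SSH session applying this) working
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT

    # SSH: append the DROP first, then -I puts the ACCEPT for ADMIN_IP above it.
    # An ACCEPT appended after the DROP would never be reached, so order matters.
    "$IPT" -A INPUT -p tcp --dport 22 -j DROP
    "$IPT" -I INPUT -s "$ADMIN_IP" -p tcp --dport 22 -j ACCEPT

    # Public web service allowed, MySQL blocked, ping dropped
    "$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT
    "$IPT" -A INPUT -p tcp --dport 3306 -j DROP
    "$IPT" -A INPUT -p icmp -j DROP

    # Outbound UDP: drop everything, then insert the DNS exception above the DROP
    "$IPT" -A OUTPUT -p udp -j DROP
    "$IPT" -I OUTPUT -p udp -d "$DNS_IP" --dport 53 -j ACCEPT
}

# Reads an "iptables -S INPUT" listing on stdin; succeeds only if the first
# rule mentioning port 22 is the ACCEPT, i.e. the exception precedes the DROP.
ssh_accept_is_first() {
    grep -- '--dport 22 ' | head -n 1 | grep -q ACCEPT
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT=dry_run; apply_rules ;;
    check) "$IPT" -S INPUT | ssh_accept_is_first && echo "port-22 ACCEPT precedes DROP" ;;
esac
```

After "apply", run "./fw.sh check" from a second session before closing the first one, so a mistake in the SSH rule order cannot lock you out.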

The rules above take effect immediately but are lost on reboot. To make them permanent, don't forget to save them with service iptables save.

Summary

There are many things that iptables can do, such as port forwarding. The rules mentioned above are just the tip of the iceberg. If you are interested, you can search and explore more. Some content references:

