Linux iptables how to

How to Manage Linux System Routing Rules With Iptables

Iptables is a user-space utility for managing the firewall rules of the Linux kernel. It is a powerful security tool that keeps your system safe by blocking unwanted network traffic, allowing expected traffic, redirecting packets to other TCP/UDP ports, and helping to ward off DDoS attacks, among other uses.

#How Does Iptables Work?

Iptables organizes its rules into tables; each table holds ordered lists of rules called chains that determine how network packets are treated. Iptables inspects traffic flowing to and from the Linux server and checks whether a packet or connection matches a rule. If a packet matches a rule, the action given by that rule's target is applied. If no rule matches, the chain's default policy is applied.

In this tutorial, you will learn how to manage the Linux firewall using Iptables.

#How To Install Iptables on Linux

Iptables comes installed by default on most modern Linux distributions including Ubuntu, Debian, RHEL, Rocky Linux, and AlmaLinux.

In case Iptables is not installed on your distribution, here’s how you can get started.

#Iptables For Ubuntu / Debian

If you are running an Ubuntu / Debian server, install Iptables by running the following command:

sudo apt install iptables 

Once installed, you can confirm that Iptables is present and check its version with the command:

iptables --version

Since Ubuntu 22.04, nftables has replaced iptables as the default firewall backend.

Nftables brings numerous benefits in flexibility and performance when defining and deploying firewall rules, especially on systems that use both IPv4 and IPv6. The traditional iptables utility now configures the nftables kernel backend, while the new nft user-space tool allows the creation of more flexible rules that iptables cannot currently express.

#Iptables For RHEL / CentOS Stream / Fedora / Rocky / AlmaLinux

If you are running a modern RHEL system or a Red Hat derivative, follow the steps outlined.

First, update the packages:

Next, install iptables using the following command:

sudo dnf install iptables-services 

After successful installation, verify that iptables is installed:

rpm -qa | grep -i iptables-services 

Then start Iptables and enable it so that it starts again after a reboot:

sudo systemctl start iptables 
sudo systemctl enable iptables 

Finally, confirm that iptables is running:

sudo systemctl status iptables 

#Exploring Iptables Chain Rules

At a high-level, Iptables is made up of multiple tables which contain multiple chains.

A chain is an ordered list of built-in or user-defined rules.

Rules consist of matching criteria and a target, which together determine how incoming and outgoing packets are treated.


If the criteria match, the action specified by the target is executed. If they do not match, the packet moves on to the next rule in the chain.

In a nutshell, Iptables takes the following structure:

Iptables -> Tables -> Chains -> Rules.

Iptables provides the following salient built-in tables.

#FILTER TABLE

This is the default table that provides the following built-in chains:

INPUT — Intended for packets coming to the local server.

OUTPUT — Intended for outbound packets. These are locally generated data packets that are heading out of the server.

FORWARD — Intended for packets routed through the server to another NIC (Network Interface Card); that is, packets that are neither addressed to nor generated by the server itself.

#NAT TABLE

This table is consulted for packets that initiate a new connection and is used for network address translation. It provides the following chains:

PREROUTING — Alters inbound packets as soon as they arrive, before any routing decision is made.

POSTROUTING — Alters packets after routing, just before they leave the system; address translation of outbound packets happens here.

OUTPUT — This is a chain for altering locally generated data packets.

#MANGLE TABLE

This is a table that is used for specialized packet alteration. It comprises the following five chains:

INPUT — Alters incoming network packets targeted for the host.

OUTPUT — Alters locally-generated network packets before they leave the host.

FORWARD — Alters network packets routed through the host.

PREROUTING — Alters incoming network packets before they are routed.

POSTROUTING — Alters network packets before they head out of the system.

#Iptables Target Values

When a data packet matches a rule, it is assigned one of the following target values:

ACCEPT: Allows the packet to enter the system.

DROP: Silently discards the packet, so it never enters the system.

RETURN: Stops processing the current chain and returns the packet to the calling chain, where evaluation continues with the next rule.

Let’s now focus on some of the useful and widely used iptables commands used for managing firewall rules.

#List Iptables Firewall Rules

To list all the available firewall rules, run the command:

Once the command is executed, you will get output that resembles what we have below. It's worth noting that since you are starting from a clean slate, no user-defined rules will be printed on the terminal.

[Screenshot: List iptables firewall rules]

Let’s have a look at the command options:

-L or --list : Lists all the firewall rules in all the chains.

-n or --numeric : Displays addresses and ports in numeric form instead of resolving names.

-v or --verbose : Prints out verbose output.

To view rules for a specific table, pass the -t option followed by the name of the table. For example, to check the rules defined in the NAT table, run the following command:

sudo iptables -L -v -n -t nat 

[Screenshot: Check iptables rules for the nat table]

To check the rules defined in the filter or mangle table, run the corresponding command:

sudo iptables -L -v -n -t filter 
sudo iptables -L -v -n -t mangle 

#How To Define Iptables Rule Chains

Creating an Iptables rule simply means appending a new rule to a chain. To do this, pass the -A (append) flag to the iptables command like so:

sudo iptables -A <chain> -i <interface> -p <protocol> -s <source> --dport <port> -j <target>

The -A (append) flag instructs iptables that you are adding a new rule to a chain. Here are some of the options that are used alongside the append option:


-p (protocol) — This option specifies the network protocol on which the filtering process will take place. Examples include TCP and UDP to mention a few.

-i (interface) — Refers to the network interface on which the packet arrives, such as eth0, enp0s3, or ens33.

-s (source) — This is the IP address or FQDN ( Fully Qualified Domain Name ) from which the traffic comes.

--dport (--destination-port) — This stands for the destination port. It matches the target port of the connection.

-j (target) — This is the target of the rule. It specifies the action to be taken if the packet matches a rule. A target can be a built-in target ( such as ACCEPT, DROP, RETURN ) or a user-defined chain which determines how the packets will be treated.

If you do not pass the -t flag, iptables operates on the filter table by default.

#Block an IP Address on Iptables

In case you detect unusual or suspicious behavior from an IP address, you can block it using the following command, where xxx.xxx.xxx.xxx is the IP address of the remote host.

sudo iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP 

In addition, you can specify a protocol, for instance, TCP using the -p option.

For example, to block TCP traffic coming from IP 173.82.232.55 , run the command:

sudo iptables -A INPUT -p tcp -s 173.82.232.55 -j DROP 

[Screenshot: Block traffic from an IP address]

#Unblock an IP Address on Iptables

To unblock traffic from an IP address, pass the -D or --delete option as shown. If you had specified the protocol when blocking the traffic from the remote host, remember to specify it again in the command.

sudo iptables -D INPUT -p tcp -s 173.82.232.55 -j DROP 

[Screenshot: Remove blacklisted IP address]

#Open a Port(s) On Iptables

To allow or open a single port in Iptables, run the following command where xxxx is the port number.

sudo iptables -A INPUT -p tcp --dport xxxx -j ACCEPT 

For example, to allow the default MySQL port 3306, run the command:

sudo iptables -A INPUT -p tcp --dport 3306 -j ACCEPT 

To confirm that the rule has been applied, list the Iptables rules as shown.

[Screenshot: List iptables rules]

To open multiple ports in one command, use the multiport match and list the ports separated by commas, as follows.

sudo iptables -A INPUT -p tcp -m multiport --dports 22,80,443,3389 -j ACCEPT 

[Screenshot: Iptables open multiple ports]

#Allow a Network subnet On A Particular Port In Iptables

Sometimes, you might want to allow connections to a specific port only from a specific network subnet. Suppose you want to allow incoming SSH connections only from the 192.168.40.0/24 subnet.

You can achieve this with the following command, which matches on the source address (-s) of the incoming packet:

sudo iptables -A INPUT -p tcp -s 192.168.40.0/24 --dport 22 -j ACCEPT 

Note that an ACCEPT rule on its own only permits traffic; SSH from other sources is actually restricted only if a later rule, or the INPUT chain's default policy, drops it.

[Screenshot: Iptables allow traffic from a subnet]

To allow outgoing SSH connections to the same network range, run the command:

sudo iptables -A OUTPUT -p tcp -d 192.168.40.0/24 --dport 22 -j ACCEPT 

[Screenshot: Allow outbound SSH connections to an IP range]

#Block a Port(s) On Iptables

To block or drop incoming packets addressed to a specific port, use the following syntax, where xxxx is the port number.

sudo iptables -A INPUT -p tcp --dport xxxx -j DROP 

For example, to block incoming web traffic on port 80, run the command:

sudo iptables -A INPUT -p tcp --dport 80 -j DROP 

[Screenshot: Block port 80 on iptables]

To block the port on a specific network interface, pass the -i flag as shown in the following syntax.

sudo iptables -A INPUT -i interface-name -p tcp --dport xxxx -j DROP 

In the following example, incoming web traffic on port 80 is blocked on the ens33 network interface.

sudo iptables -A INPUT -i ens33 -p tcp --dport 80 -j DROP 

[Screenshot: Block traffic on port 80 on a specific network interface]

To block an outgoing port, replace the INPUT option with the OUTPUT parameter as shown in the following syntax.

sudo iptables -A OUTPUT -p tcp --dport xxxx -j DROP 

For example, to block outbound traffic on FTP port 21, run the command:

sudo iptables -A OUTPUT -p tcp --dport 21 -j DROP 

[Screenshot: Block outgoing traffic on port 21]

To block an outbound port only towards a specific IP address, for instance SMTP port 25 on 172.16.10.10, run the command:

sudo iptables -A OUTPUT -p tcp -d 172.16.10.10 --dport 25 -j DROP 

[Screenshot: Block a port for a specific IP address]

#Block Incoming Ping Requests on Iptables

For security reasons, you might want to block incoming ping requests from botnets, attackers, or other parties conducting reconnaissance to determine whether your system is reachable.


You can block incoming ping requests by using the following command. The -i flag specifies a network interface; in this case it's ens33 . Note that -p icmp matches every ICMP type, not only echo requests, so this rule also discards ICMP error messages (such as those used for path MTU discovery) arriving on that interface.

sudo iptables -A INPUT -p icmp -i ens33 -j DROP 

[Screenshot: Block incoming ping requests on a specific network interface]

#Block Access From Specific Mac Addresses on Iptables

You can limit access to your system by blocking a remote system's MAC address using the mac match with the --mac-source option, followed by its MAC address, as follows. This only works for hosts on the same network segment, since MAC addresses are not preserved across routers.

sudo iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP 

[Screenshot: Block a specific device on iptables]

#Flush IPtables Firewall Rules

To start from a clean slate, delete or flush all firewall chains or rules using the following command.

[Screenshot: Flush iptables rules]

To flush firewall rules for a specific table, specify the table using the -t option as follows. In the examples below, we are flushing the firewall rules for the NAT and MANGLE tables.

#Save Iptables Firewall Rules

To save the chain rules you have defined so that they can be restored after a reboot, use the iptables-save command as shown. In this example, the firewall rules are saved to the iptables.rules file in the home directory. Note that saving to a file does not by itself reload the rules at boot; the file has to be loaded again with iptables-restore, for example from a boot-time service.

sudo iptables-save > ~/iptables.rules 

[Screenshot: Save iptables rules to a file]

#Restore Iptables Firewall Rules From a File

If you wish to restore firewall rules from your previously created file, use the iptables-restore command. The command takes the following format.

[Screenshot: Restore iptables rules from a file]
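Pulling together the rules from the earlier sections (blocking a host, opening a port, allowing SSH only from a subnet) with the save and restore commands described here, as an added example that is not part of the original article: a POSIX shell script that writes the rules in the iptables-save format, checks their order, and loads them atomically with iptables-restore. It reuses the article's example subnet, host and interface name as constructed values.

```shell
#!/bin/sh
# Added example, not from the original article: assemble the article's rules
# into one default-deny ruleset in iptables-save format, check the rule order,
# then load it atomically with iptables-restore. The values below reuse the
# article's example addresses and interface (constructed; adjust as needed).
ADMIN_NET="192.168.40.0/24"   # subnet allowed to open SSH sessions
BLOCKED_HOST="173.82.232.55"  # host from the article's block example
IFACE="ens33"                 # interface facing the network

# Complete filter table. Rules are evaluated top to bottom, first match wins,
# so the DROP for the blocked host sits above every ACCEPT; the INPUT policy
# of DROP covers everything no rule accepts (including unsolicited pings).
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $BLOCKED_HOST -j DROP
-A INPUT -i $IFACE -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $IFACE -p tcp --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Default policy of a chain, read from its ":CHAIN POLICY [pkts:bytes]" line.
policy_of() {
    ruleset | sed -n "s/^:$1 \([A-Z]*\) .*/\1/p"
}
# 1-based position of the first rule in chain $1 whose text contains $2;
# prints nothing when the chain has no such rule.
rule_pos() {
    ruleset | grep -- "^-A $1 " | grep -n -- "$2" | head -n 1 | cut -d: -f1
}
# Pre-load check: the blocked host must be dropped before any rule could
# accept its SSH traffic, otherwise that DROP would never be reached.
order_ok() {
    drop=$(rule_pos INPUT "-s $BLOCKED_HOST")
    ssh=$(rule_pos INPUT "--dport 22")
    [ -n "$drop" ] && [ -n "$ssh" ] && [ "$drop" -lt "$ssh" ]
}
case "${1:-}" in
    show)  ruleset ;;
    apply) order_ok && ruleset | sudo iptables-restore --test \
               && ruleset | sudo iptables-restore ;;
esac
```

Run it with `show` to print the ruleset and `apply` to load it; `iptables-restore --test` parses the file without touching the running firewall. Loading the whole table at once also avoids the window in which an -F followed by individual -A commands leaves the host either unprotected or unreachable.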

#Conclusion

Iptables is a powerful security tool that safeguards your Linux system through a set of network traffic management options that control how network packets are routed. This gives you the autonomy to manage the flow of traffic across your Linux Server. For more information regarding Iptables, check out the official documentation.

Mantas Levinas

Helping engineers learn 💡 about new technologies and ingenious IT automation use cases to build better systems 💻