Linux: 20 Iptables Examples For New SysAdmins
by VIVEK GITE on DECEMBER 13, 2011 last updated JANUARY 21, 2016
in IPTABLES, LINUX, LINUX DISTRIBUTION, LINUX EMBEDDED DEVICES, LINUX LAPTOP
inux comes with a host based firewall called Netfilter. According to the
official project site:
netfilter is a set of hooks inside the Linux kernel that allows kernel
modules to register callback functions with the network stack. A registered
callback function is then called back for every packet that traverses the
respective hook within the network stack.
This Linux based firewall is controlled by the program called iptables to handles
filtering for IPv4, and ip6tables handles filtering for IPv6. I strongly recommend
that you first read ourquick tutorial that explains how to configure a host-based
firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat
Enterprise Linux. This post lists most simple iptables solutions required by a
new Linux user to secure his or her Linux operating system from intruders.
IPTABLES Rules Example
Most of the actions listed in this post written with the assumption that
they will be executed by the root user running the bash or any other modern
shell. Do not type commands on the remote system as it will disconnect
your access.
For demonstration purpose, Ive used RHEL 6.x, but the following
command should work with any modern Linux distro that use the netfliter.
It is NOT a tutorial on how to set iptables. See tutorial here. It is a quick
cheat sheet to common iptables commands.
#1: Displaying the Status of Your Firewall
Type the following command as root:
# iptables - L - n - v
Sample outputs:
Chain INPUT (policy ACCEPT . packets, . bytes)
pkts bytes target
prot opt in
out
source
destination
Chain FORWARD (policy ACCEPT . packets, . bytes)
pkts bytes target
prot opt in
out
source
destination
Chain OUTPUT (policy ACCEPT . packets, . bytes)
pkts bytes target
prot opt in
out
source
destination
�Above output indicates that the firewall is not active. The following sample
shows an active firewall:
# iptables - L - n - v
Sample outputs:
Chain INPUT (policy DROP . packets,. bytes)
pkts bytes target
. DROP
prot opt in
out
source
destination
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
all
- -
br.
. ,. ,. ,. -.
. ,. ,. ,. -.
all
- -
lo
state INVALID
192 21364 ACCEPT
state RELATED,ESTABLISHED
91 / 7090 ACCEPT
/ 20 ACCEPT
. ,. ,. ,. -.
. ,. ,. ,. -.
Chain FORWARD (policy DROP . packets, . bytes)
pkts bytes target
prot opt in
out
source
destination
. ACCEPT
all
- -
br.
br.
. ,. ,. ,. -.
. ,. ,. ,. -.
. DROP
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
state INVALID
. TCPMSS
tcp
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
tcp flags:. x. 4-. x. 0 TCPMSS clamp to PMTU
. ACCEPT
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
state RELATED,ESTABLISHED
. wanin
all
- -
vlan0 (
. ,. ,. ,. -.
. ,. ,. ,. -.
. wanout
all
- -
vlan0
. ,. ,. ,. -.
. ,. ,. ,. -.
. ACCEPT
all
- -
br.
. ,. ,. ,. -.
. ,. ,. ,. -.
Chain OUTPUT (policy ACCEPT 203 packets, / / 1K bytes)
pkts bytes target
prot opt in
out
source
destination
out
source
destination
out
source
destination
Chain wanin (/ references)
pkts bytes target
prot opt in
Chain wanout (/ references)
pkts bytes target
prot opt in
�Where,
-L : List rules.
-v : Display detailed information. This option makes the list command
show the interface name, the rule options, and the TOS masks. The packet
and byte counters are also listed, with the suffix K, M or G for 1000,
1,000,000 and 1,000,000,000 multipliers respectively.
-n : Display IP address and port in numeric format. Do not use DNS to
resolve names. This will speed up listing.
#1.1: To inspect firewall with line numbers, enter:
# iptables - n - L - v - - line- numbers
Sample outputs:
Chain INPUT (policy DROP)
num
target
DROP
prot opt source
destination
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
state
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
state
INVALID
ACCEPT
RELATED,ESTABLISHED
ACCEPT
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
ACCEPT
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
Chain FORWARD (policy DROP)
�num
target
prot opt source
destination
ACCEPT
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
DROP
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
state
INVALID
TCPMSS
tcp
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
tcp
flags:. x. 4-. x. 0 TCPMSS clamp to PMTU
ACCEPT
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
RELATED,ESTABLISHED
wanin
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
wanout
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
ACCEPT
all
- -
. ,. ,. ,. -.
. ,. ,. ,. -.
Chain OUTPUT (policy ACCEPT)
num
target
prot opt source
Chain wanin (/ references)
destination
state
�num
target
prot opt source
destination
Chain wanout (/ references)
num
target
prot opt source
destination
You can use line numbers to delete or insert new rules into the firewall.
#1.2: To display INPUT or OUTPUT chain rules, enter:
# iptables - L INPUT - n - v
# iptables - L OUTPUT - n - v - - line- numbers
#2: Stop / Start / Restart the Firewall
If you are using CentOS / RHEL / Fedora Linux, enter:
# service iptables stop
# service iptables start
# service iptables restart
You can use the iptables command itself to stop the firewall and delete all rules:
# iptables - F
# iptables - X
# iptables - t nat - F
# iptables - t nat - X
# iptables - t mangle - F
# iptables - t mangle - X
�# iptables - P INPUT ACCEPT
# iptables - P OUTPUT ACCEPT
# iptables - P FORWARD ACCEPT
Where,
-F : Deleting (flushing) all the rules.
-X : Delete chain.
-t table_name : Select table (called nat or mangle) and delete/flush
rules.
-P : Set the default policy (such as DROP, REJECT, or ACCEPT).
#3: Delete Firewall Rules
To display line number along with other information for existing rules, enter:
# iptables - L INPUT - n - - line- numbers
# iptables - L OUTPUT - n - - line- numbers
# iptables - L OUTPUT - n - - line- numbers | less
# iptables - L OUTPUT - n - - line- numbers | grep 0. 0,32,/ ,/
You will get the list of IP. Look at the number on the left, then use number to
delete it. For example delete line number 4, enter:
# iptables - D INPUT 2
OR find source IP 202.74.1.1 and delete from rule:
# iptables - D INPUT - s 0. 0,32,/ ,/ - j DROP
Where,
-D : Delete one or more rules from the selected chain
#4: Insert Firewall Rules
To insert one or more rules in the selected chain as the given rule number use
the following syntax. First find out line numbers, enter:
�# iptables -L INPUT -n line-numbers
Sample outputs:
Chain INPUT (policy DROP)
num
target
prot opt source
DROP
all
- -
0. 0,32,/ ,/
ACCEPT
all
- -
. ,. ,. ,. -.
destination
. ,. ,. ,. -.
. ,. ,. ,. -.
state
NEW,ESTABLISHED
To insert rule between 1 and 2, enter:
# iptables - I INPUT 0 - s 0. 0,32,/ ,0 - j DROP
To view updated rules, enter:
# iptables - L INPUT - n - - line- numbers
Sample outputs:
Chain INPUT (policy DROP)
num
target
prot opt source
destination
DROP
all
- -
0. 0,32,/ ,/
. ,. ,. ,. -.
DROP
all
- -
0. 0,32,/ ,0
. ,. ,. ,. -.
ACCEPT
all
- -
. ,. ,. ,. -.
NEW,ESTABLISHED
. ,. ,. ,. -.
state
�#5: Save Firewall Rules
To save firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables save
In this example, drop an IP and save firewall rules:
# iptables - A INPUT - s 0. 0,3,2,/ - j DROP
# service iptables save
For all other distros use the iptables-save command:
# iptables- save > -root-my,active,firewall,rules
# cat -root-my,active,firewall,rules
#6: Restore Firewall Rules
To restore firewall rules form a file called /root/my.active.firewall.rules, enter:
# iptables- restore < -root-my,active,firewall,rules
To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables restart
#7: Set the Default Firewall Policies
To drop all traffic:
# iptables - P INPUT DROP
# iptables - P OUTPUT DROP
# iptables - P FORWARD DROP
# iptables - L - v - n
#### you will not able to connect anywhere as all traffic is dropped ###
# ping cyberciti,biz
# wget http:--www,kernel,org-pub-linux-kernel-v1,. -testing-linux- 1,0- rc3,tar,bz0
�#7.1: Only Block Incoming Traffic
To drop all incoming / forwarded packets, but allow outgoing traffic, enter:
# iptables - P INPUT DROP
# iptables - P FORWARD DROP
# iptables - P OUTPUT ACCEPT
# iptables - A INPUT - m state - - state NEW,ESTABLISHED - j ACCEPT
# iptables - L - v - n
### ((( now ping and wget should work ((( ###
# ping cyberciti,biz
# wget http:--www,kernel,org-pub-linux-kernel-v1,. -testing-linux- 1,0- rc3,tar,bz0
#8:Drop Private Network Address On Public Interface
IP spoofing is nothing but to stop the following IPv4 address ranges for private
networks on your public interfaces. Packets with non-routable source
addresses should be rejected using the following syntax:
# iptables - A INPUT - i eth/ - s / 90,/ 46,. ,. -02 - j DROP
# iptables - A INPUT - i eth/ - s / . ,. ,. ,. -6 - j DROP
#8.1: IPv4 Address Ranges For Private Networks (make sure you block them on public
interface)
10.0.0.0/: -j (A)
192.16.0.0/12 (B)
192.16:.0.0/16 (C)
224.0.0.0/4 (MULTICAST D)
240.0.0.0/7 (E)
129.0.0.0/: (LOOPBACK)
�#9: Blocking an IP Address (BLOCK IP)
To block an attackers ip address called 1.2.3.4, enter:
# iptables - A INPUT - s / ,0,1,2 - j DROP
# iptables - A INPUT - s / 90,/ 46,. ,. -02 - j DROP
#10: Block Incoming Port Requests (BLOCK PORT)
To block all service requests on port :0, enter:
# iptables - A INPUT - p tcp - - dport 6. - j DROP
# iptables - A INPUT - i eth/ - p tcp - - dport 6. - j DROP
To block port :0 only for an ip address 1.2.3.4, enter:
# iptables - A INPUT - p tcp - s / ,0,1,2 - - dport 6. - j DROP
# iptables - A INPUT - i eth/ - p tcp - s / 90,/ 46,/ ,. -02 - - dport 6. - j DROP
#11: Block Outgoing IP Address
To block outgoing traffic to a particular host or domain such as cyberciti.biz,
enter:
# host - t a cyberciti,biz
Sample outputs:
cyberciti,biz has address 73,/ 04,/ 31,0. 4
Note down its ip address and type the following to block all outgoing traffic to
97.126.173.206:
# iptables - A OUTPUT - d 73,/ 04,/ 31,0. 4 - j DROP
You can use a subnet as follows:
�# iptables - A OUTPUT - d / 90,/ 46,/ ,. -02 - j DROP
# iptables - A OUTPUT - o eth/ - d / 90,/ 46,/ ,. -02 - j DROP
#11.1: Example - Block Facebook.com Domain
First, find out all ip address of facebook.com, enter:
# host - t a www,facebook,com
Sample outputs:
www,facebook,com has address 49,/ 7/ ,006,2.
Find CIDR for 69.191.22:.40, enter:
# whois 49,/ 7/ ,006,2. | grep CIDR
Sample outputs:
CIDR:
49,/ 7/ ,002,. -/ 9
To prevent outgoing access to www.facebook.com, enter:
# iptables - A OUTPUT - p tcp - d 49,/ 7/ ,002,. -/ 9 - j DROP
You can also use domain name, enter:
# iptables - A OUTPUT - p tcp - d www,facebook,com - j DROP
# iptables - A OUTPUT - p tcp - d facebook,com - j DROP
From the iptables man page:
... specifying any name to be resolved with a remote query such as DNS
(e.g., facebook.com is a really bad idea), a network IP address (with /mask),
or a plain IP address ...
#12: Log and Drop Packets
�Type the following to log and block IP spoofing on public interface called eth1
# iptables - A INPUT - i eth/ - s / . ,. ,. ,. -6 - j LOG - - log- prefix "IP_SPOOF A:"
# iptables - A INPUT - i eth/ - s / . ,. ,. ,. -6 - j DROP
By default everything is logged to /var/log/messages file.
# tail - f -var-log-messages
# grep - - color '
IP SPOOF'-var-log-messages
#13: Log and Drop Packets with Limited Number of Log Entries
The -m limit module can limit the number of log entries created per time. This is
used to prevent flooding your log file. To log and drop spoofing per 7 minutes,
in bursts of at most 9 entries .
# iptables - A INPUT - i eth/ - s / . ,. ,. ,. -6 - m limit - - limit 3-m - - limit- burst 7
- j LOG - - log- prefix "IP_SPOOF A:"
# iptables - A INPUT - i eth/ - s / . ,. ,. ,. -6 - j DROP
#14: Drop or Accept Traffic From Mac Address
Use the following syntax:
# iptables - A INPUT - m mac - - mac- source . . :. F:EA:9/ :. 2:. 6 - j DROP
## (only accept traffic for TCP port # 6. 6. from mac . . :. F:EA:9/ :. 2:. 7 ( ##
# iptables - A INPUT - p tcp - - destination- port 00 - m mac - - mac- source
. . :. F:EA:9/ :. 2:. 7 - j ACCEPT
#15: Block or Allow ICMP Ping Request
Type the following command to block ICMP ping requests:
# iptables - A INPUT - p icmp - - icmp- type echo- request - j DROP
�# iptables - A INPUT - i eth/ - p icmp - - icmp- type echo- request - j DROP
Ping responses can also be limited to certain networks or hosts:
# iptables - A INPUT - s / 90,/ 46,/ ,. -02 - p icmp - - icmp- type echo- request - j
ACCEPT
The following only accepts limited type of ICMP requests:
### (( assumed that default INPUT policy set to DROP (( #############
iptables - A INPUT - p icmp - - icmp- type echo- reply - j ACCEPT
iptables - A INPUT - p icmp - - icmp- type destination- unreachable - j ACCEPT
iptables - A INPUT - p icmp - - icmp- type time- exceeded - j ACCEPT
## (( all our server to respond to pings (( ##
iptables - A INPUT - p icmp - - icmp- type echo- request - j ACCEPT
#16: Open Range of Ports
Use the following syntax to open a range of ports:
iptables - A INPUT - m state - - state NEW - m tcp - p tcp - - dport 7. . . :7. / . - j
ACCEPT
#17: Open Range of IP Addresses
Use the following syntax to open a range of IP address:
## only accept connection to tcp port 6. (Apache) if ip is between / 90,/ 46,/ ,/ . . and
/ 90,/ 46,/ ,0. . ##
iptables - A INPUT - p tcp - - destination- port 6. - m iprange - - src- range
/ 90,/ 46,/ ,/ . . - / 90,/ 46,/ ,0. . - j ACCEPT
�## nat example ##
iptables - t nat - A POSTROUTING - j SNAT - - to- source
/ 90,/ 46,/ ,0. - / 90,/ 46,/ ,03
#18: Established Connections and Restaring The Firewall
When you restart the iptables service it will drop established connections as it
unload modules from the system under RHEL / Fedora / CentOS Linux. Edit,
/etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:
IPTABLES_MODULES_UNLOAD : no
#19: Help Iptables Flooding My Server Screen
Use the crit log level to send messages to a log file instead of console:
iptables - A INPUT - s / ,0,1,2 - p tcp - - destination- port 6. - j LOG - - log- level
crit
#20: Block or Open Common Ports
The following shows syntax for opening and closing common TCP and UDP
ports:
Replace ACCEPT with DROP to block port:## open port ssh tcp port 22 ##
iptables - A INPUT - m state - - state NEW - m tcp - p tcp - - dport 00 - j ACCEPT
iptables - A INPUT - s / 90,/ 46,/ ,. /02 - m state - - state NEW - p tcp - - dport 00 - j ACCEPT
## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables - A INPUT - s / 90,/ 46,/ ,. /02 - p udp - m udp - - dport 41/ - j ACCEPT
iptables - A INPUT - s / 90,/ 46,/ ,. /02 - p tcp - m tcp - - dport 41/ - j ACCEPT
�## allow time sync via NTP for lan users (open udp port 123) ##
iptables - A INPUT - s / 90,/ 46,/ ,. /02 - m state - - state NEW - p udp - - dport / 01 - j ACCEPT
## open tcp port 25 (smtp) for all ##
iptables - A INPUT - m state - - state NEW - p tcp - - dport 03 - j ACCEPT
# open dns server ports for all ##
iptables - A INPUT - m state - - state NEW - p udp - - dport 31 - j ACCEPT
iptables - A INPUT - m state - - state NEW - p tcp - - dport 31 - j ACCEPT
## open http/https (Apache) server port to all ##
iptables - A INPUT - m state - - state NEW - p tcp - - dport 6. - j ACCEPT
iptables - A INPUT - m state - - state NEW - p tcp - - dport 221 - j ACCEPT
## open tcp port 110 (pop3) for all ##
iptables - A INPUT - m state - - state NEW - p tcp - - dport / / . - j ACCEPT
## open tcp port 143 (imap) for all ##
iptables - A INPUT - m state - - state NEW - p tcp - - dport / 21 - j ACCEPT
## open access to Samba file server for lan users only ##
iptables - A INPUT - s / 90,/ 46,/ ,. /02 - m state - - state NEW - p tcp - - dport / 17 - j ACCEPT
iptables - A INPUT - s / 90,/ 46,/ ,. /02 - m state - - state NEW - p tcp - - dport / 16 - j ACCEPT
iptables - A INPUT - s / 90,/ 46,/ ,. /02 - m state - - state NEW - p tcp - - dport / 19 - j ACCEPT
iptables - A INPUT - s / 90,/ 46,/ ,. /02 - m state - - state NEW - p tcp - - dport 223 - j ACCEPT
## open access to proxy server for lan users only ##
iptables - A INPUT - s / 90,/ 46,/ ,. /02 - m state - - state NEW - p tcp - - dport 1/ 06 - j ACCEPT
## open access to mysql server for lan users only ##
iptables - I INPUT - p tcp - - dport 11. 4 - j ACCEPT
�#21: Restrict the Number of Parallel Connections To a Server Per
Client IP
You can use connlimit module to put such restrictions. To allow 3 ssh
connections per client host, enter:
# iptables - A INPUT - p tcp - - syn - - dport 00 - m connlimit
- - connlimit- above 1 - j REJECT
Set HTTP requests to 20:
# iptables - p tcp - - syn - - dport 6. - m connlimit - - connlimit- above 0.
- - connlimit- mask 02 - j DROP
Where,
/,
--connlimit-above 3 : Match if the number of existing connections is
above 3.
0,
--connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this
must be a number between (including) 0 and 32.
#22: HowTO: Use iptables Like a Pro
For more information about iptables, please see the manual page by typing
man iptables from the command line:
$ man iptables
You can see the help using the following syntax too:
# iptables - h
To see help with specific commands and targets, enter:
# iptables - j DROP - h
#22.1: Testing Your Firewall
�Find out if ports are open or not, enter:
# netstat - tulpn
Find out if tcp port :0 open or not, enter:
# netstat - tulpn | grep :6.
If port :0 is not open, start the Apache, enter:
# service httpd start
Make sure iptables allowing access to the port :0:
# iptables - L INPUT - v - n | grep 6.
Otherwise open port :0 using the iptables for all users:
# iptables - A INPUT - m state - - state NEW - p tcp - - dport 6. - j ACCEPT
# service iptables save
Use the telnet command to see if firewall allows to connect to port :0:
$ telnet www,cyberciti,biz 6.
Sample outputs:
Trying 73,/ 04,/ 31,0. 4,,,
Connected to www,cyberciti,biz,
Escape character is '
^]'
,
^]
telnet> quit
Connection closed,
�You can use nmap to probe your own server using the following syntax:
$ nmap - sS - p 6. www,cyberciti,biz
Sample outputs:
Starting Nmap 3,. . (http:--nmap,org ) at 0. / / - / 0- / 1 / 1:/ 9 IST
Interesting ports on www,cyberciti,biz (73,/ 04,/ 31,0. 4) :
PORT
STATE SERVICE
6. -tcp open
http
Nmap done:/ IP address (/ host up) scanned in / ,. . seconds
I also recommend you install and use sniffer such as tcpdupm and ngrep to test
your firewall settings.
Conclusion:
This post only list basic rules for new Linux users. You can create and build
more complex rules. This requires good understanding of TCP/IP, Linux kernel
tuning via sysctl.conf, and good knowledge of your own setup. Stay tuned for
next topics:
Stateful packet inspection.
Using connection tracking helpers.
Network address translation.
Layer 2 filtering.
Firewall testing tools.
Dealing with VPNs, DNS, Web, Proxy, and other protocols.
