General iptables firewall rules and commands

Today we are going to show you some general firewall rules and commands in iptables. Iptables is a useful command line utility for configuring the Linux kernel firewall. Iptables contains five tables: raw, filter, nat, mangle, and security. Each table is made up of chains. A chain is a list of firewall rules that follow in order. Let’s start with some general iptables firewall rules and commands.

Install iptables

Log into your VPS via SSH as root user:

ssh [email protected]_Address -p Port_number

Installing iptables is very easy. If you have an Ubuntu VPS or Debian VPS, run the following commands:

apt-get update 
apt-get upgrade
apt-get install iptables iptables-persistent

If you have CentOS or Fedora installed on your VPS, run the following commands:

yum clean all
yum update
yum install iptables

That’s it, you should now successfully install iptables on your server.

General iptables firewall rules

The following are examples of common firewall rules. Accept all ESTABLISHED and RELATED packages:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow HTTP and HTTPS connections from anywhere:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allow access to port 21 only from a specific IP address (for example, 192.168.1.123) and block access from all other IP addresses to the server (for example, the server IP address 192.168.1.100):

iptables -A INPUT -s 192.168.1.123 -d 192.168.1.100 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -d 192.168.1.100 -p tcp -m tcp --dport 21 -j DROP
iptables-save

Block IP address (e.g. 192.168.1.21):

iptables -A INPUT -s 192.168.1.21 -j DROP

Block the IP range and reject all packets (e.g. 192.168.1.0/24):

iptables -A INPUT -s 192.168.1.0/24 -j REJECT

To block outgoing traffic to a port (for example port 123) use:

iptables -A OUTPUT -p tcp --dport 123 -j DROP

General iptables commands

List all rules in all chains in verbose mode and show IP addresses and port numbers instead of host and service names, including the interface name, rule parameters (if any), and TOS masks:

iptables -nvL | less
Chain INPUT (policy ACCEPT 17M packets, 3161M bytes)
 pkts bytes target     prot opt in     out     source               destination
  90M   18G cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 cP-Firewall-1-INPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 16M packets, 5107M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 25,465,587 owner GID match 32006
18618 9100K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 25,465,587 owner GID match 12
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            127.0.0.1           multiport dports 25,465,587 owner UID match 32001
10686  946K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           multiport dports 25,465,587 owner UID match 0

Chain cP-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
   39  2264 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:993
   54  2872 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
 7509  450K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
 557K   34M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
19655 1142K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
 1057 43388 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:8080
 7533  452K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:143
  382 16664 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
2871K  173M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:995
23539 1284K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:110
 8353  500K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:25
   71  3680 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:465
 519K   31M ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
  132  9948 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53

To display rules in chains with rule numbers, use:

iptables -nvL --line-numbers

This is useful if you want to remove a rule (for example, remove rule number 9 from the INPUT chain):

iptables -D INPUT 9

Or add a rule between two existing rules (for example, add a firewall rule between rules # 2 and 3):

iptables -I OUTPUT 3 -d 127.0.0.1/32 -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner 201 -j ACCEPT

To list all the commands that were used to create the currently used iptables rules, use the following command:

iptables -S

This command is useful if you need to edit or remove some of the firewall rules.

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N cP-Firewall-1-INPUT
-A INPUT -j cP-Firewall-1-INPUT
-A FORWARD -j cP-Firewall-1-INPUT
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mailman -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --gid-owner mail -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner cpanel -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -m owner --uid-owner root -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 53 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 143 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 995 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 110 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A cP-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
-A cP-Firewall-1-INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

Clear all firewall rules:

iptables -F

Use ‘iptables -h | less’ for more information on all the options for the iptables command.

Sidebar