iptables is invaluable for anyone securing a Linux server. It can accept or drop packets based on source and destination address, protocol, port and connection state, rewrite addresses and ports (NAT), and log what it sees. That flexibility is exactly what you want when fending off an attack, because a rule can apply to a single host, a whole subnet, or any combination of criteria. The cost is that, as a command-line utility with its own tables, chains and targets, it is easy to get wrong. A handful of worked examples make most of its everyday uses far more approachable.
Getting Started with IPTables
iptables itself is installed by default on most Linux distributions; what differs between distributions is how rules are persisted and whether a "service iptables" wrapper exists. For convenience, this tutorial assumes a dedicated or virtual server running a recent Ubuntu or CentOS, and that you run the commands as root (or through sudo).
Let's walk step by step through some tasks you can accomplish with it. The commands are specific, but they should give you a sense of what is possible and be easy to adapt to other circumstances.
We'll start by examining the state of the firewall. This command is the first thing to reach for when diagnosing a problem: it lists the active rules of the filter table in order, with packet and byte counters, so you can see whether a given entry is matching (and blocking) traffic unexpectedly. The -n flag skips reverse DNS lookups, which would otherwise make the listing slow, and -v adds the counters and interface names.
iptables -L -nv
Rules live in several tables (filter, nat, mangle and raw), and -L shows only the filter table unless told otherwise. To display a different one, in this case the nat table that holds address and port translation rules, pass -t:
iptables -t nat -L -nv
On CentOS / Red Hat, the iptables-services package provides an init script that loads, unloads or reloads the saved rule set. Stopping it flushes all rules and resets the default policies to ACCEPT, which is useful when routing is badly broken and you want to take the whole firewall out of the picture while you debug. Ubuntu does not ship a service by this name; there you flush the rules by hand, or use netfilter-persistent if you have installed the iptables-persistent package.
service iptables start
service iptables stop
service iptables restart
If the firewall is completely broken, you can flush every rule in every table at once and start over. Two things to keep in mind before you do: flushing removes NAT and port-redirect rules along with the filter rules, so any advanced setup you rely on has to be reloaded afterwards; and flushing does not touch the chain default policies, so if INPUT has a policy of DROP, a flush leaves you with a firewall that drops everything, including your own SSH session. Set the policies back to ACCEPT first, then flush.
Once you have a set of rules you want to keep, save them so they are reloaded when the server restarts. On CentOS / Red Hat (with iptables-services installed), the following command writes the current rules to /etc/sysconfig/iptables:
service iptables save
On any distribution, iptables-save dumps the current rule set to standard output in a format that iptables-restore can read back. Here it is written to /root/myrules:
iptables-save > /root/myrules
If your rules are not restored automatically on boot, restore them with the following. On CentOS / Red Hat, restarting the service reloads /etc/sysconfig/iptables:
service iptables restart
On other distributions, feed the saved file back in; this replaces the running rule set rather than appending to it. On Ubuntu, the iptables-persistent package loads /etc/iptables/rules.v4 at boot, so saving there avoids the manual step.
iptables-restore < /root/myrules
Now let's move on to creating specific kinds of rules. Say you want to drop all traffic from the host 10.10.10.1, or from the whole 10.10.10.0/24 subnet:
iptables -A INPUT -s 10.10.10.1 -j DROP
iptables -A INPUT -s 10.10.10.0/24 -j DROP
Next, block all incoming SSH. Be careful: if you are logged in over SSH, this rule also drops the packets of your current session, so the connection will hang. Note too that -A appends to the end of the chain, so an earlier rule that accepts port 22 would still win; use -I to insert at the top if that is what you need.
iptables -A INPUT -p tcp --dport 22 -j DROP
Now combine the previous two rules, dropping SSH only from the specific address used above:
iptables -A INPUT -s 10.10.10.1 -p tcp --dport 22 -j DROP
This command does the opposite: it accepts SSH from the remote host 10.10.10.1, but only when it is addressed to the local address 192.168.0.1 (useful on a multi-homed server):
iptables -A INPUT -s 10.10.10.1 -d 192.168.0.1 -p tcp --dport 22 -j ACCEPT
Say you need a range of TCP ports open for IP telephony or gaming traffic. A colon separates the low and high ends of the range; this command opens ports 30000-50000. Keep such ranges as narrow as the application allows, since every port in the range becomes reachable from anywhere (and note that RTP media for telephony normally uses UDP, so you would need -p udp for that case):
iptables -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
Or perhaps you want to drop ICMP echo requests (pings). Dropping all ICMP is not recommended, since it also breaks path MTU discovery and useful error reporting, but dropping echo requests alone is common. The following command matches only the echo-request type, not all of ICMP:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Maybe you want to redirect a port. The following sends traffic arriving on port 1234 to a service listening locally on port 80: the destination port is rewritten in the nat table before the filter rules see the packet, so the INPUT chain must accept port 80, not 1234. Replace eth0 with your actual network interface. REDIRECT in PREROUTING applies only to packets arriving from the network, not to connections made by the host itself.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 1234 -j REDIRECT --to-port 80
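Putting the pieces together, here is a minimal stateful host firewall as an added example (it is not code from the original article). It resets the default policies to ACCEPT before flushing, since a flush leaves the policies in place and a DROP policy with no rules would cut off your SSH session; accepts loopback and established traffic before anything else; limits new SSH connections to an assumed admin subnet SSH_ADMIN_NET (203.0.113.0/24, a documentation range used as a placeholder) plus the ports listed in TCP_SERVICES; rate-limits ping; logs what it drops; and only then tightens the INPUT policy to DROP. Setting IPT=echo prints the iptables commands instead of running them, so you can review the rule order before applying as root.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal stateful host
# firewall built from the rule types shown above, with a lock-out-safe flush.
# Assumptions (placeholder values, adjust to your host):
#   SSH_ADMIN_NET - the only subnet allowed to open new SSH sessions
#   TCP_SERVICES  - public TCP ports to accept (space separated)
# Set IPT=echo to dry-run: every iptables invocation is printed, not executed.
set -e
IPT="${IPT:-iptables}"
SSH_ADMIN_NET="${SSH_ADMIN_NET:-203.0.113.0/24}"
TCP_SERVICES="${TCP_SERVICES:-80 443}"

# Flush every table. Policies go to ACCEPT first: -F leaves the policies
# untouched, and a DROP policy with no rules drops your own SSH session.
flush_all() {
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    for table in filter nat mangle; do
        $IPT -t "$table" -F   # delete every rule in the table
        $IPT -t "$table" -X   # delete user-defined chains
    done
}

# Build the INPUT chain. Order matters: loopback and established traffic are
# accepted before anything else, and the policy is tightened only at the end.
apply_firewall() {
    flush_all
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # SSH: new connections only from the admin subnet, and not too many at once
    $IPT -A INPUT -p tcp --dport 22 -s "$SSH_ADMIN_NET" -m conntrack --ctstate NEW \
        -m limit --limit 6/min --limit-burst 6 -j ACCEPT
    # Public services: one rule per port so the counters show each separately
    for port in $TCP_SERVICES; do
        $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
    # Answer pings, but not floods of them
    $IPT -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    # Log what is about to be dropped (rate-limited so the log cannot be flooded);
    # anything that reaches the end of the chain falls through to the DROP policy
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) IPT=echo; apply_firewall ;;
    *)       echo "usage: $0 apply | dry-run" >&2 ;;
esac
```

Run it as sh firewall.sh dry-run to review the exact commands, then sh firewall.sh apply as root from a console or a session you can afford to lose, confirm that a fresh SSH login still works, and only then persist the result with iptables-save. These rules cover IPv4 only; a host with an IPv6 address needs the same treatment with ip6tables, otherwise the services are wide open on IPv6.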
These examples were specific, but the details are easy to adjust to related goals. Bear in mind that the commands above are building blocks rather than a complete firewall: a usable host firewall also needs a default-deny policy on INPUT, a rule that accepts established connections so replies to your own traffic get in, and a loopback rule, placed before the per-service rules. If this guide was helpful to you, please share it with others who might also be interested.