
iptables command

iptables - administration tool for IPv4/IPv6 packet filtering and NAT

The iptables command in Linux is a powerful tool used to configure and manage firewall rules in the kernel’s netfilter framework. It controls how network packets are filtered, forwarded, or modified, allowing you to secure your system.

Note: iptables requires root privileges (sudo). On modern systems, nftables is replacing iptables, but it’s still widely used. Install with sudo apt install iptables if needed.

Usage: iptables [options] [-t table] chain rule-specification

  • options: Flags like -A (append), -L (list).
  • table: Filter (filter), NAT (nat), etc. (default: filter).
  • chain: INPUT, OUTPUT, FORWARD, etc.
  • rule-specification: Conditions and actions (e.g., -p tcp -j ACCEPT).

Common Options Summary

Option    Description
-A        Append a rule to a chain
-L        List rules
-D        Delete a rule
-P        Set chain policy (e.g., DROP, ACCEPT)
-p        Protocol (tcp, udp, icmp)
--dport   Destination port
-s        Source IP
-j        Jump to target (ACCEPT, DROP, REJECT)

Examples

  • Key Concepts

    • Tables:
      • filter: Default for filtering (INPUT, OUTPUT, FORWARD chains).
      • nat: Network Address Translation (PREROUTING, POSTROUTING).
    • Chains:
      • INPUT: Incoming packets to this system.
      • OUTPUT: Outgoing packets from this system.
      • FORWARD: Packets passing through (e.g., router).
    • Actions:
      • ACCEPT: Allow packet.
      • DROP: Silently discard.
      • REJECT: Discard with an error response.
  • Listing Rules

    View current rules with -L.

    sudo iptables -L
    • Output (example):

      Chain INPUT (policy ACCEPT)
      target prot opt source destination

      Chain FORWARD (policy ACCEPT)
      target prot opt source destination

      Chain OUTPUT (policy ACCEPT)
      target prot opt source destination
    • Add -v for details, -n for numeric IPs/ports:

      sudo iptables -L -v -n
  • Allowing Traffic

    Add a rule with -A (append) to permit traffic.

    Example (Allow SSH):

    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    • -p tcp: Protocol (TCP).
    • --dport 22: Destination port (SSH).
    • -j ACCEPT: Action to allow.

    Example (Specific IP):

    sudo iptables -A INPUT -s 192.168.1.100 -j ACCEPT
    • -s: Source IP.
  • Blocking Traffic

    Use -j DROP or -j REJECT to deny traffic.

    Example (Block Port 23):

    sudo iptables -A INPUT -p tcp --dport 23 -j DROP
    • Blocks Telnet (port 23).
  • Setting Default Policy

    Define what happens to unmatched packets.

    Example (Drop All Incoming):

    sudo iptables -P INPUT DROP
    • Sets INPUT chain policy to DROP.

    Allow Outgoing:

    sudo iptables -P OUTPUT ACCEPT
  • Deleting Rules

    Remove a rule with -D by chain and rule number or specification.

    Example (List with Numbers):

    sudo iptables -L INPUT --line-numbers
    • Output:
      num  target     prot opt source               destination
      1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    • Delete:
      sudo iptables -D INPUT 1
  • Saving Rules

    Rules reset on reboot unless saved.

    Save (Debian/Ubuntu):

    sudo iptables-save > /etc/iptables/rules.v4
    • Restore:
      sudo iptables-restore < /etc/iptables/rules.v4

    Save (CentOS/RHEL):

    Use the iptables service or the iptables-persistent package.
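The Allowing Traffic, Blocking Traffic and Setting Default Policy sections above are steps of one procedure, and their order matters: on a remote host, setting `-P INPUT DROP` before an SSH ACCEPT rule and a rule for already-established connections exist cuts off the session you are working from. The script below is an added example, not code from the original page; it emits the commands in a lockout-safe order, only prints them unless APPLY=1 is set, and uses SSH_PORT and ADMIN_NET values that are constructed placeholders. The `-F` flush and the `-m conntrack --ctstate ESTABLISHED,RELATED` match are not in the option table above; they are standard iptables options.

```shell
#!/bin/sh
# Added example (not from the page): a minimal INPUT-chain baseline built
# from the -P, -A, -p, --dport, -s and -j options covered above, emitted in
# an order that cannot lock out the administrator. Commands are printed;
# they are executed only when APPLY=1 is set (which requires root).
SSH_PORT="${SSH_PORT:-22}"                  # assumption: SSH on the default port
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"    # constructed example management network

# run ARGS...: show the iptables command, run it only in apply mode.
run() {
    echo "iptables $*"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    fi
}

baseline_rules() {
    # 1. Open the policies before flushing (-F), so the flush itself cannot
    #    strand the session this script is running over.
    run -P INPUT ACCEPT
    run -P FORWARD ACCEPT
    run -P OUTPUT ACCEPT
    run -F INPUT
    # 2. Loopback and replies to existing connections. The conntrack match is
    #    the standard way to admit return traffic for outbound connections.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Services, narrowed by source (-s) where possible.
    run -A INPUT -p tcp --dport "$SSH_PORT" -s "$ADMIN_NET" -j ACCEPT
    # 4. Telnet is dropped by an explicit rule so the decision is visible in
    #    -L -v output rather than buried in the policy counter.
    run -A INPUT -p tcp --dport 23 -j DROP
    # 5. Only now does the default policy become DROP.
    run -P INPUT DROP
    run -P FORWARD DROP
}

# ordering_ok: exit 0 only if the SSH ACCEPT rule is emitted before the
# INPUT DROP policy, which is the property that prevents lockout.
ordering_ok() {
    baseline_rules | awk -v port="$SSH_PORT" '
        /^iptables -A INPUT -p tcp --dport / && $0 ~ ("--dport " port " ") { ssh = NR }
        /^iptables -P INPUT DROP$/ { drop = NR }
        END { exit !(ssh && drop && ssh < drop) }'
}

baseline_rules
ordering_ok && echo "ordering check passed"
```

Run it once without APPLY to read the command list, then with `APPLY=1` as root from a console session rather than over SSH the first time; afterwards, `sudo iptables -L INPUT -v -n` shows the rules and their hit counters in the order they were appended.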
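For the Deleting Rules section: rule numbers shift as rules are removed, so deleting by number is only reliable when the numbers are read from the listing immediately beforehand and removed bottom-up. The snippet below is an added example, not from the page; it parses the `iptables -L CHAIN -n --line-numbers` format into the numbers of rules matching a destination port. SAMPLE_LISTING is a constructed stand-in for the live command's output, and nothing is applied unless APPLY=1.

```shell
#!/bin/sh
# Added example (not from the page): resolve rule numbers from the
# `iptables -L CHAIN -n --line-numbers` listing and delete them with -D,
# highest number first so the remaining numbers stay valid. SAMPLE_LISTING
# is a constructed stand-in for the live command; nothing is applied
# unless APPLY=1.

SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:22
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:23
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# list_chain CHAIN: the live listing in apply mode, the sample otherwise.
list_chain() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables -L "$1" -n --line-numbers
    else
        printf '%s\n' "$SAMPLE_LISTING"
    fi
}

# rule_numbers_for_dport LISTING PORT: numbers of rules whose match column
# says "dpt:PORT", highest first. The trailing ([^0-9]|$) keeps port 2
# from matching dpt:22.
rule_numbers_for_dport() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^[0-9]+$/ && $0 ~ ("dpt:" port "([^0-9]|$)") { print $1 }' | sort -rn
}

# delete_by_number CHAIN NUM: print the -D command, run it only in apply mode.
delete_by_number() {
    echo "iptables -D $1 $2"
    if [ "${APPLY:-0}" = "1" ]; then
        iptables -D "$1" "$2"
    fi
}

# delete_dport_rules CHAIN PORT: one -D per matching rule, bottom-up.
delete_dport_rules() {
    for n in $(rule_numbers_for_dport "$(list_chain "$1")" "$2"); do
        delete_by_number "$1" "$n"
    done
}

delete_dport_rules INPUT 22
```

On the sample listing this prints `iptables -D INPUT 4` and then `iptables -D INPUT 2`; deleting 2 first would have renumbered rule 4 to 3 and made the second command remove the wrong rule. When you know the exact specification, `-D CHAIN rule-specification` (as the page notes) avoids the numbering problem altogether.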
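For the Saving Rules section: a rules.v4 file that is edited by hand and then fed to iptables-restore stops at the first malformed line, so it is worth checking its structure before a restore. The validator below is an added example, not code from the page or from the iptables project; it walks the iptables-save format, in which each `*table` block declares chains with `:NAME POLICY [pkts:bytes]` lines, holds `-A` rules that must name a declared chain, and ends with COMMIT. Both dumps are constructed samples.

```shell
#!/bin/sh
# Added example (not from the page): check the structure of an iptables-save
# dump before handing it to iptables-restore. Both dumps are constructed samples.

GOOD_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed'

# The same kind of dump with its COMMIT line lost (e.g. a truncated copy)
# and a rule for a chain that was never declared.
BAD_DUMP='*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -j DROP'

# validate_dump: reads a dump on stdin, prints each problem and a summary
# line, exits 0 when the dump is well formed and 1 otherwise.
validate_dump() {
    awk '
        /^#/ || NF == 0 { next }
        /^\*/ {
            if (table != "") { print "missing COMMIT for table " table; bad = 1 }
            table = substr($1, 2); tables++; next
        }
        /^:/ {
            if (table == "") { print "chain declared outside a table at line " NR; bad = 1 }
            chains[table ":" substr($1, 2)] = 1; next
        }
        /^COMMIT$/ {
            if (table == "") { print "COMMIT without a table at line " NR; bad = 1 }
            table = ""; next
        }
        /^-A / {
            if (table == "") { print "rule outside a table at line " NR; bad = 1 }
            else if (!((table ":" $2) in chains)) { print "rule for undeclared chain " $2 " at line " NR; bad = 1 }
            rules++; next
        }
        { print "unrecognized line " NR ": " $0; bad = 1 }
        END {
            if (table != "") { print "missing COMMIT for table " table; bad = 1 }
            printf "tables=%d rules=%d\n", tables, rules
            exit bad
        }'
}

# restore_if_valid FILE: run iptables-restore (only when APPLY=1) if and
# only if the structural check passes.
restore_if_valid() {
    validate_dump < "$1" || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        iptables-restore < "$1"
    else
        echo "dry run: iptables-restore < $1"
    fi
}

printf '%s\n' "$GOOD_DUMP" | validate_dump
printf '%s\n' "$BAD_DUMP" | validate_dump || echo "bad dump rejected"
```

The check is structural only; it does not know which match options are valid, so keep it as a first gate in front of `iptables-restore`, for example as `restore_if_valid /etc/iptables/rules.v4` in the same script that writes the file with `iptables-save`.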

To get help with the iptables command, use the --help option.

For more details, check the manual page with man iptables.