Modern operating systems come equipped with a firewall, a software application that regulates network traffic to and from a computer. Firewalls create a barrier between a trusted network (such as an office network) and an untrusted one (such as the Internet). Firewalls work by defining rules that govern which traffic is allowed and which is blocked. The firewall utility developed for Linux systems is iptables.
In this tutorial, you will learn how to install, configure, and use iptables on Linux.
Prerequisites
- A user account with sudo privileges
- Access to a terminal/command-line window (Ctrl-Alt-T, Ctrl-Alt-F2)
How iptables works
Network traffic consists of packets. Data is broken down into smaller pieces (called packets), sent over a network, and then put back together. Iptables identifies the packets it receives and then uses a set of rules to decide what to do with them.
Iptables filters packets based on:
- Tables: Tables group together similar actions. A table consists of several chains.
- Chains: A chain is a string of rules. When a packet is received, iptables finds the appropriate table and then runs the packet through the chain of rules until it finds a match.
- Rules: A rule is a statement that tells the system what to do with a packet. Rules can block one type of packet or forward another type. The outcome, where a packet is sent, is called a target.
- Targets: A target is the decision of what to do with a packet. Usually, this is to accept it, drop it, or reject it (which sends an error back to the sender).
Tables and chains
The Linux firewall iptables has four default tables. We will list the four, along with the chains that each table contains.
1. Filter
The Filter table is the most commonly used. It acts as a bouncer, deciding who gets in and out of your network. It has the following default chains:
- Input: The rules in this chain control the packets received by the server.
- Output: This chain handles packets for outbound traffic.
- Forward: This set of rules controls packets that are routed through the server.
2. Network Address Translation (NAT)
This table contains network address translation (NAT) rules for routing packets to networks that cannot be accessed directly. The NAT table is used when the destination or source of a packet must be modified. It includes the following chains:
- Pre-routing: This chain processes packets as soon as the server receives them.
- Output: Works the same as the output chain described in the filter table.
- Post-routing: The rules in this chain allow changes to be made to packets after they leave the output chain.
3. Mangle
The Mangle table adjusts the IP header properties of packets. It has all of the chains described above.
4. Raw
The Raw table is used to exempt packets from connection tracking. It has two of the chains mentioned earlier:
- Pre-routing
- Output
5. Security (optional)
Some versions of Linux also use a security table to manage special access rules. This table includes the input, output, and forward chains, like the filter table.
Targets
A target is what happens after a packet matches a rule's criteria. Non-terminating targets keep matching the packet against the rules in a chain even after it has matched a rule.
With terminating targets, a decision is made for the packet immediately and it is not matched against any further chain. The terminating targets in Linux iptables are:
- ACCEPT – this rule accepts the packet and lets it pass through the iptables firewall.
- DROP – the dropped packet is not matched against any other chain. When Linux iptables drops an incoming connection to your server, the person trying to connect does not receive an error. It looks as if they are trying to connect to a non-existent machine.
- RETURN – this rule sends the packet back to the calling chain so that it can be matched against other rules.
- REJECT – the iptables firewall rejects the packet and sends an error to the connecting device.
How to install and configure Linux firewall iptables
Install iptables on Ubuntu
iptables is installed by default on most Linux systems. To confirm that iptables is installed, use the following command:
sudo apt-get install iptables
The sample output in Ubuntu confirms that the latest version of iptables is already present.
If you want to keep the iptables firewall rules when you restart the system, install the persistent package:
sudo apt-get install iptables-persistent
Install iptables on CentOS 7
On CentOS 7, iptables has been replaced by firewalld.
To install iptables, you must first stop firewalld. Enter the following commands:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask firewalld
These commands stop firewalld, prevent it from starting at boot, and stop other services from starting it.
Next, install and enable iptables. First, install the iptables service package with the following command:
sudo yum -y install iptables-services
This package preserves the rules after the system restarts. The following output confirms that the installation is complete.
Enter the following commands to enable and start iptables on CentOS 7:
sudo systemctl enable iptables
sudo systemctl start iptables
The status command confirms the state of the service:
sudo systemctl status iptables
Basic iptables commands and syntax
In general, an iptables command looks like this:
sudo iptables [option] CHAIN_rule [-j target]
Here is a list of some common iptables options:
- -A --append – Add a rule to a chain (at the end).
- -C --check – Look for a rule that matches the chain's requirements.
- -D --delete – Delete the specified rules from a chain.
- -F --flush – Delete all rules.
- -I --insert – Add a rule to a chain at a given position.
- -L --list – Show all the rules in a chain.
- -N --new-chain – Create a new chain.
- -v --verbose – Show more information when using a list option.
- -X --delete-chain – Delete the provided chain.
Iptables is case sensitive, so make sure you are using the right options.
Configure iptables on Linux
By default, these commands affect the filter table. If you need to specify a different table, use the -t option, followed by the table name.
Check the current status of iptables
To view the current set of rules on your server, enter the following in the terminal window (the -L option lists the rules):
sudo iptables -L
The system displays the status of your chains. The output lists three chains:
Chain INPUT (policy ACCEPT)
Chain FORWARD (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
Enable traffic on localhost
It is safe to allow traffic from your own system (the localhost). Append a rule to the INPUT chain by entering the following:
sudo iptables -A INPUT -i lo -j ACCEPT
This command configures the firewall to accept traffic on the localhost (lo) interface (-i). Anything that originates from your system now passes through the firewall. You need this rule so that applications can communicate over the localhost interface.
Allow traffic on specific ports
These rules allow traffic on the ports that you specify using the commands listed below. A port is a communication endpoint designated for a specific type of data.
To allow HTTP web traffic, type the following command:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
To allow only incoming Secure Shell (SSH) traffic, type the following:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
To allow HTTPS Internet traffic, type the following command:
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
The options work as follows:
- -p – Check for the specified protocol (tcp).
- --dport – Specify the destination port.
- -j jump – Perform the specified action.
Control traffic by IP address
Use the following command to ACCEPT traffic from a specific IP address:
sudo iptables -A INPUT -s 192.168.0.27 -j ACCEPT
Replace the IP address in the command with the IP address you want to allow.
You can also DROP traffic from an IP address:
sudo iptables -A INPUT -s 192.168.0.27 -j DROP
To REJECT traffic from a range of IP addresses, the command is more complex:
sudo iptables -A INPUT -m iprange --src-range 192.168.0.1-192.168.0.255 -j REJECT
The iptables options used in the examples work as follows:
- -m – Match using the specified module.
- iprange – Tells the system to expect a range of IP addresses instead of a single one.
- --src-range – Identifies the source IP address range.
Once you define --dport rules in iptables, you need to prevent unauthorized access by dropping any traffic arriving on other ports:
sudo iptables -A INPUT -j DROP
The -A option appends the rule to the end of the chain. Any connection arriving on a port other than those you defined is dropped.
Delete a rule
You can use the -F option to flush all iptables firewall rules. A more precise method is to delete a rule by its line number.
First, list all the rules by entering the following:
sudo iptables -L --line-numbers
Locate the line number of the firewall rule you want to delete and run this command:
sudo iptables -D INPUT <Number>
Replace <Number> with the actual line number of the rule you want to delete.
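Two points from the sections above combine in practice: -A appends after the catch-all DROP, so a rule added later never matches, and -D/-I take a position in the chain. The following POSIX shell script is an added example, not part of the original tutorial; it audits the text printed by `sudo iptables -S INPUT` (the sample ruleset below is constructed) and reports rules shadowed by the catch-all together with the position to use with -I or -D.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit INPUT rule order offline on
# the text that `sudo iptables -S INPUT` prints. Constructed sample: the 443
# rule was appended after the catch-all DROP, so a packet never reaches it.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# shadowed_rules RULES -> every -A INPUT rule that follows the first catch-all
# (-j DROP or -j REJECT with no match criteria, i.e. exactly four fields).
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && NF == 4 && $3 == "-j" &&
            ($4 == "DROP" || $4 == "REJECT") && !seen { seen = 1; next }
        seen && $1 == "-A" && $2 == "INPUT" { print }'
}

# count_shadowed RULES -> number of shadowed rules (0 means the order is fine).
count_shadowed() {
    shadowed_rules "$1" | awk 'END { print NR }'
}

# catchall_position RULES -> 1-based position of the first catch-all among the
# -A INPUT rules: the <Number> for "iptables -D INPUT <Number>" and the slot for
# "iptables -I INPUT <Number> ..." to place a rule above it. Empty if none.
catchall_position() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" { n++ }
        $1 == "-A" && $2 == "INPUT" && NF == 4 && $3 == "-j" &&
            ($4 == "DROP" || $4 == "REJECT") { print n; exit }'
}

main() {
    rules=${1:-$SAMPLE_RULES}   # pass "$(sudo iptables -S INPUT)" for a live host
    if [ "$(count_shadowed "$rules")" -eq 0 ]; then
        echo "INPUT chain order is fine."
        return 0
    fi
    pos=$(catchall_position "$rules")
    echo "Rules after the catch-all at position $pos never match; re-insert them above it:"
    shadowed_rules "$rules" | while IFS= read -r r; do
        echo "  sudo iptables -I INPUT $pos ${r#-A INPUT }"
    done
}

main "$@"
```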
Save changes to iptables
iptables does not keep the rules you create across a reboot. When you configure iptables on Linux, any changes you make last only until the first reboot.
To save the rules on Debian-based systems, type:
sudo /sbin/iptables-save
Note that iptables-save prints the current rules to standard output; for iptables-persistent to reload them at boot, redirect that output to /etc/iptables/rules.v4.
To save the rules on Red Hat-based systems, type:
sudo /sbin/service iptables save
The next time the system starts, iptables automatically reloads the saved firewall rules.
After reading this Linux iptables tutorial, you should have a better understanding of how iptables works and how to install the iptables tool. You can now also configure basic iptables firewall rules for your Linux system.
Feel free to experiment, as you can always remove rules you don’t need, or empty all the rules and start over.