Managing IPTables Rules

What is IPTables?

IPTables is an extremely flexible command-line based firewall utility built specifically for Linux distros. IPTables uses policy chains to allow or block traffic. When a connection is being established on your server, IPTables will identify a rule in its list to determine what action needs to be taken. If no rule is present for the connection, it’ll resort to the default action defined for your system.

How do I install IPTables?

Generally, IPTables is installed by default on most Linux systems. To update or install it, you can retrieve the IPTables package by issuing the following commands:

Note: IPTables should be pre-installed on CentOS 6.

Ubuntu

apt-get install iptables-persistent

1	apt-get install iptables-persistent

CentOS 7

systemctl stop firewalld

1	systemctl stop firewalld

systemctl mask firewalld

1	systemctl mask firewalld

yum install iptables-services

1	yum install iptables-services

systemctl enable iptables

1	systemctl enable iptables

systemctl start iptables

1	systemctl start iptables

IPTables will now be installed on your system. Let’s take a look at how to use IPTables.

How do I use IPTables?

This section will cover some basic IPTables specific commands and uses, such as how to list your current ruleset and blocking an IP address from establishing a connection.

List Rules by Specification

To list the currently active ruleset by specification you’d issue the following command:

iptables -S

1	iptables -S

List Rules by Specific Chain

To display the rules that are currently being applied to a specific chain you can use the following command. This example will show all of the rule specifications for the UDP chain:

iptables -S UDP

1	iptables -S UDP

List Rules as Tables

You can list all of the current IPTables rules that are in place in a table view by using the following command that invokes the -L option. This will list all current rulesets sorted by chain type.

iptables -L

1	iptables -L

Delete Rule using Specification

You can delete rules in IPTables by using the -D option. You can remove rulesets a few different ways. We will cover removing rules by specification. For example, if you wanted to remove the rule that allows all incoming traffic on port 443, you’d use the following command:

iptables -D INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

1	iptables -D INPUT -i eth0 -p tcp --dport 443 -j ACCEPT

Flush Rules

With IPTables, you can flush rules. This can be done by flushing a single chain or by flushing all chains. We will cover both methods below.

To flush a single chain you can use the -F option, or the equivalent –flush option, combined with the name of the chain that you’d like to flush. For example, you can delete all of the rules in the INPUT chain by utilizing the following command:

iptables -F INPUT

1	iptables -F INPUT

To flush all chains you’d again use the -F or equivalent –flush option without any additional parameters. This will effectively remove ALL of the firewall rules that are currently active on the server. The command is as follows:

iptables -F

1	iptables -F

Block an IP address

IPTables provides the ability to block network connections from a specific IP address. For example, to block all incoming connections from 10.10.10.10 you’d run the following command:

iptables -A INPUT -s 10.10.10.10 -j DROP

1	iptables -A INPUT -s 10.10.10.10 -j DROP

You can also reject the connection, which will respond with a “connection refused” error. Simply replace DROP with REJECT.

iptables -A INPUT -s 10.10.10.10 -j REJECT

1	iptables -A INPUT -s 10.10.10.10 -j REJECT

You can also block connections from a specific IP to a specific network device, such as eth1, by using the -i option.

iptables -A INPUT -i eth1 -s 10.10.10.10 -j DROP

1	iptables -A INPUT -i eth1 -s 10.10.10.10 -j DROP

Allow All Incoming SSH Connections

To allow ALL incoming SSH connections on the default SSH port (22), use the following commands:

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

1	iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

1	iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow All Incoming SSH Connections from explicit IP

You can also limit SSH connections to only be allowed from a specific IP address or subnet. For example, if you only wanted to allow the IP address 10.10.10.10 to connect to the server via SSH, you’d use the following command:

iptables -A INPUT -p tcp -s 10.10.10.10 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

1	iptables -A INPUT -p tcp -s 10.10.10.10 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

1	iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

This can also be done for an entire subnet by adding the subnet to the command, such as /27 as the following command illustrates:

iptables -A INPUT -p tcp -s 10.10.10.10/27 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

1	iptables -A INPUT -p tcp -s 10.10.10.10/27 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

Allow Outgoing SSH Connections

Your firewall may not have the OUTPUT policy set to ACCEPT. If this is the case, you may need to allow outgoing SSH connections if you wish to connect to an external server from your server directly. You can run the following commands to achieve this on the default SSH port (22). If you’re using a different SSH port, simply replace “22” in the following example with the port number that you’re using:

iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

1	iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

1	iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow All Incoming HTTP and HTTPS Connections

By default, HTTP traffic is generally served up on port 80 and HTTPS traffic is typically served up on port 443. You can allow both types of connections to your web server by using the following commands.

Note: If you only want to allow one and not the other, simply remove the port number from the command that correlates to the protocol you’d like to allow.

iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

1	iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

1	iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Block Outgoing SMTP

IPTables allows you to block specific ports, such as the default SMTP port (25). For example, you may not want to allow outgoing mail on your server. To stop this using IPTables you can issue the following command:

iptables -A OUTPUT -p tcp --dport 25 -j REJECT

1	iptables -A OUTPUT -p tcp --dport 25 -j REJECT

This will configure IPTables to reject all outgoing traffic on port 25. If you’d like to reject traffic on a different port, you can replace “25” with the port number in question.

Allow Incoming SMTP Connections

You can allow your server to respond to all SMTP connections on port 25 by running the following commands:

iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

1	iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT

1	iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT