What is IPTables?
IPTables is an extremely flexible command-line firewall utility built specifically for Linux distros. IPTables organizes its rules into chains. When a packet arrives at or leaves your server, IPTables walks the rules of the relevant chain in order until one matches and takes that rule's action. If no rule matches, it falls back to the chain's default policy (the default action defined for your system).
How do I install IPTables?
Generally, IPTables is installed by default on most Linux systems. To update or install it, you can retrieve the IPTables package by issuing the following commands:
Note: IPTables should be pre-installed on CentOS 6.
Ubuntu
apt-get install iptables-persistent
CentOS 7
systemctl stop firewalld
systemctl mask firewalld
yum install iptables-services
systemctl enable iptables
systemctl start iptables
IPTables will now be installed on your system. Let’s take a look at how to use IPTables.
How do I use IPTables?
This section covers some basic IPTables commands and uses, such as how to list your current ruleset and how to block an IP address from establishing a connection.
List Rules by Specification
To list the currently active ruleset by specification you’d issue the following command:
iptables -S
List Rules by Specific Chain
To display the rules that are currently applied to a specific chain, add the chain name to the same command. This example shows all of the rule specifications for a user-defined chain named UDP:
iptables -S UDP
List Rules as Tables
You can list all of the current IPTables rules in a table view with the -L option. This lists the active rules grouped by chain:
iptables -L
Delete Rule using Specification
You can delete rules in IPTables by using the -D option. Rules can be removed in a few different ways; here we cover removing a rule by its specification, which must match the existing rule exactly. For example, to remove the rule that accepts incoming TCP traffic on port 443 on eth0, you'd use the following command:
iptables -D INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
Flush Rules
With IPTables, you can flush rules. This can be done by flushing a single chain or by flushing all chains. We will cover both methods below.
To flush a single chain you can use the -F option, or the equivalent --flush option, combined with the name of the chain that you'd like to flush. For example, you can delete all of the rules in the INPUT chain with the following command:
iptables -F INPUT
To flush all chains you'd again use the -F or equivalent --flush option without any additional parameters. This removes ALL of the firewall rules that are currently active on the server. Note that flushing does not reset the chains' default policies: if the INPUT policy is DROP, flushing removes the rules that accept your own session and can lock you out of a remote server. The command is as follows:
iptables -F
Block an IP address
IPTables provides the ability to block network connections from a specific IP address. For example, to block all incoming connections from 10.10.10.10 you’d run the following command:
iptables -A INPUT -s 10.10.10.10 -j DROP
You can also reject the connection, which will respond with a “connection refused” error. Simply replace DROP with REJECT.
iptables -A INPUT -s 10.10.10.10 -j REJECT
You can also block connections from a specific IP to a specific network device, such as eth1, by using the -i option.
iptables -A INPUT -i eth1 -s 10.10.10.10 -j DROP
Allow All Incoming SSH Connections
To allow ALL incoming SSH connections on the default SSH port (22), use the following commands:
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Incoming SSH Connections from a Specific IP
You can also limit SSH connections to only be allowed from a specific IP address or subnet. For example, if you only wanted to allow the IP address 10.10.10.10 to connect to the server via SSH, you’d use the following command:
iptables -A INPUT -p tcp -s 10.10.10.10 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
This can also be done for an entire subnet by adding a prefix length to the address, such as /27, as the following command illustrates:
iptables -A INPUT -p tcp -s 10.10.10.10/27 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
Allow Outgoing SSH Connections
Your firewall may not have the OUTPUT policy set to ACCEPT. If this is the case, you may need to allow outgoing SSH connections if you wish to connect to an external server from your server directly. You can run the following commands to achieve this on the default SSH port (22). If you’re using a different SSH port, simply replace “22” in the following example with the port number that you’re using:
iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming HTTP and HTTPS Connections
By default, HTTP traffic is generally served up on port 80 and HTTPS traffic is typically served up on port 443. You can allow both types of connections to your web server by using the following commands.
Note: If you only want to allow one and not the other, simply remove the port number for the protocol you do not want to allow from both commands.
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Block Outgoing SMTP
IPTables allows you to block specific ports, such as the default SMTP port (25). For example, you may not want to allow outgoing mail on your server. To stop this using IPTables you can issue the following command:
iptables -A OUTPUT -p tcp --dport 25 -j REJECT
This will configure IPTables to reject all outgoing traffic on port 25. If you’d like to reject traffic on a different port, you can replace “25” with the port number in question.
Allow Incoming SMTP Connections
You can allow your server to respond to all SMTP connections on port 25 by running the following commands:
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
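As an added example that is not part of the original page, the following script assembles the kinds of rules shown above (block a host, SSH from one subnet only, HTTP/HTTPS, outgoing SMTP blocked) into a single iptables-restore file with explicit default policies, so the whole ruleset can be reviewed, dry-run with iptables-restore --test and then applied atomically instead of appended one command at a time. The admin subnet, blocked host and SSH port are constructed placeholder values.

```shell
#!/bin/sh
# Generate a complete iptables-restore ruleset for the filter table.
# Print it rather than apply it, so it can be reviewed first:
#   build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
# ADMIN_NET, BLOCKED_HOST and SSH_PORT are constructed example values.
ADMIN_NET="${ADMIN_NET:-10.10.10.0/27}"     # subnet allowed to reach SSH
BLOCKED_HOST="${BLOCKED_HOST:-10.10.10.10}" # example host to drop entirely
SSH_PORT="${SSH_PORT:-22}"

build_ruleset() {
    cat <<EOF
*filter
# Default policies: INPUT and FORWARD drop whatever no rule accepts.
# Setting them here (not with "iptables -P") replaces the table atomically,
# so there is no window where the policy is DROP and the accept rules are gone.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-tracked connections first; later rules only match NEW.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# An explicit block must come before the accept rules for the same ports.
-A INPUT -s ${BLOCKED_HOST} -j DROP
# SSH only from the admin subnet.
-A INPUT -p tcp -s ${ADMIN_NET} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Web server ports from anywhere.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Log what falls through to the DROP policy, rate-limited to avoid log floods.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
# Outgoing: block direct SMTP so a compromised host cannot send mail itself.
-A OUTPUT -p tcp --dport 25 -j REJECT
COMMIT
EOF
}

# Number of "-A <chain>" rules in the generated ruleset (used for self-checks).
count_rules() {
    build_ruleset | grep -c "^-A $1 "
}

# True when the given rule line appears exactly once in the generated ruleset.
has_rule() {
    [ "$(build_ruleset | grep -cF -- "$1")" -eq 1 ]
}
```

Because the accept rule for SSH is restricted to ADMIN_NET, run the --test dry run from a session inside that subnet before applying, or the DROP policy on INPUT will cut off your own connection.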