In this article I will take you through the 30 most popular iptables commands in Linux. iptables is the firewall built into Linux; it allows a system administrator to define tables containing chains of rules that determine how network packets are treated.
Packets are processed by sequentially traversing rules in chains within the following tables:
Raw: This is a default table that filters packets before any other table. It is mainly used for rules related to connection tracking.
Filter: This is a default table for filtering packets.
NAT: This is a default table used for network address translation.
Mangle: This is a default table used for specialized packet alteration and is not used by the Security Group API.
A rule in a chain can cause a jump to another chain, which, in turn, can jump to another chain, and so on. This behavior can be repeated to whatever level of nesting is desired. If the traffic does not match the rules of a subchain, the system recalls the point at which the jump occurred and returns to that point for further processing. When iptables is enabled, every network packet arriving at or leaving an interface traverses at least one chain.
There are five default chains, and the origin of the packet determines which chain will be initially traversed. The five default chains include the following:
PREROUTING: Packets will enter this chain before a routing decision is made. The PREROUTING chain is used by the raw, mangle, and NAT tables.
INPUT: This is used when a packet is going to be locally delivered to the host machine. The INPUT chain is used by the mangle and filter tables.
FORWARD: All packets that have been routed and were not for local delivery will traverse this chain. The FORWARD chain is used by the mangle and filter tables.
OUTPUT: Packets sent from the host machine itself will traverse this chain. The OUTPUT chain is used by the raw, mangle, NAT, and filter tables.
POSTROUTING: Packets will enter this chain when a routing decision has been made. The POSTROUTING chain is used by the mangle and NAT tables.
Each rule in a chain contains criteria that packets can be matched against. The rule may also contain a target, such as another chain, or a verdict, such as DROP or ACCEPT. As a packet traverses a chain, each rule is examined. If a rule does not match the packet, the packet is passed to the next rule. If a rule does match the packet, the rule takes the action indicated by the target or verdict.
Possible verdicts include the following:
ACCEPT: The packet is accepted and sent to the application for processing
DROP: The packet is dropped silently
REJECT: The packet is dropped and an error message is sent to the sender
LOG: The packet details are logged
DNAT: This rewrites the destination IP of the packet
SNAT: This rewrites the source IP of the packet
RETURN: Processing returns to the calling chain
The ACCEPT, DROP, and REJECT verdicts are often used by the filter table. Common rule criteria include the following:
-p <protocol>: Matches protocols such as TCP, UDP, ICMP, and more
-s <ip_addr>: Matches source IP address
-d <ip_addr>: Matches destination IP address
--sport: Matches source port
--dport: Matches destination port
-i <interface>: Matches the interface on which the packet arrived
-o <interface>: Matches the interface through which the packet exits
IPTABLES COMMANDS
1. To check the current status of Firewall
If you want to check all the firewall rules, you can run the iptables -L -n -v command as shown below.
[root@localhost ~]# iptables -L -n -v
-L: List all rules in the selected chain. If no chain is selected, all chains are listed.
-n: Numeric output. IP addresses and port numbers will be printed in numeric format.
-v: Verbose output. This option makes the list command show the interface name, the rule options (if any), and the TOS masks.
2. To save Firewall Rules
If you want to save all the current iptables rules, run the service iptables save command. This saves all IPv4 rules to the file /etc/sysconfig/iptables.
[root@localhost ~]# service iptables save
3. To save all the iptables rules in a File
If you want to save all the iptables rules to a custom file instead of the standard /etc/sysconfig/iptables, redirect the output of iptables-save to a file using the redirection operator (>) as shown below.
[root@localhost ~]# iptables-save > /root/my.active.firewall.rules
[root@localhost ~]# cat /root/my.active.firewall.rules
4. To restore the rules from a file
If you want to restore all the rules from a file, you can do that with the iptables-restore command as shown below. This command loads the rules stored in /root/abc.rules as the current active ruleset.
[root@localhost ~]# iptables-restore < /root/abc.rules
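The file that iptables-save writes and iptables-restore reads is plain text, so a saved ruleset can be reviewed offline before it is ever loaded. The script below is an added example, not code from the article: it writes a constructed dump in that format, then reads chain policies and rule presence out of it with awk, and runs a small audit (default policies and the INVALID-drop rule). The helper names and the sample dump are mine; pass a real iptables-save output file to the functions to audit a live host without needing root.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a ruleset dump in the
# text format that 'iptables-save' writes and 'iptables-restore' reads.
# The dump written by write_sample_dump is constructed for illustration.
set -eu

# write_sample_dump <path> : write a constructed iptables-save dump to <path>
write_sample_dump() {
    cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample, not a real host)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i enp0s3 -p udp --dport 65 -j REDIRECT --to-port 4000
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
-A INPUT -i eth0 -s 192.168.0.106 -j DROP
COMMIT
EOF
}

# chain_policy <dump> <table> <chain> : print the default policy of a built-in
# chain; ":INPUT ACCEPT [0:0]" lines are only read inside the "*<table>" block
chain_policy() {
    awk -v t="*$2" -v c=":$3" '
        /^#/ { next }
        $0 == t { intable = 1; next }
        /^\*/ { intable = 0 }
        intable && $1 == c { print $2; exit }' "$1"
}

# rule_count <dump> <table> <chain> : number of -A rules appended to the chain
rule_count() {
    awk -v t="*$2" -v c="$3" '
        /^#/ { next }
        $0 == t { intable = 1; next }
        /^\*/ { intable = 0 }
        intable && $1 == "-A" && $2 == c { n++ }
        END { print n + 0 }' "$1"
}

# has_rule <dump> <table> <chain> <substring> : exit 0 if some -A rule in the
# chain contains <substring> (a literal match, not a regex)
has_rule() {
    awk -v t="*$2" -v c="$3" -v pat="$4" '
        /^#/ { next }
        $0 == t { intable = 1; next }
        /^\*/ { intable = 0 }
        intable && $1 == "-A" && $2 == c && index($0, pat) { found = 1; exit }
        END { exit !found }' "$1"
}

# audit_dump <dump> : print one line per finding; exit status is the number of
# findings, so 0 means the dump passed every check
audit_dump() {
    n=0
    for chain in INPUT FORWARD; do
        if [ "$(chain_policy "$1" filter "$chain")" != DROP ]; then
            echo "finding: filter/$chain policy is not DROP (unmatched packets are accepted)"
            n=$((n + 1))
        fi
    done
    if ! has_rule "$1" filter INPUT '--ctstate INVALID -j DROP'; then
        echo "finding: filter/INPUT has no rule dropping INVALID packets"
        n=$((n + 1))
    fi
    return "$n"
}

# Demo on the constructed dump; the same functions work on real iptables-save output
demo_dump=$(mktemp)
write_sample_dump "$demo_dump"
audit_dump "$demo_dump" || echo "audit found $? issue(s) in $demo_dump"
rm -f "$demo_dump"
```

On the constructed dump the audit reports one finding, the ACCEPT policy on filter/INPUT; the FORWARD policy and the INVALID rule pass. Because everything is read from the file, the same check can run in CI against a committed ruleset before iptables-restore loads it on a host.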
5. To block outbound tcp traffic to IP 192.168.0.106
To block outbound TCP traffic to destination 192.168.0.106, run the command below. It drops all TCP traffic destined for 192.168.0.106.
[root@localhost ~]# iptables -A OUTPUT -p tcp -d 192.168.0.106 -j DROP
-A: Append one or more rules to the end of the selected chain.
-p: The protocol of the rule or of the packet to check.
-d: Destination specification.
-j: This specifies the target of the rule; i.e., what to do if the packet matches it.
6. To allow a subnet on port 22
To allow outbound TCP traffic to the 192.168.54.0/24 subnet on port 22, run the command below.
[root@localhost ~]# iptables -A OUTPUT -p tcp -d 192.168.54.0/24 --dport 22 -j ACCEPT
7. To block incoming ICMP requests
If you want to block inbound ICMP requests on interface eth0, run the command below.
[root@localhost ~]# iptables -A INPUT -p icmp -i eth0 -j DROP
8. To block a MAC Address
If you want to drop inbound traffic from MAC address 00:00:00:00:00:00, run the command below; --mac-source matches the source MAC of the incoming frame.
[root@localhost ~]# iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
9. To Limit the Number of Concurrent Connections
If you want to limit the number of concurrent inbound connections on port 22 to 3 per client IP address, run the command below.
[root@localhost ~]# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
connlimit: Allows you to restrict the number of parallel TCP connections to a server per client IP address (or address block).
--connlimit-above n: Match if the number of existing TCP connections is above n (with !, match if it is not above n).
10. To flush all the iptables rules
To flush all the iptables rules currently in effect on your system, run the command below.
[root@localhost ~]# iptables -F
-F: Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one.
11. To drop Invalid Packets
If you want to drop packets that connection tracking marks as INVALID, use --ctstate INVALID with the iptables command.
[root@localhost ~]# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
12. To block connection on Network Interface
If you want to block traffic arriving on interface eth0 from source IP 192.168.0.106, use the command below.
[root@localhost ~]# iptables -A INPUT -i eth0 -s 192.168.0.106 -j DROP
13. To open particular range of ports
If you want to open a range of ports, say from 3000 to 3050, use the command below.
[root@localhost ~]# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 3000:3050 -j ACCEPT
14. To check all the rules for filter table
If you want to list all the rules currently set in the filter table, use the iptables command below.
[root@localhost ~]# iptables -t filter -n -L
15. To create a New Chain
If you want to create a custom chain, for example one named outbound-service, you can create it with the -N option of the iptables command as shown below.
[root@localhost ~]# iptables -N outbound-service
16. Print all the Rules in Selected Chain
If you want to print all the rules of the INPUT chain, use the command below.
[root@localhost ~]# iptables -S INPUT
If no chain is selected, it shows the rules for all chains.
[root@localhost ~]# iptables -S
-S: Print all rules in the selected chain. If no chain is selected, all chains are printed like iptables-save.
17. Rename a Chain
If you want to rename the outbound-service chain to inbound-service, use the -E option of the iptables command, giving the old name first and the new name second.
[root@localhost ~]# iptables -E outbound-service inbound-service
-E: Rename the user specified chain to the user supplied name.
18. List iptables rule with line numbers
If you want to list all the iptables rules with line numbers, run the command below.
[root@localhost ~]# iptables --list --line-numbers
--list: List all rules in the selected chain. If no chain is selected, all chains are listed.
--line-numbers: When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in the chain.
19. Reject TCP Packets with ICMP PORT UNREACHABLE Message
If you want to reject TCP packets with an ICMP port unreachable message, use --reject-with with the REJECT target as shown below.
[root@localhost ~]# iptables -A INPUT -p tcp -j REJECT --reject-with icmp-port-unreachable
--reject-with type: This can be used to return appropriate ICMP Messages.
20. To Zero out the Counter for all Chain and Rules
If you want to reset the packet and byte counters of all chains and rules to zero, use the -Z option of the iptables command.
[root@localhost ~]# iptables -Z
-Z: Zero the packet and byte counters in all chains.
21. Delete a Rule
If you want to delete a particular rule, for example INPUT -p udp -j REJECT --reject-with icmp-port-unreachable, you can do that with the -D option of the iptables command, repeating the rule exactly as it was added:
[root@localhost ~]# iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
22. Check Chain stats
If you want to see statistics such as the number of packets, bytes, source and destination for the OUTPUT chain, use the -v option of the iptables command.
[root@localhost ~]# iptables -L OUTPUT -v
-v: verbose output.
23. Using Port Redirection
Sometimes you need to hide the real port on which a service listens; in those cases port redirection (port forwarding) is useful. In the example below, UDP traffic arriving on enp0s3 for port 65 is redirected to port 4000 using the REDIRECT target.
[root@localhost ~]# iptables -t nat -A PREROUTING -i enp0s3 -p udp --dport 65 -j REDIRECT --to-port 4000
24. Using Multiple Ports
If you want to drop inbound TCP traffic to IP address 192.156.34.21 on multiple ports, such as 54, 32, 65 and 108, run the command below.
[root@localhost ~]# iptables -I INPUT -d 192.156.34.21 -p tcp -m multiport --dports 54,32,65,108 -j DROP
25. Allow Established Connections Packets
If you only want to allow inbound packets belonging to established connections, run the command below.
[root@localhost ~]# iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
26. Saving logs of Rejected Packets
If you want to log the packets that a later rule will reject, and tag those log lines with a recognizable label, use the LOG target with the --log-prefix option as shown below. LOG is a non-terminating target, so after being logged the packet continues to the next rule in the chain.
[root@localhost ~]# iptables -A INPUT -i eth0 -j LOG --log-prefix "IPtables Rejected packets:"
27. Block Packets with Bogus TCP Flags
If someone sends TCP packets with none of the flags set (so-called null packets), the rule below examines the FIN, SYN, RST, PSH, ACK and URG flags and drops any packet in which none of them is set.
[root@localhost ~]# iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
--tcp-flags [!] mask comp: Match when the TCP flags are as specified. The first argument is the flags which we should examine, written as a comma-separated list, and the second argument is a comma-separated list of flags which must be set.
28. Block new packets which are not SYN
If you want to drop packets that start a NEW connection without the SYN flag set, use the command below. This is another useful rule for mitigating DDoS attacks.
[root@localhost ~]# iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
29. Limit new TCP Connections per second
If you want to limit the number of new TCP connections accepted per second, use the iptables command below. This is useful for mitigating DDoS attacks.
[root@localhost ~]# iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
-m: match option or matching module name
--limit rate: Maximum average matching rate: specified as a number, with an optional '/second', '/minute', '/hour', or '/day' suffix; the default is 3/hour.
--limit-burst rate: Maximum initial number of packets to match: this number gets recharged by one every time the limit specified above is not reached, up to this number; the default is 5.
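Commands 9, 11, 25 through 29 only make sense together and in a fixed order (INVALID dropped first, established traffic accepted, then the limits, then logging just before the chain's DROP policy). Appending them one iptables -A at a time leaves the host half-configured between commands, so the added example below, which is not code from the article, writes them as one file in the iptables-restore format introduced in commands 3 and 4, checks the file's structure without needing the iptables binary, and applies it only through iptables-restore --test followed by a real load. The interface name eth0 is an assumption; I also widen command 25 to ESTABLISHED,RELATED, accept loopback, and narrow command 29's rate limit to port 22 rather than every port, which are my choices rather than the article's.

```shell
#!/bin/sh
# Added example, not part of the original article: assemble the article's
# stateful rules (commands 9, 11, 25, 26, 27, 28 and 29) into one file in
# iptables-restore format, so the whole policy is loaded atomically rather
# than appended one 'iptables -A' at a time. The interface name is an assumption.
set -eu

WAN_IF="${WAN_IF:-eth0}"   # assumed external interface, override via environment

# write_ruleset <path> : write the baseline policy to <path>
write_ruleset() {
    cat > "$1" <<EOF
# baseline policy (constructed example); '#' lines are ignored by iptables-restore
*mangle
:PREROUTING ACCEPT [0:0]
# command 27: drop TCP segments with none of the six flags set
-A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
# command 28: a NEW connection must begin with SYN
-A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# command 11: packets that conntrack cannot classify
-A INPUT -m conntrack --ctstate INVALID -j DROP
# command 25, widened to RELATED so ICMP errors for known flows pass
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# command 9: at most 3 concurrent SSH connections per client address
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# command 29, narrowed to SSH: rate-limit new connections; the excess falls through
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT
# command 26: log before the chain's DROP policy discards the packet
-A INPUT -i $WAN_IF -j LOG --log-prefix "IPtables Rejected packets:"
COMMIT
EOF
}

# check_ruleset <path> : structural check that needs no iptables binary: each
# *table must end with COMMIT and each -A/-I must name a chain declared with
# ":<chain>" in that table. Exits non-zero if any defect is found.
check_ruleset() {
    awk '
        /^#/ || /^$/ { next }
        /^\*/ { if (open) bad++; open = 1; for (k in chains) delete chains[k]; next }
        /^:/  { chains[substr($1, 2)] = 1; next }
        /^COMMIT$/ { if (!open) bad++; open = 0; next }
        $1 == "-A" || $1 == "-I" { if (!($2 in chains)) bad++ }
        END { if (open) bad++; exit bad > 0 }' "$1"
}

# apply_ruleset <path> : parse with iptables-restore --test first, then commit.
# Not called by the demo below; run it explicitly as root on the target host.
apply_ruleset() {
    check_ruleset "$1" || { echo "refusing to apply: $1 is malformed" >&2; return 1; }
    if ! command -v iptables-restore >/dev/null 2>&1; then
        echo "iptables-restore not installed; $1 was written but not applied" >&2
        return 1
    fi
    iptables-restore --test < "$1" || { echo "iptables-restore rejected $1" >&2; return 1; }
    iptables-restore < "$1"
}

# Demo: write the ruleset to RULESET_OUT (or a temp file) and check it
out="${RULESET_OUT:-$(mktemp)}"
write_ruleset "$out"
check_ruleset "$out" && echo "baseline ruleset written and checked: $out"
```

Order matters inside the filter table: the ESTABLISHED,RELATED accept sits before the connlimit and limit rules so that only the first packet of a connection is subject to them, and the LOG rule is last so it records exactly what the DROP policy is about to discard. The structural awk check catches the common mistakes in hand-edited restore files (a missing COMMIT, a rule for a chain that was never declared) before iptables-restore, which would otherwise abort part way through a load.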
30. Check Other Options with iptables command
If you want to see all the other options of the iptables command, use the -h option.
[root@localhost ~]# iptables -h
Reference: Learning Openstack Networking