IPtable in Linux with Examples - Part 1
Various Rules of IPtable Firewall
This article explains useful iptables firewall rules. The iptables command lets system administrators manage incoming and outgoing traffic. iptables contains a set of tables; tables consist of chains, and chains consist of rules.
Three types of tables
1. FILTER - The filter table is the default table in iptables and has the following built-in chains:
INPUT - packets destined for local sockets
FORWARD - packets routed through the system
OUTPUT - packets generated locally
2. MANGLE - used for packet altering. It has the following built-in chains:
PREROUTING - to alter incoming connections
OUTPUT - to alter locally generated packets
INPUT - for incoming packets
POSTROUTING - to alter packets which are about to go out
FORWARD - for packets routed through the box
3. NAT - NAT stands for Network Address Translation. It is used when a packet tries to create a new connection. It has the following built-in chains:
PREROUTING - used to alter a packet as soon as it is received
OUTPUT - used to alter locally generated packets
POSTROUTING - used to alter packets which are about to go out
OPTION | DESCRIPTION
-A | Appends an iptables rule to the end of the specified chain. Used to add a rule when rule order in the chain does not matter.
-D | Deletes a rule in a particular chain by number (such as 5 for the fifth rule in a chain).
-F | Flushes the selected chain, i.e. deletes every rule in the chain. If no chain is mentioned, this command flushes every rule from every chain.
-L | Lists all of the rules in the chain specified after the command.
-N | Creates a new chain with a user-specified name.
-X | Deletes a user-specified chain.
-d | Sets the destination hostname, IP address, or network of a packet that matches the rule.
-i | Sets the incoming network interface, such as eth0 or ppp0. With iptables, this optional parameter may be used with the INPUT and FORWARD chains when used with the filter table, and with the PREROUTING chain in the nat and mangle tables.
-j | Jumps to the specified target when a packet matches a particular rule.
-p | Sets the IP protocol for the rule, which can be icmp, tcp, udp, or all (to match every supported protocol).
-s | Sets the source for a particular packet, using the same syntax as the destination (-d) parameter.
-v | Displays verbose output, such as the number of packets and bytes each chain has seen, the number of packets and bytes each rule has matched, and which interfaces apply to a particular rule.
-n | Displays IP addresses and port numbers in numeric format, rather than the default hostname and network service format.
-t | Specifies a table name.
-m | Specifies a match to use, that is, an extension module that tests for a specific property.
--dport | Sets the destination port for the packet for both the UDP and TCP protocols.
--sport | Specifies the source port for the packet for both the UDP and TCP protocols.
--mac-source | Matches the MAC address of the network interface card that sent the packet. To exclude a MAC address from a rule, place an exclamation point (!) after the --mac-source match option.
--log-prefix | Places a string of up to 29 characters before the log line when it is written.
--limit | Sets the number of matches for a particular range of time, specified with a number and a time modifier arranged in a number/time format.
--limit-burst | Sets a limit on the number of packets able to match a rule at one time.
--syn | Applies to all TCP packets designed to initiate communication, commonly called SYN packets.
--connlimit-above | Matches if the number of existing connections is not above the specified number.
--ctstate | statelist is a comma-separated list of connection states to match.
--to-ports | Specifies a destination port or a range of source ports to use.
How to manage IPtable services
Run the following commands to start, stop, restart, enable or disable, and check the status of the iptables service on the various Linux distributions.
For SysVinit based Linux Distributions
------------ On CentOS/RHEL 6/5 and Fedora ------------
[root@linuxhelp ~]# /etc/init.d/iptables start
[root@linuxhelp ~]# /etc/init.d/iptables stop
[root@linuxhelp ~]# /etc/init.d/iptables restart
(OR)
[root@linuxhelp ~]# service iptables start
[root@linuxhelp ~]# service iptables stop
[root@linuxhelp ~]# service iptables restart
[root@linuxhelp ~]# service iptables status
[root@linuxhelp ~]# chkconfig iptables on
[root@linuxhelp ~]# chkconfig iptables off
For SystemD based Linux Distributions
------------ On CentOS/RHEL 7 and Fedora 22+ ------------
[root@linuxhelp ~]# systemctl start iptables
[root@linuxhelp ~]# systemctl stop iptables
[root@linuxhelp ~]# systemctl restart iptables
[root@linuxhelp ~]# systemctl enable iptables
ln -s '/usr/lib/systemd/system/iptables.service' '/etc/systemd/system/basic.target.wants/iptables.service'
[root@linuxhelp ~]# systemctl disable iptables
rm '/etc/systemd/system/basic.target.wants/iptables.service'
[root@linuxhelp ~]# systemctl status iptables
iptables.service - IPv4 firewall with iptables
   Loaded: loaded (/usr/lib/systemd/system/iptables.service enabled)
   Active: active (exited) since Wed 2016-05-04 09:40:49 IST 7s ago
  Process: 12393 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=0/SUCCESS)
 Main PID: 12393 (code=exited, status=0/SUCCESS)

May 04 09:40:49 linuxhelp systemd[1]: Starting IPv4 firewall with iptables...
May 04 09:40:49 linuxhelp iptables.init[12393]: iptables: Applying firewall rules: [ OK ]
May 04 09:40:49 linuxhelp systemd[1]: Started IPv4 firewall with iptables.
To List current IPtables Rules
To check the rules currently applied in iptables, run the following command.
[root@linuxhelp ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 1332 packets, 174K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 481 packets, 71256 bytes)
pkts bytes target prot opt in out source destination
Where
-L -> lists the rules
-n -> displays IP addresses and ports in numeric format
-v -> displays detailed information
The output above shows that no rules are applied. If there are any rules, entries are shown like below.
[root@linuxhelp ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 ACCEPT udp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT tcp -- virbr0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
57 13111 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * virbr0 0.0.0.0/0 192.168.122.0/24 state RELATED,ESTABLISHED
0 0 ACCEPT all -- virbr0 * 192.168.122.0/24 0.0.0.0/0
0 0 ACCEPT all -- virbr0 virbr0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 27 packets, 1657 bytes)
pkts bytes target prot opt in out source destination
By using the -t option, check the rules in the NAT table:
[root@linuxhelp ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 7 packets, 1007 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 24 packets, 1534 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE tcp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE udp -- * * 192.168.122.0/24 !192.168.122.0/24 masq ports: 1024-65535
0 0 MASQUERADE all -- * * 192.168.122.0/24 !192.168.122.0/24
Chain OUTPUT (policy ACCEPT 24 packets, 1534 bytes)
pkts bytes target prot opt in out source destination
To Block a Particular IP Address in IPtables
Execute the following command to block an IP address when unusual or abusive activity from that address is observed.
[root@linuxhelp ~]# iptables -A INPUT -s 192.168.5.22 -j DROP
[root@linuxhelp ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 447 packets, 672K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 192.168.5.22 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 373 packets, 21028 bytes)
pkts bytes target prot opt in out source destination
Use the -p option, which specifies the protocol, to block only one protocol from that IP address (ICMP in the example below).
[root@linuxhelp ~]# iptables -A INPUT -p icmp -s 192.168.5.89 -j DROP
[root@linuxhelp ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 192.168.5.89 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
To Unblock or delete an entry in IPtables rules
Run the following command to unblock the IP address that was blocked above; -D deletes the rule matching the given specification.
[root@linuxhelp ~]# iptables -D INPUT -s 192.168.5.22 -j DROP
[root@linuxhelp ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 1 packets, 52 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2 packets, 104 bytes)
pkts bytes target prot opt in out source destination
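The listings in this article all use the same column layout, and iptables evaluates a chain top-down with the first matching rule deciding the verdict and the chain policy applying when nothing matches. As an added example (not code from the original article), the Python below parses a constructed `iptables -L -n -v` listing that mirrors the rules shown so far and evaluates a packet against a chain with those first-match semantics; the `parse_listing`, `_port_ok` and `verdict` helpers are mine, and `verdict` treats the packet as a new connection, so the `state RELATED,ESTABLISHED` rule is skipped.

```python
import ipaddress

# Constructed sample of `iptables -L -n -v` output; the rules mirror the ones in this article.
SAMPLE = """\
Chain INPUT (policy ACCEPT 447 packets, 672K bytes)
 pkts bytes target prot opt in out source       destination
   57 13111 ACCEPT all  --  *  *   0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 DROP   all  --  *  *   192.168.5.22 0.0.0.0/0
    0     0 DROP   icmp --  *  *   192.168.5.89 0.0.0.0/0
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0    0.0.0.0/0    tcp dpt:25
Chain OUTPUT (policy ACCEPT 373 packets, 21028 bytes)
 pkts bytes target prot opt in out source       destination
    0     0 DROP   tcp  --  *  *   0.0.0.0/0    0.0.0.0/0    tcp dpt:22
"""

def parse_listing(text):
    """Parse -L -n -v output into {chain: {"policy": str, "rules": [dict, ...]}}."""
    chains, cur = {}, None
    for line in text.splitlines():
        f = line.split()
        if f and f[0] == "Chain":            # "Chain INPUT (policy ACCEPT ...)"
            cur = f[1]
            chains[cur] = {"policy": f[3].rstrip(")"), "rules": []}
        elif f and cur and f[0].isdigit():   # rule rows; the column header line is skipped
            chains[cur]["rules"].append({"target": f[2], "prot": f[3], "in": f[5],
                                         "out": f[6], "src": f[7], "dst": f[8],
                                         "extra": " ".join(f[9:])})
    return chains

def _port_ok(extra, dport):
    """Honour 'tcp dpt:N' and 'multiport dports a,b,c'; a rule without a port match fits any port."""
    toks = extra.split()
    for t in toks:
        if t.startswith("dpt:"):
            return dport == int(t[4:])
    if "dports" in toks:
        return str(dport) in toks[toks.index("dports") + 1].split(",")
    return True

def verdict(chain, proto, src, dport=None):
    """First matching rule wins; the chain policy applies when nothing matches.
    The packet is treated as a new connection, so 'state RELATED,ESTABLISHED' rules are skipped."""
    addr = ipaddress.ip_address(src)
    for r in chain["rules"]:
        if (r["prot"] in ("all", proto) and "state" not in r["extra"].split()
                and addr in ipaddress.ip_network(r["src"], strict=False)
                and _port_ok(r["extra"], dport)):
            return r["target"]
    return chain["target"] if False else chain["policy"]
```

Running `verdict(parse_listing(SAMPLE)["INPUT"], "tcp", "192.168.5.22", 25)` returns DROP even though a later rule accepts port 25, which is why rule order and the -A (append) versus delete workflow above matter when auditing a chain.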
To Block Particular Port on IPtables
Use the command below to block connections on a specific port (this example drops outgoing connections to port 22; the same form with -A INPUT blocks incoming ones).
[root@linuxhelp ~]# iptables -A OUTPUT -p tcp --dport 22 -j DROP
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:ssh
Use the command below to allow incoming connections on a port:
[root@linuxhelp ~]# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:ssh
To Allow Multiple Ports on IPtables
By using the multiport match, we can allow multiple ports at once for incoming and outgoing connections as follows.
[root@linuxhelp ~]# iptables -A INPUT -p tcp -m multiport --dports 22,25,80 -j ACCEPT
[root@linuxhelp ~]# iptables -A OUTPUT -p tcp -m multiport --sports 22,25,80 -j ACCEPT
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports ssh,smtp,http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport sports ssh,smtp,http
To Set a Particular Port for a Particular Network Range
Use the following command to allow connections on a particular port to a particular network.
[root@linuxhelp ~]# iptables -A OUTPUT -p tcp -d 192.168.5.0/24 --dport 80 -j ACCEPT
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports ssh,smtp,http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport sports ssh,smtp,http
ACCEPT tcp -- anywhere 192.168.5.0/24 tcp dpt:http
To Block whole Network on IPtables
Use the following command to block all access to a particular network in iptables (this example drops outgoing TCP to 192.168.7.0/24).
[root@linuxhelp ~]# iptables -A OUTPUT -p tcp -d 192.168.7.0/24 -j DROP
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport dports ssh,smtp,http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere multiport sports ssh,smtp,http
ACCEPT tcp -- anywhere 192.168.5.0/24 tcp dpt:http
DROP tcp -- anywhere 192.168.7.0/24
To Set a Rich Rule in IPtables
Execute the following command to set a port forwarding (redirect) rule in the nat table.
[root@linuxhelp ~]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2213 -j REDIRECT --to-port 22
[root@linuxhelp ~]# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 3316
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
With a rule of this form, all incoming TCP traffic on network interface eth0 arriving at the first port is redirected to the second port (the listing above shows a redirect from port 80 to port 3316).
To Block Outgoing Ping Requests in IPtables
Execute the following command to block outgoing ping requests for security reasons.
[root@linuxhelp ~]# iptables -A OUTPUT -p icmp -j DROP
[root@linuxhelp ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
To Block the Access from a particular MAC Address on IPtables
Use the command below to block access from a particular MAC address in iptables.
[root@linuxhelp ~]# iptables -A INPUT -m mac --mac-source 00:0a:95:9d:68:16 -j DROP
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere MAC 00:0A:95:9D:68:16
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Change "00:0a:95:9d:68:16" to the actual MAC address that you want to block.