IPtable in Linux with Examples - Part 2

Various Rules of IPtable Firewall

The iptables command lets the system administrator control incoming and outgoing traffic. Some of the useful iptables firewall rules were explained in the previous article, Part 1; this article covers the remaining ones. One point applies to all of them: the rules in a chain are evaluated top to bottom, the first rule whose match succeeds and whose target is terminating (ACCEPT, DROP, REJECT) decides the packet's fate, and a packet that matches no rule is handled by the chain policy. Every example below appends to the end of a chain with -A, so a rule's position relative to the rules already present, and the chain policy, determine whether it actually does anything.

For more information on the iptables firewall, see Part 1: https://www.linuxhelp.com/iptable-in-linux-with-examples-part-1/

To Block loopback Access using IPtables

Traffic on the loopback interface (lo) can be blocked with the rule below. Treat it as an illustration of matching on an interface with -i rather than as something to deploy: local services (databases, mail daemons, monitoring agents, anything that listens on 127.0.0.1) talk to each other over lo, and dropping it breaks them. On a production host the usual rule is the same one with -j ACCEPT instead of -j DROP, placed at the very top of the INPUT chain.

[root@linuxhelp ~]# iptables -A INPUT -i lo -j DROP
[root@linuxhelp ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  lo     *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

To Keep a Log of Dropped Network Packets on IPtables

The LOG target writes one kernel-log line per packet that reaches it, with the packet's header fields (IN=, SRC=, DST=, PROTO=, DPT= and so on) after the prefix you choose. It is non-terminating: after logging, the packet continues to the next rule. The command below therefore logs every packet arriving on eth0, not only dropped ones. To log only what is dropped, give the LOG rule the same match as the DROP rule (or the chain policy) and place it immediately before it, and add -m limit so that a flood of unwanted packets cannot fill the disk.

[root@linuxhelp ~]# iptables -A INPUT -i eth0 -j LOG --log-prefix "rejected packets:"
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level warning prefix "rejected packets:"

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


The text after --log-prefix is free-form (up to 29 characters); choose something that is easy to grep for and end it with a space or a colon so that it does not run into the IN= field that follows it. On CentOS/RHEL, rsyslog writes kernel messages to /var/log/messages, which is where the entries appear; on Debian/Ubuntu they go to /var/log/kern.log, and on a systemd host journalctl -k shows them. To verify, run the command below.

[root@linuxhelp ~]# grep "rejected packets:" /var/log/messages
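Once the entries are in /var/log/messages they are only useful if someone summarizes them. The script below is an added example, not part of the original article: it turns the raw kernel log into a per-source, per-port count with grep, awk and sort, and lists the sources above a threshold (the candidates for a block rule). The sample log lines are constructed to match the format the kernel writes; the hostnames, MAC address and IP addresses in them are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarize lines written by the iptables LOG target.
# Not from the original article. The sample log lines below are constructed;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.

SAMPLE_LOG='Mar  3 10:15:02 linuxhelp kernel: rejected packets:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.168.5.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4711 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 linuxhelp kernel: rejected packets:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.168.5.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4712 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:09 linuxhelp kernel: rejected packets:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.23 DST=192.168.5.10 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:10 linuxhelp kernel: rejected packets:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.7 DST=192.168.5.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=4713 PROTO=ICMP TYPE=8 CODE=0 ID=2048 SEQ=1
Mar  3 10:15:11 linuxhelp sshd[2231]: Accepted publickey for admin from 192.168.5.20 port 50222 ssh2'

# summarize_drops PREFIX
# Reads a syslog-style kernel log on stdin and prints one line per distinct
# (source, protocol, destination port) tuple as "COUNT SRC PROTO DPT", most
# frequent first. Lines without the prefix (other daemons, other LOG rules)
# are ignored; DPT is "-" for protocols without ports, such as ICMP.
summarize_drops() {
    prefix="$1"
    grep -F "kernel: ${prefix}" |
    awk '{
        src = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") { src = kv[2] }
            else if (kv[1] == "PROTO") { proto = kv[2] }
            else if (kv[1] == "DPT") { dpt = kv[2] }
        }
        count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -k1,1nr -k2,2
}

# sources_over PREFIX THRESHOLD
# Prints the source addresses with more than THRESHOLD logged packets in
# total, i.e. the candidates for a block rule (or for a tool like fail2ban).
sources_over() {
    summarize_drops "$1" |
    awk -v t="$2" '{ total[$2] += $1 } END { for (s in total) if (total[s] > t) print s }' |
    sort
}

# Stand-alone run on the constructed sample. On a real host read the log:
#   summarize_drops "rejected packets:" < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | summarize_drops "rejected packets:"
printf '%s\n' "$SAMPLE_LOG" | sources_over "rejected packets:" 2
```

On a real host, replace the sample with the log itself, as in the comment at the end of the script. Because the LOG rule in the article matches every packet on eth0, the counts will include accepted traffic until that rule is moved in front of a DROP with the same match.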


To limit network connections to a web server using IPtables

A flood of connections to the web port can exhaust the server, and the rule below is the article's way of throttling it. Read it with the limit module's semantics in mind: -m limit matches packets, not connections, using a token bucket (here 110 per minute with a burst of 150), and once the bucket is empty the rule simply stops matching, so the remaining packets fall through to whatever follows. Under the ACCEPT policy shown in the listing that is everything, so nothing is throttled. For the rule to have an effect it needs a DROP rule for the same port after it, and the match should be restricted to new connections with --syn; otherwise every data packet of an established HTTP session counts against the limit and a single busy client can starve the others.

[root@linuxhelp ~]# iptables -A INPUT -p tcp --dport 80 -m limit --limit 110/minute --limit-burst 150 -j ACCEPT
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             multiport dports ssh,smtp,http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http limit: avg 110/min burst 150

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             multiport sports ssh,smtp,http
ACCEPT     tcp  --  anywhere             192.168.5.0/24       tcp dpt:http
DROP       tcp  --  anywhere             192.168.7.0/24

To limit the number of concurrent connections from one address using IPtables

Execute the command below to reject new connections from a source address once that address already holds more than three open connections on the given port. Unlike -m limit, which counts packets, connlimit counts connections per source; the default mask is /32 (one address), and --connlimit-mask 24, for example, would count a whole /24 together. The --syn match makes the rule look only at connection attempts. REJECT answers with an ICMP port-unreachable by default; for a TCP port, --reject-with tcp-reset is the cleaner choice. The listing below was captured with the same rule applied to port 25, which is why it shows dpt:smtp.

[root@linuxhelp ~]# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN #conn src/32 >  3 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

To Search for a specific rule in IPtables

Once a chain has grown, you will need to find a particular rule before changing or deleting it. Listing with -v -n and filtering with grep does that: -n prints addresses and ports numerically instead of resolving them, which is what makes a plain -L slow on a host with many rules, and adding --line-numbers prints each rule's position, the number that -D, -I and -R accept. In the example the connlimit rule shows up as well, because its reject-with string contains icmp.

[root@linuxhelp ~]# iptables -L INPUT -v -n | grep icmp
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25 flags:0x17/0x02 #conn src/32 >  3 reject-with icmp-port-unreachable
    0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0

To Define New IPTables Chain

Run the following command to define a chain of your own for custom rules. A user-defined chain receives no traffic by itself; packets reach it only when a rule in a built-in chain jumps to it with -j New-chain, and the '(0 references)' in the listing shows that nothing does so yet. Custom chains are the normal way to group rules that several places need, for example a LOG followed by a DROP that all the blocking rules jump to.

[root@linuxhelp ~]# iptables -N New-chain
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain New-chain (0 references)
target     prot opt source               destination


To Delete a IPTables Chain

Run the following command to delete the chain created above. -X only removes a user-defined chain that is empty and no longer referenced: flush it first with -F New-chain and delete any -j New-chain rules, otherwise the command fails. -X without a chain name deletes every user-defined chain that meets those conditions.



[root@linuxhelp ~]# iptables -X New-chain
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

To allow related and established connections

Use the following command to accept packets that belong to a connection conntrack already knows (ESTABLISHED) or that are related to one, such as an FTP data channel or an ICMP error for an existing flow (RELATED). This rule belongs near the top of INPUT, right after the loopback rule: it lets the replies to the host's own outbound traffic in before any of the more specific rules are evaluated, and it is what makes a default DROP policy workable. On older systems the equivalent is -m state --state ESTABLISHED,RELATED.

[root@linuxhelp ~]# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[root@linuxhelp ~]# iptables -L -n -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

To Drop Invalid Packets in IPtables

Use the following command to drop packets that conntrack cannot associate with any connection (malformed headers, segments outside the TCP window, stray ACKs). Put it right after the ESTABLISHED,RELATED rule, so that only genuinely new connections reach the per-service rules below it.



[root@linuxhelp ~]# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP 
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain New-chain (0 references)
target     prot opt source               destination

To Block Connections on a Network Interface

The command below drops all traffic from one source address that arrives on eth0; leave out -i to block the address on every interface, or leave out -s to block the whole interface. Plain iptables -L hides the interface columns, so use -L -v -n to confirm that the rule is bound to eth0.

[root@linuxhelp ~]# iptables -A INPUT -i eth0 -s 192.168.5.121 -j DROP
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  192.168.5.121        anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain New-chain (0 references)
target     prot opt source               destination

To block outgoing mail through SMTP

If the host should not send mail at all (a common measure on web servers, so that a compromised script cannot be used for spam), reject outbound connections to the SMTP ports: 25 (smtp), 465 (SMTP over TLS, listed as urd in /etc/services) and 587 (submission). This also blocks the host's own legitimate mail; if a local MTA must relay through a specific smarthost, insert an ACCEPT for that destination before this rule.

[root@linuxhelp ~]# iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
[root@linuxhelp ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere             multiport dports smtp,urd,submission reject-with icmp-port-unreachable

To Flush the IPtables Firewall Chains or Rules

Use the following command to flush, that is delete, every rule in every chain of the filter table. It does not change the chain policies, delete user-defined chains or reset the packet counters (that is what -X and -Z are for). With a DROP policy on INPUT, flushing on a remote host leaves nothing that accepts your SSH session, so set the policies back to ACCEPT with -P before flushing.

[root@linuxhelp ~]# iptables -F

To flush the chains of a specific table

iptables -F acts on the filter table only. Each of the other tables (nat, mangle, raw) is flushed separately by naming it with -t, as below for nat.

[root@linuxhelp ~]# iptables -t nat -F

To Save IPtables Rules

The rules entered with iptables live in kernel memory and are lost at reboot. On CentOS/RHEL 6 the command below writes the running rule set, in iptables-save format, to /etc/sysconfig/iptables, from where the iptables init script restores it at boot (on CentOS/RHEL 7 and later the same command exists once the iptables-services package is installed). The portable equivalents are iptables-save, which prints the rule set to standard output, and iptables-restore, which loads such a file atomically; on Debian and Ubuntu the iptables-persistent package provides the same persistence.

[root@linuxhelp ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
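To show how the pieces fit together, here is an added example that is not part of the original article: the rules from this page (loopback, conntrack ESTABLISHED/RELATED and INVALID, the per-host block, the SSH connlimit, the HTTP rate limit, the outbound SMTP block, and a log-then-drop custom chain) assembled into a single file in the format that iptables-save writes and iptables-restore reads, in an order that makes each of them effective, with a default DROP policy on INPUT. The interface name eth0, the address 192.168.5.121 and the ports are taken from the article's listings and are assumptions; the helper names (write_ruleset, rule_line, check_order, load_ruleset) are this example's own. The file is only written unless APPLY_RULES=1 is set, since loading it needs root.

```shell
#!/bin/sh
# Added example, not from the original article: the rules of this page
# assembled into one iptables-restore file in an order that makes each of
# them effective, written to disk and (optionally) loaded atomically.
# Assumptions: eth0 is the Internet-facing interface, 192.168.5.121 is the
# address to block and 22/80/25/465/587 are the ports of interest, all
# taken from the article's own listings. Lines starting with # inside the
# file are comments to iptables-restore.

WAN_IF="${WAN_IF:-eth0}"
BLOCKED_SRC="${BLOCKED_SRC:-192.168.5.121}"

# write_ruleset FILE: write the ruleset to FILE and print the path.
write_ruleset() {
    out="$1"
    cat > "$out" <<EOF
*filter
# Default-deny inbound. Under an ACCEPT policy a rule that only ACCEPTs
# (the article's -m limit example) changes nothing, so the policy is DROP.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Custom chain shared by every block below: a rate-limited LOG, then DROP.
# LOG is non-terminating, so the DROP has to come after it.
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "rejected packets:" --log-level 4
-A LOGDROP -j DROP
# 1. Loopback: accept it (local services depend on it), and drop packets
#    claiming a 127/8 source that arrive on any other interface.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j LOGDROP
# 2. Conntrack early: replies to our own traffic are accepted before the
#    per-service rules are consulted; INVALID is dropped without logging.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 3. Per-host block on the WAN interface.
-A INPUT -i $WAN_IF -s $BLOCKED_SRC -j LOGDROP
# 4. SSH: a source already holding more than 3 connections gets a reset
#    (connlimit counts connections, not packets); otherwise accept.
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset
-A INPUT -p tcp --syn --dport 22 -j ACCEPT
# 5. HTTP: limit new connections (--syn) rather than every packet, and
#    drop what exceeds the limit instead of letting it reach the policy.
-A INPUT -p tcp --syn --dport 80 -m limit --limit 110/minute --limit-burst 150 -j ACCEPT
-A INPUT -p tcp --syn --dport 80 -j DROP
# 6. Everything else: log a sample, then drop.
-A INPUT -j LOGDROP
# Outbound: no mail from this host; everything else is allowed.
-A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT --reject-with tcp-reset
COMMIT
EOF
    echo "$out"
}

# rule_line FILE PATTERN: line number of the first line containing PATTERN
# (a fixed string), 0 if absent. Lets a deploy script check rule ordering.
rule_line() {
    n=$(grep -n -F -- "$2" "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# check_order FILE: succeed only if the orderings the comments promise hold.
check_order() {
    f="$1"
    est=$(rule_line "$f" '--ctstate ESTABLISHED,RELATED -j ACCEPT')
    catchall=$(rule_line "$f" '-A INPUT -j LOGDROP')
    log=$(rule_line "$f" '-A LOGDROP -m limit')
    drop=$(rule_line "$f" '-A LOGDROP -j DROP')
    lim=$(rule_line "$f" '--dport 80 -m limit')
    limdrop=$(rule_line "$f" '--dport 80 -j DROP')
    [ "$est" -gt 0 ] && [ "$est" -lt "$catchall" ] &&
    [ "$log" -gt 0 ] && [ "$log" -lt "$drop" ] &&
    [ "$lim" -gt 0 ] && [ "$lim" -lt "$limdrop" ] &&
    grep -q '^:INPUT DROP' "$f"
}

# load_ruleset FILE: back up the live rules, parse-check the file, then load
# it in one transaction. Needs root; --test needs iptables 1.6 or newer.
load_ruleset() {
    iptables-save > /root/iptables.backup &&
    iptables-restore --test < "$1" &&
    iptables-restore < "$1"
}

RULES_FILE=$(write_ruleset "${TMPDIR:-/tmp}/iptables.rules")
if check_order "$RULES_FILE"; then echo "ruleset written to $RULES_FILE"; fi
if [ "${APPLY_RULES:-0}" = 1 ]; then load_ruleset "$RULES_FILE"; fi
```

Loading with iptables-restore replaces the whole rule set in one step, so a half-applied set of -A commands cannot lock you out midway, and running service iptables save afterwards (or copying the file to /etc/sysconfig/iptables) makes it persistent. Keep an out-of-band console at hand the first time: with the INPUT policy at DROP, a mistake in the SSH rules cuts the session.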
FAQ
Q
How do I block outgoing mail through the SMTP ports in iptables?
A
Reject outbound connections to the SMTP ports (25, 465 and 587) with the following command:
# iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
Q
Which command drops invalid packets in iptables?
A
Use the following command to drop packets that conntrack classifies as INVALID:
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Q
Where are the iptables log entries written?
A
iptables itself keeps no log file; the LOG target sends its entries to the kernel log, which the syslog daemon writes to /var/log/messages on CentOS/RHEL (/var/log/kern.log on Debian/Ubuntu; journalctl -k on systemd hosts).
Q
How do I limit connections to a web server using iptables?
A
Use the following rule, followed by a DROP rule for the same port so that packets above the limit are actually dropped rather than accepted by the chain policy:
# iptables -A INPUT -p tcp --dport 80 -m limit --limit 110/minute --limit-burst 150 -j ACCEPT
Q
How do I log dropped network packets in iptables?
A
Place a LOG rule with the same match immediately before the DROP rule, for example:
# iptables -A INPUT -i eth0 -j LOG --log-prefix "rejected packets:"