Basic iptables tutorial with examples in Linux I

For those who are not sure what the term iptables means, here is the definition (from Wikipedia): iptables are the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.
 
Few important points on iptables

  • iptables requires elevated privileges and must be run as the root user; otherwise it fails to function.
  • On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man pages, which can be opened with man iptables once installed. It may also be found in /sbin/iptables, but since iptables is more like a service than an "essential binary", the preferred location remains /usr/sbin.
  • It generally works at Layer 3 and Layer 4, i.e. the network and transport layers.
  • iptables is also responsible for managing ICMP (Internet Control Message Protocol), which it treats as coming in at the data link layer.
  • iptables also supports MAC-level filtering, so it works at Layer 2 (Data Link layer) as well.
  • Layer 3 focuses on source (192.168.0.x) and destination (172.168.0.x) addresses.
  • Layer 4 focuses on protocols and ports, e.g. TCP : 80, UDP : 69 (most applications depend on TCP and UDP ports).
NOTE:

TCP/UDP ports use a 16-bit range (0-65535) and IP addresses are based on 32-bit ranges (4 billion)

 

Package

Verify that iptables rpm is installed in your machine

# rpm -qa | grep iptables
iptables-1.4.7-4.el6.i686
iptables-ipv6-1.4.7-4.el6.i686

To check if the kernel is compiled with iptables support (here config-2.6.x.x may vary as per your kernel; grep reads the file directly, so there is no need to pipe it through less)

# grep CONFIG_NETFILTER /boot/config-2.6.32-220.el6.i686
CONFIG_NETFILTER=y

 
Make sure the first line shown above ends in "y".
 

Types of tables in iptables

  1. mangle - alter packets (TOS/TTL) with TCP/UDP/ICMP
  2. NAT (Network Address Translation)
  3. Filter (IP packet filtering)
NOTE:

NAT allows the IP address to be changed along with the port.

 

ACL syntax for iptables

  1. name of the chain and the action on it (Append/Insert/Replace)
  2. name of the table (filter by default) - mangle/nat/user-defined
  3. layer 3 match (source/destination address)
  4. optionally a layer 4 match (tcp/udp protocol and ports)
  5. Jump/Target -j - ACCEPT/DROP/DENY/REJECT/LOG

Some Examples
Block the source IP 192.168.0.30 from communicating with our system

# iptables -A INPUT -s 192.168.0.30 -j DROP

Here I am appending a rule to the INPUT chain for the source 192.168.0.30, and the action to be taken is to DROP all packets coming from that source machine.
To view the current rules in iptables

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.0.30         anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:telnet
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

So now if 192.168.0.30 tries to connect to our local machine, it will get a request timeout.
Other commands to view the iptables rules

# iptables -L -v
Chain INPUT (policy ACCEPT 2559 packets, 223K bytes)
 pkts bytes target     prot opt in     out   source        destination
    0    0 DROP       all  --  any    any   192.168.0.30    anywhere
    0    0 ACCEPT     tcp  --  any    any   anywhere        anywhere            tcp spt:ssh
    0    0 DROP       tcp  --  any    any   anywhere        anywhere            tcp dpt:telnet
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 297 packets, 40151 bytes)
 pkts bytes target     prot opt in     out     source               destination

Here -v adds the packet and byte counters (bytes shown in K/M/G) for each rule, i.e. how much traffic every rule applied in iptables has blocked or allowed since the counters were last reset.
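The counters are the quickest way to tell which rules are actually catching traffic. The script below is an added example (not from the original tutorial): it reads a verbose listing in the form produced by `iptables -L -v -n --line-numbers` and reports every DROP or REJECT rule whose packet counter is non-zero, with the chain, rule number, packet count and source. The listing embedded in `SAMPLE_LISTING` is constructed to mirror the tutorial's INPUT chain; on a live host you would pipe the real command into `active_drops` instead.

```shell
#!/bin/sh
# Added example: find the DROP/REJECT rules that have matched packets.
# SAMPLE_LISTING is constructed here; it imitates `iptables -L -v -n --line-numbers`
# output for the tutorial's three INPUT rules (192.168.0.30 is the tutorial's host).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 2559 packets, 223K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       42  2520 DROP       all  --  *      *       192.168.0.30         0.0.0.0/0
2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3        7   420 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:23
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 297 packets, 40151 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# Reads a listing on stdin and prints one line per matching rule:
#   CHAIN rule-number packets source [layer-4 match]
active_drops() {
    awk '
        /^Chain /   { chain = $2; next }   # "Chain INPUT (policy ...)" -> remember chain
        $1 == "num" { next }               # column header line
        NF == 0     { next }               # blank separator
        ($4 == "DROP" || $4 == "REJECT") && ($2 + 0) > 0 {
            # With -v (and no -x) counters may carry a K/M/G suffix;
            # "$2 + 0" keeps the leading number, which is still > 0.
            extra = ""
            for (i = 11; i <= NF; i++) extra = extra " " $i
            printf "%s %s %s %s%s\n", chain, $1, $2, $9, extra
        }
    '
}

# Number of rules reported by active_drops (0 when nothing has matched).
count_active_drops() {
    active_drops | awk 'END { print NR }'
}

# Stand-alone demo on the constructed listing; on a real host replace the
# printf with:  iptables -L -v -n --line-numbers | active_drops
printf '%s\n' "$SAMPLE_LISTING" | active_drops
```

On the sample above the report shows rule 1 (the blocked host, 42 packets) and rule 3 (telnet, 7 packets); the ssh ACCEPT rule is silent, so nothing is printed for it. Run the real listing with -n so addresses and ports are numeric and the columns line up as the script expects.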

# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.0.30         anywhere
2    ACCEPT     tcp  --  anywhere             anywhere          tcp spt:ssh
3    DROP       tcp  --  anywhere             anywhere          tcp dpt:telnet
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.0.30         anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp spt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpt:telnet
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

 

Appending/Inserting rules

You can either append a new rule to a chain or insert it. The difference is that an appended rule ends up in the last row, whereas if you want your rule to be evaluated before any other rule in the chain, insert it with -I as shown below (the chain name follows the switch, here INPUT):

# iptables -I INPUT -s 192.168.0.30 -j DROP

Some more examples
Create a rule to permit ssh connection from everyone to your local machine

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Create a rule to deny telnet access from everyone to your local machine

# iptables -A INPUT -p tcp --dport telnet -j DROP
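Whether a rule is appended or inserted matters because a chain is evaluated top to bottom and the first matching rule decides the packet's fate. The script below is an added example (not part of the original tutorial) that models that first-match evaluation for the tutorial's rules: `first_match` takes a packet described as "source protocol dport" and a rule list on stdin, and prints the target of the first rule that matches, or the chain policy when nothing does. The rule lists `RULES_APPENDED` and `RULES_INSERTED` are constructed here to mirror the DROP for 192.168.0.30 placed after (-A) or before (-I) the ssh ACCEPT rule.

```shell
#!/bin/sh
# Added example: first-match evaluation of an iptables chain.
# Rule lines are "src proto dport target"; "any" is a wildcard. The lists below
# are constructed for this example and are not iptables' own syntax.

# ssh ACCEPT was added first, then the DROP for 192.168.0.30 was appended (-A).
RULES_APPENDED='any tcp 22 ACCEPT
192.168.0.30 any any DROP'

# The same two rules, but the DROP was inserted (-I) ahead of the ssh rule.
RULES_INSERTED='192.168.0.30 any any DROP
any tcp 22 ACCEPT'

# first_match "src proto dport" [policy]   (rules on stdin)
# Prints the target of the first matching rule; otherwise the policy (default ACCEPT).
first_match() {
    pkt_src=${1%% *}; rest=${1#* }
    pkt_proto=${rest%% *}; pkt_dport=${rest#* }
    awk -v src="$pkt_src" -v proto="$pkt_proto" -v dport="$pkt_dport" \
        -v policy="${2:-ACCEPT}" '
        NF == 4 &&
        ($1 == "any" || $1 == src) &&
        ($2 == "any" || $2 == proto) &&
        ($3 == "any" || $3 == dport) { print $4; found = 1; exit }
        END { if (!found) print policy }
    '
}

# Stand-alone demo: the same ssh packet from the blocked host, two rule orders.
printf 'appended order: ' ; printf '%s\n' "$RULES_APPENDED" | first_match '192.168.0.30 tcp 22'
printf 'inserted order: ' ; printf '%s\n' "$RULES_INSERTED" | first_match '192.168.0.30 tcp 22'
```

With the appended order the ssh ACCEPT rule matches first, so 192.168.0.30 can still reach port 22 despite the DROP below it; with the inserted order the DROP wins. That is the whole reason to prefer -I when a block must take precedence over existing allow rules.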

 

Deleting rules

To delete a rule from a chain you need its line number.
For Example:

# iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  192.168.0.30         anywhere
2    ACCEPT     tcp  --  anywhere             anywhere          tcp spt:ssh
3    DROP       tcp  --  anywhere             anywhere          tcp dpt:telnet
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Suppose I want to delete the rule for source 192.168.0.30

# iptables -D INPUT 1

If you want to go the hard way, you can delete a rule by giving the complete rule specification along with the -D switch; the first rule that matches the specification is deleted.

# iptables -D INPUT -s 192.168.0.30 -j DROP

 

Replace rules

You can also replace a rule instead of deleting and recreating it when there is some change you want to make.
For example, in the case above, suppose we want to block communication from 192.168.0.25 instead of 192.168.0.30; we can simply replace rule 1 in place:

# iptables -R INPUT 1 -s 192.168.0.25 -j DROP

 

Saving or Restoring rules in iptables

# iptables-save (by default dumps the rules to STDOUT)
# iptables-restore (by default reads the rules from STDIN)

Example:

# iptables-save > rules.txt
# iptables-restore < rules.txt
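The file that iptables-save writes (and iptables-restore reads) is plain text, which makes it a convenient place to keep the rules from the "ACL syntax" and "Some Examples" sections under version control and to check them before they go live. The script below is an added example, not from the original tutorial: `gen_ruleset` writes the tutorial's three INPUT rules in iptables-save format, and `check_ruleset` performs a few offline sanity checks (every table block ends in COMMIT, every rule names a target) that need neither root nor the iptables binary. `BLOCKED_HOST` and the function names are chosen here; 192.168.0.30 is the tutorial's sample address.

```shell
#!/bin/sh
# Added example: produce and sanity-check an iptables-restore ruleset offline.
# BLOCKED_HOST defaults to the tutorial's sample source address.
BLOCKED_HOST="${BLOCKED_HOST:-192.168.0.30}"

# Emit the ruleset in the format iptables-save dumps and iptables-restore reads.
# Lines starting with '#' are comments to iptables-restore.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# 1. layer 3 only: drop everything from the blocked source
-A INPUT -s ${BLOCKED_HOST}/32 -j DROP
# 2. layer 4: permit ssh (tcp, destination port 22)
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# 3. layer 4: deny telnet (tcp, destination port 23)
-A INPUT -p tcp -m tcp --dport 23 -j DROP
COMMIT
EOF
}

# Read a ruleset on stdin; exit 0 when it is structurally sane, 1 otherwise.
# Checks: rules appear inside a *table block, every block is closed by COMMIT,
# every -A rule carries a -j target, and at least one rule is present.
check_ruleset() {
    awk '
        /^\*/      { intable = 1; next }
        /^COMMIT$/ { if (!intable) bad = 1; intable = 0; next }
        /^-A /     { if (!intable || $0 !~ / -j [A-Z]+/) bad = 1; rules++; next }
        END        { if (intable) bad = 1; exit ((bad || rules == 0) ? 1 : 0) }
    '
}

# Number of -A rules in a ruleset read from stdin.
count_rules() {
    awk '/^-A / { n++ } END { print n + 0 }'
}

# Stand-alone demo: write the file the tutorial restores, then check it.
gen_ruleset > rules.txt
if check_ruleset < rules.txt; then
    echo "rules.txt: $(count_rules < rules.txt) rules, structure OK"
else
    echo "rules.txt: malformed ruleset" >&2
fi
```

Once the file passes `check_ruleset`, load it on the host with `iptables-restore < rules.txt` exactly as the tutorial shows; the structural check is deliberately lightweight and does not replace the kernel-side validation that the real restore performs.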

 

Flushing rules

This term means deleting all the rules from all the chains (of the filter table, unless another table is named with -t).

# iptables -F

This command removes the rules only temporarily: once you restart the iptables service, all the rules come back to the default setup.