iptables is the command-line tool, present on practically every Linux distribution, that configures the kernel's netfilter packet filter; it is the traditional default firewall on Linux. All incoming and outgoing traffic (and forwarded traffic, if the host routes) is filtered by the rules it installs. Newer distributions have moved to nftables, but they ship an iptables compatibility front end (iptables-nft), so the commands below still work there.
How does IPtables work
Before going any further, note that iptables works with sets of rules, and every packet that enters or leaves the system is compared against these rules. When a packet matches a rule, the action that rule specifies (for example ACCEPT or DROP) is taken on that packet. This action is known as the target.
Types of Chains
The rules mentioned above are organised into chains. A packet is checked against the rules of a chain in sequence: if a rule does not match, the next one is checked; once a rule matches and its target is terminating (ACCEPT, DROP or REJECT), evaluation stops and the remaining rules are not examined. This first-match behaviour is why rule order matters: a rule placed after one that already matches the same traffic never fires.
The default filter table has three built-in chains:
INPUT chain – handles packets addressed to your server itself.
OUTPUT chain – handles all packets generated by your server and going out.
FORWARD chain – handles packets that were neither created by nor addressed to your server but are being routed through it to another host (only relevant when IP forwarding is enabled).
Each built-in chain can hold zero or more rules and has a default policy (set with the -P option). The policy is applied to packets that match none of the rules in the chain, and can be either ACCEPT or DROP. A DROP policy on INPUT with explicit ACCEPT rules for the services you offer is the usual deny-by-default setup.
IPv4 rules are managed with iptables, whereas IPv6 rules are managed with the separate ip6tables command. Rules added to one do not apply to the other, so a host reachable over IPv6 needs an equivalent rule set in ip6tables, or the IPv6 side stays unfiltered.
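The chains and default policies described above come together in a small host firewall like the one generated below. This is an added example, not code from the original page: it prints a minimal stateful ruleset in the iptables-save/iptables-restore format (INPUT and FORWARD default to DROP, OUTPUT to ACCEPT), accepting loopback, established connections, new SSH connections from an assumed admin network and ICMP echo, and then loads the file atomically with iptables-restore. The SSH port, the admin network, the save path and the function names are assumed values chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): generate and atomically load a
# baseline stateful ruleset. SSH port, admin network and save path are assumed.

# Print a complete ruleset in iptables-restore format. Order matters: the
# conntrack ESTABLISHED,RELATED rule comes first so replies are accepted before
# any later rule is consulted; whatever matches nothing hits the DROP policy.
baseline_ruleset() {
    ssh_port="${1:-22}"                 # assumed default SSH port
    admin_net="${2:-192.168.124.0/24}"  # assumed admin network
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback is always trusted
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened, plus related traffic (ICMP errors, FTP data)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (malformed, out of window) are dropped early
-A INPUT -m conntrack --ctstate INVALID -j DROP
# new SSH connections only from the admin network
-A INPUT -p tcp -s ${admin_net} --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
# echo-request so the host stays pingable
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# rate-limited log of what is about to fall through to the DROP policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Load the ruleset atomically. iptables-restore first parses the whole file
# without committing (--test) and then replaces the current rules in one step,
# so a typo never leaves the host half-configured. Requires root and iptables.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    baseline_ruleset "$@" > "$tmp"
    if iptables-restore --test "$tmp"; then
        iptables-restore "$tmp"
        rc=$?
    else
        echo "ruleset rejected, nothing changed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Save the running rules so they survive a reboot (path assumed; distributions
# differ in where their restore service looks).
save_ruleset() {
    iptables-save > /etc/iptables/rules.v4
}

case "${1-}" in
    --print) baseline_ruleset "${2-}" "${3-}" ;;
    --apply) apply_ruleset "${2-}" "${3-}" && save_ruleset ;;
esac
```

Run it with --print to review the generated file before touching the kernel, then as root with --apply followed by the SSH port and admin network. Keep an out-of-band console or a scheduled rollback (for example a delayed iptables -P INPUT ACCEPT) handy the first time you apply a DROP policy over SSH.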
Basic IPtables commands
Start IPtables
To start the iptables service, use the following command:
systemctl start iptables.service
Stop IPtables
To stop the iptables service, use the following command. Note that on the systems that provide this unit (the iptables-services package on RHEL, CentOS and Fedora) stopping it typically flushes all rules and resets the chain policies to ACCEPT, so the host is left unfiltered until the service is started again:
systemctl stop iptables.service
Restart IPtables
To restart the iptables service (which reloads the saved rules), use the following command:
systemctl restart iptables.service
Check status of IPtables
To check whether the iptables service is running, use the following command. Debian and Ubuntu do not ship an iptables.service unit; there the rules are saved and restored by the iptables-persistent package (netfilter-persistent.service), and the kernel filters packets according to the loaded rules whether or not any service is running:
systemctl status iptables.service
List existing IPtables rules
The command below lists the existing rules in a given table:
iptables -t <table_name> -L
To view the rules of the filter table (the default when -t is omitted), use:
iptables -t filter -L
Similarly, for the nat table use:
iptables -t nat -L
To list a single chain with addresses and ports shown numerically (-n skips the reverse DNS lookups that otherwise make the listing slow) and with each rule numbered, use:
iptables -L INPUT -n --line-numbers
The rule numbers are what -I and -D take when you need to insert a rule at a specific position or delete one. Adding -v to any listing shows the packet and byte counters of each rule, which is the quickest way to confirm whether a rule is actually matching.
Block port for network traffic with IPtable
The basic function of iptables is to block or open a specific port for network traffic. This can be done for both incoming and outgoing traffic.
To block outgoing traffic to a port (connections from this server to that port on other hosts), use:
iptables -A OUTPUT -p <traffic_type> --dport <xxx> -j DROP
To block incoming traffic to a port (connections from other hosts to that port on this server), use:
iptables -A INPUT -p <traffic_type> --dport <xxx> -j DROP
There are two variables in the above commands: <traffic_type> is replaced by tcp or udp depending on the type of traffic you want to block (the -p option is mandatory, since --dport only makes sense for a given protocol), and <xxx> is replaced by the port number. Because -A appends the rule at the end of the chain, it only takes effect if no earlier rule already accepts the same traffic.
Open port for network traffic with IPtables
A port blocked by iptables can be opened again using the commands below. This can be done for both incoming and outgoing traffic.
To open outgoing traffic to a port, use:
iptables -A OUTPUT -p <traffic_type> --dport <xxx> -j ACCEPT
To open incoming traffic to a port, use:
iptables -A INPUT -p <traffic_type> --dport <xxx> -j ACCEPT
There are two variables in the above commands: <traffic_type> is replaced by tcp or udp depending on the type of traffic you want to open, and <xxx> is replaced by the port number. Note that these commands append the ACCEPT rule at the end of the chain, so if a DROP rule for the same port is still present earlier in the chain, the DROP keeps winning and the port stays closed. Either delete the DROP rule (with -D and the rule's number or its exact specification) or insert the ACCEPT rule ahead of it with -I. An ACCEPT rule is only strictly needed when the chain's default policy is DROP; with an ACCEPT policy, removing the DROP rule is enough.
Allow Specific Network Range on Particular Port on IPtables
Traffic to or from a network range can be either allowed or blocked using iptables. The command below allows all outgoing TCP traffic to port 22 (SSH) on hosts in the 192.168.124.0/24 range:
iptables -A OUTPUT -p tcp -d 192.168.124.0/24 --dport 22 -j ACCEPT
The second command blocks all incoming traffic arriving on the eth0 interface from the source range 192.168.1.0/24 (-i names the interface, -s the source network):
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j DROP
Block specific ip address with iptables
To block incoming traffic from a specific IP address, use:
iptables -A INPUT -s <xxx.xxx.xxx.xxx> -j DROP
where <xxx.xxx.xxx.xxx> is the IP address; a network in CIDR notation is accepted in the same place. As with any -A rule, place it before (or remove) any earlier rule that would accept the traffic, otherwise it never fires.
Allow / Block specific mac address with iptables
To block incoming traffic from a specific MAC address, use:
iptables -A INPUT -m mac --mac-source <xx:xx:xx:xx:xx:xx> -j DROP
where <xx:xx:xx:xx:xx:xx> is replaced by the MAC address of the system to be blocked.
To allow incoming traffic from a specific MAC address, use the command below, which allows that machine to reach TCP port 21 (FTP):
iptables -I INPUT -p tcp --dport 21 -m mac --mac-source <xx:xx:xx:xx:xx:xx> -j ACCEPT
Two caveats apply to MAC matching. The mac module is only valid in the INPUT, FORWARD and PREROUTING chains, and the source MAC it sees is that of the last hop, so it only identifies hosts on the same Ethernet segment; traffic from behind a router carries the router's MAC. MAC addresses are also trivial to spoof, so this is a convenience filter, not an authentication control.
Note: -A appends the rule at the end of the chain, while -I inserts it at the position number you specify, or at the top of the chain if you do not give one. Since the first matching rule wins, an ACCEPT rule inserted with -I takes precedence over any DROP rule already in the chain, which is why the allow rule above uses -I.
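Both the procedure for opening a port and the note on -A versus -I rest on the same fact: the first matching rule in a chain wins. The script below is an added example, not code from the original page. It parses the output of iptables -L INPUT -n --line-numbers to find the number of a DROP rule for a given port, deletes that rule by number, and only then adds the ACCEPT rule, checking with -C first so repeated runs do not pile up duplicates. A constructed sample listing is embedded so the lookup can be exercised without root; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): open a TCP port correctly when a
# DROP rule for it already sits earlier in the INPUT chain. Function names and
# the sample listing below are assumptions for illustration.

# Constructed sample of `iptables -L INPUT -n --line-numbers` output. Rule 3 is
# an ACCEPT that was appended after the DROP in rule 2 and is therefore
# shadowed. Real listings differ between iptables versions (newer builds print
# the protocol number, e.g. 6, instead of "tcp"), so the parser keys on the
# target column and the "dpt:<port>" match text, not on the prot column.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80'

# find_rule_num LISTING TARGET PORT
# Prints the number of the first rule in LISTING whose target is TARGET and
# which matches destination port PORT exactly; prints nothing if none does.
find_rule_num() {
    printf '%s\n' "$1" | awk -v tgt="$2" -v port="$3" '
        $1 ~ /^[0-9]+$/ && $2 == tgt && $0 ~ ("dpt:" port "( |$)") { print $1; exit }'
}

# open_tcp_port PORT  (requires root and iptables)
open_tcp_port() {
    port="$1"
    listing=$(iptables -L INPUT -n --line-numbers)
    # Rule numbers shift after every deletion, so re-read the listing each
    # time instead of deleting several numbers from one snapshot.
    while n=$(find_rule_num "$listing" DROP "$port"); [ -n "$n" ]; do
        iptables -D INPUT "$n"
        listing=$(iptables -L INPUT -n --line-numbers)
    done
    # -C reports whether an identical rule exists; append only if it does not.
    # Appending is correct here only because the chain relies on its DROP
    # policy; with a catch-all "-j DROP" rule at the end you would use
    # "-I INPUT <n>" with the number of that rule instead.
    if ! iptables -C INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT 2>/dev/null; then
        iptables -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    fi
}

case "${1-}" in
    --open) open_tcp_port "$2" ;;
esac
```

Against the sample listing, find_rule_num with DROP and 22 returns 2 (the shadowing rule), and the same call for port 443 returns nothing, which is what makes the deletion loop terminate. Running the script as root with --open 22 removes rule 2 and leaves a single ACCEPT in place.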