IP tables ( Linux Firewall) and basic guide to iptables commands

Iptables is pre-installed program in Linux which is default firewall application. All incoming and outgoing traffic is filtered by iptables. 

How does IPtables work

Before going any further note that in iptables you make a set of rules and all network traffic is compared against these set of rules. All traffic is matched against these rule sets. Once traffic matches with defined rule, an action is initiated on the specific packet (accept or drop). This initiated action is known as target.

Types of Chains

The set of rule we have mentioned above are built into chains. The traffic is matched against rules in sequence and when one set of does not match net set is checked for match. Once traffic is matched with one set of rule next set is not checked.

Linux has three types of Chains

Input Chains – Input chains deal with traffic which are targeted for your server.

Output Chain – This chain deals with all packets / traffic going out from your server.

Forward Chain – This chain is meant for packets and traffic not created on your server but are targeted for some other server.

These chains can have zero or more rules and an default policy. The packets which do not match any of the rules, this policy is applied. You can either Accept or Drop the packet by setting this policy.

IPv4 uses iptables, where as IPv6 uses ip6tables.

Basic IPtables commands

Start IPtables

To start iptable use following command in linux

systemctl start  iptables.service

Stop IPtables

To start iptable use following command in linux

systemctl stop  iptables.service

Restart IPtables

To start iptable use following command in linux

systemctl restart  iptables.service

Check status of IPtables

To start iptable use following command in linux

systemctl status  iptables.service

List existing IPtables rules

Below command will list existing IPtables rules on your server for a specific tables

iptables -t <table_name> -L

To view rules for filter table, use command syntax

iptables -t filter -L

Similarly for NAT table use command

iptables -t nat -L

iptables -L INPUT -n --line-numbers

Block port for network traffic with IPtable

The basic function on iptables is to block or open a specific port for network traffic. This can be done for both incoming and outgoing traffic.

To block outgoing traffic use command

iptables -A OUTPUT -p <traffic_type> --dport <xxx> -j DROP

To block incoming traffic use command

iptables -A INPUT -p <traffic_type> --dport <xxx> -j DROP

There are two variable in above command traffic_type will be replaced by tcp or udp depending of type of traffic you want to block. Second variable is port where xxx will be replaced by port number.

Open port for network traffic with IPtables

Blocked port by iptables can be opened by using below command. This can be done for both incoming and outgoing traffic.

To open outgoing traffic use command

iptables -A OUTPUT -p <traffic_type> --dport <xxx> -j ACCEPT

To open incoming traffic use command

iptables -A INPUT -p <traffic_type> --dport <xxx> -j ACCEPT

There are two variable in above command traffic_type will be replaced by tcp or udp depending of type of traffic you want to open to. Second variable is port where xxx will be replaced by port number.

Allow Specific Network Range on Particular Port on IPtables

Traffic on a network range can be either or blocked using iptables. Below is command where all traffic directed towards tcp port number 22 with destination to ip range of 192.168.124.0/24 is allowed. 

iptables -A OUTPUT -p tcp -d 192.168.124.0/24 --dport 22 -j ACCEPT

The second command here blocks all incoming traffic to eth0 interface for source IP range 192.168.1.0/24.

iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j DROP

Block specific ip address with iptables

To block incoming traffic from a specific ip address use command 

iptables -A INPUT -s <xxx.xxx.xxx.xxx> -j DROP

where <xxx.xxx.xxx.xxx> is ip address

Allow / Block specific mac address with iptables

To block incoming traffic from a specific mac address use command 

iptables -A INPUT -m mac --mac-source <xx:xx:xx:xx:xx:xx> -j DROP

where <xx:xx:xx:xx:xx:xx> should be replaced by mac address of system to be blocked

To allow incoming traffic from a specific mac address use command 

iptables -I INPUT -p tcp --dport 21 -m mac --mac-source <xx:xx:xx:xx:xx:xx> -j ACCEPT

Note: Using -A adds rule to end of command while using -I you can add rule to any number which you specify or simply at beginning of table if you don’t specify.