iptables
Configure Linux firewall rules
TLDR
View chains, rules, packet/byte counters and line numbers for the filter table
Set the default policy (ACCEPT or DROP) of a built-in chain
Append a rule to a chain that matches a source IP address and applies a target
Append a rule to a chain that matches a source IP address, a protocol and a destination port
Add a NAT rule to translate all traffic from the 192.168.0.0/24 subnet to the host's public IP
Delete a rule from a chain, by rule number or by restating the rule specification
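The operations in the TLDR, written as one iptables-restore(8) file rather than typed rule by rule, so the complete ruleset can be reviewed, parse-checked and loaded atomically. This is an added example, not code from the original page or the iptables project; the SSH port, the LAN subnet 192.168.0.0/24 and the WAN interface eth0 are assumed values.

```shell
#!/bin/sh
# Added example (not part of the original page): the TLDR operations above,
# rendered as an iptables-restore(8) file so the whole ruleset can be reviewed,
# syntax-checked and loaded in one atomic step instead of being typed rule by
# rule. The SSH port, LAN subnet and WAN interface are assumed values.
set -eu

# render_ruleset SSH_PORT LAN_CIDR WAN_IF
# Emits two tables on stdout:
#   filter: INPUT/FORWARD default DROP; allow loopback, replies to existing
#           connections, and new SSH connections; forward LAN -> WAN
#   nat:    MASQUERADE (SNAT to the WAN address) for traffic from LAN_CIDR
# The ESTABLISHED,RELATED rule comes first so switching INPUT to DROP does not
# cut the session that loads the rules.
render_ruleset() {
    ssh_port=$1 lan_cidr=$2 wan_if=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${ssh_port} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s ${lan_cidr} -o ${wan_if} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${lan_cidr} -o ${wan_if} -j MASQUERADE
COMMIT
EOF
}

# policy_of TABLE CHAIN: read a ruleset on stdin and print that chain's policy,
# e.g. `render_ruleset 22 192.168.0.0/24 eth0 | policy_of filter INPUT` -> DROP
policy_of() {
    awk -v table="*$1" -v chain=":$2" '
        $1 == table    { in_table = 1; next }
        $1 == "COMMIT" { in_table = 0; next }
        in_table && $1 == chain { print $2; exit }'
}

# Typical use (as root):
#   sh rules.sh > /tmp/rules.v4
#   iptables-restore --test < /tmp/rules.v4     # parse only, commit nothing
#   iptables-restore < /tmp/rules.v4            # replace both tables atomically
#   iptables -t filter -nvL --line-numbers      # TLDR: inspect with counters
render_ruleset "${SSH_PORT:-22}" "${LAN_CIDR:-192.168.0.0/24}" "${WAN_IF:-eth0}"
```

iptables-restore flushes each table named in the file before loading it, so the file is the complete state of those tables; nothing from an earlier interactive session survives in them, which is exactly what you want when a stray -A ACCEPT might otherwise sit above your DROP rules.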
SYNOPSIS
iptables [-t table] [-A|-I chain rule-specification] [-D chain rule-specification] [-R chain rule-number rule-specification] [-S [chain]] [-F [chain]] [-Z [chain]] [-L [chain] [-v [-v]] [-x] [-n] [--line-numbers] [-N chain] [-X [chain]] [-P chain target] [-E old-chain-name new-chain-name] [-h|--help]
PARAMETERS
-t table
Specifies the table to use (e.g., filter, nat, mangle, raw, security). Default is 'filter'.
-A chain
Appends a new rule to the end of the specified chain.
-I chain [rulenum]
Inserts a new rule into the specified chain at the given position (rulenum). If rulenum is omitted, the rule is inserted at position 1, the top of the chain, so it is evaluated before every existing rule.
-D chain rule-specification
Deletes a rule from the specified chain. rule-specification can be either the rule number or the rule itself.
-R chain rulenum rule-specification
Replaces a rule in the specified chain at the given position (rulenum).
-S [chain]
Prints the rules in the selected chain as iptables command lines (the same format iptables-save uses), which makes it easy to copy a rule into a -D or -I command. If no chain is specified, all rules in all chains are printed.
-F [chain]
Flushes (deletes all rules from) the specified chain. If no chain is specified, all chains in the table are flushed. Flushing leaves the chain policy in place: flushing INPUT while its policy is DROP drops all inbound traffic, including the session you are typing in.
-Z [chain]
Zeros the packet and byte counters for all rules in the specified chain. If no chain is specified, all chains are zeroed.
-L [chain]
Lists the rules in the specified chain. If no chain is specified, all chains are listed.
-v
Verbose output: adds interface names, rule options, and per-rule packet and byte counters to -L listings.
-x
Expand numbers (don't abbreviate bytes, packets and so on).
-n
Numeric output. Don't try to resolve hostnames or services.
--line-numbers
Show line numbers when listing rules.
-N chain
Creates a new chain with the given name.
-X [chain]
Deletes the specified user-defined chain, which must be empty and not referenced by any rule. If no chain is specified, every user-defined chain is deleted.
-P chain target
Sets the policy for the specified built-in chain: the target applied to packets that reach the end of the chain without matching a terminating rule. The policy must be ACCEPT or DROP; REJECT, RETURN and user-defined chains are not valid policies.
-E old-chain-name new-chain-name
Renames the specified chain.
-h|--help
Displays help information.
DESCRIPTION
iptables is the command-line utility for the IPv4 packet filter of the Linux kernel's netfilter framework (ip6tables is the IPv6 counterpart). It manages the tables, chains and rules that decide how network traffic is handled: each rule pairs a match (source/destination address, protocol, port, interface, connection state and more) with a target that says what to do with matching packets, such as accepting, dropping, logging or rewriting them.
A packet traverses the chains of each table it passes through (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING) rule by rule, in order. The first rule whose match fits and whose target is terminating (ACCEPT, DROP, REJECT, a NAT target) decides the packet's fate; non-terminating targets such as LOG act on the packet and evaluation continues. A packet that reaches the end of a built-in chain without a terminating match gets the chain's policy. Rule order is therefore a security property: an ACCEPT placed above a DROP neutralizes it. This makes iptables the tool for building host firewalls, network address translation (NAT) and related traffic policy on Linux.
The user interacts with iptables by creating and modifying rules at runtime; the rules are stored in kernel memory, and iptables-save(8) and iptables-restore(8) serialize and reload them.
CAVEATS
iptables requires root privileges (the CAP_NET_ADMIN and CAP_NET_RAW capabilities). Rules live only in kernel memory and are lost at reboot unless saved with iptables-save and reloaded at boot with iptables-restore (distributions wrap this in services such as iptables-persistent or netfilter-persistent). Rules are evaluated in order, so the position of a rule matters as much as its content, and flushing a chain whose policy is DROP blocks everything until rules are re-added. Misconfigurations on a remote host can lock you out: test new rulesets from a console or with a timed rollback (iptables-apply(8) does this for you), and accept ESTABLISHED traffic before switching INPUT to DROP. On current distributions the iptables binary may be the nf_tables-backed variant (iptables -V reports (nf_tables) or (legacy)); rules managed with one backend are not listed by the other, which leads to confusing "missing" rules when both are in use.
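The lock-out caveat is usually handled with a timed rollback: snapshot the running rules, start a watchdog that restores the snapshot after a delay, load the new rules, and cancel the watchdog only once you have proven the host is still reachable. The function below is an added example of that pattern, in the spirit of iptables-apply(8), and is not code from the original page or the iptables project. It reads the iptables-save and iptables-restore command names from variables so the control flow can be exercised with stubs; STATE_DIR and the rules path in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the original page or the iptables project): load a
# ruleset with an automatic rollback, the way iptables-apply(8) does. If the new
# rules cut off the session you are working from, the previous ruleset is
# restored after DELAY seconds unless confirm_rules is run first. The
# save/restore commands are taken from variables so the flow can be exercised
# with stubs; the defaults are the real tools and need root. STATE_DIR is a
# hypothetical location.
set -eu

IPTABLES_SAVE=${IPTABLES_SAVE:-iptables-save}
IPTABLES_RESTORE=${IPTABLES_RESTORE:-iptables-restore}
STATE_DIR=${STATE_DIR:-/run/iptables-safe-apply}

# safe_apply NEW_RULES DELAY
#   1. snapshot the running ruleset with iptables-save
#   2. parse-check NEW_RULES (iptables-restore --test commits nothing), so a
#      syntax error aborts here instead of leaving tables half-loaded
#   3. start a watchdog that restores the snapshot after DELAY seconds
#   4. load the new rules
# Prints the watchdog PID. Run confirm_rules before DELAY expires to keep
# the new rules.
safe_apply() {
    new_rules=$1 delay=$2
    mkdir -p "$STATE_DIR"
    backup="$STATE_DIR/backup.rules"
    confirmed="$STATE_DIR/confirmed"
    rm -f "$confirmed"
    "$IPTABLES_SAVE" > "$backup"
    "$IPTABLES_RESTORE" --test < "$new_rules"
    (
        i=0
        while [ "$i" -lt "$delay" ]; do
            [ -e "$confirmed" ] && exit 0   # admin still has access: keep new rules
            sleep 1
            i=$((i + 1))
        done
        "$IPTABLES_RESTORE" < "$backup"    # no confirmation: roll back
    ) > "$STATE_DIR/watchdog.log" 2>&1 &
    echo $!
    "$IPTABLES_RESTORE" < "$new_rules"
}

# confirm_rules: run from the still-working session to cancel the rollback.
confirm_rules() {
    touch "$STATE_DIR/confirmed"
}

# Typical use (as root; /etc/iptables/rules.v4 is an example path):
#   pid=$(safe_apply /etc/iptables/rules.v4 60)
#   # open a second SSH session to prove the host is still reachable, then:
#   confirm_rules
```

The watchdog is started before the new rules are loaded, so it also covers the case where the load itself hangs or the session dies mid-way; the confirmation is a file rather than a signal so it can be sent from any shell on the host, including one that did not start the watchdog.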
TARGETS
Targets specify what to do with a packet that matches a rule (-j target). The built-in targets are:
ACCEPT: Let the packet through; evaluation of the chain stops.
DROP: Silently discard the packet; the sender sees only a timeout.
REJECT: Discard the packet and send an error back to the sender, by default an ICMP port-unreachable; --reject-with tcp-reset returns a TCP RST instead, which lets TCP clients fail immediately rather than hang. REJECT is an extension target (iptables-extensions(8)) and cannot be used as a chain policy.
RETURN: Stop traversing the current chain and continue in the calling chain at the rule after the jump; in a built-in chain, RETURN applies the chain policy.
A target may also be the name of a user-defined chain to jump to. Extension targets add logging (LOG, which is non-terminating, so evaluation continues with the next rule) and address rewriting in the nat table: SNAT and MASQUERADE rewrite the source address, DNAT and REDIRECT rewrite the destination.
TABLES
Iptables organizes rules into different tables, each serving a specific purpose:
filter: Default table; used for general packet filtering.
nat: Used for Network Address Translation (NAT).
mangle: Used for altering packet headers (e.g., TTL, TOS/DSCP) and for marking packets (MARK) so that later rules or policy routing can act on the mark.
raw: Processed before connection tracking; used for configuring exemptions from conntrack (the NOTRACK/CT target) for traffic that should not consume connection-tracking entries.
security: For Mandatory Access Control (MAC) networking rules, such as those enabled by SELinux.
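Because a built-in chain's policy decides every packet that no rule matches, and because the nat table rewrites traffic silently, the first thing to check in an unfamiliar ruleset is the policies of filter INPUT/FORWARD, which INPUT ports are open to any source, and whether masquerading is bound to an outbound interface. The audit below is an added example, not code from the original page or the iptables project; it parses iptables-save(8) output (an iptables-save dump is constructed inline for illustration) and reports those three conditions.

```shell
#!/bin/sh
# Added example (not part of the original page): audit an iptables-save(8)
# dump for the table and target settings that most often leave a host exposed.
# SAMPLE_DUMP is constructed for illustration; on a real host run
#   sudo iptables-save | audit_ruleset
set -eu

SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT'

# audit_ruleset: reads a dump on stdin and prints one finding per line
# ("SEVERITY table/chain message"). Checks:
#   HIGH   filter INPUT or FORWARD with policy ACCEPT: anything unmatched, and
#          everything after a -F, is let through
#   MEDIUM filter INPUT rule that ACCEPTs a port with no -s restriction
#   LOW    nat POSTROUTING MASQUERADE/SNAT with no -o: source rewriting applies
#          to traffic leaving on every interface, internal ones included
audit_ruleset() {
    awk '
        /^\*/          { table = substr($1, 2); next }
        $1 == "COMMIT" { table = ""; next }
        table == "filter" && $1 ~ /^:(INPUT|FORWARD)$/ && $2 == "ACCEPT" {
            printf "HIGH filter/%s default policy is ACCEPT\n", substr($1, 2)
        }
        table == "filter" && $1 == "-A" && $2 == "INPUT" {
            src = ""; port = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") { src = $(i + 1) } else if ($i == "--dport") { port = $(i + 1) } else if ($i == "-j") { target = $(i + 1) }
            }
            if (target == "ACCEPT" && port != "" && src == "") {
                printf "MEDIUM filter/INPUT port %s accepted from any source\n", port
            }
        }
        table == "nat" && $1 == "-A" && $2 == "POSTROUTING" {
            oif = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-o") { oif = $(i + 1) } else if ($i == "-j") { target = $(i + 1) }
            }
            if ((target == "MASQUERADE" || target == "SNAT") && oif == "") {
                printf "LOW nat/POSTROUTING %s without -o rewrites traffic leaving on every interface\n", target
            }
        }'
}

# count_findings SEVERITY: number of findings of that severity in SAMPLE_DUMP
count_findings() {
    printf '%s\n' "$SAMPLE_DUMP" | audit_ruleset | grep -c "^$1 " || true
}

printf '%s\n' "$SAMPLE_DUMP" | audit_ruleset
```

On the constructed dump this reports both filter policies as HIGH, the world-open SSH and MySQL ports as MEDIUM (the PostgreSQL rule passes because it is restricted to 10.0.0.0/8), and the unbound MASQUERADE as LOW; a ruleset with DROP policies and source-restricted accepts produces no findings.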
HISTORY
iptables replaced ipchains in Linux 2.4 (2001) as the primary tool for managing the netfilter firewall; its separate tables and loadable match and target extensions addressed the monolithic design of ipchains. It quickly became the standard firewall tool for Linux administrators, enabling complex filtering and NAT configurations. Its designated successor is nftables (merged in Linux 3.13 in 2014 and managed with nft(8)), which replaces the per-protocol x_tables modules with a single rule engine; current iptables releases can run on that engine (iptables-nft), and iptables-translate(8) converts iptables rules to nft syntax.
SEE ALSO
iptables-save(8), iptables-restore(8), iptables-apply(8), iptables-extensions(8), ip6tables(8), netfilter(3), nft(8)