LinuxCommandLibrary

iptables

Configure Linux firewall rules

TLDR

View chains, rules, packet/byte counters and line numbers for the filter table

$ sudo iptables [[-vnL --line-numbers|--verbose --numeric --list --line-numbers]]

Set the default policy (target) of a built-in chain, applied when no rule matches
$ sudo iptables [[-P|--policy]] [chain] [target]

Append a rule to a chain that matches a source IP and jumps to a target (e.g. ACCEPT or DROP)
$ sudo iptables [[-A|--append]] [chain] [[-s|--source]] [ip] [[-j|--jump]] [target]

Append a rule that matches a source IP, protocol and destination port (--dport requires -p)
$ sudo iptables [[-A|--append]] [chain] [[-s|--source]] [ip] [[-p|--protocol]] [tcp|udp|icmp|...] --dport [port] [[-j|--jump]] [target]

Add a NAT rule to translate all traffic from the 192.168.0.0/24 subnet to the host's public IP
$ sudo iptables [[-t|--table]] [nat] [[-A|--append]] [POSTROUTING] [[-s|--source]] [192.168.0.0/24] [[-j|--jump]] [MASQUERADE]

Delete a rule from a chain by its line number (as shown by the first command above)
$ sudo iptables [[-D|--delete]] [chain] [rule_line_number]

SYNOPSIS

iptables [-t table] command [chain] [match-options] [-j target]

Common commands:
  iptables -A chain rule-specification -j target (Append a rule)
  iptables -L [chain] (List rules)
  iptables -F [chain] (Flush rules)
  iptables -P chain target (Set default policy)

PARAMETERS

-t table
    Specifies the table to operate on (e.g., 'filter', 'nat', 'mangle', 'raw'). Default is 'filter'.

-A, --append chain
    Appends one or more rules to the end of the specified chain.

-I, --insert chain [rulenum]
    Inserts one or more rules at the specified position in the chain (default is 1, the beginning).

-D, --delete chain rule-specification / rulenum
    Deletes one or more rules from the specified chain, either by specification or by rule number.

-L, --list [chain]
    Lists all rules in the specified chain, or all chains if none is specified.

-F, --flush [chain]
    Flushes (deletes all rules from) the specified chain, or all chains if none is specified.

-P, --policy chain target
    Sets the default policy for a built-in chain (e.g., ACCEPT, DROP).

-j, --jump target
    Specifies the action to take if the packet matches the rule (e.g., ACCEPT, DROP, REJECT, LOG, or a user-defined chain).

-p, --protocol [protocol]
    Matches the specified protocol (e.g., 'tcp', 'udp', 'icmp', 'all').

-s, --source address[/mask]
    Matches if the packet's source IP address falls within the specified address or subnet.

-d, --destination address[/mask]
    Matches if the packet's destination IP address falls within the specified address or subnet.

-i, --in-interface name
    Matches if the packet was received from the specified interface (e.g., 'eth0', 'lo').

-o, --out-interface name
    Matches if the packet is going out through the specified interface.

-m, --match module
    Loads an extension match module (e.g., 'conntrack', its older form 'state', 'tcp', 'udp', 'limit').

DESCRIPTION

iptables is a user-space utility program that allows a system administrator to configure the IP packet filter ruleset of the Linux kernel firewall, known as Netfilter. It operates by defining rules that dictate how network packets are handled, such as accepting, dropping, or rejecting them based on various criteria. These rules are organized into logical structures called chains, which are themselves grouped into tables. Common tables include 'filter' (for general packet filtering), 'nat' (for Network Address Translation), and 'mangle' (for altering packet headers). iptables is a powerful and essential tool for securing Linux systems, controlling network access, and implementing complex networking functions like port forwarding and masquerading. It supports both stateless and stateful packet filtering, making it highly versatile.

CAVEATS
  • Complexity and Learning Curve: iptables has a steep learning curve due to its extensive options, multiple tables, chains, and various match/target extensions.

  • Rule Persistence: Rules configured with iptables are by default volatile and reside only in memory. They must be explicitly saved (e.g., using iptables-save) and restored (e.g., using iptables-restore or system-specific services) to survive a reboot.

  • Order Matters: The order of rules within a chain is crucial. A packet is evaluated against rules sequentially, and the first matching rule with a terminating target determines the packet's fate.

  • Potential for Network Disruption: Misconfigurations can easily lead to network connectivity loss, locking out administrators, or creating security vulnerabilities.

  • Successor Technology: While still widely used, iptables is gradually being superseded by nftables in newer Linux distributions, which offers a unified framework for packet filtering across IPv4, IPv6, and Ethernet bridges.
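The commands from the TLDR section and the caveats above (rule order, persistence via iptables-save/iptables-restore, and the risk of locking yourself out) combined into one workflow, as an added example that is not from the page or the iptables project. It assumes an admin subnet of 203.0.113.0/24, SSH on port 22 and a backup path under /tmp (all placeholders), root privileges, and an iptables-restore that supports --test.

```shell
#!/bin/sh
# Added example, not from the page: build a minimal stateful INPUT ruleset in
# iptables-restore format, parse-check it, load it atomically, and arm a
# rollback timer. ADMIN_NET, SSH_PORT and BACKUP are placeholder assumptions.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"
SSH_PORT="${SSH_PORT:-22}"
BACKUP="${BACKUP:-/tmp/iptables.before}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Emit the *filter table. Order matters: loopback and established traffic are
# accepted first, new SSH from the admin subnet next, and the trailing
# rate-limited LOG plus DROP handle everything no earlier rule claimed.
build_filter_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s ${ADMIN_NET} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix "IPT-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# Number of -A rules in the generated table, for a quick pre-apply review.
count_rules() { build_filter_ruleset | grep -c '^-A '; }

# Snapshot the live ruleset, validate the new one, load it, then start a
# background rollback. Run confirm_ruleset from a fresh SSH session to keep
# the new rules; otherwise the snapshot is restored when the timer expires.
apply_ruleset() {
    iptables-save > "$BACKUP" || return 1
    build_filter_ruleset | iptables-restore --test || return 1
    build_filter_ruleset | iptables-restore || return 1
    ( sleep "$ROLLBACK_SECS"; [ -e "$BACKUP" ] && iptables-restore < "$BACKUP" ) &
    echo "$!" > "${BACKUP}.timer"
}

# Cancel the rollback once a new session has confirmed the rules work.
confirm_ruleset() {
    kill "$(cat "${BACKUP}.timer")" 2>/dev/null
    rm -f "$BACKUP" "${BACKUP}.timer"
}
```

Review the output of `build_filter_ruleset` before calling `apply_ruleset`; because iptables-restore replaces the whole filter table in one step, there is no window where only half of the rules are active.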

TABLES AND CHAINS EXPLAINED

iptables organizes rules into tables, each serving a specific purpose. The most common are:
  filter: The default table, used for general packet filtering (ACCEPT, DROP, REJECT).
  nat: Used for Network Address Translation (e.g., masquerading, port forwarding).
  mangle: Used for altering packet headers (e.g., TTL, TOS).
  raw: For very early processing of packets, before connection tracking.

Within each table, rules are grouped into chains. Built-in chains correspond to specific points in the packet flow, such as INPUT (for packets destined for the local host), OUTPUT (for packets originating from the local host), and FORWARD (for packets routed through the local host); the nat, mangle and raw tables additionally provide PREROUTING and POSTROUTING, which see packets before and after the routing decision. Users can also create their own custom chains for better organization.

COMMON TARGETS

When a packet matches a rule, a target determines the action to take. Common targets include:
  ACCEPT: Allow the packet to pass.
  DROP: Silently discard the packet (no response sent).
  REJECT: Discard the packet and send an error message back to the sender (e.g., ICMP port unreachable).
  LOG: Log information about the packet to the kernel log.
  RETURN: Stop traversing the current chain and resume at the calling chain.
  Custom Chains: Jump to a user-defined chain for further processing.

HISTORY

iptables is part of the Netfilter project, which fundamentally rewrote Linux's packet filtering capabilities. It was introduced in Linux kernel 2.4 (released in 2001), replacing its predecessors: ipfwadm (Linux 2.0, 1996) and ipchains (Linux 2.2, 1999).

The main improvements of iptables over ipchains included:
  Full stateful firewall capabilities (connection tracking).
  More flexible and extensible architecture through modules for various match criteria and targets.
  Introduction of separate tables for different functionalities (filter, nat, mangle, raw).

For nearly two decades, iptables remained the standard Linux firewall utility. However, with the increasing complexity of network configurations and the need for a unified approach across different IP versions, nftables began to emerge as its successor, starting development around 2008 and becoming more prominent from kernel 3.13 (2014) onwards. Despite the rise of nftables, iptables remains widely deployed and actively maintained, often running as a compatibility layer on systems primarily using nftables.

SEE ALSO

iptables-save(8), iptables-restore(8), ip6tables(8), nft(8), ufw(8), firewalld(1)
