LinuxCommandLibrary

iptables

Configure Linux firewall rules

TLDR

View chains, rules, packet/byte counters and line numbers for the filter table

$ sudo iptables [[-vnL --line-numbers|--verbose --numeric --list --line-numbers]]

Set the default policy (target) of a chain
$ sudo iptables [[-P|--policy]] [chain] [target]

Append a rule to a chain that matches packets from a source IP address
$ sudo iptables [[-A|--append]] [chain] [[-s|--source]] [ip] [[-j|--jump]] [target]

Append a rule to a chain that matches packets from a source IP address, protocol and destination port
$ sudo iptables [[-A|--append]] [chain] [[-s|--source]] [ip] [[-p|--protocol]] [tcp|udp|icmp|...] --dport [port] [[-j|--jump]] [target]

Add a NAT rule to translate all traffic from the 192.168.0.0/24 subnet to the host's public IP
$ sudo iptables [[-t|--table]] [nat] [[-A|--append]] [POSTROUTING] [[-s|--source]] [192.168.0.0/24] [[-j|--jump]] [MASQUERADE]

Delete a rule from a chain by its line number (as shown by --line-numbers)
$ sudo iptables [[-D|--delete]] [chain] [rule_line_number]

SYNOPSIS

iptables [-t table] [-A|-I chain rule-specification] [-D chain rule-specification] [-R chain rule-number rule-specification] [-S [chain]] [-F [chain]] [-Z [chain]] [-L [chain] [-v [-v]] [-x] [-n] [--line-numbers] [-N chain] [-X [chain]] [-P chain target] [-E old-chain-name new-chain-name] [-h|--help]

PARAMETERS

-t table
    Specifies the table to use (e.g., filter, nat, mangle, raw, security). Default is 'filter'.

-A chain
    Appends a new rule to the end of the specified chain.

-I chain [rulenum]
    Inserts a new rule into the specified chain at the given position (rulenum). If rulenum is omitted, the rule is inserted at the beginning.

-D chain rule-specification
    Deletes a rule from the specified chain. rule-specification can be either the rule number or the rule itself.

-R chain rulenum rule-specification
    Replaces a rule in the specified chain at the given position (rulenum).

-S [chain]
    Prints all rules in the selected chain. If no chain is specified, all rules in all chains are printed.

-F [chain]
    Flushes (deletes all rules from) the specified chain. If no chain is specified, all chains are flushed.

-Z [chain]
    Zeros the packet and byte counters for all rules in the specified chain. If no chain is specified, all chains are zeroed.

-L [chain]
    Lists the rules in the specified chain. If no chain is specified, all chains are listed.

-v
    Verbose output.

-x
    Expand numbers (don't abbreviate bytes, packets and so on).

-n
    Numeric output. Don't try to resolve hostnames or services.

--line-numbers
    Show line numbers when listing rules.

-N chain
    Creates a new chain with the given name.

-X [chain]
    Deletes the specified empty chain. If no chain is specified, all user-defined chains are deleted.

-P chain target
    Sets the policy for the specified chain to the given target. The target must be one of the built-in targets: ACCEPT, DROP, REJECT, or RETURN.

-E old-chain-name new-chain-name
    Renames the specified chain.

-h|--help
    Displays help information.

DESCRIPTION

iptables is a command-line utility used to configure the IPv4 packet filter ruleset of the Linux kernel's netfilter firewall. It acts as the interface for managing the tables, chains, and rules that govern how network traffic is handled. These rules specify criteria for matching packets and actions to be taken on matching packets, such as accepting, dropping, or modifying them.

Essentially, iptables allows system administrators to define policies for network security, including filtering traffic based on source/destination IP addresses, ports, protocols, and more. It's a powerful tool for creating firewalls, network address translation (NAT), and other network security configurations. It operates by traversing a set of pre-defined tables and chains containing rules, providing a flexible way to manage network traffic flow.

The user interacts with iptables by creating and modifying rules which are stored in the kernel's memory.

CAVEATS

Iptables requires root privileges to run. Rules are not persistent across reboots unless saved (e.g., using `iptables-save` and `iptables-restore`). Iptables can be complex to configure correctly, and misconfigurations can lock you out of the system.
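The caveats above (rules vanish on reboot, misordered rules lock you out) are easiest to handle by writing the whole ruleset in iptables-restore(8) format, reviewing it, and loading it atomically rather than issuing one `-A` at a time. The script below is an added example, not part of this page or the iptables project; it generates a default-deny INPUT ruleset in which the rules that keep an administrator's session alive precede everything that drops. The management subnet, SSH port and the conntrack/limit/LOG match extensions are assumptions.

```shell
#!/bin/sh
# Added example: emit a default-deny IPv4 filter ruleset in iptables-restore
# format. Review it, then load it as root with iptables-restore (see note).

MGMT_NET="10.0.0.0/24"   # constructed placeholder: admin network allowed to reach SSH
SSH_PORT=22              # assumed SSH port

# Print the ruleset. Order matters: loopback and already-tracked connections
# are accepted before the DROP policy can bite an existing admin session.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s ${MGMT_NET} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Review helper: how many rules open a path for NEW inbound connections?
# Anything above the expected count deserves a second look before loading.
count_new_accepts() {
    gen_ruleset | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Pre-load sanity check: INPUT policy is DROP and an SSH path for admins exists.
verify_ruleset() {
    rules=$(gen_ruleset)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- "--dport ${SSH_PORT} .*-j ACCEPT" || return 1
    printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
    return 0
}

# Usage as root, after review (iptables-restore --test parses without committing):
#   gen_ruleset > /tmp/rules.v4 && iptables-restore --test /tmp/rules.v4 \
#       && iptables-restore /tmp/rules.v4 && iptables-save > /etc/iptables/rules.v4
```

Loading through iptables-restore replaces the table in one step, so the kernel never sits in a half-built state where the DROP policy is active but the SSH exception has not been added yet.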

TARGETS

Targets specify what to do with a packet that matches a rule. Common targets include:
ACCEPT: Allow the packet.
DROP: Silently drop the packet.
REJECT: Drop the packet and send an ICMP error message back to the sender.
RETURN: Stop traversing the current chain and resume processing in the previous chain.
Other targets, such as MASQUERADE in the nat table, rewrite or redirect a packet rather than simply accepting or dropping it.

TABLES

Iptables organizes rules into different tables, each serving a specific purpose:
filter: Default table; used for general packet filtering.
nat: Used for Network Address Translation (NAT).
mangle: Used for altering packet headers (e.g., TTL).
raw: Used for configuring exemptions from connection tracking.
security: For Mandatory Access Control (MAC) networking rules, such as those enabled by SELinux.

HISTORY

iptables replaced ipchains in Linux 2.4 as the primary tool for managing the netfilter firewall. Its development stemmed from the need for a more flexible and extensible firewall framework. iptables quickly became a standard tool for system administrators, enabling complex network security configurations. More recently, nftables has been designed as the successor to iptables.

SEE ALSO

iptables-save(8), iptables-restore(8), netfilter(3), nft(8)
