
iptables Command in Linux
The iptables command is an administration tool that configures IPv4 packet filtering and Network Address Translation (NAT). IPv4 packet filtering controls the flow of network packets using predefined rules for enhanced security. Each packet's header includes details such as IP addresses, ports, and protocol type, which iptables examines to decide how the packet should be handled.
Network Address Translation (NAT) is a process that modifies the IP address information in the headers of IP packets as they pass through a router or firewall. It allows multiple devices on a private network to share a single public IP address when accessing external networks. The iptables command also manages the NAT.
Here is a comprehensive guide to the options available with the iptables command −
Syntax of iptables Command
The syntax of the iptables command is as follows −
iptables -t [table] [command] [chain] [options] -j [target]
In the above syntax −
[table] − Selects the table to operate on: filter, nat, mangle, or raw (default is filter)
[command] − Selects the operation to perform, such as appending, deleting, or inserting a rule. The available commands are listed below −
Short | Long | Description |
---|---|---|
-A | --append | Append a rule to a chain |
-C | --check | Check if a rule exists in a chain |
-D | --delete | Delete a matching rule or by rule number |
-I | --insert | Insert a rule in a chain by position |
-R | --replace | Replace a rule with a rule number |
-L | --list | List rules in a chain or all chains |
-S | --list-rules | Print rules in a chain or all chains |
-F | --flush | Delete all rules in a chain or all chains |
-Z | --zero | Reset counters in a chain |
-N | --new | Create a new chain |
-X | --delete-chain | Delete a user-defined chain |
-P | --policy | Set the default policy for a chain |
-E | --rename-chain | Rename the chain (old-chain new-chain) |
[chain] − To specify the chain that needs to be manipulated from the selected table. A list of chains and their respective tables is given below −
Chain | Description | Table |
---|---|---|
INPUT | Controls the incoming packets destined for the host system | This chain is in the filter and mangle tables |
OUTPUT | Manages packets originating from the host and going out to the network | This chain is in all tables |
FORWARD | Handles packets passing through the system (not destined for or originating from it) | This chain is in the Filter, Mangle, and Security tables |
PREROUTING | Alters packets as soon as they come in, before any routing decisions | This chain is in nat, mangle, and raw tables |
POSTROUTING | Alters packets right before they leave the system | This chain is in nat and mangle tables |
[options] − To specify the options listed in the following section.
[target] − To specify the rule target. The list of targets is given below −
Target | Description |
---|---|
ACCEPT | Permits the packet to pass through the firewall |
DROP | Discards the packet without notifying the sender |
REJECT | Discards the packet and sends an error response to the sender |
LOG | Logs the packet's information to the kernel log, which syslog usually writes to a file; the packet continues through the chain |
SNAT | Source Network Address Translation; modifies the packet's source address |
DNAT | Destination Network Address Translation; modifies the packet's destination address |
MASQUERADE | Changes the packet's source address for dynamically assigned IP addresses |
iptables Command Options
The options of the Linux iptables command are listed below −
Flags | Options | Description |
---|---|---|
-p protocol | --protocol protocol | Specify protocol by name or number (tcp) |
-s address/mask | --source address/mask | Specify source address with optional mask |
-d address/mask | --destination address/mask | Specify destination address with optional mask |
--dport port | --destination-port port | Specify the destination port number that the rule will apply to |
-i name | --in-interface name | Input network interface |
-j target | --jump target | Target action for the rule |
-g chain | --goto chain | Jump to the chain without returning |
-m match | --match match | Use extended match options |
-n | --numeric | Display numeric output for addresses/ports |
-o name | --out-interface name | Output network interface |
-t table | --table table | Table to modify (default is filter) |
-v | --verbose | Enable verbose mode |
-w [seconds] | --wait [seconds] | Wait for the xtables lock instead of failing immediately, optionally for at most the given number of seconds |
| --line-numbers | Show line numbers in the list output |
-x | --exact | Show exact counter values |
-f | --fragment | Match second or further fragments |
| --modprobe=command | Command used to load the required kernel modules |
-c pkt bytes | --set-counter pkt bytes | Set packet and byte counters |
-V | --version | Display version information |
Examples of iptables Command in Linux
This section demonstrates the usage of the iptables command in Linux with examples −
Allowing Incoming SSH Traffic
To append a rule to the INPUT chain that allows incoming TCP packets directed to port 22 (SSH), use the iptables command in the following way −
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

The above command appends the rule to the filter table.
Note − The iptables command typically produces no output; however, the -v or --verbose option displays details of the rule being added.
Blocking Incoming HTTP Traffic
To append a rule to the INPUT chain of the filter table that blocks incoming HTTP traffic directed to port 80 (HTTP), use the DROP target −
sudo iptables -A INPUT -p tcp --dport 80 -j DROP

This can be useful for preventing access to web services if you want to restrict HTTP traffic.
Allowing and Blocking Traffic from a Specific IP
To allow incoming traffic from a specific IP address, use the -s option with that address and ACCEPT as the target −
sudo iptables -A INPUT -s 192.168.100.10 -j ACCEPT
Similarly, to block traffic from a specific IP address, use DROP as the target −
sudo iptables -A INPUT -s 192.168.100.10 -j DROP
Blocking All the Incoming Traffic
To block all the incoming traffic, use the following command −
sudo iptables -P INPUT DROP
The above command sets the default policy for the INPUT chain to DROP, blocking all incoming traffic.
Note that a DROP policy on the INPUT chain also blocks remote SSH access unless a rule explicitly allows it. While blocking the incoming traffic, ensure SSH is allowed −
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
With these two rules in place, the server drops all other incoming traffic while still allowing remote SSH access.
Allowing All the Outgoing Traffic
To allow all the outgoing traffic, use the following command −
sudo iptables -A OUTPUT -j ACCEPT
Logging the Incoming Traffic
To log the incoming traffic, use the LOG target command −
sudo iptables -A INPUT -j LOG --log-prefix "Incoming Traffic: "
The --log-prefix option is used to specify prefixes, which can be up to 29 characters long, making it easier to differentiate messages in the logs.
Logging the Dropped Packets
To log the dropped packets, first define a rule that logs the packets before they are dropped −
sudo iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "Dropped Packets: "
Now, define a rule to drop the packets −
sudo iptables -A INPUT -p tcp --dport 80 -j DROP
In summary, the first rule logs incoming HTTP attempts on port 80 with the prefix "Dropped Packets: " and the second rule drops them, blocking HTTP connections. Because rules are evaluated in order and LOG does not stop that evaluation, the LOG rule must be placed before the DROP rule; in the reverse order nothing would be logged.
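Putting the last two sections together, the following script is an added example (not part of the original tutorial) of applying the default-deny INPUT policy without locking yourself out: the connection-tracking and SSH rules go in first, everything else is logged and dropped through a user-defined chain, and the policy is switched last. The IPT variable, the LOGDROP chain name and the script name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): a lock-out-safe version of
# the "block all incoming, allow SSH" procedure, with dropped packets
# logged before they are discarded, as in the LOG/DROP pair above.
# IPT is the iptables binary; set IPT=echo to preview the commands instead
# of applying them. The LOGDROP chain name is an assumption of this example.
IPT="${IPT:-iptables}"
LOGDROP="LOGDROP"

apply_default_deny() {
    # 1. Keep packets of connections the host already has, so the SSH
    #    session issuing these commands survives the policy change.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Local services talk over loopback.
    $IPT -A INPUT -i lo -j ACCEPT
    # 3. Accept new SSH connections BEFORE the policy is switched.
    $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    # 4. User-defined chain that logs (rate-limited so a flood cannot fill
    #    the kernel log) and then drops; reusable from any rule.
    $IPT -N "$LOGDROP"
    $IPT -A "$LOGDROP" -m limit --limit 5/min -j LOG --log-prefix "Dropped Packets: "
    $IPT -A "$LOGDROP" -j DROP
    # 5. Everything not accepted above is logged and dropped ...
    $IPT -A INPUT -j "$LOGDROP"
    # 6. ... and the default policy is changed last, as the safety net.
    $IPT -P INPUT DROP
}

# Self-check: returns 0 only if, in the command sequence, the SSH ACCEPT
# comes before "-P INPUT DROP". It runs the sequence with IPT=echo in a
# subshell, so it touches no real rules.
ssh_before_policy() {
    ( IPT=echo; apply_default_deny ) | awk '
        /--dport 22/ && /-j ACCEPT/ { accept = NR }
        /-P INPUT DROP/             { policy = NR }
        END { exit !(accept && policy && accept < policy) }'
}

# Preview:  IPT=echo sh default-deny.sh apply
# Apply:    sudo sh default-deny.sh apply
if [ "${1:-}" = apply ]; then
    ssh_before_policy || { echo "refusing: SSH rule after policy" >&2; exit 1; }
    apply_default_deny
fi
```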
Listing all the Rules
To list all the rules, use the -L option with the iptables command −
sudo iptables -L

To list all the rules with verbose output, use the -v or --verbose option −
sudo iptables -L -v
To list rules with line numbers, use the --line-numbers option −
sudo iptables -L --line-numbers
To list table-specific rules, use the -t option with the table name −
sudo iptables -t nat -L
To print the rules as iptables commands (the same format iptables-save uses, and convenient for scripts and diffs), use the -S option −
sudo iptables -S
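As an added example that is not part of the original page, the following script audits the -S output of the INPUT chain for the lock-out risk discussed earlier: a DROP policy with no rule accepting SSH, or an SSH rule that sits after a catch-all DROP/REJECT and therefore never matches, since rules are evaluated first to last. The function names, the script name and the sample ruleset are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit `iptables -S INPUT`
# output for a lock-out. A catch-all DROP/REJECT appended before the SSH
# rule, or a DROP policy with no SSH rule at all, cuts off remote access.
# Usage:  sudo iptables -S INPUT | sh audit-ssh.sh /dev/stdin
# Without an argument the constructed sample ruleset below is audited.

# Constructed sample in `iptables -S` format (not captured from a real host).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j DROP
-A INPUT -s 192.168.100.10/32 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Reads iptables -S text on stdin, prints one verdict line and returns
# 0 (SSH reachable) or 1 (lock-out risk).
audit_ssh() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        # "-A INPUT -j DROP": the jump comes right after the chain, so the
        # rule has no match options and terminates every packet.
        $3 == "-j" && ($4 == "DROP" || $4 == "REJECT") {
            if (!catchall) catchall = NR; next }
        /--dport 22( |$)/ && /-j ACCEPT$/ { if (!ssh) ssh = NR; next }
        END {
            if (ssh && (!catchall || ssh < catchall)) {
                print "OK: SSH accepted by rule " ssh; exit 0 }
            if (ssh) {
                print "RISK: SSH rule " ssh " is shadowed by catch-all rule " catchall; exit 1 }
            if (policy == "ACCEPT") { print "OK: INPUT policy is ACCEPT"; exit 0 }
            print "RISK: INPUT policy is " policy " and no rule accepts SSH"; exit 1
        }'
}

# Convenience wrapper for a ruleset held in a string.
audit_string() { printf '%s\n' "$1" | audit_ssh; }

if [ -n "${1:-}" ]; then audit_ssh < "$1"; else audit_string "$SAMPLE_RULES"; fi
```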

Flushing all the Rules
To delete all the rules, use the -F option −
sudo iptables -F -v

The above command flushes all rules in every chain of the default filter table (add -t to flush another table), which is useful when starting over with a clean set of firewall rules. Note that -F removes rules only; chain policies are left unchanged, so if the INPUT policy was set to DROP earlier, the host stays locked down until the policy is reset with -P.
Displaying Help
To display the help related to the command, use the -h or --help option with the command −
iptables -h
Conclusion
The iptables command is a handy tool for managing IPv4 packet filtering and Network Address Translation (NAT) in Linux. It allows administrators to control the flow of network packets based on predefined rules, enhancing security and enabling devices on private networks to share a single public IP address. The command's syntax includes options for specifying filtering tables, commands for rule manipulation, chains for directing traffic, and targets for rule actions.
This tutorial discussed the iptables command, its syntax, options, and its usage in Linux through examples.