SEARCH

How-To Geek

Using Iptables on Linux

This guide will attempt to explain how to use iptables on linux in easy to understand language.

Contents

[hide]

Overview

Iptables is a rule-based firewall, which will process each rule in order until it finds one that matches.

Todo: include example here

Usage

The iptables utility is typically pre-installed on your linux distribution, but isn’t actually running any rules. You’ll find the utility here on most distributions:

/sbin/iptables

Blocking a Single IP Address

You can block an IP by using the -s parameter, replacing 10.10.10.10 with the address that you are trying to block. You’ll note in this example that we used the -I parameter (or –insert works too) instead of the append, because we want to make sure this rule shows up first, before any allow rules.

/sbin/iptables -I INPUT -s 10.10.10.10 -j DROP

Allowing All Traffic from an IP Address

You can alternately allow all traffic from an IP address by using the same command as above, but replacing DROP with ACCEPT. You need to make sure that this rule appears first, before any DROP rules.

/sbin/iptables -A INPUT -s 10.10.10.10 -j ACCEPT

Blocking a Port From All Addresses

You can block a port entirely from being accessed over the network by using the the –dport switch and adding the port of the service you want to block. In this example, we’ll block the mysql port:

/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

Allowing a Single Port from a Single IP

You can add the -s command along with the –dport command to further limit the rule to a specific port:

/sbin/iptables -A INPUT -p tcp -s 10.10.10.10 --dport 3306 -j ACCEPT

Viewing the Current Rules

You can view the current rules using the following command:

/sbin/iptables -L

This should give you an output similar to the following:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  192.168.1.1/24  anywhere            
ACCEPT     all  --  10.10.10.0/24       anywhere             
DROP       tcp  --  anywhere             anywhere            tcp dpt:ssh 
DROP       tcp  --  anywhere             anywhere            tcp dpt:mysql

The actual output will be a bit longer, of course.

Clearing the Current Rules

You can clear out all the current rules by using the flush parameter. This is very useful if you need to put the rules in the correct order, or when you are testing.

/sbin/iptables --flush

Distribution-Specific

While most Linux distributions include a form of iptables, some of them also include wrappers which make the management a little easier. Most often these “addons” take the form of init scripts which take care of initializing iptables on startup, though some distributions also include full-blown wrapper applications which attempt to simplify the common case.

Gentoo

The iptables init script on Gentoo is capable of handling many common scenarios. For starters, it allows you to configure iptables to load on startup (usually what you want):

rc-update add iptables default

Using the init script, it is possible to load and clear the firewall with an easy-to-remember command:

/etc/init.d/iptables start
/etc/init.d/iptables stop

The init script handles the details of persisting your current firewall configuration on start/stop. Thus, your firewall is always in the state you left it. If you need to manually save a new rule, the init script can handle this as well:

/etc/init.d/iptables save

Additionally, you can restore your firewall to the previous saved state (for the case where you were experimenting with rules and now want to restore the previous working configuration):

/etc/init.d/iptables reload

Finally, the init script can put iptables into a “panic” mode, where all incoming and outgoing traffic is blocked. I’m not sure why this mode is useful, but all Linux firewalls seem to have it.

/etc/init.d/iptables panic

Warning: Don’t initiate the panic mode if you are connected to your server via SSH; you will be disconnected! The only time you should put iptables into panic mode is while you are physically in front of the computer.

Lowell Heddings, better known online as the How-To Geek, spends all his free time bringing you fresh geekery on a daily basis. You can follow him on if you'd like.

  • Published 07/16/10

Get Free Articles in Your Inbox!

Join 134,000 newsletter readers

Email:

Go check your email!