This guide will attempt to explain how to use iptables on Linux in easy-to-understand language.

Overview

Iptables is a rule-based firewall: it processes each rule in order until it finds one that matches the packet, and that rule decides what happens to it.

Todo: include example here

Usage

The iptables utility is typically pre-installed on your Linux distribution, but usually has no rules loaded. You'll find the utility here on most distributions:

/sbin/iptables

Blocking a Single IP Address

You can block an IP by using the -s parameter, replacing 10.10.10.10 with the address that you are trying to block. You'll note that this example uses the -I parameter (--insert works too) instead of -A (append), because we want to make sure this rule shows up first, before any allow rules.

/sbin/iptables -I INPUT -s 10.10.10.10 -j DROP

Allowing All Traffic from an IP Address

You can alternately allow all traffic from an IP address by using the same kind of rule as above, but replacing DROP with ACCEPT. You need to make sure that this rule appears first, before any DROP rules. Note that this example uses -A (append), which puts the rule at the end of the chain, so it only ends up first if no DROP rules have been added yet; use -I instead if DROP rules are already present.

/sbin/iptables -A INPUT -s 10.10.10.10 -j ACCEPT

Blocking a Port From All Addresses

You can block a port entirely from being accessed over the network by using the --dport switch and adding the port of the service you want to block. In this example, we'll block the MySQL port (3306):

/sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

Allowing a Single Port from a Single IP

You can combine the -s parameter with the --dport parameter to limit the rule to a single source address on a specific port:

/sbin/iptables -A INPUT -p tcp -s 10.10.10.10 --dport 3306 -j ACCEPT
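To see how the first-match processing from the Overview plays out with the rules above, here is a small simulator of an INPUT chain. It is an added example, not part of the original guide and not how iptables is implemented; the rule fields, packet dictionaries and the 192.0.2.5 test address are constructed for the illustration. It shows that -I and -A with identical rules give opposite verdicts, and that "allow one host on 3306, then drop 3306 for everyone" works because the ACCEPT is matched first.

```python
import ipaddress

class Rule:
    """One INPUT rule: the -s / -p / --dport match parts plus the -j target."""
    def __init__(self, target, source=None, proto=None, dport=None):
        self.target = target    # -j: ACCEPT or DROP
        self.source = ipaddress.ip_network(source, strict=False) if source else None  # -s
        self.proto = proto      # -p
        self.dport = dport      # --dport

    def matches(self, pkt):
        if self.source and ipaddress.ip_address(pkt["src"]) not in self.source:
            return False
        if self.proto is not None and pkt.get("proto") != self.proto:
            return False
        return self.dport is None or pkt.get("dport") == self.dport

class Chain:
    """First-match chain: walk the rules in order, fall back to the policy."""
    def __init__(self, policy="ACCEPT"):
        self.policy, self.rules = policy, []

    def append(self, rule):          # like iptables -A: goes to the end
        self.rules.append(rule)

    def insert(self, rule):          # like iptables -I: becomes rule 1
        self.rules.insert(0, rule)

    def verdict(self, pkt):
        for rule in self.rules:      # first match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy           # no match: the chain policy decides

def order_matters():
    """Same two rules, appended (-A) vs inserted (-I): only the order differs."""
    pkt = {"src": "10.10.10.10", "proto": "tcp", "dport": 22}
    appended, inserted = Chain(), Chain()
    for chain in (appended, inserted):
        chain.append(Rule("ACCEPT", source="10.10.10.10"))
    appended.append(Rule("DROP", source="10.10.10.10"))   # lands after the ACCEPT
    inserted.insert(Rule("DROP", source="10.10.10.10"))   # lands in front of it
    return appended.verdict(pkt), inserted.verdict(pkt)   # ('ACCEPT', 'DROP')

def mysql_from_one_host():
    """The guide's pattern: allow 10.10.10.10 on 3306, then drop 3306 for everyone else."""
    chain = Chain("ACCEPT")
    chain.append(Rule("ACCEPT", source="10.10.10.10", proto="tcp", dport=3306))
    chain.append(Rule("DROP", proto="tcp", dport=3306))
    return chain
```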

Viewing the Current Rules

You can view the current rules using the following command:

/sbin/iptables -L

This should give you an output similar to the following:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.1.1/24       anywhere
ACCEPT     all  --  10.10.10.0/24        anywhere
DROP       tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere             tcp dpt:mysql

The actual output will be a bit longer, of course.

Clearing the Current Rules

You can clear out all the current rules by using the flush parameter. This is very useful if you need to put the rules back in the correct order, or when you are testing.

/sbin/iptables --flush

Distribution-Specific

While most Linux distributions include a form of iptables, some of them also include wrappers which make management a little easier. Most often these "addons" take the form of init scripts which take care of initializing iptables on startup, though some distributions also include full-blown wrapper applications which attempt to simplify the common case.

Gentoo

The iptables init script on Gentoo is capable of handling many common scenarios. For starters, it allows you to configure iptables to load on startup (usually what you want):

rc-update add iptables default

Using the init script, it is possible to load and clear the firewall with an easy-to-remember command:

/etc/init.d/iptables start

/etc/init.d/iptables stop

The init script handles the details of persisting your current firewall configuration on start/stop, so your firewall is always in the state you left it. If you need to manually save a new rule, the init script can handle this as well:

/etc/init.d/iptables save

Additionally, you can restore your firewall to the previous saved state (for the case where you were experimenting with rules and now want to restore the previous working configuration):

/etc/init.d/iptables reload

Finally, the init script can put iptables into a "panic" mode, where all incoming and outgoing traffic is blocked. I'm not sure why this mode is useful, but all Linux firewalls seem to have it.

/etc/init.d/iptables panic

Warning: Don't initiate the panic mode if you are connected to your server via SSH; you will be disconnected! The only time you should put iptables into panic mode is while you are physically in front of the computer.