10 Useful iptables Commands in Linux

In this tutorial we are going to explain 10 useful iptables commands that work on any Linux distro.

iptables on Linux servers is used to control incoming and outgoing network traffic. The traffic is controlled by firewall rules written by system administrators or users familiar with Linux servers. iptables organizes its rules into tables (such as filter and nat); each table contains chains (such as INPUT, FORWARD and OUTPUT), and each chain holds an ordered list of rules that is evaluated from top to bottom, with the chain's default policy applied to any packet that no rule matched. In this blog post we are going to use Ubuntu 22.04 as the OS, but you can choose any distro if you want to try these iptables commands yourself. Let's get started!

Prerequisites

  • Fresh install of Ubuntu 22.04 OS
  • User privileges: root or non-root user with sudo privileges

Update the System

Before we start with the basic iptables rules, we are going to update the system packages to the latest available versions.

sudo apt update -y && sudo apt upgrade -y

Once the system is updated, we are ready to show you the basic iptables commands in Linux.

Install iptables service

To install the iptables package, execute the following command:

sudo apt-get install iptables -y

Once iptables is installed, we can proceed with the basic iptables rules in the next paragraphs.

1. Check iptables rules

Since we have just installed iptables and have not added any rule yet, listing the rules should show the three built-in chains (INPUT, FORWARD and OUTPUT) empty, each with the default policy ACCEPT:

iptables -nvL

You should receive the following output:

root@host:~# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

2. Whitelist IP Address

Sometimes users are not able to access the website or the server, so we need to whitelist their IP address manually with the following command:

iptables -A INPUT -s 192.168.1.1 -j ACCEPT

3. Block IP Address

If there are continuous attacks on the server, or the owner does not want some IP addresses to have access to the server, we can easily block them with the following command. Keep in mind that rules are evaluated in order: -A appends the DROP after any ACCEPT already present for the same address, which then wins (compare the saved output in step 8); use -I INPUT instead of -A INPUT when the DROP must take precedence.

iptables -A INPUT -s 192.168.0.1 -j DROP

4. Block Host in iptables

Sometimes we need to block a whole network in the iptables rules. For example, to block google.com, first find its IP address and the CIDR range it belongs to with the following commands:

host google.com

You should receive the following output:

root@host:~# host google.com
google.com has address 172.217.4.46
google.com has IPv6 address 2607:f8b0:4004:c07::64
google.com has IPv6 address 2607:f8b0:4004:c07::8b
google.com has IPv6 address 2607:f8b0:4004:c07::65
google.com has IPv6 address 2607:f8b0:4004:c07::71
google.com mail is handled by 10 smtp.google.com.

Now, to find the CIDR range, execute the following command:

whois 172.217.4.46 | grep CIDR

You should receive the following output:

root@host:~# whois 172.217.4.46 | grep CIDR
CIDR:           172.217.0.0/16

We now have everything we need to block the Google network. Execute the following command. Note that this rule only matches TCP over IPv4; the IPv6 addresses returned by host above are handled by ip6tables, not iptables:

iptables -A OUTPUT -p tcp -d 172.217.0.0/16 -j DROP

5. Block Specific Port

For example, if we do not want a specific port to be reachable, we can easily block it. To block outgoing connections to the MySQL port 3306 via iptables, execute the following command. Because this rule is in the OUTPUT chain, it stops this server from connecting to port 3306 on other hosts; to stop outside hosts from reaching MySQL on this server, put the same --dport match in the INPUT chain instead:

iptables -A OUTPUT -p tcp --dport 3306 -j DROP

6. Grant Access to multiple ports

To allow multiple ports for incoming connections, execute the following command:

iptables -A INPUT  -p tcp -m multiport --dports 80,443 -j ACCEPT

To allow the outgoing side of those connections, i.e. the packets this server sends from ports 80 and 443 (note --sports, which matches the source port), execute the following command:

iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -j ACCEPT

7. Port Forwarding

To set up port forwarding, for example redirecting traffic arriving on port 80 to port 443 on the same host, execute the following command (replace eth0 with the name of your network interface):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 443

8. Save iptables rules

To save all the rules added so far, execute the following command. Note that iptables-save only prints the rule set to standard output; the rules do not survive a reboot unless you redirect that output to a file that is restored at boot (for example with the iptables-persistent package, which loads /etc/iptables/rules.v4):

iptables-save

You should receive the following output:

root@host:~# iptables-save
# Generated by iptables-save v1.8.7 on Fri Jul 22 23:52:08 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.1/32 -j ACCEPT
-A INPUT -s 192.168.0.1/32 -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d 172.217.0.0/16 -p tcp -j DROP
-A OUTPUT -p tcp -m tcp --dport 3306 -j DROP
-A OUTPUT -p tcp -m multiport --sports 80,443 -j ACCEPT
COMMIT
# Completed on Fri Jul 22 23:52:08 2022
# Generated by iptables-save v1.8.7 on Fri Jul 22 23:52:08 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 443
COMMIT
# Completed on Fri Jul 22 23:52:08 2022
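Rule order matters: in the saved filter table above, the DROP for 192.168.0.1/32 sits below an ACCEPT for the same source, so it can never match. The script below is an added example (not from the original post) that audits an iptables-save dump for such shadowed DROP rules and lists the filter chains whose default policy is ACCEPT; the embedded dump is a constructed sample modelled on the output above.

```shell
#!/usr/bin/env bash
# Added example: audit an iptables-save dump (read on stdin) for DROP rules
# shadowed by an earlier ACCEPT with the identical match in the same chain,
# and for filter chains whose default policy is ACCEPT.
set -eu

# Constructed sample, modelled on the iptables-save output shown above.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.1/32 -j ACCEPT
-A INPUT -s 192.168.0.1/32 -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d 172.217.0.0/16 -p tcp -j DROP
COMMIT'

# Prints one line per shadowed DROP: "CHAIN: <match> (shadowed by line N)".
shadowed_drops() {
    awk '
        /^-A / {
            chain = $2; spec = ""; target = ""
            # the match spec is everything between the chain name and -j
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); break }
                spec = spec (spec == "" ? "" : " ") $i
            }
            key = chain " " spec
            if (target == "ACCEPT" && !(key in accepted)) accepted[key] = NR
            else if (target == "DROP" && (key in accepted))
                print chain ": " spec " (shadowed by line " accepted[key] ")"
        }
        /^COMMIT/ { for (k in accepted) delete accepted[k] }
    '
}

# Prints the filter-table chains whose policy is ACCEPT, i.e. everything
# not explicitly dropped there is allowed, e.g. "INPUT FORWARD OUTPUT".
open_policies() {
    awk '/^\*/ { table = substr($1, 2) }
         table == "filter" && /^:[A-Z]+ ACCEPT/ { printf "%s ", substr($1, 2) }
         END { print "" }' | sed 's/ $//'
}

# Number of shadowed DROP rules in the given dump text.
count_shadowed() {
    printf '%s\n' "$1" | shadowed_drops | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_DUMP" | shadowed_drops
printf 'filter chains with ACCEPT policy: %s\n' "$(printf '%s\n' "$SAMPLE_DUMP" | open_policies)"
```

Pipe a live dump through it with `iptables-save | shadowed_drops` to check the running rule set.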

9. Flush iptables rules

To flush all the iptables rules we set in the previous steps you need to execute the command iptables -F, but first check the output of iptables -nvL to see the previously set up rules:

iptables -nvL

If you followed the previous commands you should receive the following output:

root@host:~# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.0.1          0.0.0.0/0
    0     0 DROP       all  --  *      *       192.168.0.1          0.0.0.0/0
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            172.217.0.0/16
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 80,443

Now, you can flush the rules with the following command:

iptables -F

Now, if you execute iptables -nvL to list the current rules, you should receive an empty output similar to the first step above. Note that iptables -F only removes the rules of the filter table and leaves the chain policies unchanged; the REDIRECT rule from step 7 lives in the nat table and is flushed separately with iptables -t nat -F.

root@host:~# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

10. Man command for iptables

If you want to know everything about the iptables command and the parameters that can be used, execute man iptables and you will receive the following output:

root@host:~# man iptables
IPTABLES(8)                                                                iptables 1.8.7                                                               IPTABLES(8)

NAME
       iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT

SYNOPSIS
       iptables [-t table] {-A|-C|-D} chain rule-specification

       ip6tables [-t table] {-A|-C|-D} chain rule-specification

       iptables [-t table] -I chain [rulenum] rule-specification

       iptables [-t table] -R chain rulenum rule-specification

       iptables [-t table] -D chain rulenum

       iptables [-t table] -S [chain [rulenum]]

       iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]

       iptables [-t table] -N chain

       iptables [-t table] -X [chain]

       iptables [-t table] -P chain target

       iptables [-t table] -E old-chain-name new-chain-name

       rule-specification = [matches...] [target]

       match = -m matchname [per-match-options]

       target = -j targetname [per-target-options]

DESCRIPTION
       Iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel.  Several different tables
       may be defined.  Each table contains a number of built-in chains and may also contain user-defined chains.

Congratulations! You successfully practiced the 10 most used iptables commands in Linux. If you have difficulties understanding the commands, all you need to do is sign up for one of our NVMe VPS plans and submit a support ticket. Our admins are available 24/7 and will help you with the request immediately.
