In this tutorial we are going to explain 10 useful iptables commands that apply to any Linux distro.
iptables on Linux servers is used to control incoming and outgoing network traffic. Traffic is filtered by the firewall rules that system administrators or users familiar with Linux servers write. iptables organizes these rules into tables (such as filter and nat); each table holds chains (such as INPUT, OUTPUT and FORWARD), and each chain holds the rules in the order they are evaluated. In this blog post we are going to use Ubuntu 22.04 as the OS, but you can choose any distro if you want to try these iptables commands yourself. Let's get started!
Prerequisites
- Fresh install of Ubuntu 22.04 OS
- User privileges: root or non-root user with sudo privileges
Update the System
Before we start with the basic iptables rules we are going to update the system packages to the latest versions available.
sudo apt update -y && sudo apt upgrade -y
Once the system is updated we are ready to show you the basic iptables commands in Linux.
Install iptables service
To install the iptables service execute the following command:
sudo apt-get install iptables -y
Once the iptables service is installed we can proceed with the basic iptables rules in the next paragraphs.
1. Check iptables rules
Since we have just installed the iptables service and have not added any rule yet, listing the iptables rules should show only the empty built-in chains:
iptables -nvL
You should receive the following output:
root@host:~# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
2. Whitelist IP Address
Sometimes users are unable to reach the website or the server, so we need to whitelist their IP address manually with the following command:
iptables -A INPUT -s 192.168.1.1 -j ACCEPT
3. Block IP Address
If there are continuous attacks on the server, or the owner does not want certain IP addresses to have access to the server, we can easily block them with the following command. Keep in mind that iptables evaluates the rules in a chain from top to bottom and the first match wins, so a DROP appended after an ACCEPT for the same source address is never reached.
iptables -A INPUT -s 192.168.0.1 -j DROP
4. Block Host in iptables
Sometimes we need to block a whole host or network rather than a single address. For example, to block google.com with iptables you first need to find its IP address and the CIDR range it belongs to, using the following commands:
host google.com
You should receive the following output:
root@host:~# host google.com
google.com has address 172.217.4.46
google.com has IPv6 address 2607:f8b0:4004:c07::64
google.com has IPv6 address 2607:f8b0:4004:c07::8b
google.com has IPv6 address 2607:f8b0:4004:c07::65
google.com has IPv6 address 2607:f8b0:4004:c07::71
google.com mail is handled by 10 smtp.google.com.
Now, to find the CIDR execute the following command:
whois 172.217.4.46 | grep CIDR
You should receive the following output:
root@host:~# whois 172.217.4.46 | grep CIDR
CIDR:           172.217.0.0/16
We now have everything we need to block outgoing TCP traffic to the Google network. Just execute the following command:
iptables -A OUTPUT -p tcp -d 172.217.0.0/16 -j DROP
5. Block Specific Port
If we do not want a specific port to be reachable, we can easily block it. For example, to block outgoing connections to the MySQL port 3306 via iptables rules, execute the following command:
iptables -A OUTPUT -p tcp --dport 3306 -j DROP
6. Grant Access to multiple ports
To allow multiple ports for incoming connections execute the following command:
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
To allow outgoing packets from multiple local ports (for example, the replies a web server sends from ports 80 and 443) execute the following command:
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -j ACCEPT
7. Port Forwarding
To set up port forwarding, for example to redirect incoming traffic arriving on eth0 for port 80 to local port 443, execute the following command:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 443
8. Save iptables rules
To save all the rules added above, execute the following command. Note that iptables-save only prints the rules to standard output; to keep them across a reboot, redirect that output to a file and load it again with iptables-restore.
iptables-save
You should receive the following output:
root@host:~# iptables-save
# Generated by iptables-save v1.8.7 on Fri Jul 22 23:52:08 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.1/32 -j ACCEPT
-A INPUT -s 192.168.0.1/32 -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d 172.217.0.0/16 -p tcp -j DROP
-A OUTPUT -p tcp -m tcp --dport 3306 -j DROP
-A OUTPUT -p tcp -m multiport --sports 80,443 -j ACCEPT
COMMIT
# Completed on Fri Jul 22 23:52:08 2022
# Generated by iptables-save v1.8.7 on Fri Jul 22 23:52:08 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 443
COMMIT
# Completed on Fri Jul 22 23:52:08 2022
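As an added example (not part of the original post), the script below audits an iptables-save dump for rules that can never match. It applies to steps 2, 3 and 8: iptables walks each chain top-down and the first matching rule decides, so an ACCEPT and a DROP for the same source, as in the save output above, leave the DROP unreachable. The dump embedded in the script is a constructed sample modelled on that output.

```shell
#!/bin/sh
# Audit an iptables-save dump for shadowed (unreachable) rules.
# Added example for this tutorial; it is not part of the original post.
# iptables walks a chain top-down and the first matching rule decides,
# so a later rule with an identical match part can never fire.

# Constructed sample, modelled on the iptables-save output in step 8.
# Line 6 (DROP for 192.168.0.1) is shadowed by line 5 (ACCEPT for it).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.1/32 -j ACCEPT
-A INPUT -s 192.168.0.1/32 -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d 172.217.0.0/16 -p tcp -j DROP
-A OUTPUT -p tcp -m tcp --dport 3306 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 443
COMMIT'

# Reads an iptables-save dump on stdin; prints one line per shadowed rule.
find_shadowed_rules() {
    awk '
    /^\*/ { table = substr($0, 2); next }       # "*filter" -> current table
    /^-A / {
        chain = $2; spec = $0; target = "(none)"
        if (match(spec, / -j .*$/)) {           # split match part from target
            target = substr(spec, RSTART + 4)
            spec = substr(spec, 1, RSTART - 1)
        }
        key = table SUBSEP chain SUBSEP spec
        if (key in first_line) {
            printf "%s/%s: line %d (-j %s) is shadowed by line %d (-j %s)\n",
                   table, chain, NR, target, first_line[key], first_target[key]
        } else {
            first_line[key] = NR; first_target[key] = target
        }
    }'
}

# Returns the number of shadowed rules found in the constructed sample.
# On a live host run:  iptables-save | find_shadowed_rules
count_shadowed_in_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | find_shadowed_rules | wc -l | tr -d ' '
}
```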
9. Flush iptables rules
To flush all the iptables rules we set in the previous steps you need to execute the command iptables -F, but first check the output of iptables -nvL to review the rules that are currently set up:
iptables -nvL
If you followed the previous commands you should receive the following output:
root@host:~# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.0.1          0.0.0.0/0
    0     0 DROP       all  --  *      *       192.168.0.1          0.0.0.0/0
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            172.217.0.0/16
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 80,443
Now, you can flush the rules with the following command:
iptables -F
Now, if you execute the command iptables -nvL to list the current rules, you should receive empty chains similar to the ones in the first step above:
root@host:~# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
10. Man command for iptables
If you want to know everything about the iptables command and the parameters it accepts, execute man iptables and you will receive the following output:
root@host:~# man iptables
IPTABLES(8)                     iptables 1.8.7                     IPTABLES(8)

NAME
       iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT

SYNOPSIS
       iptables [-t table] {-A|-C|-D} chain rule-specification
       ip6tables [-t table] {-A|-C|-D} chain rule-specification
       iptables [-t table] -I chain [rulenum] rule-specification
       iptables [-t table] -R chain rulenum rule-specification
       iptables [-t table] -D chain rulenum
       iptables [-t table] -S [chain [rulenum]]
       iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
       iptables [-t table] -N chain
       iptables [-t table] -X [chain]
       iptables [-t table] -P chain target
       iptables [-t table] -E old-chain-name new-chain-name

       rule-specification = [matches...] [target]
       match = -m matchname [per-match-options]
       target = -j targetname [per-target-options]

DESCRIPTION
       Iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Congratulations! You have successfully practiced the 10 most used iptables commands in Linux. If you have difficulties understanding the commands, all you need to do is sign up for one of our NVMe VPS plans and submit a support ticket. Our admins are available 24/7 and will help you with the request immediately.
If you liked this post about 10 useful iptables commands in Linux with examples, please share it with your friends on the social networks using the buttons on the left or simply leave a reply below.