Iptables Basics

Iptables is a command-line utility that interacts with the Linux kernel's netfilter framework, enabling administrators to define rules that control the flow of network traffic. These rules can filter traffic based on criteria like IP address, port, and protocol. With iptables, you can block unwanted traffic, allow specific connections, and even set up complex routing scenarios.

How Iptables Works

Iptables operates using a system of tables and chains:

  • Tables: Collections of chains, each tailored for specific types of rules. The most commonly used table is filter, which decides whether to allow or block traffic; the nat table rewrites addresses and ports, and the mangle table alters other packet fields.
  • Chains: Sequences of rules that network packets pass through. The default chains in the filter table are:
    • INPUT: Controls incoming packets.
    • FORWARD: Manages packets routed through the system to another network interface.
    • OUTPUT: Handles outgoing packets from the system.

Each chain consists of rules evaluated in order. When a packet matches a rule with a terminating target such as ACCEPT or DROP, that verdict is applied and no further rules in the chain are checked; a non-terminating target such as LOG lets evaluation continue. A packet that matches no rule in a built-in chain gets the chain's default policy.

Setting Up Iptables

Viewing Existing Rules

Before adding new rules, it's important to understand your current iptables configuration. To view existing rules, use:

sudo iptables -L -v -n

This command lists all rules in the filter table (add -t nat to see the nat table instead), displaying details like packet count, byte count, and rule specifics. Adding --line-numbers shows each rule's position in its chain, which is the number used when deleting a rule by position.

Basic Rule Structure

An iptables rule typically consists of a matching condition and a target action. For example, to allow incoming SSH traffic, you might use:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  • -A INPUT: Appends the rule to the INPUT chain.
  • -p tcp: Specifies the rule applies to TCP packets.
  • --dport 22: Matches packets destined for port 22 (SSH).
  • -j ACCEPT: The action to allow the traffic.

Common Iptables Commands

Here are some essential iptables commands for managing firewall rules:

  • Adding a Rule: Use the -A option to append a rule to a chain.

    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    This command allows incoming HTTP traffic on port 80.

  • Inserting a Rule: Use the -I option to insert a rule at a specific position in a chain.

    sudo iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT

    This command inserts the rule at the top of the INPUT chain.

  • Deleting a Rule: Use the -D option to remove a rule by specifying either the rule itself or its position in the chain.

    sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT

    or

    sudo iptables -D INPUT 2

  • Flushing Rules: To delete all rules in a chain, use the -F option (with no chain name, it flushes every chain in the table). Flushing removes rules but does not reset the chain policy: flushing INPUT while its policy is DROP leaves nothing accepted, your own SSH session included, so set the policy back to ACCEPT first.

    sudo iptables -F INPUT

  • Saving Rules: Iptables rules live in kernel memory and are not persistent across reboots by default. To save them so they are reloaded at boot, use the mechanism your distribution provides:

    • On Debian/Ubuntu (with the iptables-persistent package installed, which loads this file at boot):
      sudo iptables-save > /etc/iptables/rules.v4
    • On CentOS/RHEL (with the iptables-services package installed):
      sudo service iptables save

Creating Basic Firewall Rules

Here are some examples of common iptables rules:

  1. Allow All Incoming SSH Traffic

    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    This rule permits incoming TCP traffic on port 22, typically used for SSH.

  2. Allow All Incoming HTTP and HTTPS Traffic

    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    These rules allow incoming HTTP (port 80) and HTTPS (port 443) traffic.

  3. Block All Incoming Traffic Except SSH, HTTP, and HTTPS

    sudo iptables -P INPUT DROP
    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    • -P INPUT DROP: Sets the default policy for the INPUT chain to DROP, so any incoming packet that matches no rule is discarded.
    • The following rules allow SSH, HTTP, and HTTPS traffic.
    • -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT: Permits packets that belong to a connection already being tracked (ESTABLISHED) or associated with one (RELATED), such as replies to connections the host opened itself.
    • Order matters when you do this over SSH: the policy switch takes effect immediately, so add the ACCEPT rules (and the loopback rule below) before changing the policy to DROP; otherwise a mistyped or failed later command leaves you locked out.
    • iptables governs IPv4 only. A DROP policy here leaves IPv6 untouched; apply the equivalent rules with ip6tables, which uses the same syntax.

  4. Allow Loopback Traffic

    sudo iptables -A INPUT -i lo -j ACCEPT

    This rule permits traffic on the loopback interface (lo), crucial for many local processes.
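
An added example, not from the original page: a small audit that reads a ruleset in the format iptables-save prints (the same format rules.v4 holds) and checks it against the baseline above: INPUT policy DROP, loopback and ESTABLISHED,RELATED accepted, and only the expected TCP ports opened. The sample dump is constructed, with port 3306 added to show a finding.

```python
import re

# Constructed sample in the format `sudo iptables-save` prints (and rules.v4 holds).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
COMMIT
"""

def parse_filter_table(dump):
    """Return (chain policies, rules) from the *filter table of an iptables-save dump."""
    policies, rules, in_filter = {}, [], False
    for line in dump.splitlines():
        if line.startswith("*"):                  # table header: *filter, *nat, ...
            in_filter = line == "*filter"
        elif not in_filter or line == "COMMIT" or line.startswith("#"):
            continue
        elif line.startswith(":"):                # ":CHAIN POLICY [packets:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(line)
    return policies, rules

def audit_input_chain(dump, allowed_ports=(22, 80, 443)):
    """Return findings for the INPUT chain; an empty list means it matches the baseline."""
    policies, rules = parse_filter_table(dump)
    accepts = [r for r in rules if r.startswith("-A INPUT ") and r.endswith("-j ACCEPT")]
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT policy is not DROP")
    if not any("-i lo " in r for r in accepts):
        findings.append("loopback traffic is not accepted")
    # iptables-save may print the states in either order, so test for both words.
    if not any("ESTABLISHED" in r and "RELATED" in r for r in accepts):
        findings.append("no ESTABLISHED,RELATED accept rule (replies to outbound traffic are dropped)")
    for r in accepts:
        m = re.search(r"--dport (\d+) -j ACCEPT$", r)
        if m and int(m.group(1)) not in allowed_ports:
            findings.append("unexpected open port " + m.group(1))
    return findings
```

Run it against the output of iptables-save (or a saved rules.v4) before restoring a file to catch a missing ESTABLISHED,RELATED rule or a forgotten open port.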

Advanced Iptables Features

NAT and Port Forwarding

Iptables also handles Network Address Translation (NAT) and port forwarding, typically configured in the nat table.

  • Example: Port Forwarding

    To forward incoming traffic on port 8080 to an internal server on port 80:

    sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80
    sudo iptables -A FORWARD -p tcp -d 192.168.1.100 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

    The DNAT rule rewrites the destination before the routing decision, and the FORWARD rule lets the translated packets through the filter table. This only works if the kernel forwards packets at all (sysctl net.ipv4.ip_forward must be 1); connection tracking reverses the translation on the reply packets automatically.

Logging Traffic

To log packets matching specific criteria, use the LOG target. This is useful for debugging or monitoring traffic.

sudo iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH attempt: "

This command logs any attempts to connect via SSH, prefixing each entry with "SSH attempt:". LOG is a non-terminating target: after logging, the packet continues to the next rule, so place the LOG rule before the ACCEPT or DROP rule that decides its fate. As written it logs every packet to port 22, including those of established sessions; match on -m conntrack --ctstate NEW to log only new connection attempts, and rate-limit the LOG rule with the limit match so a burst of traffic cannot flood the log. The entries go to the kernel log, viewable with dmesg or journalctl -k.
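
An added example, not from the original page: a parser for the kernel log lines the LOG rule above produces, counting connection attempts per source address. The log lines are constructed samples in the LOG target's field layout, with addresses from documentation ranges; the fourth line is an ACK from an already established session, which the rule as written also logs.

```python
import re
from collections import Counter

# Constructed sample of what the LOG rule above writes to the kernel log
# (field layout of the netfilter LOG target; addresses from documentation ranges).
SAMPLE_LOG = """\
Mar 10 12:00:01 gw kernel: SSH attempt: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:03 gw kernel: SSH attempt: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 12:00:04 gw kernel: SSH attempt: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=77 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:05 gw kernel: SSH attempt: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=501 RES=0x00 ACK URGP=0
Mar 10 12:00:06 gw kernel: usb 1-1: new high-speed USB device
"""

LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=(?P<iface>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")

def parse_log_line(line):
    """Return the netfilter LOG fields of one kernel log line as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip()
    rec["syn"] = " SYN " in line          # TCP flags are printed as bare words
    return rec

def count_ssh_attempts(log_text, prefix="SSH attempt:", new_only=True):
    """Count logged packets to port 22 per source address. With new_only, count
    only SYNs, i.e. connection attempts rather than every packet of a session."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["prefix"] != prefix or rec["dpt"] != "22":
            continue
        if new_only and not rec["syn"]:
            continue
        hits[rec["src"]] += 1
    return hits
```

Feed it the output of journalctl -k; a source with many SYNs and no established traffic is the pattern the rate-limiting rules in the next section are designed to catch.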

Rate Limiting

To slow down brute-force attacks, you can limit the number of new connections accepted from a single source address within a specified timeframe, using the recent match:

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This configuration allows only 3 SSH connection attempts per minute from a single IP address. The first rule records the source address of every new SSH connection in the recent list; the second drops the packet when that address has been recorded four or more times in the last 60 seconds. Because every retry is recorded as well, an address that keeps trying stays blocked until it has been quiet for a full minute. Both rules must sit before the rule that accepts port 22, since ACCEPT is terminating: -A would append them after an existing ACCEPT, where they are never reached, so insert them with -I or add them before the ACCEPT rule.
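
An added example, not from the original page: a small model of the recent match that replays a constructed timeline of new SSH connections through the two rules above, showing which packets the second rule drops and that a source is only admitted again after a full quiet window. The timestamp bookkeeping mirrors xt_recent (a --set always records the packet, an --update with --hitcount records it only when it matches); the timeline and addresses are constructed.

```python
from collections import defaultdict

class RecentList:
    """Minimal model of the xt_recent list: 'seen' timestamps per source address."""
    def __init__(self, max_stamps=20):          # kernel default ip_pkt_list_tot=20
        self.stamps = defaultdict(list)
        self.max_stamps = max_stamps

    def set_seen(self, src, now):
        """--set: record this packet's time for src, dropping the oldest stamp when
        the per-address list is full. Always matches."""
        lst = self.stamps[src]
        if len(lst) >= self.max_stamps:
            lst.pop(0)
        lst.append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount N: match when src has at least N stamps
        within the last S seconds; a match also records this packet's time."""
        recent = [t for t in self.stamps.get(src, []) if now - t <= seconds]
        if len(recent) >= hitcount:
            self.set_seen(src, now)
            return True
        return False

def simulate_ssh_attempts(attempts, seconds=60, hitcount=4):
    """Run (time, src) NEW-connection attempts through the two rules above and return
    each packet's verdict: DROP if the second rule fires, otherwise PASS (the packet
    continues down the INPUT chain to the rules that follow)."""
    table = RecentList()
    verdicts = []
    for now, src in attempts:
        table.set_seen(src, now)                               # rule 1: --set
        if table.update(src, now, seconds, hitcount):          # rule 2: --update ... -j DROP
            verdicts.append("DROP")
        else:
            verdicts.append("PASS")
    return verdicts

# Constructed timeline (seconds, source address): one address hammers port 22 and is
# only let through again after it has been quiet for a full window; another connects once.
ATTEMPTS = [(0, "203.0.113.5"), (10, "203.0.113.5"), (20, "203.0.113.5"),
            (30, "203.0.113.5"), (45, "198.51.100.7"), (50, "203.0.113.5"),
            (120, "203.0.113.5")]
# simulate_ssh_attempts(ATTEMPTS) -> ['PASS', 'PASS', 'PASS', 'DROP', 'PASS', 'DROP', 'PASS']
```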

Troubleshooting Iptables

Checking Logs

If you encounter issues with iptables rules, check the system log for dropped packets, LOG entries, or other anomalies (LOG entries are kernel messages, so journalctl -k or dmesg narrows the view to them):

sudo journalctl -f

Testing Rules

To check a saved ruleset for errors without applying it, run iptables-restore in test mode (-t or --test), which parses and builds the ruleset but does not commit it:

sudo iptables-restore --test < /etc/iptables/rules.v4

Backup and Restore

Always back up your iptables configuration before making significant changes:

sudo iptables-save > /etc/iptables/rules.backup

To restore from a backup (iptables-restore replaces the current ruleset with the file's contents; add --noflush to keep the existing rules instead):

sudo iptables-restore < /etc/iptables/rules.backup

Go deeper by reading about advanced iptables.