Linux iptables and ip6tables examples

on Aug 15, 2016

Linux iptables is a user-space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.

A few points to note about iptables rules:

  1. When multiple rules match a packet, the first matching rule applies.
  2. Rules added using iptables are not persisted automatically. They are lost when the system reboots.

Here are some handy examples using iptables for IPv4 (for IPv6, use ip6tables, ip6tables-save and ip6tables-restore).

List iptables rules

  1. List all rules
    ## -n (numeric) -v (verbose)
    $ sudo iptables -L -n -v
    Chain INPUT (policy ACCEPT 465 packets, 33446 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        4   220 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 345 packets, 74880 bytes)
     pkts bytes target     prot opt in     out     source               destination 
    
  2. List specific chain rules (INPUT/FORWARD/OUTPUT)
    ## -n (numeric) -v (verbose)
    $ sudo iptables -L INPUT -n -v
    Chain INPUT (policy ACCEPT 456 packets, 32854 bytes)
     pkts bytes target     prot opt in     out     source               destination         
        4   220 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    
  3. List all rules with line numbers
    $ sudo iptables -n -L -v --line-numbers
    

Save and restore iptables

  1. Save iptables to a file
    $ sudo iptables-save > iptable_filename
    
  2. Load iptables from a file
    $ sudo iptables-restore < iptable_filename
    

Add (Append) iptables rules

  1. Port based rules
    Allow connections only to ports 22, 80 and 443

    $ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    $ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    $ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    $ sudo iptables -A INPUT -j DROP
    $ sudo iptables -n -L INPUT -v --line-numbers
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination         
    1      257 18272 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    2        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    4        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0       
    
  2. IP based rules
    Allow access to a port from a specific IP address

    $ sudo iptables -A INPUT -p tcp --dport 8081 -s 172.30.0.211 -j ACCEPT
    

Insert a rule before a specific numbered rule

To insert a rule before rule number 4 in the INPUT chain:

$ sudo iptables -I INPUT 4 -p tcp --dport 8081 -j ACCEPT
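Because the first matching rule wins, a rule appended with -A after the catch-all `-A INPUT -j DROP` never matches, which is why the 8081 rule has to be inserted before rule 4. The script below is an added example, not part of the original page: it reads iptables-save style text and reports such unreachable rules. The function names `sample_ruleset` and `find_shadowed_rules` are hypothetical, and the sample dump is constructed from the rules shown above.

```shell
#!/bin/sh
# Constructed sample: iptables-save style dump after the port-based rules
# and then the IP-based rule were all added with -A (append).
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
-A INPUT -s 172.30.0.211/32 -p tcp -m tcp --dport 8081 -j ACCEPT
COMMIT
EOF
}

# Reads iptables-save / ip6tables-save text on stdin and prints one line per
# rule that sits after an unconditional ACCEPT/DROP/REJECT in the same chain.
find_shadowed_rules() {
    awk '
    /^\*/ { table = substr($0, 2); next }   # table header: "*filter", "*nat", ...
    $1 == "-A" {
        key = table "/" $2                  # chain names repeat across tables
        num[key]++                          # rule number as shown by --line-numbers
        if (key in blocker) {
            printf "%s rule %d unreachable after rule %d (-j %s): %s\n",
                   key, num[key], blocker[key], verdict[key], $0
            next
        }
        # No match options before -j means the rule matches every packet.
        if ($3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP" || $4 == "REJECT")) {
            blocker[key] = num[key]
            verdict[key] = $4
        }
    }'
}

# Demo run on the constructed sample.
sample_ruleset | find_shadowed_rules
```

On a live host, feed it the real rule set with `sudo iptables-save | find_shadowed_rules`. The check only looks at built-in terminating targets within a single chain; it does not follow jumps into user-defined chains.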

Delete iptables rules

  1. Delete a specific numbered rule
    $ sudo iptables -D INPUT 4
    
  2. Delete/Flush all rules
    $ sudo iptables -F
    


Copyright © 2025 InfoHeap.
