How does iptables work? Here’s how it works
iptables is a userspace-utility for the Linux-kernel firewall. It is used to modify packet filters and configure the Linux firewall, which monitors traffic to and from the server, using tables. The tables contain rule sets, called chains, that filter incoming and outgoing data packets.
When a packet matches a rule, it is assigned to a destination, which can be another chain or one of these values:
- ACCEPT – lets the package pass.
- DROP – does not allow the package to pass.
- RETURN – prevents the packet from going through a chain and instructs it to return to the previous chain.
This tutorial works with one of the standard tables called filter, consisting of three chains:
- INPUT – directs incoming packets to the server.
- FORWARD – filters incoming packets that are forwarded.
- OUTPUT – Filter the packets coming from the server.
iptables can be used with Linux Uncomplicated Firewall (ufw) as well as with firewalld. iptables rules apply only to IPv4. If the firewall is used for the IPv6 protocol, ip6tables must be used instead.
Create an SSH terminal to the server with root access, or become root with sudo permission, with
sudo su - on Ubuntu/Debian Linux.
iptables comes pre-installed on most Linux distributions. However, if it is not present by default, the following steps must be performed on an Ubuntu/Debian system.
$ sudo apt-get update $ sudo apt-get install iptables
Check the status of the current iptables by run the next command.
$ iptables -vnL
The -L option is used to list all rules, the numeric output of addresses and ports with -n, and -v is used to display in a more verbose format. As shown with this sample output.
Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
At this point, you will notice that all chains are set to ACCEPT and no rules are defined. So the system is not protected because every packet gets through without filtering.
Don’t worry! How to define rules can be learned in the next step of this iptables tutorial.
Defining Chain Rules
Defining a rule means appending it to the chain. To do this, the -A (Append) option must be add directly after the iptables command.
iptables is instructed to append a new rule into the chain. Subsequently, other options can be applied in combination.
|-i (interface)||the network interface whose traffic you want to filter, e.g. eth0, lo, ppp0, etc.|
|-p (protocol)||the network protocol in which the filtering process takes place. It can be either tcp, udp, udplite, icmp, sctp, icmpv6 and so on. Alternatively, type all to select each protocol.|
|-s (source)||the address from which the traffic originates. A host name or IP address can be used.|
|–dport (dest. port)||the destination port number of a protocol, for example: 22 (SSH), 443 (HTTPS), and so on.|
|-j (target)||the target name (ACCEPT / DROP / RETURN). Insert each time a new rule is created.|
The iptables command syntax must be written in this order.
$ sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp) > -s <source> --dport <port no> -j <destination>
Once you understand the basic syntax, you can start configuring the firewall to give the server more security. Here we use the INPUT chain in this example.
Accept traffic on localhost
For most requirements the localhost is not restricted. To allow traffic on localhost then ran this command.
$ sudo iptables -A INPUT -i lo -j ACCEPT
The lo or loopback interface is used for all connections on the localhost. The above command ensures that the connections between a database and a Web application work correctly on the same system.
Accept connections on HTTP, HTTPS and SSH
Next, we want http (port 80), https (port 443) and ssh (port 22) connections to work as usual. To do this, we need to pass the protocol (-p) and the corresponding port (–dport), ran this command one by one.
$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT $ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT $ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
It is now time to check if the rules are appended in iptables.
$ iptables -vnL
Displaying the rules in chains with the List -L option similary like this.
Chain INPUT (1 references) pkts bytes target prot opt in out source destination 2798K 156M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW 114K 5508K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW 65438 2804K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
Filter packets from sources
iptables can filter packets based on an IP address or a range of IP addresses. To do this, you must specify the -s option. For example, to accept packets from 192.168.2.4, the command is.
$ sudo iptables -A INPUT -s 192.168.2.4 -j ACCEPT
It is also possible to reject packets from a specific IP address by replacing the destination ACCEPT with DROP.
$ sudo iptables -A INPUT -s 192.168.2.4 -j DROP
To drop packets from a number of IP addresses, use the -m option and the iprange module. The IP address range is specified with —src-range. Remember that a hyphen should separate the range of IP addresses without spaces, here as follows.
$ sudo iptables -A INPUT -m iprange --src-range 192.168.8.80-192.168.8.90 -j DROP
Drop all other traffic
It is important to use DROP as the destination for all remaining traffic after the –dport rules have been defined. This prevents unauthorized connections from accessing the server through other open ports. To do this, simply enter the following.
$ sudo iptables -A INPUT -j DROP
Now the connection will be rejected following the added filter.
iptables delete rules
If you want to remove all rules and start clean, use option -F (Flush).
$ sudo iptables -F
This command deletes all current rules. However, to delete a specific rule, use the -D option. All available rules are displayed first, as the following command shows.
$ sudo iptables -nL --line-numbers
A list of rules with numbers will see in the output.
Chain INPUT (policy ACCEPT) num target prot opt source destination 1 ACCEPT all -- 192.168.8.8 anywhere 2 ACCEPT tcp -- anywhere anywhere tcp dpt:https 3 ACCEPT tcp -- anywhere anywhere tcp dpt:http 4 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
To delete a rule, use the corresponding chain and number from the list. For this example, suppose we want to delete rule number one (1) of the INPUT chain. The command to do this is as follows.
$ sudo iptables -D INPUT 1
iptables is a powerful userspace-utility for the Linux firewall that can be used to protect Linux servers. A big benefit is that different rules can be defined based on your own preferences.
In this iptables tutorial you will learn how to install and use the tool. We hope that custom rule sets can be managed to filter incoming and outgoing packets.