How to use iptables and configuring


How does iptables work? Here’s how it works

iptables is a userspace-utility for the Linux-kernel firewall. It iptables chain rule is used to modify packet filters and configure the Linux firewall, which monitors traffic to and from the server, using tables. The tables contain rule sets, called chains, that filter incoming and outgoing data packets.

iptables chain rule and configuring

When a packet matches a iptables rule, it is assigned to a destination, which can be another chain or one of these values:

  • ACCEPT – lets the package pass.
  • DROP – does not allow the package to pass.
  • RETURN – prevents the packet from going through a chain and instructs it to return to the previous chain.

This tutorial works with one of the standard tables called filter, consisting of three iptables chains:

  • INPUT – directs incoming packets to the server.
  • FORWARD – filters incoming packets that are forwarded.
  • OUTPUT – Filter the packets coming from the server.

  iptables can be used with Linux Uncomplicated Firewall (ufw) as well as with firewalld. iptables rules apply only to IPv4. If the firewall is used for the IPv6 protocol, ip6tables must be used instead.

iptables installation

Create an SSH terminal to the server with root access, or become root with sudo permission, with sudo su - on Ubuntu/Debian Linux.

iptables comes pre-installed on most Linux distributions. However, if it is not present by default, the following steps must be performed on an Ubuntu/Debian system.

$ sudo apt-get update
$ sudo apt-get install iptables

Check the status of the current iptables chain rule packet by run the next command.

$ iptables -vnL

The -L option is used to list all rules, the numeric output of addresses and ports with -n, and -v is used to display in a more verbose format. As shown with this sample output.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in out   source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in out   source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in out   source destination

At this point, you will notice that all chains are set to ACCEPT and no rules are defined. So the system is not protected because every packet gets through without filtering.

Don’t worry! How to define rules can be learned in the next step of this iptables tutorial.

Defining Chain Rules

Defining a rule means appending it to the chain. To do this, the -A (Append) option must be add directly after the iptables command.

iptables is instructed to append a new rule into the chain. Subsequently, other options can be applied in combination.

-i (interface)the network interface whose traffic you want to filter, e.g. eth0, lo, ppp0, etc.
-p (protocol)the network protocol in which the filtering process takes place. It can be either tcp, udp, udplite, icmp, sctp, icmpv6 and so on. Alternatively, type all to select each protocol.
-s (source)the address from which the traffic originates. A host name or IP address can be used.
–dport (dest. port)the destination port number of a protocol, for example: 22 (SSH), 443 (HTTPS), and so on.
-j (target) the target name (ACCEPT / DROP / RETURN). Insert each time a new rule is created.

The iptables command syntax must be written in this order.

$ sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp) > -s <source> --dport <port no> -j <destination>

Once you understand the basic syntax, you can start configuring the firewall to give the server more security. Here we use the INPUT chain in this example.

Accept traffic on localhost

For most requirements the localhost is not restricted. To allow traffic on localhost then ran this command.

$ sudo iptables -A INPUT -i lo -j ACCEPT

The lo or loopback interface is used for all connections on the localhost. The above command ensures that the connections between a database and a Web application work correctly on the same system.

Accept connections on HTTP, HTTPS and SSH

Next, we want http (port 80), https (port 443) and ssh (port 22) connections to work as usual. To do this, we need to pass the protocol (-p) and the corresponding port (–dport), ran this command one by one.

$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

It is now time to check if the rules are appended in iptables.

$ iptables -vnL

Displaying the rules in chains with the List -L option similary like this.

Chain INPUT (1 references)
 pkts bytes target     prot opt in     out    source         destination
2798K  156M ACCEPT     tcp  --  *      *       tcp dpt:22 ctstate NEW
 114K 5508K ACCEPT     tcp  --  *      *       tcp dpt:80 ctstate NEW
65438 2804K ACCEPT     tcp  --  *      *       tcp dpt:443 ctstate NEW

Filter packets from sources

iptables can filter packets based on an IP address or a range of IP addresses. To do this, you must specify the -s option. For example, to accept packets from, the command is.

$ sudo iptables -A INPUT -s -j ACCEPT

It is also possible to reject packets from a specific IP address by replacing the destination ACCEPT with DROP.

$ sudo iptables -A INPUT -s -j DROP

To drop packets from a number of IP addresses, use the -m option and the iprange module. The IP address range is specified with —src-range. Remember that a hyphen should separate the range of IP addresses without spaces, here as follows.

$ sudo iptables -A INPUT -m iprange --src-range -j DROP

Drop all other traffic

It is important to use DROP as the destination for all remaining traffic after the –dport rules have been defined. This prevents unauthorized connections from accessing the server through other open ports. To do this, simply enter the following.

$ sudo iptables -A INPUT -j DROP

Now the connection will be rejected following the added filter.

iptables delete rules

If you want to remove all rules and start clean, use option -F (Flush).

$ sudo iptables -F

This command deletes all current rules. However, to delete a specific rule, use the -D option. All available rules are displayed first, as the following command shows.

$ sudo iptables -nL --line-numbers

A list of rules with numbers will see in the output.

Chain INPUT (policy ACCEPT)
num  target     prot opt source           destination
1    ACCEPT     all --        anywhere
2    ACCEPT     tcp -- anywhere           anywhere tcp dpt:https
3    ACCEPT     tcp -- anywhere           anywhere tcp dpt:http
4    ACCEPT     tcp -- anywhere           anywhere tcp dpt:ssh

To delete a rule, use the corresponding chain and number from the list. For this example, suppose we want to delete rule number one (1) of the INPUT chain. The command to do this is as follows.

$ sudo iptables -D INPUT 1


iptables is a powerful userspace-utility for the Linux firewall that can be used to protect Linux servers. A big benefit is that different rules can be defined based on your own preferences.

In this iptables tutorial you will learn how to install and use the tool. We hope that custom rule sets can be managed to filter incoming and outgoing packets.

The next related post might also be helpful, see in GeoIP Firewall Configuration on Debian and Ubuntu.

How useful was this post?

Click on a star to rate it!

Average rating / 5. Vote count:

No votes so far! Be the first to rate this post.

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Leave a Reply

Your email address will not be published. Required fields are marked *