iptables command usage

In this blog entry we explain how to use the iptables command and the options available as part of the command.

iptables is a command-line firewall utility that uses an ordered list of rules to allow or block traffic; its rules accept or reject incoming connections. Edit the firewall rules with great care, since a wrong rule can lock you out of the host. iptables comes pre-installed on Linux distributions.

The Linux kernel uses the Netfilter facility to filter packets, allowing some of them to be received by or pass through the system while stopping others. This facility is built into the Linux kernel and provides three built-in tables (rule lists): filter, nat and mangle.

This post covers the filter table, the default table for handling network packets.

Each table has a group of built-in chains, which correspond to the points at which netfilter acts on a packet. The built-in chains for the filter table are INPUT, OUTPUT and FORWARD. Every chain has a default policy, which is one of ACCEPT, DROP, REJECT or QUEUE.

To list the current rules, issue the following command from any shell prompt:

iptables -L


iptables -L -v can also be given; the verbose listing adds two leading columns showing the network usage of each rule (packets and bytes matched).

If you want to view the rules with line numbers (the filter table is named explicitly here with -t filter, although it is the default):

iptables -L INPUT -t filter --line-numbers


  • Basic command to allow a port through the firewall:

iptables -A INPUT -p tcp -m tcp --dport 7800 -j ACCEPT

  • To allow connections from an IP address:

iptables -A INPUT -p tcp --dport ssh -s 10.0.0.0 -j ACCEPT

  • To drop connections from an IP address:

iptables -A INPUT -p tcp --dport ssh -s 10.0.0.0 -j DROP

  • To allow a range of IP addresses, given as a CIDR prefix (the prefix length must be between 0 and 32):

iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT

  • To drop a range of IP addresses, given with a dotted-decimal netmask instead of a prefix length:

iptables -A INPUT -s 10.0.0.0/255.255.255.0 -j DROP


ACCEPT and REJECT rules are the two main things to look out for. Rules in a chain are evaluated in order and the first match wins, so make sure that every ACCEPT rule for a port you open sits above the REJECT rule and not after it; otherwise the port stays blocked. When line numbers are shown, it becomes easy to make such changes by inserting the rule above the REJECT. The sample rule below adds the SNMP port, 161 over UDP, at line number 5:

iptables -I INPUT 5 -j ACCEPT -p udp --dport 161
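The ordering pitfall just described can be checked mechanically. The script below is an added example, not part of the original post: it reads an INPUT chain in the format printed by iptables -S INPUT, reports ACCEPT rules that sit below the first catch-all REJECT/DROP (where they can never match), and prints the iptables -I INPUT command that places a new rule above that line. The ruleset it inspects is constructed inline, so it runs without root or iptables installed.

```shell
#!/bin/sh
# Added example, not from the original post. Lint for the rule-ordering
# pitfall: ACCEPT rules placed after a catch-all REJECT/DROP never match.
# Input format is what "iptables -S INPUT" prints; the ruleset below is
# constructed for the demo, so no root or iptables binary is needed.

SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p udp -m udp --dport 161 -j ACCEPT'

# Line number (counting -A rules only, as "iptables -L --line-numbers" does)
# of the first REJECT/DROP rule that carries no match options; 0 if none.
first_reject_line() {
    printf '%s\n' "$1" | awk '
        /^-A / { n++
            if ($0 ~ /-j (REJECT|DROP)/ && $0 !~ / -(p|s|d|i|o|m) /) { found = n; exit }
        }
        END { print found + 0 }'
}

# ACCEPT rules that sit after the catch-all reject, one "<line>: <rule>" per line.
shadowed_accepts() {
    reject_at=$(first_reject_line "$1")
    printf '%s\n' "$1" | awk -v reject_at="$reject_at" '
        /^-A / { n++; if (reject_at > 0 && n > reject_at && $0 ~ /-j ACCEPT/) print n ": " $0 }'
}

# The command that adds rule spec $2 so it is evaluated before the reject;
# falls back to appending when the chain has no catch-all reject.
insert_command() {
    reject_at=$(first_reject_line "$1")
    if [ "$reject_at" -gt 0 ]; then
        printf 'iptables -I INPUT %s %s\n' "$reject_at" "$2"
    else
        printf 'iptables -A INPUT %s\n' "$2"
    fi
}

echo "catch-all reject at line: $(first_reject_line "$SAMPLE_RULES")"
echo "shadowed ACCEPT rules:"
shadowed_accepts "$SAMPLE_RULES"
echo "fix with:"
insert_command "$SAMPLE_RULES" '-p udp -m udp --dport 161 -j ACCEPT'
```

On a live host, replace SAMPLE_RULES with the output of iptables -S INPUT and review the printed command before running it.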


To save the changes, issue the command:

service iptables save


CentOS iptables command information here.