HxHippy

iptables

Administration tool for IPv4 packet filtering and NAT

Overview

iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel, and so to configure firewall rules for security and network traffic control.

Syntax

iptables [-t table] {-A|-C|-D} chain rule-specification

Common Options

-L, --list [chain]

List all rules in the selected chain. If no chain is selected, all chains are listed.

-A, --append chain

Append one or more rules to the end of the selected chain.

-D, --delete chain

Delete one or more rules from the selected chain.

-I, --insert chain [rulenum]

Insert one or more rules in the selected chain at the given rule number.

-F, --flush [chain]

Flush the selected chain (delete all rules).

-P, --policy chain target

Set the policy for the chain to the given target.

-p, --protocol protocol

The protocol of the rule (tcp, udp, icmp, all).

-s, --source address

Source address specification.

-d, --destination address

Destination address specification.

--dport port

Destination port (requires -p tcp or -p udp).

--sport port

Source port (requires -p tcp or -p udp).

-j, --jump target

Target of the rule (ACCEPT, DROP, REJECT, LOG).

-i, --in-interface name

Name of an interface via which a packet was received.

-o, --out-interface name

Name of an interface via which a packet is going to be sent.

-m, --match match

Specifies a match to use (state, multiport, conntrack).

-n, --numeric

Numeric output of addresses and ports.

-v, --verbose

Verbose output.

Examples

$ sudo iptables -L -n -v

List all rules with numeric addresses and packet counters.

$ sudo iptables -P INPUT DROP

Set the default policy for the INPUT chain to DROP (deny all incoming traffic not matched by an ACCEPT rule). On a remote host, add the ACCEPT rules for loopback, established connections and SSH before switching the policy, or the current session is cut off.

$ sudo iptables -A INPUT -i lo -j ACCEPT

Allow all traffic on loopback interface.

$ sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow established and related connections.

$ sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow incoming SSH connections on port 22.

$ sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Allow incoming HTTP connections on port 80.

$ sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allow incoming HTTPS connections on port 443.

$ sudo iptables -A INPUT -p icmp -j ACCEPT

Allow all ICMP traffic, including ping (echo) requests.

$ sudo iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

Allow all traffic from 192.168.1.0/24 subnet.

$ sudo iptables -D INPUT -p tcp --dport 8080 -j ACCEPT

Delete the rule allowing port 8080.

$ sudo iptables -F

Flush (delete) all rules from all chains of the filter table. Chain policies are not reset by -F: if the INPUT policy is DROP, flushing leaves every incoming packet dropped.

$ sudo iptables-save > /etc/iptables.rules

Save current rules to a file.

$ sudo iptables-restore < /etc/iptables.rules

Restore rules from a file.
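The examples above, taken together, build one default-deny INPUT firewall; appending them one at a time with -A (and setting the policy first) leaves a window in which a remote session is cut off, and a typo in one rule leaves the set half applied. The helper below is an added example, not code from the page, that renders the same ruleset in iptables-save format so it can be checked and applied atomically with iptables-restore; the function name gen_ruleset, the use of the conntrack match in place of the page's state match, and the rate-limited LOG rule are assumptions.

```shell
#!/bin/sh
# Hypothetical helper (not part of the page): render a default-deny INPUT
# ruleset in iptables-save format for atomic application with iptables-restore.
# Usage: gen_ruleset PORT [PORT...]   e.g.  gen_ruleset 22 80 443
gen_ruleset() {
    # Validate every port before emitting anything: one bad rule would make
    # iptables-restore reject the whole file, so fail early instead.
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "gen_ruleset: invalid port '$p'" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "gen_ruleset: port out of range '$p'" >&2; return 1
        fi
    done
    # Policies and the always-needed rules come first: loopback, replies to
    # connections this host opened, then ping. Order matters because the
    # first matching rule wins.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # One ACCEPT per requested TCP service, limited to new connections.
    for p in "$@"; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log a rate-limited sample of what the DROP policy will discard, then COMMIT.
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    echo 'COMMIT'
}

# Apply (assumed workflow): gen_ruleset 22 80 443 > /tmp/rules.v4 \
#   && sudo iptables-restore --test /tmp/rules.v4 \
#   && sudo iptables-restore /tmp/rules.v4
```

iptables-restore --test parses the file without committing it, so a malformed rule is caught before the live ruleset is replaced.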
