iptables Command: Tutorial & Examples
Show and configure the kernel's firewall
iptables is a command-line utility that allows you to configure the Linux kernel's built-in firewall. It is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel.
The Linux kernel's packet filtering capabilities are implemented in the form of tables, each of which contains a set of rules. The iptables command allows you to create, modify, and delete rules in these tables. The tables are organized into chains, and each rule in a chain specifies what action should be taken when a packet matches the rule.
Here are some examples of common iptables commands:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
This command appends a rule to the INPUT chain that allows incoming TCP packets to port 80 (HTTP). The -A option specifies that the rule should be appended to the end of the chain, and the -j ACCEPT option specifies that a packet matching the rule should be accepted.
iptables -D INPUT -p udp --dport 53 -j ACCEPT
This command deletes a rule from the INPUT chain that allows incoming UDP packets to port 53 (DNS). The -D option specifies that the rule should be deleted, and the rest of the options identify the rule to be deleted.
iptables -L
This command lists all the rules in the iptables firewall. The -L option specifies that the rules should be listed. Typical output might look like this:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DROP all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
DROP all -- anywhere anywhere ADDRTYPE match dst-type ANYCAST
DROP all -- anywhere base-address.mcast.net/4
ACCEPT tcp -- anywhere anywhere multiport dports ssh,10222 tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
DROP udp -- anywhere anywhere multiport dports loc-srv,microsoft-ds
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
DROP udp -- anywhere anywhere udp spt:domain
REJECT tcp -- anywhere anywhere tcp dpt:auth flags:FIN,SYN,RST,ACK/SYN ctstate NEW reject-with tcp-reset
ACCEPT icmp -- anywhere anywhere icmp echo-reply ctstate NEW
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable ctstate NEW
ACCEPT icmp -- anywhere anywhere icmp time-exceeded ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN ctstate NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:https flags:FIN,SYN,RST,ACK/SYN ctstate NEW
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
To flush all rules in the iptables firewall you can run:
iptables -F
Warning: -F removes the rules but leaves the chain policies in place. With the default ACCEPT policies no ports will be blocked anymore after this, so take care that no databases or important services are exposed to the public internet; with a DROP policy on INPUT, as in the listing above, the flush instead blocks all incoming traffic, including your own SSH session.
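The listing above, expressed as a complete default-deny ruleset in iptables-restore format (an added example, not code from the page): it loads all rules in one step instead of flushing and re-adding them one by one, which matters on a host whose INPUT policy is already DROP. The names build_ruleset, apply_ruleset, rule_count and the SSH_PORT variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the page: the listing above as a complete filter-table
# ruleset in iptables-restore format. build_ruleset, apply_ruleset, rule_count
# and SSH_PORT are names chosen for this example.
SSH_PORT="${SSH_PORT:-22}"

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections this host opened pass; malformed state is dropped
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# local processes talking to each other over loopback
-A INPUT -i lo -j ACCEPT
# broadcast and multicast noise is dropped silently
-A INPUT -m addrtype --dst-type BROADCAST -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -j DROP
# new TCP connections only to the published services, initial SYN only
-A INPUT -p tcp --syn --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --syn -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# ICMP types needed for path MTU discovery and traceroute/ping diagnostics
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
COMMIT
EOF
}

# Parse-check the ruleset first, then load it atomically: iptables-restore
# replaces the whole filter table in one step, so there is no window with a
# DROP policy and no ACCEPT rules, which is what "iptables -F" followed by a
# series of "iptables -A" commands would open on a host whose policy is DROP.
apply_ruleset() {
    build_ruleset | iptables-restore --test || return 1
    build_ruleset | iptables-restore
}

# Number of rules the ruleset installs (used to sanity-check the generator).
rule_count() {
    build_ruleset | grep -c '^-A '
}
```

apply_ruleset needs root; iptables-restore --test only parses the ruleset without committing it, so a typo is caught before the live firewall is touched.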
Info: iptables is nowadays considered legacy. The recommended way to configure the firewall now is to use nft, the nftables command-line tool.