The Serpent

// Cursing the Internet since 1998

Linux iptables

Posted Aug 10, 2019 · Updated Dec 27, 2020 · Cheatsheet

Linux includes a built-in firewall known as iptables, but it’s rather open by default. Applying some basic rules is recommended for all new installations.

Ensure you have root access first. Let’s take a look at the current state of the firewall:

root@linux:/home/user# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The firewall by default is very open, with no rules. There are three ‘chains’ available. The three chains relate to the following:

Chain     Purpose
INPUT     Incoming packets
FORWARD   Packets not specifically addressed to an interface IP on this host; used for routing / IP forwarding
OUTPUT    Outbound packets

Most commonly, you’ll want both INPUT and FORWARD dropping all traffic, while creating exceptions for packets you require. Outbound traffic is typically allowed on all ports.

By default all chains are set to ACCEPT, meaning all traffic is allowed.

Adding rules

Before we change this, let’s add our exceptions so we don’t lose SSH access. Let’s allow inbound SSH:

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -m comment --comment "Allow SSH Access"

This adds a new rule to the INPUT chain, accepting traffic destined for TCP port 22, in a NEW or ESTABLISHED state. We also add a handy comment to the rule.

We’ll also want to allow any ESTABLISHED, or RELATED connections, regardless of port:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

RELATED simply means the incoming packet is expected: it is related to another connection that the kernel is already tracking as ESTABLISHED.

Changing the defaults

Once we’ve established which connections are allowed, let’s change the default behaviour of the chains to DROP (except OUTPUT):

root@linux:/home/user# iptables -P FORWARD DROP
root@linux:/home/user# iptables -P INPUT DROP
root@linux:/home/user# iptables -P OUTPUT ACCEPT

Now if we check the firewall rules using iptables -L, we’ll see the changes have taken effect immediately.

Deleting rules

If you made a mistake and want to delete a rule, display them with line numbers:

iptables -L --line-numbers

You can then delete the line by referencing it along with the CHAIN:

iptables -D INPUT 2

Making rules persistent

One last thing to note – the changes are not persistent and will be deleted on reboot. To keep them, let’s save the rules somewhere:

iptables-save > /path/to/fwrules.fw

You’ll now have a file with the rules defined. We’ll now need to ensure these rules are applied at startup. How we do this depends on your Linux distribution, but iptables includes a handy tool to load them:

iptables-restore /path/to/fwrules.fw

On Debian-based systems, you can place this within /etc/network/interfaces under an up directive for your interface.
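Putting the whole procedure together, here is an added example script (written for this page, not code from the original post): it generates the complete ruleset in the same file format that iptables-save writes and iptables-restore reads, sanity-checks it, and loads it as a single transaction, so the INPUT policy never flips to DROP before the SSH exception exists. The loopback rule, the SSH_PORT variable, the file path /etc/iptables/fwrules.fw and the iptables-restore --test step are assumptions beyond the post; the redirect form `iptables-restore < file` is used because older versions read only from standard input.

```shell
#!/bin/sh
# Added example, not from the original post: build, check and load the whole
# ruleset as one iptables-restore file instead of adding rules one at a time.
# SSH_PORT, RULES_FILE, the loopback rule and the --test step are assumptions.

SSH_PORT="${SSH_PORT:-22}"
RULES_FILE="${RULES_FILE:-/etc/iptables/fwrules.fw}"   # assumed path

# Emit the ruleset in the format iptables-save writes and iptables-restore
# reads: the table name, one ":CHAIN POLICY [packets:bytes]" line per chain,
# the rules, then COMMIT. Lines starting with '#' are ignored by restore.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Local services talk to each other over loopback; allow it explicitly.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, plus helper-related flows.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Inbound SSH; the comment keeps 'iptables -L' output readable.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT -m comment --comment "Allow SSH Access"
COMMIT
EOF
}

# Refuse any ruleset that sets INPUT to DROP without an accept rule for the
# SSH port: loading such a file on a remote host locks the administrator out.
check_ruleset() {
    rs="$1"
    printf '%s\n' "$rs" | grep -q '^\*filter$' || return 1
    printf '%s\n' "$rs" | grep -q '^COMMIT$'   || return 1
    if printf '%s\n' "$rs" | grep -q '^:INPUT DROP'; then
        printf '%s\n' "$rs" | grep -q -- "--dport ${SSH_PORT} .*-j ACCEPT" || return 1
    fi
    return 0
}

# Validate, save to RULES_FILE, parse with --test, then load atomically.
# Because restore commits the whole table at once, there is no moment where
# the policy is DROP but the SSH exception is missing. Needs root.
apply_ruleset() {
    rs="$(gen_ruleset)"
    check_ruleset "$rs" || { echo "ruleset failed sanity check" >&2; return 1; }
    mkdir -p "$(dirname "$RULES_FILE")"
    printf '%s\n' "$rs" > "$RULES_FILE"
    iptables-restore --test < "$RULES_FILE" || return 1
    iptables-restore < "$RULES_FILE"
}

# Usage: sh fwrules.sh print  (show the file)  |  sh fwrules.sh apply  (as root)
case "${1:-}" in
    print) gen_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Run `sh fwrules.sh print` first to inspect the generated file. When applying on a remote host, arm a timed rollback before `apply` (for example a backgrounded `sleep 120 && iptables-restore < /path/to/previous.fw`) and cancel it only once a fresh SSH login succeeds; the check in the script catches a missing SSH rule, but not a wrong port or a typo in the address you are connecting from.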

Written by John Payne