Iptables Command Line Tool

From NovaOrdis Knowledge Base

Internal

Overview

iptables is a Linux userspace command line tool that manipulates the IPv4 filtering rules. The IPv6 equivalent is ip6tables. The tools can be used to list the rules loaded in memory and add and remove rules. All the changes only reflect in memory and won't survive a reboot, unless the associated service's configuration files are correspondingly updated.

iptables always targets the "filter" table by default. In order to change the target table, use the -t <table-name> option.

Commands

List Rules

Tactical:

iptables -L -v

More details:

iptables -L -nv --line-numbers

The command lists all rules in the selected chain. If no chain is selected, all chains are listed.

The command applies to the specified table ("filter" is the default). If you need to list rules from a table other than "filter", use -t (example -t nat).

The command is often used with the -n option, in order to avoid long reverse DNS lookups.

Add a Rule to the Default Table

iptables -A <chain> -i <interface> -p <protocol> -s <source>  [-m <module> <module-config>] -j <target>

The rule will only be added in memory

The rule will only be added in memory and won't survive a reboot. In order to make the rule permanent TODO.

The rule will be added at the bottom of the chain

By default, the rule will be added at the bottom of the chain, after the last existing rule. This means that all existing rules will be evaluated before a packet reaches the newly added rule, so if there's a previous rule that discards the packet, the newly added rule might never be exercised. For that reason, you may want to insert the rule at a specific position in the chain. See #Insert_a_Rule_into_the_Default_Table.

The rule will be added to the "filter" table

The rule will be added to the "filter" table. If you need to add the rule to a different table, use -t.

Chain

The target chain is specified with -A. It can be one of INPUT, OUTPUT, FORWARD, PREROUTING and POSTROUTING.

Interface

The network interface to apply the rule to is specified with -i. It must be one of your existing network interfaces (example "eth0"). If -i is not specified, the rule applies to all interfaces.

Protocol

The protocol to apply the rule to is specified with -p. It must be one of the known protocols, such as "tcp" or "udp". To specify the rule applies to all protocols, use -p all. If -p is not specified, the rule applies to all protocols.

Source

The source specification:

-s, --source address[/mask][,...]

Address can be:

  • a network name TODO example
  • a hostname TODO example
  • a network IP address (with /mask) TODO example
  • a plain IP address. TODO example

Hostnames will be resolved once only, before the rule is submitted to the kernel, but specifying any name to be resolved with a remote query such as DNS is a really bad idea.

The mask can be either an IPv4 network mask (for iptables) or a plain number, specifying the number of leading 1 bits in the network mask. Thus, an iptables mask of 24 is equivalent to 255.255.255.0.

A "!" argument before the address specification inverts the sense of the address.

The flag --src is an alias for this option. Multiple addresses can be specified, but this will expand to multiple rules (when adding with -A), or will cause multiple rules to be deleted (with -D).

For usage examples, see an example allowing incoming connections only from hosts on a specific subnet.

Module Configuration

-m stands for module and it is used to specify module-specific configuration. See the Modules section for more details. TODO.

Target

-j stands for jump and it is used to specify the rule's target: ACCEPT, REJECT, DROP, etc.

Example of allowing external HTTP access on a specific interface:

iptables -A INPUT -i enp0s25 -p tcp --dport 80 -j ACCEPT

--sport

Stands for source port. In order to use matches such as destination or source ports (--dport or --sport), you must first specify the protocol (tcp, udp, icmp, all).

--dport

Stands for destination port. In order to use matches such as destination or source ports (--dport or --sport), you must first specify the protocol (tcp, udp, icmp, all).

Insert a Rule into the Default Table

Use -I instead of -A and also specify the rule number:

iptables -I <chain> <rule-number> ...

If the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

Commit

TODO: After adding and testing a rule, it must be committed, otherwise the rule will be lost when the iptables service restarts!

Setting the Default Policy of A Chain

iptables -P <chain-name> <default-policy>

Example

iptables -P INPUT DROP

Flushing All Rules

iptables -F

Note this does not change the default policy of the chains.

Delete a rule

iptables -D <chain> <rule-number> ...
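The ordering point made above for -A versus -I, together with -P and -F, can be seen in this added example (not code from the wiki page or from the iptables project): a small Python model of first-match chain evaluation, with the chain, rule and packet layout as assumptions of the model rather than anything iptables itself exposes.

```python
"""Model of iptables first-match evaluation: -A, -I, -P and -F (added example)."""
import ipaddress

class Chain:
    def __init__(self, policy="ACCEPT"):
        self.policy = policy           # iptables -P <chain> <policy>
        self.rules = []                # evaluated top to bottom, first match wins

    def append(self, rule):            # iptables -A: rule goes to the bottom
        self.rules.append(rule)

    def insert(self, rule, number=1):  # iptables -I <chain> <number>: 1-based
        self.rules.insert(number - 1, rule)

    def flush(self):                   # iptables -F: rules gone, policy unchanged
        self.rules.clear()

    def verdict(self, packet):
        for rule in self.rules:
            if rule.matches(packet):
                return rule.target
        return self.policy             # no rule matched: default policy applies

class Rule:
    def __init__(self, target, proto=None, src=None, dport=None, state=None):
        self.target = target           # -j
        self.proto = proto             # -p
        # -s address[/mask]; accepts a /24 style prefix or a dotted netmask
        self.src = ipaddress.ip_network(src, strict=False) if src else None
        self.dport = dport             # --dport (requires -p)
        self.state = state             # -m state --state

    def matches(self, p):
        if self.proto not in (None, "all") and p["proto"] != self.proto:
            return False
        if self.src and ipaddress.ip_address(p["src"]) not in self.src:
            return False
        if self.dport is not None and p.get("dport") != self.dport:
            return False
        return not self.state or p.get("state") in self.state

def demo():
    chain = Chain(policy="DROP")                                     # -P INPUT DROP
    chain.append(Rule("ACCEPT", state={"ESTABLISHED", "RELATED"}))   # -A ... -m state
    chain.append(Rule("DROP", proto="all"))                          # -A catch-all
    chain.append(Rule("ACCEPT", "tcp", "10.0.0.0/255.255.255.0", 22))  # -A: shadowed
    ssh = {"proto": "tcp", "src": "10.0.0.7", "dport": 22, "state": "NEW"}  # constructed
    shadowed = chain.verdict(ssh)                                    # DROP
    chain.insert(Rule("ACCEPT", "tcp", "10.0.0.0/24", 22), 2)        # -I INPUT 2
    fixed = chain.verdict(ssh)                                       # ACCEPT
    chain.flush()
    return shadowed, fixed, chain.verdict(ssh)                       # -F keeps DROP policy
```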

Modules

state

Reads the connection state and can be used to express conditions based on the connection's state.

For example, to specify that only the new connections are allowed, use this configuration:

-m state --state NEW


More details are available here:

iptables State Module

mac

Reads the MAC address.

tcp

Allows specification of TCP-related configuration.

For example, to identify TCP connections to port 80, use the following configuration:

-m tcp --dport 80

iptables Command Line Tool Examples