Iptables Command Line Tool
Internal
Overview
iptables is the Linux userspace command line tool that manipulates the kernel's (netfilter) IPv4 packet filtering rules. The IPv6 equivalent is ip6tables, and the two rulesets are independent: a rule added with iptables does nothing for IPv6 traffic, so a host that only gets IPv4 rules may still be reachable over IPv6. The tool can list the rules currently loaded in the kernel and add, insert and remove rules. All changes take effect immediately but only in kernel memory and do not survive a reboot, unless the ruleset is saved (iptables-save) and loaded again at boot (iptables-restore, usually driven by the distribution's service or configuration files).
iptables operates on the "filter" table by default. To work on another table (nat, mangle, raw), use the -t <table-name> option.
Commands
List Rules
iptables -L -nv --line-numbers
The command lists all rules in the selected chain. If no chain is selected, all chains of the table are listed, together with each built-in chain's policy (the action taken when no rule matches).
The command applies to the specified table ("filter" is the default). To list rules from a table other than "filter", use -t (example: -t nat).
The command is usually run with -n, which prints numeric addresses and ports instead of doing slow reverse DNS and service-name lookups; -v adds packet and byte counters and the interfaces, and --line-numbers prints each rule's position in the chain, which is the number that -I (insert) and -D (delete) accept.
Add a Rule to the Default Table
iptables -A <chain> -i <interface> -p <protocol> -s <source> [-m <module> <module-config>] -j <target>
The rule will only be added in memory
- The rule will only be added in memory and won't survive a reboot. To make the rule permanent, dump the running ruleset with iptables-save and have it loaded at boot with iptables-restore (for example via the iptables-persistent package on Debian/Ubuntu or the iptables service on other distributions).
The rule will be added at the bottom of the chain
- By default, -A appends the rule at the bottom of the chain, after the last existing rule. All existing rules are evaluated before a packet reaches the new rule, so if an earlier rule already accepts or discards the packet, the new rule is never reached. To control this, insert the rule at a specific position with -I <chain> [rulenum] instead of -A; the positions are the ones shown by --line-numbers, and a missing rulenum inserts at the top.
The rule will be added to the "filter" table
- The rule will be added to the "filter" table. If you need to add the rule to a different table, use -t.
Chain
The chain is given as the argument of -A (or -I). In the default "filter" table the built-in chains are INPUT (packets addressed to this host), OUTPUT (packets generated by this host) and FORWARD (packets routed through this host). PREROUTING and POSTROUTING exist only in the nat, mangle and raw tables, so selecting them requires -t. A user-defined chain (created with -N) can be used in the same place.
Interface
The network interface the packet arrived on is specified with -i. It must be one of your existing interfaces (example: "eth0"; a trailing "+" acts as a wildcard, such as "eth+"). -i is only valid in chains that see incoming packets (INPUT, FORWARD, PREROUTING); for packets leaving the host (OUTPUT, POSTROUTING, FORWARD) the outgoing interface is matched with -o. If neither is specified, the rule applies to all interfaces.
Protocol
The protocol to apply the rule to is specified with -p. It must be one of the known protocols, such as "tcp", "udp" or "icmp" (or a number from /etc/protocols). If -p is not specified, the rule applies to all protocols. Port matches such as --dport and --sport only exist for tcp and udp and require -p to be given first on the command line.
Source
The source address is specified with -s. It accepts a single address (192.0.2.10), a network in CIDR notation (192.0.2.0/24) or a hostname (resolved once, when the rule is added), and can be negated with "!" (! -s 192.0.2.0/24). The destination address is matched the same way with -d. If -s is not specified, packets from any source match. Note that the source address is taken from the IP header, which the sender controls, so for stateless traffic (UDP, ICMP, the first SYN of a TCP connection) it can be forged; pair address-based rules with conntrack or per-interface restrictions where that matters.
Module Configuration
-m stands for match (the man page's term is "match extension"; they are often called modules) and loads an extension whose own options then become available, for example -m conntrack --ctstate NEW or -m limit --limit 5/second. Several -m clauses can be combined in one rule; the extension's options must come after the -m that loads it. See the #Modules section for more details.
TODO
Target
-j stands for jump and it is used to specify the rule's target, that is, what happens to a matching packet: ACCEPT (let it through), DROP (discard it silently), REJECT (discard it and send an error back, an ICMP message by default or, with --reject-with tcp-reset, a TCP RST), LOG (write it to the kernel log and continue evaluating the chain, since LOG is not terminating), RETURN (stop evaluating the current chain) or the name of a user-defined chain to continue in. DROP reveals nothing to a port scanner but makes legitimate clients wait for a timeout; REJECT fails fast but confirms the host is filtering.
Example of allowing inbound HTTP (TCP port 80) on a specific interface:
iptables -A INPUT -i enp0s25 -p tcp --dport 80 -j ACCEPT
Without --dport the rule would accept every TCP port on that interface, not just HTTP.
Modules
state
Matches on the connection-tracking state of the packet: --state NEW (first packet of a flow), ESTABLISHED (part of a flow already seen in both directions), RELATED (a new flow associated with an existing one, such as an FTP data connection or an ICMP error) or INVALID (not associated with any known flow, e.g. a stray ACK). It is the older form of the conntrack match; current iptables documents -m conntrack --ctstate with the same state names, and the typical stateful firewall accepts ESTABLISHED,RELATED early in the chain, drops INVALID, and only then decides about NEW packets.
mac
Matches the source MAC address of the Ethernet frame (--mac-source 00:11:22:33:44:55). It is only meaningful in the PREROUTING, FORWARD and INPUT chains on Ethernet-type interfaces, and the address it sees is that of the last hop on the local segment (a router's MAC for traffic from elsewhere). Because a MAC address is trivially forged by anyone on the same segment, treat it as defence in depth alongside an address and port restriction, not as authentication.
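A complete INPUT policy that exercises the options from the "Add a Rule" section (chain, -i, -p, -s, -m and -j), uses the conntrack and mac matches from the Modules section, and fills in the persistence step by writing the rules in the iptables-save format that iptables-restore loads. This is an added example, not commands from the original page. The interface names (enp0s25, eth1), the admin network (192.0.2.0/24) and the admin workstation MAC are assumed values, and the lint function is part of this example, not an iptables feature.

```shell
#!/bin/sh
# Added example (not from the original page). Builds a filter-table ruleset as
# text in iptables-save format so it can be reviewed and version-controlled,
# then loads it atomically with iptables-restore. All four values below are
# assumptions; override them from the environment for a real host.
WAN_IF="${WAN_IF:-enp0s25}"                  # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"                     # assumed management interface
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"       # assumed admin network (TEST-NET-1)
ADMIN_MAC="${ADMIN_MAC:-00:11:22:33:44:55}"  # assumed admin workstation MAC

# Emit the filter table. Rules are listed in evaluation order (first match
# wins): conntrack decisions come first, service rules follow, and the policy
# on each ":CHAIN POLICY" line is the fallback when nothing matches.
ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -p tcp -s $ADMIN_NET --dport 22 -m mac --mac-source $ADMIN_MAC -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -m limit --limit 3/minute -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# Number of rules that will be appended (one "-A" line each).
rule_count() { ruleset | grep -c '^-A '; }

# Lint (this example's own check, not an iptables feature): count INPUT
# ACCEPT rules that are not scoped by a port, the loopback interface,
# connection state or an ICMP type. A rule like
# "-A INPUT -i enp0s25 -p tcp -j ACCEPT" opens every TCP port on that
# interface and is exactly what this catches. Reads rules from stdin.
lint() {
    awk '/^-A INPUT .*-j ACCEPT/ && !/--dport |-i lo |--ctstate ESTABLISHED|--icmp-type / { n++ }
         END { print n + 0 }'
}
unscoped_accepts() { ruleset | lint; }

# Replace the whole filter table in one step. iptables-restore loads the table
# atomically, unlike a series of individual "iptables -A" calls, which leaves
# the host half-configured if one of them fails. Requires root.
apply() {
    if [ "$(unscoped_accepts)" -ne 0 ]; then
        echo "refusing to load: ruleset contains an unscoped ACCEPT" >&2
        return 1
    fi
    ruleset | iptables-restore && iptables -L INPUT -nv --line-numbers
}

if [ "${APPLY_RULES:-0}" = 1 ]; then
    apply
else
    ruleset    # dry run: print what would be loaded
fi
```

Run it without arguments to print the ruleset; run it as root with APPLY_RULES=1 to load the rules and list the result. The text it prints is what iptables-save produces, so storing that file and feeding it to iptables-restore at boot is the persistence mechanism the "Add a Rule" section leaves open. It covers IPv4 only; an equivalent file loaded with ip6tables-restore is needed, or IPv6 traffic stays unfiltered.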