What it is
iptables is a command-line utility for configuring the Linux kernel firewall, allowing you to define rules for filtering and manipulating network packets. You reach for it when you need fine-grained control over network traffic entering, leaving, or passing through your Linux system.
Installation
iptables is typically pre-installed on most Linux distributions. If not:
Debian/Ubuntu:

```bash
sudo apt update
sudo apt install iptables
```

CentOS/RHEL/Fedora:

```bash
sudo yum update
sudo yum install iptables
```

or

```bash
sudo dnf update
sudo dnf install iptables
```

Arch Linux:

```bash
sudo pacman -Syu
sudo pacman -S iptables
```
Windows:
iptables is a Linux-specific tool and cannot be directly installed or used on Windows. For Windows firewall management, use the built-in Windows Defender Firewall with Advanced Security or PowerShell cmdlets like New-NetFirewallRule.
Core Concepts
- Tables: iptables organizes rules into tables. The most common are:
  - filter (default): Used for packet filtering (allowing or denying traffic).
  - nat: Used for Network Address Translation (e.g., masquerading outgoing connections).
  - mangle: Used for altering packet headers (e.g., for Quality of Service).
  - raw: Used for special handling of packets before connection tracking.
- Chains: Within each table, rules are organized into chains. The built-in chains are:
  - INPUT: For packets destined for the local system.
  - OUTPUT: For packets originating from the local system.
  - FORWARD: For packets passing through the system (routing).
  - PREROUTING: In the nat and mangle tables, for packets before routing decisions.
  - POSTROUTING: In the nat and mangle tables, for packets after routing decisions.
- Rules: A rule specifies criteria (matches) and a target (action to take).
- Targets: The action to take when a packet matches a rule. Common targets include:
  - ACCEPT: Allow the packet.
  - DROP: Silently discard the packet.
  - REJECT: Discard the packet and send an error message back to the sender.
  - SNAT: Source Network Address Translation (change source IP).
  - MASQUERADE: A form of SNAT for dynamic IP addresses.
  - DNAT: Destination Network Address Translation (change destination IP).
  - LOG: Log the packet (usually before another target).
- Policy: The default action for a chain if no rule matches.
Commands / Usage
Listing Rules
- List all rules in the filter table:

  ```bash
  sudo iptables -L
  ```

  Shows rules in the INPUT, FORWARD, and OUTPUT chains.
- List rules with line numbers and verbose output:

  ```bash
  sudo iptables -L -v -n --line-numbers
  ```

  Useful for identifying specific rules for modification or deletion. -n prevents DNS lookups for IPs.
- List rules in a specific table:

  ```bash
  sudo iptables -t nat -L -v -n
  ```

  Lists rules in the nat table.
- List rules in a specific chain:

  ```bash
  sudo iptables -L INPUT -v -n
  ```

  Lists rules only in the INPUT chain.
Adding Rules
- Allow SSH traffic on the INPUT chain:

  ```bash
  sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  ```

  Appends a rule to the INPUT chain to accept TCP packets destined for port 22.
- Drop all incoming traffic on the INPUT chain (default deny):

  ```bash
  sudo iptables -P INPUT DROP
  ```

  Sets the default policy for the INPUT chain to DROP. Use with extreme caution! Ensure you have allowed essential services first.
- Allow all outgoing traffic on the OUTPUT chain:

  ```bash
  sudo iptables -A OUTPUT -j ACCEPT
  ```

  Appends a rule to the OUTPUT chain to accept all outgoing packets.
- Insert a rule at a specific position:

  ```bash
  sudo iptables -I INPUT 1 -i eth0 -p icmp -j ACCEPT
  ```

  Inserts a rule at position 1 in the INPUT chain to accept ICMP traffic from the eth0 interface.
- Allow established and related connections:

  ```bash
  sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ```

  Crucial for allowing return traffic for outgoing connections.
- Block an IP address from accessing the server:

  ```bash
  sudo iptables -A INPUT -s 192.168.1.100 -j DROP
  ```

  Drops all incoming packets from the source IP 192.168.1.100.
- Allow traffic only from a specific internal network:

  ```bash
  sudo iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
  ```

  Accepts incoming traffic on interface eth0 from the 192.168.0.0/24 subnet.
- Allow HTTP and HTTPS traffic:

  ```bash
  sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  ```
- Masquerade outgoing traffic for a specific interface:

  ```bash
  sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  ```

  Changes the source IP address of outgoing packets on eth0 to the IP address of eth0. Essential for sharing internet connections.
- Forward traffic from one interface to another:

  ```bash
  sudo iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
  sudo iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
  ```

  Allows traffic to flow from eth0 to eth1 and the corresponding return traffic. Requires IP forwarding to be enabled (sysctl net.ipv4.ip_forward=1).
- Log dropped packets (before dropping them):

  ```bash
  sudo iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: "
  sudo iptables -A INPUT -j DROP
  ```

  Logs packets that would be dropped, then drops them.
Deleting Rules
- Delete a rule by its number:

  ```bash
  sudo iptables -D INPUT 3
  ```

  Deletes the 3rd rule in the INPUT chain. Use iptables -L --line-numbers to find numbers.
- Delete a rule by specifying the exact rule:

  ```bash
  sudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT
  ```

  Deletes the exact rule that accepts TCP traffic on port 80.
- Flush all rules from a chain:

  ```bash
  sudo iptables -F INPUT
  ```

  Removes all rules from the INPUT chain.
- Flush all rules from all chains in a table:

  ```bash
  sudo iptables -t nat -F
  ```

  Removes all rules from all chains in the nat table.
- Flush all rules from all chains in all tables:

  ```bash
  sudo iptables -P INPUT ACCEPT && sudo iptables -P FORWARD ACCEPT && sudo iptables -P OUTPUT ACCEPT
  sudo iptables -F
  sudo iptables -t nat -F
  sudo iptables -t mangle -F
  sudo iptables -t raw -F
  ```

  Resets the firewall to a permissive state. Use with extreme caution!
Modifying Rules
- Replace a rule:

  ```bash
  sudo iptables -R INPUT 2 -s 10.0.0.5 -j ACCEPT
  ```

  Replaces the 2nd rule in the INPUT chain with a new rule allowing traffic from 10.0.0.5.
Other Commands
- Zero packet and byte counters:

  ```bash
  sudo iptables -Z
  ```

  Resets the counters for all rules.
- Zero counters for a specific chain:

  ```bash
  sudo iptables -Z INPUT
  ```
- Save current rules (distribution dependent):
  - Debian/Ubuntu (using iptables-persistent):

    ```bash
    sudo apt install iptables-persistent
    sudo netfilter-persistent save
    ```
  - CentOS/RHEL/Fedora:

    ```bash
    sudo service iptables save
    ```

    or

    ```bash
    sudo /sbin/iptables-save > /etc/sysconfig/iptables
    ```
- Restore saved rules (distribution dependent):
  - Debian/Ubuntu: Rules are usually restored automatically on boot if iptables-persistent is installed.
  - CentOS/RHEL/Fedora:

    ```bash
    sudo service iptables restore
    ```

    or

    ```bash
    sudo /sbin/iptables-restore < /etc/sysconfig/iptables
    ```
Common Patterns
- Basic Server Firewall (Allow SSH, HTTP, HTTPS, deny all else):

  ```bash
  # Flush existing rules
  sudo iptables -F
  sudo iptables -X
  sudo iptables -t nat -F
  sudo iptables -t nat -X
  # Set default policies to DROP
  sudo iptables -P INPUT DROP
  sudo iptables -P FORWARD DROP
  sudo iptables -P OUTPUT ACCEPT
  # Allow loopback traffic
  sudo iptables -A INPUT -i lo -j ACCEPT
  # Allow established and related connections
  sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Allow SSH
  sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  # Allow HTTP
  sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  # Allow HTTPS
  sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  # Log and drop everything else (optional, for debugging)
  # sudo iptables -A INPUT -j LOG --log-prefix "IPTables-Denied: "
  # sudo iptables -A INPUT -j DROP
  ```
- Internet Connection Sharing (Masquerading):

  ```bash
  # Assuming eth0 is the WAN interface and eth1 is the LAN interface
  # Enable IP forwarding
  echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
  # Allow FORWARD traffic
  sudo iptables -P FORWARD ACCEPT
  # Masquerade outgoing traffic from LAN
  sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  # Allow established/related traffic back in
  sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
  sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
  ```
- Blocking a range of IPs:

  ```bash
  # Block IPs from 192.168.1.100 to 192.168.1.150
  sudo iptables -A INPUT -s 192.168.1.100/27 -j DROP
  ```

  (Note: /27 covers 32 IPs, adjust CIDR as needed. iptables masks the host bits, so 192.168.1.100/27 is stored as 192.168.1.96/27 and matches 192.168.1.96 through 192.168.1.127; a range that is not CIDR-aligned needs several prefixes or the iprange match.)
- Rate limiting connections to prevent DoS:

  ```bash
  sudo iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j DROP
  ```

  Drops new connection attempts to port 80 from a source address that already has more than 100 connections open (connlimit counts per source address by default).
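The patterns above are typed as a sequence of `iptables -A` commands, which leaves the kernel running a half-built table between steps and, with a DROP policy set first, can cut off the SSH session doing the work. The script below is an added example (not part of the original page): it emits the basic server firewall as one iptables-restore file, so the whole ruleset is loaded as a single transaction, and `apply_with_rollback` checks the file with `iptables-restore --test`, loads it, and reverts to the previous rules after a timeout unless the operator confirms. The variables SSH_PORT, ADMIN_NET (a constructed documentation-range value) and WEB_PORTS are hypothetical; `build_ruleset` needs nothing installed, while `apply_with_rollback` assumes iptables-save and iptables-restore are present and run as root.

```shell
#!/bin/sh
# Added example, not code from the original page. Builds the "basic server
# firewall" pattern as one iptables-restore file and loads it atomically, with a
# timed rollback so a bad rule cannot lock you out. Assumptions (hypothetical):
# the SSH_PORT, ADMIN_NET and WEB_PORTS values below; iptables-save and
# iptables-restore exist when apply_with_rollback is actually run.

SSH_PORT=${SSH_PORT:-22}
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}   # constructed value (documentation range)
WEB_PORTS=${WEB_PORTS:-"80 443"}
ROLLBACK_SECS=${ROLLBACK_SECS:-60}

# Emit the full ruleset in iptables-save format. iptables-restore loads it as a
# single transaction, so the kernel never runs a half-built table the way a
# sequence of "iptables -A" commands leaves it between steps.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# order matters: loopback and return traffic are matched before anything else
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# management access is limited to the admin network and sits before the catch-all
-A INPUT -p tcp -s ${ADMIN_NET} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
EOF
    for port in $WEB_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
# rate-limited logging of what is about to be denied, then the catch-all drop
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Denied: "
-A INPUT -j DROP
COMMIT
EOF
}

# Number of rules appended to INPUT; a quick sanity check on the generated file.
count_input_rules() {
    build_ruleset | grep -c '^-A INPUT '
}

# Load the ruleset with a safety net: syntax-check it first (--test touches no
# tables), save the current rules, load the new ones, and revert automatically
# unless the operator confirms by removing the sentinel file within ROLLBACK_SECS.
apply_with_rollback() {
    new=$(mktemp) || return 1
    old=$(mktemp) || return 1
    sentinel=$(mktemp) || return 1
    build_ruleset > "$new"
    iptables-save > "$old"
    if ! iptables-restore --test "$new"; then
        echo "ruleset rejected by iptables-restore --test; nothing changed" >&2
        return 1
    fi
    iptables-restore "$new"
    ( sleep "$ROLLBACK_SECS"; [ -e "$sentinel" ] && iptables-restore "$old" ) &
    echo "new rules loaded; run 'rm $sentinel' within ${ROLLBACK_SECS}s to keep them"
}

case "${1:-}" in
    show)  build_ruleset ;;
    apply) apply_with_rollback ;;
esac
```

Run it as `sh firewall.sh show` to inspect the generated file, and `sudo sh firewall.sh apply` to load it; if the SSH session survives, remove the sentinel file the script names, otherwise the old rules come back by themselves. Because the file is in iptables-save format, the same text is what `iptables-persistent` or `/etc/sysconfig/iptables` would store, so reviewing it in version control is straightforward.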
Gotchas
- Order Matters: Rules are processed sequentially. The first matching rule determines the packet’s fate. Place more specific rules before general ones.
- Default Policies: Setting default policies to DROP is secure but dangerous if not done carefully. Always ensure you have rules to ACCEPT essential services (like SSH) before setting the policy to DROP, or you’ll lock yourself out.
- Stateful Firewalling: Always include rules for ESTABLISHED,RELATED connections. Without them, return packets for your own outgoing connections will be blocked.
- Saving Rules: iptables rules are volatile and disappear on reboot by default. You must use a mechanism like iptables-persistent (Debian/Ubuntu) or service iptables save (CentOS/RHEL) to make them permanent.
- Interface Specificity: Using -i <interface> (input interface) and -o <interface> (output interface) makes rules more precise and prevents unintended matches.
- REJECT vs DROP: DROP silently discards packets, making your system appear non-existent to probes. REJECT sends an ICMP error back, which can be useful for internal networks but can also provide information to potential attackers.
- IPv6: iptables only manages IPv4 traffic. For IPv6, use ip6tables with similar syntax.
- iptables vs nftables: Modern Linux systems are transitioning to nftables, which aims to replace iptables, ip6tables, arptables, and ebtables with a single, more flexible tool. While iptables commands often still work via a compatibility layer, understanding nftables is recommended for new configurations.
- Logging Overhead: Excessive logging can impact performance. Use logging strategically, especially for dropped packets.
- User vs. Root: All iptables commands require root privileges (sudo).
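Several of the gotchas above (rule order, missing ESTABLISHED,RELATED, a DROP policy without loopback or SSH access, unlimited LOG rules) can be checked mechanically against the output of `iptables-save`. The following is an added example, not part of the original page: an awk-based audit that reads a dump on stdin and prints one WARN line per problem found. The sample ruleset is constructed and deliberately flawed; the check for tcp/22 assumes SSH listens on its default port, which is an assumption to adjust for your hosts.

```shell
#!/bin/sh
# Added example, not from the original page: audit an iptables-save dump against
# the gotchas listed above. Reads the dump on stdin, so
# "sudo iptables-save | audit_ruleset" works on a live host. The sample dump
# below is constructed and intentionally wrong in several ways.

audit_ruleset() {
    awk '
    /^\*/             { table = substr($0, 2); next }    # *filter, *nat, ...
    table != "filter" { next }                           # only the filter table here
    /^:INPUT /        { policy = $2; next }              # ":INPUT DROP [0:0]"
    /^-A INPUT /      {
        if ($0 ~ /-i lo /)                                  lo = 1
        if ($0 ~ /ESTABLISHED/)                             est = 1
        if ($0 ~ /-j ACCEPT/ && ($0 ~ /--dport 22 / || $0 ~ /--dport 22$/)) ssh = 1
        if ($0 ~ /-j LOG/ && $0 !~ /-m limit/)              badlog++
        # order matters: rules appended after an unconditional DROP/REJECT never match
        if (catchall)                                       shadowed++
        if ($0 ~ /^-A INPUT -j DROP$/ || $0 ~ /^-A INPUT -j REJECT$/ || \
            $0 ~ /^-A INPUT -j REJECT --reject-with/)       catchall = 1
    }
    END {
        if (policy == "DROP" && !lo)  print "WARN: INPUT policy is DROP but loopback (-i lo) is never accepted"
        if (!est)                     print "WARN: no ESTABLISHED,RELATED rule in INPUT; replies to your own connections will be dropped"
        if (policy == "DROP" && !ssh) print "WARN: INPUT policy is DROP with no ACCEPT for tcp/22 (lockout risk; adjust if SSH listens elsewhere)"
        if (shadowed)                 print "WARN: " shadowed " INPUT rule(s) sit after an unconditional DROP/REJECT and can never match"
        if (badlog)                   print "WARN: " badlog " LOG rule(s) without -m limit; a packet flood will fill the log"
    }'
}

# Constructed sample (not a real host's rules): no loopback rule, no conntrack
# rule, an unlimited LOG, and two ACCEPT rules shadowed by the catch-all DROP.
sample_ruleset() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTables-Dropped: "
-A INPUT -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Number of WARN lines the sample produces (4 with the sample above).
warning_count() {
    sample_ruleset | audit_ruleset | grep -c '^WARN'
}

case "${1:-}" in
    sample) sample_ruleset | audit_ruleset ;;
    live)   iptables-save | audit_ruleset ;;
esac
```

`sh audit.sh sample` shows the four findings for the constructed dump; `sudo sh audit.sh live` runs the same checks on the running firewall. The shadowing check is the one that catches the "Order Matters" gotcha in practice: a web server whose port 80 and 443 rules were appended after the logging catch-all looks correct in `iptables -L` but serves nothing.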