Top 10 Useful iptables Commands in Linux

In this article, we will go over 10 useful iptables commands that are applicable to any Linux distribution.

On Linux servers, iptables is used to control incoming and outgoing network traffic. The firewall rules, written by system administrators or users familiar with Linux servers, decide which traffic is allowed. iptables rules are organised in tables, each of which contains chains, and each chain holds the rules in the order they are evaluated.

In this article, we will use Ubuntu 22.04 as the operating system, but you can use any distro if you want to try these iptables commands on your own.

Let’s get this party started!

Note:

  • You need to install Ubuntu 22.04 OS
  • User privileges: root or non-root user with sudo privileges

Update your System

Before we begin with the fundamental iptables rules, we will update the system packages to the most recent versions available.

sudo apt update -y && sudo apt upgrade -y

Once the system has been updated, we will illustrate the fundamental iptables commands in Linux.

Install the iptables service

Use the following command to install the iptables service:

sudo apt-get install iptables -y

Now that the iptables service is installed, we can proceed with the basic iptables rules in the next sections.

1. Check the iptables rules

Since we have just installed the iptables service and have not added any rules yet, listing the iptables rules should give you empty output:

iptables -nvL

You will receive the following output:

# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

2. Whitelist an IP Address

Sometimes a client cannot reach the website or the server. To allow it through, whitelist its IP address manually with the following command:

iptables -A INPUT -s 192.168.1.1 -j ACCEPT

3. Block an IP Address

If you are facing continuous attacks on the server, or you simply don't want certain IP addresses to have access to it, you can easily block them with the following command:

iptables -A INPUT -s 192.168.0.1 -j DROP

4. Block a Host in iptables

Sometimes we need to block a whole host in the iptables rules, for example google.com. First, find out its IP address and the network (CIDR) it belongs to. Look up the address with the following command:

host google.com

You will receive the following output:

# host google.com
google.com has address 172.217.4.46
google.com has IPv6 address 2607:f8b0:4004:c07::64
google.com has IPv6 address 2607:f8b0:4004:c07::8b
google.com has IPv6 address 2607:f8b0:4004:c07::65
google.com has IPv6 address 2607:f8b0:4004:c07::71
google.com mail is handled by 10 smtp.google.com.

To find out the CIDR, execute the following command:

whois 172.217.4.46 | grep CIDR

You will receive the following output:

# whois 172.217.4.46 | grep CIDR
CIDR:           172.217.0.0/16

To block outgoing TCP connections to the whole Google network, execute the following command:

iptables -A OUTPUT -p tcp -d 172.217.0.0/16 -j DROP

5. How to Block a Specific Port

For example, if you don't want a specific port to be used, you can easily block it. To block outgoing connections to the MySQL port 3306 via iptables rules, execute the following command:

iptables -A OUTPUT -p tcp --dport 3306 -j DROP

6. Grant Access to various ports

If you want to allow multiple ports for incoming connections, then execute the following command:

iptables -A INPUT  -p tcp -m multiport --dports 80,443 -j ACCEPT

If you want to allow outgoing traffic from multiple source ports (for example, the replies a local web server sends from ports 80 and 443), then execute the following command:

iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -j ACCEPT

7. Forwarding the Port

To set up port forwarding, for example to redirect incoming traffic arriving on port 80 to port 443 on the same host, execute the following command:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 443

8. How to Save iptables rules

If you want to save all the iptables rules set above, execute the following command, which prints the current rule set:

iptables-save

You will receive the following output:

# iptables-save
# Generated by iptables-save v1.8.7 on Fri Jul 22 23:52:08 2022
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.1/32 -j ACCEPT
-A INPUT -s 192.168.0.1/32 -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d 172.217.0.0/16 -p tcp -j DROP
-A OUTPUT -p tcp -m tcp --dport 3306 -j DROP
-A OUTPUT -p tcp -m multiport --sports 80,443 -j ACCEPT
COMMIT
# Completed on Fri Jul 22 23:52:08 2022
# Generated by iptables-save v1.8.7 on Fri Jul 22 23:52:08 2022
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 443
COMMIT
# Completed on Fri Jul 22 23:52:08 2022
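Rule order matters: iptables walks a chain from the top and the first matching rule decides, so in the saved filter table above the ACCEPT for 192.168.0.1/32 is hit before the DROP for the same source, and the DROP never fires. The following script is an added example and not part of the original article; the function names are my own, it reads an iptables-save dump on stdin and reports rules that are shadowed by an earlier identical match, and it embeds a constructed copy of the article's filter table as sample input.

```shell
#!/bin/sh
# Added example (not from the original article): report rules in an
# iptables-save dump that can never match, because an earlier rule in the
# same table and chain has an identical match. A chain is walked from the
# top and the first matching rule decides, so the later rule is dead code.
# The comparison is textual, which is only safe on iptables-save output,
# where matches are already normalised (e.g. "-p tcp -m tcp --dport 3306").
# Reads the dump on stdin, prints each shadowed rule, exits 1 if any found.
find_shadowed_rules() {
    awk '
        /^\*/     { table = substr($0, 2); next }    # "*filter", "*nat"
        /^COMMIT/ { split("", seen); next }          # reset per table
        /^-A /    {
            j    = index($0, " -j ")                 # split match from target
            spec = (j > 0) ? substr($0, 1, j - 1) : $0
            key  = table " " spec                    # chain is part of spec
            if (key in seen) {
                printf "shadowed: %s\n      by: %s\n", $0, seen[key]
                found = 1
            } else {
                seen[key] = $0
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: the filter table as the article's iptables-save output
# shows it. The ACCEPT for 192.168.0.1/32 precedes the DROP for the same
# source, so the DROP is never reached.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.1/32 -j ACCEPT
-A INPUT -s 192.168.0.1/32 -j DROP
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A OUTPUT -d 172.217.0.0/16 -p tcp -j DROP
-A OUTPUT -p tcp -m tcp --dport 3306 -j DROP
-A OUTPUT -p tcp -m multiport --sports 80,443 -j ACCEPT
COMMIT
EOF
}

# On a live system: iptables-save | find_shadowed_rules
sample_dump | find_shadowed_rules || echo "review the rule order above"
```

Rules are compared per table, so the same rule text in *filter and *nat is not reported.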

9. Flush the iptables rules

If you want to flush all the iptables rules we set in the previous steps, execute the command iptables -F. But first, check the output of iptables -nvL to review the rules that are currently set up.

iptables -nvL

If you followed the previous commands, you will receive the following output:

# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       192.168.0.1          0.0.0.0/0
    0     0 DROP       all  --  *      *       192.168.0.1          0.0.0.0/0
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 80,443

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            172.217.0.0/16
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
    1    40 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport sports 80,443

Now, you can flush the rules with the following command:

iptables -F

Now execute iptables -nvL again to list the current rules; you should receive an empty output similar to the first step above.

# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

10. Man command for iptables

If you want to know everything about the iptables command and the parameters that can be used, execute man iptables and you will receive the following output:

# man iptables
IPTABLES(8)                                                                iptables 1.8.7                                                               IPTABLES(8)
NAME
       iptables/ip6tables — administration tool for IPv4/IPv6 packet filtering and NAT
SYNOPSIS
       iptables [-t table] {-A|-C|-D} chain rule-specification
       ip6tables [-t table] {-A|-C|-D} chain rule-specification
       iptables [-t table] -I chain [rulenum] rule-specification
       iptables [-t table] -R chain rulenum rule-specification
       iptables [-t table] -D chain rulenum
       iptables [-t table] -S [chain [rulenum]]
       iptables [-t table] {-F|-L|-Z} [chain [rulenum]] [options...]
       iptables [-t table] -N chain
       iptables [-t table] -X [chain]
       iptables [-t table] -P chain target
       iptables [-t table] -E old-chain-name new-chain-name
       rule-specification = [matches...] [target]
       match = -m matchname [per-match-options]
       target = -j targetname [per-target-options]
DESCRIPTION
       Iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel.  Several different
       tables may be defined.  Each table contains a number of built-in chains and may also contain user-defined chains.

Congratulations! You have successfully practiced the 10 most used iptables commands in Linux. If you have difficulties understanding the commands or if you are facing problems with the steps outlined above, please contact the eTechSupport Team.
