Although iptables is not fresh and new, it is still in use, and those in the IT profession should expect to come into contact with it at some point. I will likely be setting up a server with iptables enabled for a homelab project, so I have decided to write a short post about how to apply a few common rules and variations of them.
The basics
iptables commands generally have this structure:
root@user# iptables [option][table][options…]
The following is a guide to the options used in the commands below.
iptables: the leading command
-A: append a rule to a chain
-s: source address
-d: destination address
-i: inbound interface
-o: outbound interface
-p: protocol (tcp, udp); the port is then selected with --dport or --sport
INPUT: packets coming into the system
OUTPUT: packets leaving the system
FORWARD: packets being routed through the system
Targets (-j):
DROP: ignore the packet
ACCEPT: accept the packet
REJECT: reject the packet and notify the sender that it was rejected
Save/backup iptables
This is the command used to save and back up your rules. The file I named "iptables.rules" can have any name.
[root@localhost ~]# iptables-save > /etc/iptables.rules
Restore iptables rules
Saved rules can be restored from any path. Note that iptables-restore reads the file from standard input, so the redirect points the other way than for iptables-save:
[root@localhost ~]# iptables-restore < /etc/iptables.rules
Set the default action of the tables
This portion deals with the INPUT, OUTPUT, and FORWARD chains. The policies set here make it so that, unless a later rule explicitly accepts them, packets reaching the chain will be dropped.
[root@localhost ~]# iptables -P INPUT DROP
[root@localhost ~]# iptables -P OUTPUT DROP
[root@localhost ~]# iptables -P FORWARD DROP
Allow incoming and outgoing connections that are established
From the man pages:
ESTABLISHED — meaning that the packet is associated with a connection which has seen packets in both directions,
RELATED — meaning that the packet is starting a new connection, but is associated with an existing connection, such as an FTP data transfer, or an ICMP error.
[root@localhost ~]# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow traffic to be routed from one interface to another
This is useful if you have two interfaces, such as in a router, because it lets packets traverse from one interface to another. Be sure to specify every direction in which the packets could travel. The following rule only allows packets to cross from eth1 to eth0, not the other way around.
[root@localhost ~]# iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Allow host to use its own loopback device
These rules allow the host to access its own services. lo is the loopback interface.
[root@localhost ~]# iptables -A INPUT -i lo -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -o lo -j ACCEPT
Allow the host to be accessed from the outside, through ssh
In this example, the host is running an ssh server. The server is made accessible from the outside with this set of rules.
[root@localhost ~]# iptables -A INPUT -i eth0 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
You can also restrict access to a specific address or range of addresses.
[root@localhost ~]# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -o eth1 -d 192.168.0.0/24 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow HTTP or HTTPS into the host system
HTTP
[root@localhost ~]# iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
HTTPS
[root@localhost ~]# iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
[root@localhost ~]# iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
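As an added example (not from the original post), here are the rules above combined into one iptables-restore file, generated by a POSIX shell function so it can be reviewed before it is loaded. It assumes eth0 is the external interface, eth1 the LAN interface and 192.168.0.0/24 the admin subnet (constructed values), uses one stateful OUTPUT rule in place of the per-service --sport rules, a multiport match for 80 and 443, and a rate-limited LOG rule before the default DROP policy takes effect.

```shell
#!/bin/sh
# Emit a complete filter-table ruleset in iptables-restore format.
# Assumed (constructed) values: external eth0, LAN eth1, admin subnet
# 192.168.0.0/24. Nothing here touches the live firewall: the text goes to
# stdout, so review it, then load it with
#   gen_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
gen_rules() {
  wan=${1:-eth0}
  lan=${2:-eth1}
  admin_net=${3:-192.168.0.0/24}
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback: let the host reach its own services
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to tracked connections come first: most packets match here
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop packets conntrack cannot associate with any connection
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ssh: only new connections from the admin subnet on the LAN interface
-A INPUT -i $lan -s $admin_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Web: new connections from anywhere on the external interface
-A INPUT -i $wan -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Log what is about to hit the DROP policy, rate-limited to avoid log floods
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Sanity check: exactly one filter table header and one COMMIT.
check_rules() {
  gen_rules "$@" | awk '
    /^\*filter$/ { t++ }
    /^COMMIT$/   { c++ }
    END { if (t == 1 && c == 1) exit 0; exit 1 }'
}
```

Because OUTPUT accepts anything ESTABLISHED or RELATED, the replies from ssh and the web server are covered without a separate --sport rule per service.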
Blocking IP addresses
Block a specific IP address
The source can also be a range of addresses; the same pattern works for destination addresses (-d) or ports.
[root@localhost ~]# iptables -A INPUT -s <ip_address> -j DROP
Block an IP on a specific interface
[root@localhost ~]# iptables -A INPUT -i eth0 -s <ip_address> -j DROP