
Configure Linux Firewall with iptables


Imagine a vigilant guard protecting your building. This guard checks each visitor’s ID and purpose before granting or denying entry. iptables, a powerful firewall tool for Linux systems acts like this guard for your systems.

iptables is a Linux firewall software that monitors traffic from and to your server using tables. These tables contain sets of rules, called chains, that filter incoming and outgoing data packets.

By analyzing these incoming packets and applying rules, iptables helps keep networks safe, protecting systems from potential threats and attacks.

In this tutorial, we will discuss iptables and how to install and configure the firewall on your system. Let us start by answering the most common question, what is iptables, in detail.

Table Of Contents

  1. What is iptables?
  2. How Does iptables Work?
  3. The Basic iptables Syntax
  4. How to Install and Configure iptables
    1. Install iptables on Ubuntu
    2. Install iptables on CentOS
  5. Configure Linux’s iptables
    1. Verify iptables status
    2. Configuration #1: Enable Loopback Traffic
    3. Configuration #2: Allow Traffic on Specific Ports
    4. Configuration #3: Use an IP address to control traffic
    5. Configuration #4: Drop Unwanted Traffic
    6. Configuration #5: Delete the Rule
    7. Configuration #6: Save The Changes
  6. Conclusion
  7. FAQs

What is iptables? 

iptables is a Linux firewall that tracks traffic to and from your server. Users can use it to view and modify the Linux kernel’s built-in network packet filtering capabilities. Users can use these capabilities to grant or deny access to specific network services (such as SSH and HTTP) and permit or block specific IP addresses from connecting to the server.

How Does iptables Work?

At the basic level, network traffic travels in packets. iptables uses sets of rules, called chains, to examine each packet it receives and ensure that only authorized packets are delivered within the system.

iptables filters packets based on multiple factors, including:

  • Chains
  • Tables
  • Targets

Chains

Chains are ordered lists of rules that iptables uses to decide whether a packet is allowed to pass.

When a packet arrives at the firewall, it is checked against each rule in the chain in order until it matches one. Each rule can perform a different action (known as a target) on the packets it matches.

The primary chains in iptables are:

  • INPUT: This chain is used for packets destined for the host machine.
  • OUTPUT: This chain is used for packets originating from the host machine.
  • FORWARD: This chain is used for packets that are routed through the host machine (not destined for the host).

When a packet matches a rule, it is assigned a target, which can be another chain or one of these special values:

  • ACCEPT – Allows the packet to pass through.
  • DROP – Discards the packet so it does not pass through.
  • RETURN – Stops processing the packet in the current chain and sends it back to the chain that called it.

Tables

Tables are the foundation of iptables that organize rules to govern network traffic flow. 

iptables has several built-in tables, each serving a specific function. 

Now, let us discuss the four default tables along with the chains each table contains.

Table #1: Filter

The Filter table is the most common and usually the default table for packet evaluation. It determines which packets can pass through and leave the network. The default chains in this table are:

  • INPUT: Handles packets the server receives. 
  • OUTPUT: Controls the packets for outbound traffic.
  • FORWARD: Handles packets routed via the server.

Table #2: NAT (Network Address Translation)

In this table, the Network Address Translation (NAT) rules direct packets to networks that are not directly accessible. 

The iptables systems use the NAT table to modify the source or destination of a packet. The default chains it contains are:

  • PREROUTING: Processes packets as soon as the server receives them, before any routing decision.
  • OUTPUT: Controls the packets for outbound traffic.
  • POSTROUTING: Modifies packets before routing.

Table #3: Mangle

The Mangle table modifies the packets’ IP header features. It is essential for making advanced modifications to packets, such as changing the Type of Service (TOS) field or modifying other packet attributes not typically handled by the Filter or NAT tables.

Its default chains are:

  • PREROUTING: Processes packets as soon as the server receives them, before any routing decision.
  • INPUT: Handles packets the server receives. 
  • FORWARD: Handles packets routed via the server.
  • OUTPUT: Controls the packets for outbound traffic.
  • POSTROUTING: Modifies packets before routing.

Table #4: Raw

Unlike other tables that track connections, the Raw table applies to packets that are exempt from connection tracking. This can improve performance but requires caution, as security measures relying on connection tracking won’t apply to these packets.

The standard chains in Raw are:

  • PREROUTING: Processes packets as soon as the server receives them, before any routing decision.
  • OUTPUT: Controls the packets for outbound traffic.


Targets

The action taken when a packet matches a rule's criteria is called the target. When a packet's characteristics match a rule's criteria, the target decides the ultimate action for the packet. There are two main categories of targets:

Terminating Targets

Terminating targets determine what happens to the packet, halting further processing within the current chain.

The terminating targets are:

  • ACCEPT: Allows packets to pass through.
  • DROP: The packet is discarded and no further rules or chains are evaluated for it. The system that originated the connection receives no error when iptables drops an inbound connection to the server.
  • RETURN: The packet is sent back to the chain that called the current one, where matching continues with the next rule.
  • REJECT: The packet is rejected, and an error message (ICMP unreachable) is sent back to the source device.

Non-Terminating Targets

After a non-terminating target acts on a packet, the packet continues to be matched against the remaining rules in the chain.

Some of the non-terminating targets are:

  • LOG: Logs information about the matching packet for monitoring purposes.
  • MARK: Assigns a mark (tag) to the packet for classification or manipulation by later rules.
  • SNAT/DNAT: Used in the NAT table to modify the source or destination address of a packet for routing.
  • REDIRECT: Redirects the packet to a different port or destination on the same server.

The Basic iptables Syntax

The iptables command modifies the rules of the IP packet filter in the Linux kernel.

The basic syntax of iptables is:

# sudo iptables [option] CHAIN rule-specification [-j target]

iptables provides a range of options. Some of the common iptables options are:

Option               Description
-A, --append         Add a new rule to the end of a specified chain.
-C, --check          Check whether a rule matching the given specification exists in a chain.
-D, --delete         Remove a particular rule from a chain.
-F, --flush          Delete all rules in a chain (or in every chain if none is named).
-I, --insert         Insert a rule into a chain at a specific position (rule number).
-L, --list           List all rules in a chain (or in every chain if none is named).
-N, --new-chain      Create a new user-defined chain in a table.
-v, --verbose        Show more detailed information about each listed rule.
-X, --delete-chain   Remove a user-defined chain.


Remember, these options are used in conjunction with the chain name, rule specification, and target to define how iptables manages network traffic. By effectively using these options, you can create a robust firewall configuration for your system.

Now that you have a basic understanding of iptables, its syntax, and working, let us understand how to install and configure iptables.

Let us now take a quick look at the prerequisites for the installation. 

The Prerequisites to Working With iptables

Before diving into the iptables installation, ensure you have the following:

  • A system running a popular Linux distribution
  • A user account with root or sudo privileges

How to Install and Configure iptables

By now, you have a good understanding of iptables and its syntax. We will now quickly run through the installation steps on popular operating systems. Note that iptables is installed by default on most Linux distributions.

Install iptables on Ubuntu

Run the following command to install iptables, or to confirm that it is already present on your system:

# sudo apt-get install iptables


If the software is already installed, the output confirms the version.

iptables firewall rules switch back to the default form after the system reboot. Therefore, if you wish to save the currently configured iptables firewall rules, install the permanent package.

Run the following command in the terminal to install the permanent package:

# sudo apt-get install iptables-persistent 

Install iptables on CentOS

CentOS 7 and RedHat-based systems have firewalld installed instead of iptables. 

Therefore, before you can install iptables, you should disable firewalld by executing the following commands.

# sudo systemctl stop firewalld

# sudo systemctl disable firewalld

# sudo systemctl mask firewalld

These commands stop firewalld, prevent it from starting at boot, and mask it so that no other service can start it.


Next, install and activate iptables by executing the following command to install the iptables services package in CentOS 7.

# sudo yum -y install iptables-services


Once installed, enable and launch the iptables by executing these commands:

# sudo systemctl enable iptables

# sudo systemctl start iptables

Once you have installed and enabled iptables, verify that the service is running with the status command.

# sudo systemctl status iptables


Configure Linux’s iptables

Now that you have installed iptables in your system, it is necessary to configure iptables to manage and secure the system. 

Verify iptables status 

Before configuring your iptables, it is necessary to understand the current iptables rules.  

Enter the following command to view the existing rules:

# sudo iptables -L


The output shows the default policy (usually ACCEPT) for each chain (INPUT, OUTPUT, FORWARD):

Chain INPUT (policy ACCEPT)

Chain FORWARD (policy ACCEPT)

Chain OUTPUT (policy ACCEPT)

Configuration #1: Enable Loopback Traffic 

Configuring iptables to allow loopback traffic is necessary to maintain the functionality and security of the system. It enables critical internal communications between services and processes running on the same system, ensures efficient system operations, and avoids potential disruptions caused by blocking traffic.

To enable loopback traffic, execute the following command:

# sudo iptables -A INPUT -i lo -j ACCEPT

This command tells the firewall to accept every packet arriving on the loopback interface (lo), selected with -i. Local services that talk to each other over 127.0.0.1 therefore keep working regardless of the rules that follow this one in the INPUT chain.

Configuration #2: Allow Traffic on Specific Ports

A port is a communication endpoint designated for a particular data or service. Allowing traffic on specific ports using iptables is crucial for network security and management. It ensures that essential services are accessible while maintaining a secure, efficient, and compliant network environment.

The following commands allow communication on specific ports you designate.

To allow HTTP web traffic (port 80), run:

# sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Allow incoming SSH (Secure Shell) traffic (port 22):

# sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow HTTPS internet traffic (port 443):

# sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Here,

  • -p: Matches the protocol (TCP here).
  • --dport: Matches the destination port.
  • -j (jump): Performs the assigned action (ACCEPT in this case).

Configuration #3: Use an IP address to control traffic

Execute the following command to ACCEPT traffic from a specific IP address.

# sudo iptables -A INPUT -s <IP address> -j ACCEPT

Replace <IP address> with the address you want to allow.

Next, to block traffic from an IP address, use the following command:

# sudo iptables -A INPUT -s <IP address> -j DROP

If you wish to reject traffic from a range of IP addresses, use the following command:

# sudo iptables -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.255 -j REJECT

Here,

  • -m: Loads the named match module.
  • iprange: The match module that accepts a range of IP addresses instead of a single one.
  • --src-range: Sets the source IP address range.

Configuration #4: Drop Unwanted Traffic 

If you have set up rules that allow specific destination ports (--dport), it is essential to drop all traffic arriving on other ports to prevent unauthorized access.

To drop unwanted traffic, run:

# sudo iptables -A INPUT -j DROP

Here,

-A: Appends the new rule to the end of the chain.

Any connection to a port you have not explicitly allowed is dropped. Because -A appends to the end of the chain, this rule must be added last: an ACCEPT rule appended after it is never reached, so any allow rule added later needs -I to be inserted above it.

Configuration #5: Delete the Rule

To remove all iptables firewall rules, use the -F option. 

# sudo iptables -F

If you want to remove a specific rule instead, delete it by its line number.

First, list all rules with line numbers:

# sudo iptables -L --line-numbers

Next, find the line in the firewall rule that you wish to remove and execute the following command:

# sudo iptables -D INPUT <Number>

Replace <Number> with the actual line number of the rule you want to delete.
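Deleting by line number works for a one-off change, but numbers shift whenever a rule above is inserted or removed. The shell helpers below, an added example that is not part of the article, use the -C, -A and -D options from the options table above to add a rule only when it is absent and to remove every copy of a rule by its full specification. They call iptables directly and therefore need root; the function names and the demo rules are constructed for this example.

```shell
#!/bin/sh
# Idempotent rule helpers built on iptables -C / -A / -D (added example, not
# from the article). Run as root; the helpers change the live filter table.

# has_rule CHAIN RULE-SPEC...: succeeds if an identical rule exists.
# -C matches the full specification rather than a line number, so it is not
# affected by rules being inserted or deleted elsewhere in the chain.
has_rule() {
    iptables -C "$@" >/dev/null 2>&1
}

# add_rule CHAIN RULE-SPEC...: append only when absent, so re-running a setup
# script never stacks duplicate copies of the same rule.
add_rule() {
    if has_rule "$@"; then
        echo "exists: $*"
        return 0
    fi
    iptables -A "$@" && echo "added: $*"
}

# del_rule CHAIN RULE-SPEC...: delete every copy of a rule. A single -D removes
# only one match, so duplicates appended by hand would otherwise survive.
del_rule() {
    n=0
    while has_rule "$@"; do
        iptables -D "$@" || return 1
        n=$((n + 1))
    done
    echo "removed $n copies: $*"
}

# Demo session (constructed): adding the same ACCEPT rule twice leaves one copy
# in the chain; the catch-all DROP rule is removed however often it was appended.
if [ "${1:-}" = "demo" ]; then
    add_rule INPUT -p tcp --dport 22 -j ACCEPT
    add_rule INPUT -p tcp --dport 22 -j ACCEPT
    del_rule INPUT -j DROP
fi
```

Run it as `sudo sh rules.sh demo` to see the three messages; in a provisioning script, call add_rule for each rule instead of bare iptables -A so that the script can be re-run safely.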

Configuration #6: Save The Changes

iptables rules are not persistent by default and disappear after a reboot: any modifications you make to the iptables configuration in Linux are only effective until the first restart.

To save your configuration changes in systems based on Debian:

# sudo /sbin/iptables-save | sudo tee /etc/iptables/rules.v4

iptables-save only prints the current rules to standard output; writing them to /etc/iptables/rules.v4, the file that the iptables-persistent package installed earlier loads at boot, is what makes them survive a reboot.

Red Hat-based systems:

# sudo /sbin/service iptables save

These commands ensure your firewall rules are automatically reloaded when your system restarts.
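The six configurations above are one procedure whose correctness depends on rule order. As an added example, not code from the article, the script below generates the whole INPUT chain as a single iptables-restore file in the format iptables-persistent reads from /etc/iptables/rules.v4, so the rules are reviewed as a unit and loaded atomically instead of being appended one command at a time. Two lines are my additions beyond the article: a conntrack rule that accepts replies to connections the server itself opened (without it, the final DROP also discards responses to the server's own outbound traffic), and the restriction of SSH to an administrative network. The function names, the ADMIN_NET value (a documentation-range placeholder) and the APPLY switch are constructed for this example.

```shell
#!/bin/sh
# Generate the article's INPUT policy as an iptables-restore file and load it
# atomically (added example, not from the article).
set -eu

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"                     # placeholder: network allowed to reach SSH
BLOCKED_RANGE="${BLOCKED_RANGE:-192.168.1.1-192.168.1.255}"  # the range rejected in the article
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"           # file iptables-persistent loads at boot

# build_rules_v4 prints the complete filter table. Order is the point: loopback
# and established-connection rules first, the range reject before any port
# allow could match it, service ports next, LOG immediately before DROP last.
# Lines beginning with # are ignored by iptables-restore.
build_rules_v4() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Configuration #1: loopback traffic
-A INPUT -i lo -j ACCEPT
# Added beyond the article: replies to connections this server opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Configuration #3: reject the whole range before any per-port allow
-A INPUT -m iprange --src-range $BLOCKED_RANGE -j REJECT
# Configuration #2: service ports; SSH limited to the admin network (added restriction)
-A INPUT -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# FAQ: LOG is non-terminating, so the packet is logged and then hits DROP
-A INPUT -j LOG --log-prefix "iptables dropped: " --log-level 4
# Configuration #4: everything else
-A INPUT -j DROP
COMMIT
EOF
}

# rule_count prints the number of -A rules in the generated file.
rule_count() {
    build_rules_v4 | grep -c '^-A '
}

# install_rules validates the file with iptables-restore --test, writes it to
# RULES_FILE and loads it. All rules take effect at once, so there is never a
# half-built chain. Loading needs root, so it only happens with APPLY=1.
install_rules() {
    tmp=$(mktemp)
    build_rules_v4 > "$tmp"
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
        iptables-restore --test "$tmp"
        cp "$tmp" "$RULES_FILE"
        iptables-restore "$RULES_FILE"
        echo "applied $(rule_count) rules from $RULES_FILE"
    else
        echo "dry run: $(rule_count) rules written to $tmp (set APPLY=1 and run as root to load)"
    fi
}

if [ "${1:-}" = "install" ]; then
    install_rules
fi
```

Run `sh firewall.sh install` to generate and inspect the file, then `sudo APPLY=1 sh firewall.sh install` to load it. The chain policy stays ACCEPT as in the article, so a later `iptables -F` reopens every port; switching the INPUT policy line to DROP is the stricter choice, but only once the loopback and conntrack rules above are in place.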

Conclusion

Configuring a Linux firewall with iptables provides essential control over network traffic for enhanced security. 

In this tutorial, we have covered the installation and basics of iptables, including how to allow or deny traffic based on IP addresses, tailor rules, and much more. 

Follow this guide to protect your servers and networks from unauthorized access and threats and maintain a secure and efficient network environment.

FAQs

Q. What is iptables?

iptables is a Linux firewall program that monitors traffic from and to your server. It enables users to view and modify the Linux kernel’s built-in network packet filtering capabilities. 

Q. How do I install iptables on my Linux system?

On most Linux distributions, iptables is pre-installed. If it is not, you can install it using your package manager by running sudo yum install iptables on Red Hat-based systems or sudo apt-get install iptables on Debian-based systems.

Q. What are the basic components of iptables?

The basic components are tables, chains, and rules. Tables contain chains, and chains contain rules defining network packet handling.

Q. How do I check the current iptables rules?

To view the existing rules, run sudo iptables -L.

Q. How can I add a new rule to allow traffic on a specific port?

You can add a rule by executing sudo iptables -A INPUT -p tcp --dport <port_number> -j ACCEPT, replacing <port_number> with the desired destination port.

Q. How do I delete a specific iptables rule?

Identify the rule's line number with sudo iptables -L --line-numbers, then delete it using sudo iptables -D <chain> <line_number>.

Q. How can I save my iptables rules so they last after a reboot?

Install iptables-persistent with sudo apt-get on Debian-based systems and save the rules with sudo netfilter-persistent save. On Red Hat-based systems, use service iptables save.

Q. What is the difference between INPUT, OUTPUT, and FORWARD chains?

INPUT controls incoming traffic to the server, OUTPUT controls outgoing traffic from the server, and FORWARD controls traffic passing through the server.

Q. Can iptables be used for NAT (Network Address Translation)?

iptables can perform NAT using the nat table, with source NAT rules in the POSTROUTING chain and destination NAT rules in the PREROUTING chain.

Q. How do I reset iptables to its default settings?

Use sudo iptables -F to flush all rules and sudo iptables -X to delete all user-defined chains. This returns iptables to its default state.

Q. What are the common uses of iptables?

Common uses include blocking or allowing specific IP addresses, ports, and protocols, logging traffic, and setting up NAT and port forwarding.

Q. How do I log dropped packets using iptables?

Add a LOG rule immediately before the DROP rule, for example sudo iptables -A INPUT -j LOG --log-prefix "iptables dropped: " --log-level 4 followed by sudo iptables -A INPUT -j DROP. LOG is a non-terminating target, so a packet that reaches it is first logged and then discarded by the DROP rule that follows.
