The iptables command in Linux is used to manage the netfilter firewall rules. Netfilter is the packet filtering framework within the Linux kernel that allows you to control and filter network traffic. The iptables command provides a user-friendly interface to interact with netfilter and set up rules for packet filtering, NAT (Network Address Translation), and packet mangling.
Here’s a table explaining some of the main parameters and options of the iptables command:
| Parameter | Description |
|---|---|
-A | Append a new rule to a chain. |
-D | Delete a rule from a chain. |
-P | Set the default policy for a chain. |
-I | Insert a rule at a specific position in a chain. |
-s | Source IP address or network. |
-d | Destination IP address or network. |
-p | Protocol (e.g., tcp, udp, icmp). |
--sport | Source port (only for outgoing packets). |
--dport | Destination port (only for incoming packets). |
-j | Target or action (e.g., ACCEPT, DROP, REJECT). |
-i | Input network interface. |
-o | Output network interface. |
Examples of using iptables:
- Allow SSH (port 22) incoming traffic:
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT- Allow HTTP (port 80) and HTTPS (port 443) incoming traffic:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT- Allow outgoing DNS (port 53) traffic to specific DNS servers:
sudo iptables -A OUTPUT -p udp --dport 53 -d 8.8.8.8 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -d 8.8.4.4 -j ACCEPT- Drop incoming traffic from a specific IP address:
sudo iptables -A INPUT -s 192.168.1.100 -j DROP- Set the default policy to DROP for incoming and outgoing traffic:
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT DROP- Allow established connections:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT- Enable NAT (Network Address Translation) to allow internet access for local network devices:
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADERemember that iptables rules are stateless by default, so you need to explicitly allow incoming and outgoing traffic for established connections as shown in example 6 above. Additionally, these are just basic examples, and in real-world scenarios, you may need more complex rules to suit your specific network requirements.
After configuring iptables rules, it’s crucial to save them to apply them on system reboot. The specific method to save rules depends on your Linux distribution. Consult your distribution’s documentation for more information.
