September 27, 2020

Iptables rules that Linux administrators should know

7 min read

Managing network traffic is one of the toughest tasks that system administrators must handle. We must specify that users connected to the system meet the firewall’s incoming and outgoing requirements to maximize system protection.

Many users use iptables in Linux as a firewall. From a strict perspective, Iptables are just a command-line tool that helps administrators define rules and communicate with the Linux kernel. It is just a list of incoming and outgoing rules that help administrators configure network traffic. The specific implementation is actually in the Linux kernel.

Iptables include a set of chains of built-in and user-defined rules that administrators can attach to the chain.

FILTER default filter table, built-in chain:
  • INPUT: handling incoming data packets
  • FORWARD: handling packets routed through the system
  • OUTPUT: handling locally outgoing packets
NAT implements a table for network address translation. The built-in chains are:
  • PREROUTING: handling packets to be received
  • OUTPUT: handling locally generated packets
  • POSTROUTING: handling outgoing packets
MANGLE is used to change the data packet, a total of 5 chains:
  • PREROUTING: handling incoming connections
  • OUTPUT: handling locally generated packets
  • INPUT: processing packets
  • POSTROUTING: handling outgoing packets
  • FORWARD: handling packets forwarded through the machine
Below, we will introduce the Iptables rules that are most commonly used by Linux administrators.
Start, stop and restart Iptables
Although IPTables is not a service, it can still be managed like a service in Linux.
  1. Using systemd
    systemctl start iptables
    systemctl stop iptables
    systemctl restart iptables
  2. Using sysvinit
    /etc/init.d/iptables start
    /etc/init.d/iptables stop
    /etc/init.d/iptables restart
View Iptables firewall policy
You can use the following command to view the Iptables firewall policy:
iptables -L -n -v
The above command is to view the default FILTER table. If you only want to view a specific table, you can follow the -t parameter to the table name to be viewed separately. For example, to view only the rules in the NAT table, you can use the following command:

iptables -t nat -L -v –n

Block an IP address

If you identify an IP like an attack or abnormal traffic to the server, you can block its IP address using the following rules:

iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

Note that you need to change the above xxx to the actual IP address to be masked, where the -A parameter indicates that this rule is appended at the end of the INPUT chain.

If you only want to block TCP traffic, you can use the specified protocol of the -p parameter, for example:

iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP

Unblock an IP address
To unblock the IP address, you can use the following command to delete it:

iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

Where the -D parameter indicates that one or more rules are removed from the chain.
Use Iptables to close a specific port
Many times, we need to block network connections for a particular port, and Iptables can be used to block specific ports.
Block specific outgoing connections:
iptables -A OUTPUT -p tcp –dport xxx -j DROP
Block specific incoming connections:
iptables -A INPUT -p tcp –dport xxx -j ACCEPT
Use Multiport to control multiple ports
Using multiport we can write multiple ports in a single rule at once, for example:
iptables -A INPUT -p tcp -m multiport –dports 22,80,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport –sports 22,80,443 -j ACCEPT
Use IP address ranges in rules
The IP address range in IPtables can be expressed directly using CIDR, for example:

iptables -A OUTPUT -p tcp -d 192.168.1.1/24 –dport 22 -j ACCEPT

Configuring port forwarding
Sometimes we need to forward service traffic from a Linux server to another port. In this case, you can use the following command:

iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 22 -j REDIRECT –to-port 2222

The above command will redirect all traffic arriving on the eth0 NIC 22 port to port 2222.
Block HTTP service Flood attacks
Sometimes a user initiates a large number of connection requests on a service, such as HTTP 80, at which point we can enable the following rules:
iptables -A INPUT -p tcp –dport 80 -m limit –limit 100/minute –limit-burst 200 -j ACCEPT
The above command will limit the connection to 100 per minute and the upper limit to 200.

Block Ping

Forbidden PING for Linux, You can use the following rules to mask ICMP incoming connections:

iptables -A INPUT -p icmp -i eth0 -j DROP

Allow Loopback Connections

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Drop or Accept Traffic From Mac Address

iptables -A INPUT -m mac –mac-source 00:0F:EA:91:04:08 -j DROP
iptables -A INPUT -p tcp –destination-port 22 -m mac –mac-source 00:0F:EA:91:04:07 -j ACCEPT

Limit the number of concurrent connections
If you don’t want too many concurrent connections from a particular port, you can use the following rules
iptables -A INPUT -p tcp –syn –dport 22 -m connlimit –connlimit-above 3 -j REJECT
The above rules limit no more than 3 connections per client.
Allow related connections to be established
With the ingress and egress of network traffic, to allow the establishment of incoming related connections, you can use the following rules:
iptables -A INPUT -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT
Allow rules to establish outgoing connections
iptables -A OUTPUT -m conntrack –ctstate ESTABLISHED -j ACCEPT

Discard invalid packets

Many cyber attacks try to use hacker-defined illegal packets, we can use the following command to discard invalid packets:
iptables -A INPUT -m conntrack –ctstate INVALID -j DROP

Allow All Incoming SSH

iptables -A INPUT -p tcp –dport 22 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 22 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow Incoming SSH from Specific IP address or subnet

iptables -A INPUT -p tcp -s 192.168.240.0/24 –dport 22 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp –sport 22 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow Outgoing SSH

iptables -A OUTPUT -p tcp –dport 22 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp –sport 22 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming HTTP

iptables -A INPUT -p tcp –dport 80 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 80 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming HTTPS

iptables -A INPUT -p tcp –dport 443 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 443 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming HTTP and HTTPS

iptables -A INPUT -p tcp -m multiport –dports 80,443 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -m multiport –dports 80,443 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow MySQL from Specific IP Address or Subnet

iptables -A INPUT -p tcp -s 192.168.240.0/24 –dport 3306 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp –sport 3306 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow MySQL to Specific Network Interface

iptables -A INPUT -i eth1 -p tcp –dport 3306 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth1 -p tcp –sport 3306 -m conntrack –ctstate ESTABLISHED -j ACCEPT

PostgreSQL from Specific IP Address or Subnet

iptables -A INPUT -p tcp -s 192.168.240.0/24 –dport 5432 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp –sport 5432 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow PostgreSQL to Specific Network Interface

iptables -A INPUT -i eth1 -p tcp –dport 5432 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth1 -p tcp –sport 5432 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Block Outgoing SMTP Mail

iptables -A OUTPUT -p tcp –dport 25 -j REJECT

Allow All Incoming SMTP

iptables -A INPUT -p tcp –dport 25 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 25 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming IMAP

iptables -A INPUT -p tcp –dport 143 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 143 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming IMAPS

iptables -A INPUT -p tcp –dport 993 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 993 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming POP3

iptables -A INPUT -p tcp –dport 110 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 110 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming POP3S

iptables -A INPUT -p tcp –dport 995 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 995 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Flush All Chains

To empty the Iptables chain you can use the following command
iptables -F
To clear a particular table, you can specify it with the -t parameter, for example:
iptables -t nat –F
Save Iptables rules
By default, administrator actions on Iptables rules take effect immediately. However, since the rules are stored in memory, restarting the system will result in configuration loss. To permanently save Iptables rules, use the iptables-save command:
iptables-save > ~/iptables.rules
or
  • Debian Based
    netfilter-persistent save
  • RedHat Based
    service iptables save
Restore Iptables rules
If there is a natural save, there is a restore. You can use the iptables-restore command to restore the saved rules.
iptables-restore < ~/iptables.rules