
Control Network Traffic with iptables


The iptables program is a comprehensive tool for manipulating, filtering, redirecting, and blocking network traffic on modern Linux systems. IP tables controls network filtering, which forms the foundation of most advanced firewall solutions and allows administrators to prevent access to a system by way of a network interface with a high degree of granularity and specificity. A basic understanding of IP tables will allow you to maintain and exercise control over networking for your Linux system.

This document contains a basic overview of the iptables command. It focuses on the command's form and usage, then reviews common commands and problems that can be solved with simple iptables invocations. If you find this guide helpful, please consider our guide to basic administration practices or the rest of the Using Linux series.


Using iptables

The functionality of IP tables is derived directly from the networking subsystem of the Linux kernel, which accounts for the ability of Linux systems to efficiently process network traffic. The iptables command, which must be used with root privileges, simply provides an interface to this capability. The iptables tool is likely already installed on your Linux system; if it is not, you can install it with your system's package management tool. The iptables examples in this document are intended to work with iptables running on top of contemporary versions of the Linux 2.6 kernel.

The iptables Command

The iptables command provides a great deal of functionality; however, the syntax of this command is occasionally abstruse and difficult to comprehend. If you have difficulty understanding the iptables command, focus on the general structure of an iptables directive rather than on the complete syntax. Consider the following example:

iptables -I INPUT -s <source-address> -j DROP

The -I option specifies the insertion of a rule at the beginning of the specified chain. Rules are applied sequentially, so using the -I option ensures that the above rule is applied before all other rules in the chain. To append a rule to the end of a chain, so that all other rules are processed first, use the -A option in the following form:

iptables -A INPUT -s <source-address> -j DROP

In both commands, the -s option and the IP address that follows it specify a source. The final -j option specifies a "target," the action to perform on a matching packet. The target can hand the packet off to another chain or, as in this case, name a predefined action. Possible targets include the DROP target, which drops the packet; the ACCEPT target, which allows the packet to go through as normal; the RETURN target, which ends processing in the current chain and lets the packet continue to be filtered in the chain that called it; and the QUEUE target, which puts the packet in a queuing mechanism for further user-space manipulation.

At any point you can issue the following command to get a list of all current IP tables rules:

iptables -L

The iptables command can list not only the rules active on your system, but also the number of packets that each listed rule has "caught." You can view this output with the following command:

iptables -L -nv
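
The counters can also be checked mechanically. The following is an added example, not part of the original guide: it parses the text printed by iptables -L -nv and reports each chain's default policy and every rule whose packet counter is still 0, which is often a sign that the rule sits behind an earlier rule that matches first. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: reads `iptables -L -nv` text on stdin; needs no root.

# chain_policies: print "CHAIN POLICY" for each built-in chain.
chain_policies() {
    awk '$1 == "Chain" && $3 == "(policy" { print $2, $4 }'
}

# zero_hit_rules: print "CHAIN POSITION TARGET" for every rule whose
# packet counter is 0, i.e. a rule that has not matched anything yet.
# POSITION counts rules from 1 in the order the chain evaluates them.
zero_hit_rules() {
    awk '
        $1 == "Chain"            { chain = $2; n = 0; next }
        NF == 0 || $1 == "pkts"  { next }   # blank lines and column headers
        { n++; if ($1 == "0") print chain, n, $3 }
    '
}

# Constructed sample listing (203.0.113.7 is a documentation address).
SAMPLE='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  340 27200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22,80,443
 1520  190K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       203.0.113.7          0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2210 packets, 301K bytes)
 pkts bytes target     prot opt in     out     source               destination'

printf '%s\n' "$SAMPLE" | chain_policies
printf '%s\n' "$SAMPLE" | zero_hit_rules
```

A zero counter can also mean that no such traffic has arrived yet, so treat the result as a list of rules to review rather than a list of errors.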

If you want to "flush" or clear all IP tables rules on your system, you may issue the following command:

iptables -F

Because iptables rules affect networking, it is possible to inadvertently prevent access to your system. If you are connected to your machine over SSH and a rule removes that access, you may use an out-of-band console to recover access to your system. Exercise great care when instantiating new firewall rules. Note also that iptables -F removes rules but leaves each chain's default policy in place, so flushing a chain whose policy is DROP blocks all traffic through that chain.

When creating firewall rules, be aware that any rules created will not persist following your system's next boot cycle. If you want to create persistent firewall rules, consider deploying a dedicated firewall package or inserting iptables commands in your system's /etc/rc.local file.

iptables Rules

IP tables rules are processed serially in "chains" according to the kind of packet being processed. The system defines an INPUT chain which filters all incoming packets, a FORWARD chain which processes all packets that need to be redirected elsewhere, and an OUTPUT chain that can filter all outgoing packets. Users may define additional chains that rules in the default chains can filter packets through.

In addition to the chains upon which this document is primarily focused, iptables contains the concept of tables, which allow the networking system to process different kinds of packets. The default table is the filter table, which is the focus of this document and the core of the most used iptables functionality.

The following sections outline a number of basic approaches to creating a firewall and some common iptables rules. Combining these practical examples with the general knowledge provided above should allow you to construct your own network firewall and filtering system that is tailored directly to the needs of your deployment.

Block All Incoming Traffic on a Port

IP tables contains the capability of blocking all access to a port on a given interface. Consider a command in the following form:

iptables -A INPUT -j DROP -p tcp --destination-port 110 -i eth0

This command adds a rule to the end of the INPUT chain that drops every packet the rule matches. The "-p tcp" option restricts the rule to TCP packets (it does nothing to filter UDP packets). The "--destination-port 110" option restricts the rule to packets targeted to port 110. Finally, the "-i eth0" option restricts the rule to packets arriving on the "eth0" interface. If you do not specify an interface, traffic arriving on all interfaces will be filtered.

IP tables has no way to conceptualize interface aliases (virtual IP interfaces; e.g. eth0 and eth0:0). If you have multiple aliases for a single interface, a rule with "-i eth0" matches all packets arriving on the eth0 interface and its aliases. To filter traffic for only one of these addresses, specify the destination address with "-d", as in the following example:

iptables -A INPUT -j DROP -p tcp --destination-port 110 -i eth0 -d <destination-address>

To remove a specific rule, repeat its specification with --delete or -D in place of -A, as in the following examples:

iptables --delete INPUT -j DROP -p tcp --destination-port 110 -i eth0
iptables -D INPUT -j DROP -p tcp --destination-port 110 -i eth0
iptables --delete INPUT -j DROP -p tcp --destination-port 110 -i eth0 -d <destination-address>
iptables -D INPUT -j DROP -p tcp --destination-port 110 -i eth0 -d <destination-address>

Drop All Traffic from a Specific IP

As described above, in order to drop all incoming traffic from a specific IP address, use an IP tables command that resembles the following:

iptables -I INPUT -s <source-address> -j DROP

To remove this rule specifically, repeat its specification with --delete or -D in place of -I, as in the following examples:

iptables --delete INPUT -s <source-address> -j DROP
iptables -D INPUT -s <source-address> -j DROP

Block All Traffic and Allow Traffic on Specific Ports

One common approach to firewall architecture involves blocking all traffic to the system by default and then allowing traffic on specific ports. Consider the following sequence of commands:

iptables -A INPUT -p tcp -m multiport --destination-ports 22,25,53,80,443,465,5222,5269,5280,8999:9003 -j ACCEPT
iptables -A INPUT -p udp -m multiport --destination-ports 53 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

In this example, the first two commands append rules to the INPUT chain to allow access on specific ports. The "-p tcp" and "-p udp" options select TCP or UDP packets respectively. The "-m multiport" match selects packets on the basis of their source or destination ports, and can accept the specification of up to 15 ports. Multiport also accepts ranges such as 8999:9003, which count as 2 of the 15 possible ports but match ports 8999, 9000, 9001, 9002, and 9003. The next command allows all incoming and outgoing packets that are associated with existing connections so that they will not be inadvertently blocked by the firewall. The final two commands use the -P option to set the default policy for these chains. As a result, all packets processed by INPUT and FORWARD will be dropped by default.

This kind of basic firewall can be thought of as an impenetrable wall with the exception of several small "pinholes." This kind of approach to networking may be useful for ensuring a much more tightly controlled network interface. Do note that the rules described above only control incoming packets, and do not limit outgoing connections.
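
The following is an added example, not part of the original guide: a script that prints the commands for this default-deny layout from a port list, starting a new multiport rule whenever the 15-slot limit described above would be exceeded. The function names, the port validation and the loopback rule are assumptions added here; the script only prints commands so that they can be reviewed before being run or placed in /etc/rc.local.

```shell
#!/bin/sh
# Added example: prints iptables commands for review; it does not run them.
MAX_SLOTS=15   # multiport limit: a single port uses 1 slot, a range uses 2

# valid_port N: succeeds when N is an integer from 1 to 65535.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

rule() { echo "iptables -A INPUT -p $1 -m multiport --destination-ports $2 -j ACCEPT"; }

# emit_multiport PROTO PORT_OR_RANGE...
# Prints one ACCEPT rule per group of at most MAX_SLOTS slots; fails on bad input.
emit_multiport() {
    proto=$1; shift
    group=""; used=0
    for p in "$@"; do
        case $p in
            *:*) cost=2; lo=${p%%:*}; hi=${p#*:}
                 valid_port "$lo" && valid_port "$hi" && [ "$lo" -lt "$hi" ] || return 1 ;;
            *)   cost=1
                 valid_port "$p" || return 1 ;;
        esac
        if [ $((used + cost)) -gt "$MAX_SLOTS" ]; then
            rule "$proto" "$group"; group=""; used=0
        fi
        group="${group:+$group,}$p"; used=$((used + cost))
    done
    if [ -n "$group" ]; then rule "$proto" "$group"; fi
}

# emit_firewall "TCP PORTS" "UDP PORTS": the default-deny rule set from the guide.
emit_firewall() {
    tcp=$(emit_multiport tcp $1) || return 1   # bad input: print nothing at all
    udp=$(emit_multiport udp $2) || return 1
    # Assumption added here: accept loopback so local services keep working.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    [ -z "$tcp" ] || echo "$tcp"
    [ -z "$udp" ] || echo "$udp"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Policies last, so the ACCEPT rules exist before the default becomes DROP.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
}

# Port list from the guide; redirect the output to a file and review it.
emit_firewall "22 25 53 80 443 465 5222 5269 5280 8999:9003" "53"
```

Because every port is validated before anything is printed, text such as "22;reboot" in the port list makes emit_firewall fail with no output instead of ending up in a file that root later executes.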

Whitelist Traffic From Specific Addresses

Expanding on the principle of "pinholing" described above, IP tables makes it possible to block all traffic and then only allow traffic from certain IP addresses. Although many applications and servers contain the ability to do access control on the application layer as well, including these kinds of firewall rules is useful for controlling access to specific resources at the networking layer. Consider the following commands:

iptables -A INPUT -s <network-in-CIDR-notation> -j ACCEPT
iptables -A INPUT -s <IP-address> -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

In this case, the "-s" option in the first command specifies that all source IPs in the address space of 192.168.1. are allowed. You may specify a range of IP addresses using "CIDR" notation, or individual IP addresses as in the second command. The third invocation allows all incoming and outgoing packets that are associated with existing connections. The final two commands set the default policy for the INPUT and FORWARD chains to drop all packets.


Creative Commons License

This guide is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.

Last edited by Tim Heckman on Friday, November 18th, 2011 (r2711).