iptables : 12 useful commands

Iptables is a command line firewall in Linux that allows system administrators to manage inbound and outbound traffic through a set of rules.

Managing network traffic is one of the most difficult jobs a system administrator faces: the firewall must be configured so that it enforces the company's security policy for incoming and outgoing connections, without leaving the system vulnerable to attacks.

In this guide, you will see some useful commands that will help you to properly manage your Linux firewall through iptables.

Firewall start/stop/restart/status :

[root@server ~]# systemctl start iptables.service
[root@server ~]# systemctl stop iptables.service
[root@server ~]# systemctl restart iptables.service
[root@server ~]# systemctl status iptables.service

Check all iptables firewall rules :

If you want to check your existing rules, use the following command :

[root@server ~]# iptables -L -n -v 

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                   prot opt in     out     source               destination
 2189  901K ACCEPT                   all  --  *      *                                          ctstate RELATED,ESTABLISHED
    3   110 ACCEPT                   all  --  lo     *
  239 29956 INPUT_direct             all  --  *      *

Chain OUTPUT (policy ACCEPT 281 packets, 29170 bytes)
 pkts bytes target                   prot opt in     out     source               destination
    6   304 ACCEPT                   all  --  *      lo
 2044  258K OUTPUT_direct            all  --  *      *

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target                   prot opt in     out     source               destination
    0     0 ACCEPT                   all  --  *      *                                          ctstate RELATED,ESTABLISHED
    0     0 ACCEPT                   all  --  lo     *
    0     0 FORWARD_direct           all  --  *      *
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *

Block a specific IP address:

Assuming you noticed abnormal activity from an IP address, you can block it with the command below :

[root@server ~]# iptables -A INPUT -s @IP -j DROP

Block TCP traffic from an IP address :

[root@server ~]# iptables -A INPUT -p tcp -s @IP -j DROP

Unblock an IP address :

If after blocking an IP address you believe it is not the source of an attack, you can unblock it with the command :

[root@server ~]# iptables -D INPUT -s @IP -j DROP
or :

[root@server ~]# iptables --delete INPUT -s @IP -j DROP
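As an added example (not part of the original guide), the block and unblock commands above wrapped in a small POSIX shell script: it validates the address before it reaches iptables, uses -C so that repeating a block does not append a duplicate rule, and loops on -D because each delete removes only one matching rule. The IPT variable and the script name blockip.sh are assumptions, so the functions can be pointed at a wrapper command instead of the real iptables.

```shell
#!/bin/sh
# Idempotent wrappers around the -A / -D commands above.  IPT can be pointed
# at another command (e.g. a dry-run wrapper); it defaults to iptables.
IPT="${IPT:-iptables}"

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so a
# malformed or shell-hostile value never reaches iptables.
valid_ipv4() {
    case "$1" in ''|*[!0-9./]*) return 1 ;; esac   # digits, dots, slash only
    addr="${1%%/*}"
    case "$1" in
        */*) prefix="${1#*/}"
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    oldifs="$IFS"; IFS=.; set -- $addr; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Append the DROP rule only if an identical one is not already present (-C),
# so repeated calls do not stack duplicate rules in the INPUT chain.
block_ip() {
    valid_ipv4 "$1" || { echo "block_ip: invalid IPv4 address: $1" >&2; return 2; }
    "$IPT" -C INPUT -s "$1" -j DROP 2>/dev/null && return 0
    "$IPT" -A INPUT -s "$1" -j DROP
}

# -D removes one matching rule per call, so loop until none is left.
unblock_ip() {
    valid_ipv4 "$1" || { echo "unblock_ip: invalid IPv4 address: $1" >&2; return 2; }
    while "$IPT" -C INPUT -s "$1" -j DROP 2>/dev/null; do
        "$IPT" -D INPUT -s "$1" -j DROP || return 1
    done
}

# Usage: sh blockip.sh block|unblock <ipv4[/prefix]>
case "${1:-}" in
    block)   block_ip "$2" ;;
    unblock) unblock_ip "$2" ;;
esac
```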

Block a specific port :

It is a good security measure to block incoming and outgoing connections at the port level. To do so, use the commands below :

To block incoming connections on a port (TCP traffic) :

[root@server ~]# iptables -A INPUT -p tcp --dport port -j DROP

To block outgoing connections on a port (TCP traffic) :

[root@server ~]# iptables -A OUTPUT -p tcp --dport port -j DROP

Replace tcp with udp if it is UDP traffic.

Allow connections on multiple ports :

With the "multiport" match you can allow or block incoming and outgoing connections on several ports at the same time :

[root@server ~]# iptables -A INPUT -p tcp -m multiport --dports 21,25,443 -j ACCEPT
[root@server ~]# iptables -A OUTPUT -p tcp -m multiport --sports 21,25,443 -j ACCEPT

Authorize a range of addresses on a particular port :

The example below allows outgoing connections on port 25 to the network given as the -d argument :

[root@server ~]# iptables -A OUTPUT -p tcp -d --dport 25 -j ACCEPT

Block access to a website :

Assuming your company's security policy prohibits access to social networks like Facebook, use the commands below to block access :

First find the IP address of Facebook.com :

[root@server ~]# host facebook.com
facebook.com has address
facebook.com has IPv6 address 2a03:2880:f104:83:face:b00c:0:25de
facebook.com mail is handled by 10 smtpin.vvv.facebook.com.

Find the CIDR :

[root@server ~]# whois | grep CIDR

You can then block access to Facebook :

[root@server ~]# iptables -A OUTPUT -p tcp -d -j DROP

Forward traffic to another port:

The command below redirects all inbound TCP traffic arriving on the eth1 network interface for port 21 to port 2021 :

[root@server ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j REDIRECT --to-port 2021

Block ping requests :

For security reasons, it is better to block ping requests (ICMP). Just type the command below; note that it drops all ICMP arriving on eth0, not only echo requests :

[root@server ~]# iptables -A INPUT -p icmp -i eth0 -j DROP

Block a specific MAC address :

[root@server ~]# iptables -A INPUT -m mac --mac-source 2A:FF:05:CE:B3:00 -j DROP

That's the end of this guide. Of course there are other commands; I suggest you take a look at them with the man iptables command.
