Iptables is a command line firewall in Linux that allows system administrators to manage inbound and outbound traffic through a set of rules.
Managing network traffic is considered one of the most difficult jobs that system administrators face, It has the mission of configuring the firewall in such a way that it meets the security policies of the company for the incoming and outgoing connections, without leaving the system vulnerable to attacks.
In this guide, you will see some useful commands that will help you to properly manage your Linux firewall through iptables.
firewall status/start/restart :
[root@server ~]# systemctl start iptables.service [root@server ~]# systemctl stop iptables.service [root@server ~]# systemctl restart iptables.service [root@server ~]# systemctl status iptables.service
Check all iptables firewall rules :
If you want to check your existing rules, use the following command :
[root@server ~]# iptables -L -n -v Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2189 901K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 3 110 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 239 29956 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 281 packets, 29170 bytes) pkts bytes target prot opt in out source destination 6 304 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 2044 258K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
Block a specific IP address:
Assuming you noticed abnormal activity from an IP address, you can block it with the command below :
[root@server ~]# iptables -A INPUT -s @IP -j DROP
Block TCP traffic from an IP address :
[root@server ~]# iptables -A INPUT -p tcp -s @IP -j DROP
Unblock an IP address :
If after blocking an IP address you believe it is not the source of an attack, you can unblock it with the command :
[root@server ~]# iptables -D INPUT -s @IP -j DROP ou bien # iptables --delete INPUT -s @IP -j DROP
Block a specific port :
It is a good security measure to block incoming and outgoing connections at a port level, to do so use the command below :
To block incoming connections on a port (TCP traffic) :
[root@server ~]# iptables -A OUTPUT -p tcp --dport port -j DROP
To block outgoing connections on a port (TCP traffic) :
[root@server ~]# iptables -A INPUT -p tcp --dport port -j ACCEPT
replace tcp with udb if it is UDP traffic.
Allow connections on multiple ports :
With « multiport » you can authorize or block incoming and outgoing connections on several ports at the same time :
[root@server ~]# iptables -A INPUT -p tcp -m multiport --dports 21,25,443 -j ACCEPT [root@server ~]# iptables -A OUTPUT -p tcp -m multiport --sports 21,25,443 -j ACCEPT
Authorize a range of addresses on a particular port :
The example below allows outgoing connections from the 192.168.5.0/24 network on port 25 :
[root@server ~]# iptables -A OUTPUT -p tcp -d 192.168.5.0/24 --dport 25 -j ACCEPT
Block access to a website :
Assuming your company’s security policy prohibits access to social networks like Facebook, to block access use the commands below :
First find the IP address of Facebook.com :
[root@server ~]# host facebook.com facebook.com has address 31.13.83.36 facebook.com has IPv6 address 2a03:2880:f104:83:face:b00c:0:25de facebook.com mail is handled by 10 smtpin.vvv.facebook.com.
Find the CIDR :
[root@server ~]# whois 31.13.83.36 | grep CIDR CIDR: 66.220.144.0/20
You can then block access to Facebook :
[root@server ~]# iptables -A OUTPUT -p tcp -d 66.220.144.0/20 -j DROP
Forward traffic to another port:
The command below forwards all inbound traffic on the eth1 network interface, from port 21 to port 2021 :
[root@server ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 21 -j REDIRECT --to-port 2021
Block ping requests :
For security reasons, it is better to block ping requests (icmp), just type the command below :
# iptables -A INPUT -p icmp -i eth0 -j DROP
Block a specific MAC address :
# iptables -A INPUT -m mac --mac-source 2A:FF:05:CE:B3:00 -j DROP
That’s the end of this guide, of course there are other commands that I suggest you take a look at with the man iptables command, or just click here.
Protocole du routage
Comment installer Docker sur Rocky Linux 9
Configurer le bonding réseau avec nmcli sous Linux
tar: Les 14 commandes les plus utilisé
Fail2Ban : How to protect Linux services