How to Configure Iptables Firewall Rules
IPTables is a powerful command-line firewall utility that allows system administrators to configure and manage network traffic rules. This guide provides comprehensive commands for configuring firewalls for both IPv4 and IPv6.
Prerequisites
- Root or sudo access to the server.
- Basic knowledge of networking and Linux terminal commands.
Basic Structure of IPTables Commands
iptables [OPTIONS] [CHAIN] [CONDITIONS] [TARGET]
ip6tables [OPTIONS] [CHAIN] [CONDITIONS] [TARGET]
Default Chains
- INPUT: Controls incoming traffic.
- OUTPUT: Controls outgoing traffic.
- FORWARD: Controls traffic routed through the system.
Key Options
- -A: Append a rule.
- -I: Insert a rule.
- -D: Delete a rule.
- -L: List rules.
- -F: Flush rules.
- -P: Set the default policy.
- -t: Specify the table (default is filter).
IPv4 IPtables Commands
Set Default Policies
iptables -P INPUT DROP
This sets the default policy for the INPUT chain to DROP, blocking all incoming traffic unless explicitly allowed. The policy takes effect immediately, so run it from a console session or only after the ACCEPT rules below are in place; otherwise an SSH session that no rule permits is cut off.
iptables -P FORWARD DROP
Sets the FORWARD chain to DROP, preventing traffic from being routed through the server.
iptables -P OUTPUT ACCEPT
Allows all outgoing traffic from the server by setting the OUTPUT chain policy to ACCEPT.
Allow Specific Incoming Connections
Allow SSH (port 22):
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Allows incoming SSH connections on port 22, critical for remote server management.
Allow HTTP (port 80):
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Enables incoming web traffic on port 80, used for HTTP.
Allow HTTPS (port 443):
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Permits secure web traffic on port 443, used for HTTPS.
Allow ICMP (Ping)
iptables -A INPUT -p icmp -j ACCEPT
Permits ICMP traffic, such as ping requests, useful for network diagnostics.
Deny Specific Traffic
Deny SSH from a specific IP:
iptables -A INPUT -p tcp --dport 22 -s IP_Address_Here -j DROP
Blocks SSH connections from a specific IP address. Rules are evaluated in order and the first match wins, so a DROP appended with -A after the ACCEPT rule for port 22 above never matches; insert it ahead of that rule with -I INPUT instead.
Deny ICMP (Ping):
iptables -A INPUT -p icmp -j DROP
Blocks all ICMP traffic, including ping requests.
Block Specific IP Address
iptables -A INPUT -s IP_Address_Here -j DROP
Blocks all traffic from the specified IP address.
Allow Traffic from Specific Network
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
Allows traffic from a specific subnet, often used for trusted internal networks.
Masquerade for NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Enables NAT (Network Address Translation) for traffic leaving through the specified interface, commonly used for internet sharing. Forwarding also requires net.ipv4.ip_forward=1 and FORWARD chain rules that accept the traffic; with the FORWARD policy set to DROP above, nothing is forwarded until such rules are added.
Flush All Rules
iptables -F
iptables -X
Clears all existing rules and user-defined chains. Flushing does not reset chain policies: with the INPUT policy still at DROP, removing the ACCEPT rules blocks all incoming traffic, so set the policies back to ACCEPT first or run this from a console session.
Save and Restore Rules
Save rules:
iptables-save > /etc/iptables/rules.v4
Saves the current rules to a file in iptables-save format. The rules persist across reboots only if something reloads the file at boot; on Debian and Ubuntu the iptables-persistent package reads this path.
Restore rules:
iptables-restore < /etc/iptables/rules.v4
Restores rules from the saved file.
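As an added example (not part of the original guide), the IPv4 rules from the sections above assembled into one iptables-save style ruleset that iptables-restore loads atomically, ordered so the DROP policy cannot cut off the session that applies it. The loopback and conntrack rules, the optional SSH source subnet and the install helper are assumptions made here, not commands from the page.

```shell
#!/bin/sh
# Emit an IPv4 ruleset in iptables-save format, ordered so that the DROP policy
# on INPUT cannot sever the SSH session used to apply it: loopback and already
# established connections are accepted before any service rule, and the
# policies land in the same transaction as the rules.
# Usage: gen_rules_v4 [ssh_source]; ssh_source is an assumed value, e.g. 192.168.1.0/24.
gen_rules_v4() {
    ssh_src=""
    [ -n "${1:-}" ] && ssh_src="-s $1 "
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp ${ssh_src}--dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
EOF
}

# Sanity check on a ruleset text: the conntrack ESTABLISHED accept must come
# before the first service rule, otherwise replies to the host's own outbound
# connections are evaluated against the service rules and the DROP policy.
# Returns 0 when the order is right, 1 otherwise.
check_order() {
    est=$(printf '%s\n' "$1" | grep -n 'ESTABLISHED,RELATED -j ACCEPT' | cut -d: -f1 | head -n 1)
    svc=$(printf '%s\n' "$1" | grep -n -- '--dport' | cut -d: -f1 | head -n 1)
    [ -n "$est" ] && [ -n "$svc" ] && [ "$est" -lt "$svc" ]
}

# Write the ruleset to the path used by iptables-save/restore above, parse it
# without committing (iptables-restore --test), then load it atomically.
# Needs root, so it only runs when the script is invoked with "install".
install_rules_v4() {
    rules=$(gen_rules_v4 "$@")
    check_order "$rules" || { echo "refusing to install: bad rule order" >&2; return 1; }
    printf '%s\n' "$rules" > /etc/iptables/rules.v4
    iptables-restore --test /etc/iptables/rules.v4 && iptables-restore /etc/iptables/rules.v4
}

# Print the ruleset when run directly; "install [ssh_source]" writes and loads it.
if [ "${1:-}" = install ]; then install_rules_v4 "$2"; else gen_rules_v4 "$1"; fi
```

Because iptables-restore replaces the filter table in one step, the loopback and conntrack rules are already present when the INPUT policy switches to DROP, which avoids the lockout that running the individual commands in the wrong order can cause.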
IPv6 Commands
Set Default Policies
ip6tables -P INPUT DROP
Blocks all incoming IPv6 traffic unless explicitly allowed.
ip6tables -P FORWARD DROP
Prevents routed IPv6 traffic through the server.
ip6tables -P OUTPUT ACCEPT
Allows all outgoing IPv6 traffic.
Allow Specific Incoming Connections
Allow SSH (port 22):
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
Permits incoming SSH connections over IPv6.
Allow HTTP (port 80):
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
Enables web traffic over IPv6 on port 80.
Allow HTTPS (port 443):
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
Allows secure web traffic over IPv6.
Allow ICMPv6
ip6tables -A INPUT -p icmpv6 -j ACCEPT
Permits ICMPv6 traffic, necessary for IPv6 operations like neighbor discovery.
Deny Specific Traffic
Deny SSH from a specific IP:
ip6tables -A INPUT -p tcp --dport 22 -s IPv6_Address_Here -j DROP
Blocks SSH connections from a specific IPv6 address; ip6tables rules apply only to IPv6 traffic, just as iptables rules apply only to IPv4.
Deny ICMPv6:
ip6tables -A INPUT -p icmpv6 -j DROP
Blocks all ICMPv6 traffic, including neighbor discovery messages, which breaks IPv6 connectivity on the host; a server that needs IPv6 should keep at least the neighbor discovery message types allowed.
Block Specific IPv6 Address
ip6tables -A INPUT -s 2001:db8::1 -j DROP
Blocks traffic from a specific IPv6 address.
Allow Traffic from Specific Network
ip6tables -A INPUT -s 2001:db8::/32 -j ACCEPT
Allows traffic from a trusted IPv6 network.
Flush All Rules
ip6tables -F
ip6tables -X
Clears all IPv6 rules and custom chains.
Save and Restore Rules
Save rules:
ip6tables-save > /etc/iptables/rules.v6
Saves current IPv6 rules to a file.
Restore rules:
ip6tables-restore < /etc/iptables/rules.v6
Restores IPv6 rules from the saved file.