How to Configure Iptables Firewall Rules

IPTables is a powerful command-line firewall utility that allows system administrators to configure and manage network traffic rules. This guide provides comprehensive commands for configuring firewalls for both IPv4 and IPv6.

Prerequisites

  • Root or sudo access to the server.

  • Basic knowledge of networking and Linux terminal commands.

Basic Structure of IPTables Commands

iptables [OPTIONS] [CHAIN] [CONDITIONS] [TARGET]
ip6tables [OPTIONS] [CHAIN] [CONDITIONS] [TARGET]

Default Chains

  • INPUT: Controls incoming traffic.

  • OUTPUT: Controls outgoing traffic.

  • FORWARD: Controls traffic routed through the system.

Key Options

  • -A: Append a rule.

  • -I: Insert a rule.

  • -D: Delete a rule.

  • -L: List rules.

  • -F: Flush rules.

  • -P: Set the default policy.

  • -t: Specify the table (default is filter).

IPv4 IPtables Commands

Set Default Policies

iptables -P INPUT DROP

This sets the default policy for the INPUT chain to DROP, blocking all incoming traffic unless explicitly allowed.

iptables -P FORWARD DROP

Sets the FORWARD chain to DROP, preventing traffic from being routed through the server.

iptables -P OUTPUT ACCEPT  

Allows all outgoing traffic from the server by setting the OUTPUT chain policy to ACCEPT.

Allow Specific Incoming Connections

Allow SSH (port 22):

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allows incoming SSH connections on port 22, critical for remote server management.

Allow HTTP (port 80):

iptables -A INPUT -p tcp --dport 80 -j ACCEPT  

Enables incoming web traffic on port 80, used for HTTP.

Allow HTTPS (port 443):

iptables -A INPUT -p tcp --dport 443 -j ACCEPT  

Permits secure web traffic on port 443, used for HTTPS.

Allow ICMP (Ping)

iptables -A INPUT -p icmp -j ACCEPT  

Permits ICMP traffic, such as ping requests, useful for network diagnostics.

Deny Specific Traffic

Deny SSH from a specific IP:

iptables -A INPUT -p tcp --dport 22 -s Your_IP_Here -j DROP

Blocks SSH connections from a specific IP address.

Deny ICMP (Ping):

iptables -A INPUT -p icmp -j DROP

Blocks all ICMP traffic, including ping requests.

Block Specific IP Address

iptables -A INPUT -s IP_Address_Here -j DROP  

Blocks all traffic from the specified IP address, enhancing security against specific threats.

Allow Traffic from Specific Network

iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

Allows traffic from a specific subnet, often used for trusted internal networks.

Masquerade for NAT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Enables NAT (Network Address Translation) for outgoing traffic on the specified interface, commonly used for internet sharing.

Flush All Rules

iptables -F
iptables -X

Clears all existing rules and user-defined chains.

Save and Restore Rules

Save rules:

iptables-save > /etc/iptables/rules.v4

Saves current rules to a file for persistence across reboots.

Restore rules:

iptables-restore < /etc/iptables/rules.v4

Restores rules from the saved file.
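The commands above work one at a time, but applied in that order over an SSH session they have two practical problems: iptables stops at the first matching rule, so a DROP for one source appended after the general port 22 ACCEPT never fires, and with INPUT set to DROP the replies to the server's own outgoing connections are dropped unless a conntrack rule admits them. The following script, an added example that is not part of the original guide, generates the IPv4 ruleset in iptables-save format with the rules in a safe order, so it can be loaded atomically with iptables-restore as described in the Save and Restore section. The blocked host 203.0.113.5 is a constructed sample value; the trusted subnet is the one used in the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): build an iptables-restore
# file for the IPv4 ruleset described above, with rules in a safe order.
# Assumption: BLOCKED_SSH_SRC is a constructed sample address; replace it.
set -eu

BLOCKED_SSH_SRC="203.0.113.5"      # constructed sample: host denied SSH
TRUSTED_NET="192.168.1.0/24"       # trusted subnet from the guide

# Print a complete filter-table ruleset in iptables-save format.
# The chain policies are part of the file, so INPUT DROP only takes effect
# when iptables-restore commits the whole set at once: there is no window
# in which SSH is blocked before its ACCEPT rule exists.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections this host started (OUTPUT is
# ACCEPT, but with INPUT DROP the answers would be dropped without this).
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Source-specific DROP rules go before the broader ACCEPT rules: iptables
# stops at the first match, so a DROP appended after the ACCEPT never fires.
-A INPUT -p tcp --dport 22 -s ${BLOCKED_SSH_SRC} -j DROP
-A INPUT -s ${TRUSTED_NET} -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Line number of the first rule matching a pattern (empty if absent),
# used to check rule ordering before applying the file.
rule_line() {
    build_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Usage (as root):
#   build_rules > /etc/iptables/rules.v4
#   iptables-restore < /etc/iptables/rules.v4
```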

IPv6 Commands

Set Default Policies

ip6tables -P INPUT DROP

Blocks all incoming IPv6 traffic unless explicitly allowed.

ip6tables -P FORWARD DROP

Prevents routed IPv6 traffic through the server.

ip6tables -P OUTPUT ACCEPT

Allows all outgoing IPv6 traffic.

Allow Specific Incoming Connections

Allow SSH (port 22):

ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

Permits incoming SSH connections over IPv6.

Allow HTTP (port 80):

ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT

Enables web traffic over IPv6 on port 80.

Allow HTTPS (port 443):

ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

Allows secure web traffic over IPv6.

Allow ICMPv6

ip6tables -A INPUT -p icmpv6 -j ACCEPT

Permits ICMPv6 traffic, necessary for IPv6 operations like neighbor discovery.

Deny Specific Traffic

Deny SSH from a specific IP:

ip6tables -A INPUT -p tcp --dport 22 -s IPv6_Address_Here -j DROP

Blocks SSH connections from a specific IP address.

Deny ICMPv6:

ip6tables -A INPUT -p icmpv6 -j DROP

Blocks all ICMPv6 traffic, including neighbor discovery messages.

Block Specific IPv6 Address

ip6tables -A INPUT -s 2001:db8::1 -j DROP

Blocks traffic from a specific IPv6 address.

Allow Traffic from Specific Network

ip6tables -A INPUT -s 2001:db8::/32 -j ACCEPT

Allows traffic from a trusted IPv6 network.

Flush All Rules

ip6tables -F  
ip6tables -X

Clears all IPv6 rules and custom chains.

Save and Restore Rules

Save rules:

ip6tables-save > /etc/iptables/rules.v6  

Saves current IPv6 rules to a file.

Restore rules:

ip6tables-restore < /etc/iptables/rules.v6

Restores IPv6 rules from the saved file.
