Introduction to Iptables in Linux


Hello readers, this blog will teach you about iptables and its use through some basic use cases.

What is iptables?

iptables is the built-in Linux firewall tool. It works from a set of conditions, known as rules, that decide which traffic is allowed on the machine: it inspects incoming and outgoing traffic and filters it according to the specified rules.

Incoming and outgoing data is transferred in the form of packets, and Linux provides an interface (netfilter) to filter these packets. This is where iptables comes into the picture: it is the command-line tool used to set up and configure the firewall. iptables organises its filtering into tables, and each table contains several chains, which are simply ordered sets of rules.

Rules and targets in Iptables

A rule defines what to do with a packet that matches it. When a rule matches, it specifies a target, which can be another chain or one of the special values below:

  • ACCEPT: The packet is allowed to pass through the firewall.
  • DROP: The packet is silently discarded and does not pass through the firewall.
  • RETURN: Stop traversing the current chain and resume at the next rule of the chain from which it was called (in a built-in chain, the chain's default policy applies instead).

There are 5 built-in tables in iptables, namely filter, nat, mangle, raw and security. In this tutorial we work only with the default table of iptables, which is filter.

The filter table

The filter table is used for normal filtering of traffic based on the rules defined by the user, which makes it the table for day-to-day blocking and filtering of packets. The filter table has three built-in chains:

  • INPUT: This chain controls incoming packets that are destined for the server itself.
  • FORWARD: This chain filters packets that arrive at the server but are to be routed on to somewhere else.
  • OUTPUT: This chain filters packets that originate from the server.

Following is the diagram in reference to the filter table chains. [Diagram (image.png) not reproduced here.]

Going through the Iptables command

Starting from scratch, I’ll be covering almost every possible command with some basic use case.

Installation

Check the iptables command installation by checking the version of iptables:

iptables --version

In case iptables is not installed, install it with the following steps (Debian/Ubuntu):

sudo apt-get update
sudo apt-get install iptables

To view the filter table, which is actually the default table of iptables:

sudo iptables -L 

This produces the following output, which is an empty filter table (-L lists the filter table unless -t names another one):

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 

Here, INPUT, OUTPUT and FORWARD are the chains that hold the rules configuring the firewall. Every chain has a default policy, shown as (policy ACCEPT). The default policy of a chain is the target applied to packets that match none of the rules in that chain. For example, the default policy of the INPUT chain here is ACCEPT, which means every incoming packet that no rule matches is accepted by the firewall.

If you want to see the default policies (and the rules) in the same form you would type them, use -S, whose long form is --list-rules:

sudo iptables -S

To change the default policy of a chain, the command is as follows:

sudo iptables -P <chain> <target>

For example, if we change the default policy of the INPUT chain to DROP with sudo iptables -P INPUT DROP, then nobody will be able to communicate with us, because every incoming packet that matches no rule is dropped by the firewall. On a remote machine this includes your own SSH session, so add the ACCEPT rules you need before changing the policy.

Modifying rules in iptables

The following command adds a rule to a chain. We'll cover the syntax first, and then some use cases for the same.

sudo iptables [-t <table>] [ -A | -I ] <chain> [<rule-number>] -p <protocol> -s <source-ip> -d <destination-ip> --sport <source-port> --dport <destination-port> -i <input-interface> -o <output-interface> -j <target>

In the above command, I’ve used multiple flags. I’ll explain each of them and when they are required.

  • -A: Append a rule at the end of the given chain.
  • -I: Insert a rule at the given position (rule number) in the chain. If no position is given, the rule is inserted at the top, position 1.
  • -t: The table name. By default it is the filter table.
  • -p: The protocol. It can be tcp, udp, icmp or all.
  • -s: The source address the packets are coming from. Mainly used to apply an INPUT chain rule to a specific source IP address.
  • -d: The destination address the packets are going to. Mainly used to apply an OUTPUT chain rule to a specific destination IP address.
  • --sport & --dport: The source and destination port respectively. Only meaningful when the rule is applied to the tcp or udp protocol.
  • -j: The target applied when the rule matches. It can be ACCEPT, REJECT, DROP, etc.
  • -i: Input interface: the name of the interface on which a packet is received (usable in INPUT and FORWARD).
  • -o: Output interface: the name of the interface via which a packet will be sent (usable in OUTPUT and FORWARD).

Adding rules to iptables

1. To block a particular website, say facebook, so that it can't be reached from your server. Note that the hostname is resolved to its IP address(es) only once, when the rule is added, so the rule covers only the addresses returned at that moment; in the INPUT chain it drops the site's replies as they arrive.

sudo iptables -I INPUT -t filter -s www.facebook.com -j DROP

2. To block all packets coming from a particular IP address, say 192.168.0.107:

sudo iptables -I INPUT -t filter -s 192.168.0.107 -j DROP

3. To block traffic on the loopback interface (lo), i.e. your localhost [127.0.0.1]. Many local services depend on loopback, so use this only deliberately:

sudo iptables -A INPUT -i lo -j DROP

4. To disable a port on your system: suppose you don't want to allow anyone to SSH into your system, then you need to block port 22, which can be done as follows:

sudo iptables -A INPUT -t filter -p tcp --dport 22 -j DROP

5. We can likewise set the target to ACCEPT or DROP packets for other ports. For example, to block HTTP and HTTPS we drop packets whose source port is 80 or 443. In the INPUT chain this drops the replies coming back from remote web servers, so the server itself can no longer browse HTTP/HTTPS sites; to stop others from reaching a web server running on this host, you would match --dport instead.

sudo iptables -A INPUT -t filter -p tcp --sport 80 -j DROP
sudo iptables -A INPUT -t filter -p tcp --sport 443 -j DROP
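As an added example (not code from the original post), the script below combines the INPUT-chain rules from this section in the order a defender needs them: the ACCEPT rules for loopback, already-established connections and SSH go in before the default policy is switched to DROP, so the policy change from the earlier section does not lock the administrator out. It assumes iptables is installed and root privileges for a real run; the DRY_RUN variable, the SSH_PORT default of 22 and the function names are my own conventions, and DRY_RUN prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes iptables is installed and
# the script is run as root ("sh harden.sh apply"). With DRY_RUN=1 set, the
# commands are printed instead of executed so the plan can be reviewed first.
SSH_PORT="${SSH_PORT:-22}"   # assumed admin port; adjust if sshd listens elsewhere

# Execute an iptables command, or just print it when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Rules that must be in place BEFORE the INPUT policy is switched to DROP.
# Flipping the policy first would also cut off the administrator's own session.
harden_input() {
    ipt -F INPUT                                         # start from an empty chain
    ipt -A INPUT -i lo -j ACCEPT                         # keep localhost services working
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT  # replies to our own traffic
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT    # keep remote administration reachable
    ipt -P INPUT DROP                                    # everything not matched above is dropped
}

# Insert a block for one source address at the top of INPUT (position 1), so it
# is evaluated before the ACCEPT rules above, even for established connections.
block_source() {
    ipt -I INPUT 1 -s "$1" -j DROP
}

# Show the resulting chain with rule numbers, which "-D <chain> <number>" needs.
show_input() {
    ipt -L INPUT -v -n --line-numbers
}

if [ "${1:-}" = "apply" ]; then
    harden_input
    show_input
fi
```

Review the plan first with DRY_RUN=1 sh harden.sh apply, then run it as root without DRY_RUN from a console session, not over the SSH connection you are about to restrict.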

Removing rules from iptables

1. To remove a particular rule by its number within the chain (list the chain with --line-numbers to see the numbers):

sudo iptables -D <chain> <line-number>

2. To remove all the rules of a particular chain:

sudo iptables -F <chain>

3. To remove all the rules from every chain of the table (-F, long form --flush, with no chain name):

sudo iptables -F

To get more detailed output from any listing command, run it in verbose mode:

sudo iptables -L -v

After going through the contents, now you’ll be familiar with iptables and how to add rules to the filter table. Still, if you have any queries, feel free to contact me at yatharth.sharma@knoldus.in.

Thank you for sticking to the end. If you like this blog, please do show your appreciation by giving a thumbs up and sharing this blog, and give me suggestions on how I can improve my future posts to suit your needs. Follow me to get updates on different technologies.

Written by 

Yatharth Sharma is a Software Consultant at Knoldus Software LLP. He has done MCA from Bharati Vidyapeeth Institute of Computer Application and Management, Paschim Vihar. He has a decent knowledge of the Java language and is currently working on DevOps technologies/tools like Ansible, Jenkins, Docker and Kubernetes. Apart from programming, he loves listening to rap music.