How to configure IPTables

IPTables is a command-line utility that is the standard interface for managing the Linux (netfilter) firewall.

Options for working with chains:
-A – append a new rule to a chain.
-D – delete a rule.
-F – flush (remove) all rules.
-R – replace a rule.
-L – list rules.

INPUT – incoming traffic.
OUTPUT – outgoing traffic.
FORWARD – forwarded (transit) traffic.

-p – protocol, can be all, icmp, tcp, udp.
-s – source IP address / host.
-d – destination IP address / host.
-i – interface the packet arrived on.
-o – interface the packet leaves through.
--sport – source port.
--dport – destination port.

ACCEPT – allow packets.
REJECT – block packets and send back an error message.
DROP – block packets silently, without any reply (the preferred option over REJECT).

Examples of viewing the rules:

iptables -nvL
iptables -n -L -v --line-numbers
iptables -L INPUT -n -v
iptables -L OUTPUT -n -v --line-numbers
iptables -L OUTPUT -n --line-numbers | less
iptables -L OUTPUT -n --line-numbers | grep
iptables -L INPUT --line-numbers

View NAT and mangle rules:

iptables -L -t nat
iptables -L -t mangle

Examples of deleting rules:

iptables -D INPUT 3
iptables -D INPUT -s -j DROP

I will give an example of a simple NAT rule (where is the local network, and faces the Internet):

iptables -t nat -I POSTROUTING -s -j SNAT --to-source --persistent

An example of removing and adding NAT rules:

iptables -t nat -D POSTROUTING -s -o eth1 -j SNAT --to-source --persistent
iptables -t nat -A POSTROUTING -s -o eth1 -j SNAT --to-source --persistent

If NAT is configured and you need to forward a port to a local IP (where is the local IP, and is on eth0 facing the Internet):

iptables -t nat -A PREROUTING -d -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination

Suppose NAT for the network is configured through, and must be started through

iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to-source

Full reset of the rules (be careful with this command: -F flushes only the rules of the filter table, it does not reset chain policies, so with a DROP policy on INPUT you will lose remote access):

iptables -F

Service Management:

service iptables stop/start/restart/save

Example of allow rules for POP3 and POP3S:

iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT

Example for IMAP and IMAPS:

iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT

Setting the default INPUT and FORWARD policies to DROP (be careful with these rules: add the allow rules first, at least for the loopback interface, ESTABLISHED,RELATED traffic and your management port, otherwise you will lock yourself out):

iptables -P INPUT DROP
iptables -P FORWARD DROP

To allow ping:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

Blocking and unblocking an IP address or network:

iptables -A INPUT -s xx.xx.xx.xx -j DROP
iptables -A INPUT -s xx.xx.xx.xx/24 -j DROP
iptables -D INPUT -s xx.xx.xx.xx -j DROP

Limit the number of simultaneous connections from one source address to 200 on a given port, for example 443 and 80 (--connlimit-mask 32 counts per single IPv4 address):

iptables -A INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 200 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

iptables -A INPUT -s -p tcp --dport 80 -m connlimit --connlimit-above 200 -j DROP
iptables -A INPUT -s -p tcp --dport 80 -j ACCEPT

Opening port 80 with a rate limit (the limit match counts matched packets, not connections; packets above 50 per second fall through to the following rules or the chain policy):

iptables -A INPUT -p tcp --dport 80 -m limit --limit 50/second -j ACCEPT

If you need to specify several ports in the rule, then you need to add multiport, for example:

-m multiport --dports 80,8080

An example of marking packets:

iptables -t mangle -A PREROUTING -s -j MARK --set-mark 38

An option for blocking port scans (a source IP that sends TCP packets to ports other than the allowed ones is blocked for 300 seconds). Note that order matters: the two rules that accept all traffic on eth0 come first, so the recent-based blocking only applies to packets arriving on other interfaces:

iptables -P INPUT DROP
iptables -A INPUT -p all -i eth0 -j ACCEPT
iptables -A OUTPUT -p all -o eth0 -j ACCEPT
iptables -A INPUT -m recent --rcheck --seconds 300 --name STOPSCAN -j DROP
iptables -A INPUT -p tcp -m multiport ! --dports 80,443 -m recent --set --name STOPSCAN -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

You can back up the rules to a file and restore them from it with the following commands (iptables-save writes all tables; iptables-restore replaces the current rules with the contents of the file):

iptables-save > iptables.dump
iptables-restore < iptables.dump
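As an added example (not from the original article), the following script generates a ruleset in iptables-save/iptables-restore format that applies the default-DROP INPUT policy from the section above in a safe order, and checks a ruleset file before it is applied. The management port 22 and the allowed ports are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Assumption: port 22 is the management port; the other ports are the
# POP3/IMAP ports from the article (constructed example values).
ALLOWED_TCP_PORTS="22 110 995 143 993"

# Print a complete iptables-restore file for the filter table.
# Loopback and ESTABLISHED,RELATED are accepted before anything else, so the
# DROP policy on INPUT cannot cut the current SSH session.
gen_filter_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT'
    for port in $ALLOWED_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --syn --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Sanity check on a ruleset file: when the INPUT policy is DROP, require the
# loopback and ESTABLISHED,RELATED accept rules and an explicit ACCEPT for
# the management port. Returns 0 when the file is safe to apply.
check_ruleset() {
    file=$1
    port=$2
    grep -q '^:INPUT DROP' "$file" || return 0    # ACCEPT policy: nothing to check
    grep -q -- '-A INPUT -i lo -j ACCEPT' "$file" || return 1
    grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' "$file" || return 1
    grep -q -- "--dport $port .*-j ACCEPT" "$file" || return 1
    return 0
}

# Usage: write the ruleset, verify it, then apply it with iptables-restore.
# The apply step is commented out so the script does not change the firewall.
gen_filter_rules > /tmp/iptables.rules
check_ruleset /tmp/iptables.rules 22 && echo "ruleset ok: /tmp/iptables.rules"
# iptables-restore < /tmp/iptables.rules
```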

You can search the rules for text as follows:


See also my articles:
IPTables rules for: Accel-ppp, DHCP, DNS, FreeRADIUS, WEB, Asterisk, TFTP, SSH, Samba, FTP, NTP and SNTP, MySQL, ntopng, nprobe, Zabbix
Installing and using ipset
Others tagged with iptables
Logging activity using IPTables
The solution to the error “Another app is currently holding the xtables lock”

Look for iptables rules for other services in my articles on installing those services.
