How to configure IPTables

IPTables is a command line utility that is the standard interface for managing the Linux kernel's packet filter (netfilter).

Options for working with chains:
-A – append a rule to the end of a chain.
-I – insert a rule (at the top of the chain unless a position is given).
-D – delete a rule (by its specification or by its number).
-F – flush (remove) all rules from a chain or table.
-R – replace the rule at a given position.
-L – list the rules.
-P – set the default policy of a built-in chain.

INPUT – traffic addressed to the host itself.
OUTPUT – traffic originating from the host.
FORWARD – routed (transit) traffic passing through the host.

-p – protocol: all, icmp, tcp or udp.
-s – source IP address, network or host name.
-d – destination IP address, network or host name.
-i – interface the packet arrived on.
-o – interface the packet leaves through.
--sport – source port.
--dport – destination port.

ACCEPT – allow packets.
REJECT – block packets and send an error back to the sender (an ICMP unreachable message or a TCP RST).
DROP – silently discard packets (less CPU load under mass requests, so it is generally preferred over REJECT).
RETURN – stop traversing the current chain and resume in the chain that called it.
MARK and CONNMARK – mark packets and connections (in the mangle table) for later matching or routing decisions.
LOG – log matching packets through the kernel log (syslog); the rule does not stop chain traversal.

Examples of viewing the rules:

iptables -nvL
iptables -nvL | grep 192.168.0
iptables -n -L -v --line-numbers
iptables -L INPUT -n -v
iptables -L OUTPUT -n -v --line-numbers
iptables -L OUTPUT -n --line-numbers | less
iptables -L OUTPUT -n --line-numbers | grep
iptables -L INPUT --line-numbers

ip6tables -nvL
ip6tables -t filter -nvL

View NAT and mangle rules:

iptables -L -t nat
iptables -L -t mangle

Examples of deleting rules:

iptables -D INPUT 3
iptables -D INPUT -s -j DROP

I will give an example of a simple NAT rule (where is the local network, and faces the Internet):

iptables -t nat -I POSTROUTING -s -j SNAT --to-source --persistent

An example of removing and adding NAT rules:

iptables -t nat -D POSTROUTING -s -o eth1 -j SNAT --to-source --persistent
iptables -t nat -A POSTROUTING -s -o eth1 -j SNAT --to-source --persistent

If NAT is configured and you need to forward a port to a local IP (where is the local IP, and is the address on eth0 that faces the Internet):

iptables -t nat -A PREROUTING -d -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination

Suppose NAT for the network is configured through, and must be started through

iptables -t nat -A POSTROUTING -s -o eth0 -j SNAT --to-source

Flush all rules (be careful with this command: -F clears only the rules of the filter table and does not reset the default policies, so if the INPUT policy is DROP the host stays closed; use -t nat or -t mangle to flush the other tables):

iptables -F

Service management (the iptables init service on RHEL/CentOS; "save" writes the running rules to /etc/sysconfig/iptables):

service iptables stop/start/restart/save

Example of allowing rules for pop3, pop3s:

iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT

Example for imap, imaps:

iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT

Setting the default INPUT and FORWARD policies to DROP (be careful with these rules: add the allow rules you need, including SSH and ESTABLISHED,RELATED traffic, before changing the policy, or a remote session will be cut off):

iptables -P INPUT DROP
iptables -P FORWARD DROP

To allow ping:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

Examples of blocking and unblocking an IP address or network:

iptables -A INPUT -s xx.xx.xx.xx -j DROP
iptables -A INPUT -s xx.xx.xx.xx/24 -j DROP
iptables -A INPUT -s xx.xx.xx.xx/24 -j REJECT --reject-with icmp-port-unreachable
iptables -D INPUT -s xx.xx.xx.xx -j DROP

When adding a rule, it is advisable to add a comment, for example:

iptables -A INPUT -s xx.xx.xx.xx -m comment --comment "text" -j DROP

Limit the number of simultaneous connections from one source address to 200 on a given port, for example 443 and 80 (note that connlimit under very high traffic can load the CPU heavily; --connlimit-mask 32 counts per individual IPv4 address):

iptables -A INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 200 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

iptables -A INPUT -s -p tcp --dport 80 -m connlimit --connlimit-above 200 -j DROP
iptables -A INPUT -s -p tcp --dport 80 -j ACCEPT

Opening port 80 with a rate limit (the limit match counts matching packets, not connections; packets above the limit fall through to the following rules or to the default policy):

iptables -A INPUT -p tcp --dport 80 -m limit --limit 50/second -j ACCEPT

If you need to specify several ports in the rule, then you need to add multiport, for example:

-m multiport --dports 80,8080

An example of marking packets:

iptables -t mangle -A PREROUTING -s -j MARK --set-mark 38

A way to block port scanning (a source IP that sends TCP packets to ports other than the allowed ones is blocked for 300 seconds; note that here eth0 is treated as a trusted interface, since everything arriving on it is accepted before the scan rules are evaluated):

iptables -P INPUT DROP
iptables -A INPUT -p all -i eth0 -j ACCEPT
iptables -A OUTPUT -p all -o eth0 -j ACCEPT
iptables -A INPUT -m recent --rcheck --seconds 300 --name STOPSCAN -j DROP
iptables -A INPUT -p tcp -m multiport ! --dports 80,443 -m recent --set --name STOPSCAN -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
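The allow rules, the default DROP policy, the connection limit and the port-scan protection above can be combined into one ruleset in iptables-restore format, which the kernel loads atomically. This is an added example, not code from the original article: the function and variable names (gen_ruleset, SSH_PORT, WEB_PORTS, WAN_IF) are assumptions of this example, and it uses the conntrack match in place of the older state match.

```shell
#!/bin/sh
# Added example: emit a complete filter-table ruleset for iptables-restore,
# ordered so that a default DROP policy cannot cut off the administrator.
# Nothing is applied here; review the output and load it as root with
#   ./firewall.sh --print | iptables-restore
SSH_PORT="${SSH_PORT:-22}"        # assumed admin port, must stay reachable
WEB_PORTS="${WEB_PORTS:-80,443}"  # ports the scan rules treat as public
WAN_IF="${WAN_IF:-eth1}"          # assumed Internet-facing interface

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Loopback and already-established traffic first; nothing below can break them.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. Admin access before any blocking rule, commented as the article advises.
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m comment --comment "admin ssh" -j ACCEPT
# 3. Sources already caught scanning stay blocked for 300 seconds.
-A INPUT -i ${WAN_IF} -m recent --rcheck --seconds 300 --name STOPSCAN -j DROP
# 4. A new TCP connection to anything but the public ports marks the source.
-A INPUT -i ${WAN_IF} -p tcp -m conntrack --ctstate NEW -m multiport ! --dports ${WEB_PORTS} -m recent --set --name STOPSCAN -j DROP
# 5. Public services, capped at 200 simultaneous connections per source address.
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -m connlimit --connlimit-above 200 --connlimit-mask 32 -j DROP
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -m conntrack --ctstate NEW -j ACCEPT
# 6. Ping, then a rate-limited LOG so dropped packets are visible in syslog.
-A INPUT -p icmp -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Structural check of the generated text: the INPUT policy is DROP and the
# SSH rule precedes the first port-scan rule, so admins are never marked.
rules_look_sane() {
    out=$(gen_ruleset)
    printf '%s\n' "$out" | grep -q '^:INPUT DROP' || return 1
    ssh_line=$(printf '%s\n' "$out" | grep -n "dport ${SSH_PORT} " | cut -d: -f1)
    scan_line=$(printf '%s\n' "$out" | grep -n 'STOPSCAN' | head -1 | cut -d: -f1)
    [ "$ssh_line" -lt "$scan_line" ]
}

if [ "${1:-}" = "--print" ]; then
    rules_look_sane && gen_ruleset
fi
```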

You can backup the rules to a file, and also restore them from it with the commands:

iptables-save > iptables.dump
iptables-restore < iptables.dump

ip6tables-save > ip6tables.dump
ip6tables-restore < ip6tables.dump
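The dump and restore commands above are also the basis for applying a new ruleset safely over a remote session: back up the running rules, check the new file, load it, and restore the backup automatically unless the change is confirmed. This is an added example, not code from the original article; the function names, the backup directory and the confirmation file /run/iptables.confirmed are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply a ruleset with an automatic rollback so that a mistake
# cannot lock you out. Only apply_with_rollback and save_current need root.
BACKUP_DIR="${BACKUP_DIR:-/var/backups/iptables}"   # assumed location
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"
CONFIRM_FILE="${CONFIRM_FILE:-/run/iptables.confirmed}"

# Timestamped dump name, e.g. iptables-20240101T120000.dump (UTC).
backup_name() {
    printf 'iptables-%s.dump' "$(date -u +%Y%m%dT%H%M%S)"
}

# Save the live IPv4 and IPv6 rules before touching anything; prints the
# IPv4 backup path so the caller can hand it to apply_with_rollback.
save_current() {
    mkdir -p "$BACKUP_DIR"
    f="$BACKUP_DIR/$(backup_name)"
    iptables-save  > "$f"
    ip6tables-save > "$BACKUP_DIR/ip6-$(backup_name)"
    printf '%s\n' "$f"
}

# Cheap structural check of an iptables-save style file before loading it:
# at least one table, and every "*table" block closed by its own COMMIT.
dump_is_valid() {
    f="$1"
    [ -f "$f" ] || return 1
    tables=$(grep -c '^\*' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Load NEW_RULES; after ROLLBACK_SECS the BACKUP is restored unless the operator
# has confirmed from a still-working session with: touch /run/iptables.confirmed
apply_with_rollback() {
    new="$1"; backup="$2"
    dump_is_valid "$new" || { echo "refusing to load $new" >&2; return 1; }
    iptables-restore --test "$new" || return 1    # parse only, no changes
    rm -f "$CONFIRM_FILE"
    iptables-restore < "$new" || return 1
    # nohup keeps the timer alive even if this SSH session is the one that dies.
    nohup sh -c "sleep $ROLLBACK_SECS; [ -e '$CONFIRM_FILE' ] || iptables-restore < '$backup'" \
        >/dev/null 2>&1 &
    echo "loaded $new; confirm within ${ROLLBACK_SECS}s or $backup is restored"
}
```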

You can search the rules for a text string as follows:


Since RPC services can be a source of vulnerabilities, it is better to block port 111 (rpcbind/portmapper), and better still to open only the necessary ports and set the default INPUT policy to DROP. First list the registered RPC services, then block the port:

rpcinfo -p localhost
/sbin/iptables -A INPUT -p tcp --dport 111 -j DROP
/sbin/iptables -A INPUT -p udp --dport 111 -j DROP

See also my articles:
IPTables rules for: Accel-ppp, BGP, DHCP, DNS, FreeRADIUS, WEB, Asterisk, TFTP, SSH, Samba, FTP, NTP and SNTP, SNMP, MySQL, ntopng, nprobe, Zabbix
Installing and using ipset
Logging activity using IPTables
The solution to the error “Another app is currently holding the xtables lock”

Iptables rules for other services can be found in my articles on installing those services.
