Firewall
Content
Linux Firewall Tutorial: IPTables Tables, Chains, Rules
Fundamentals
iptables firewall is used to manage packet filtering and NAT rules. IPTables comes with all Linux
distributions. Understanding how to setup and configure iptables will help you manage your Linux
firewall effectively.
iptables tool is used to manage the Linux firewall rules. At a first look, iptables might look complex
(or even confusing). But, once you understand the basics of how iptables work and how it is
structured, reading and writing iptables firewall rules will be easy.
This article is part of an ongoing iptables tutorial series. This is the 1st article in that series.
This article explains how iptables is structured, and explains the fundamentals about iptables
tables, chains and rules.
On a high-level iptables might contain multiple tables. Tables might contain multiple chains.
Chains can be built-in or user-defined. Chains might contain multiple rules. Rules are defined for
the packets.
So, the structure is: iptables -> Tables -> Chains -> Rules. This is defined in the following diagram.
Just to re-iterate, tables are bunch of chains, and chains are bunch of firewall rules.
I. IPTABLES TABLES and CHAINS
IPTables has the following 4 built-in tables.
1. Filter Table
Filter is default table for iptables. So, if you don’t define you own table, you’ll be using filter table.
Iptables’s filter table has the following built-in chains.
INPUT chain – Incoming to firewall. For packets coming to the local server.
OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local
server.
FORWARD chain – Packet for another NIC on the local server. For packets routed through the local
server.
2. NAT table
Iptable’s NAT table has the following built-in chains.
PREROUTING chain – Alters packets before routing. i.e Packet translation happens immediately
after the packet comes to the system (and before routing). This helps to translate the destination ip
address of the packets to something that matches the routing on the local server. This is used for DNAT
(destination NAT).
POSTROUTING chain – Alters packets after routing. i.e Packet translation happens when the
packets are leaving the system. This helps to translate the source ip address of the packets to something
that might match the routing on the desintation server. This is used for SNAT (source NAT).
OUTPUT chain – NAT for locally generated packets on the firewall.
3. Mangle table
Iptables’s Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header.
Mangle table has the following built-in chains.
PREROUTING chain
OUTPUT chain
FORWARD chain
INPUT chain
POSTROUTING chain
4. Raw table
Iptable’s Raw table is for configuration excemptions. Raw table has the following built-in chains.
PREROUTING chain
OUTPUT chain
The following diagram shows the three important tables in iptables.
Fig: IPTables built-in tables
II. IPTABLES RULES
Following are the key points to remember for the iptables rules.
Rules contain a criteria and a target.
If the criteria is matched, it goes to the rules specified in the target (or) executes the special values
mentioned in the target.
If the criteria is not matached, it moves on to the next rule.
Target Values
Following are the possible special values that you can specify in the target.
ACCEPT – Firewall will accept the packet.
DROP – Firewall will drop the packet.
QUEUE – Firewall will pass the packet to the userspace.
RETURN – Firewall will stop executing the next set of rules in the current chain for this packet. The
control will be returned to the calling chain.
If you do iptables –list (or) service iptables status, you’ll see all the available firewall rules on your
system. The following iptable example shows that there are no firewall rules defined on this
system. As you see, it displays the default input table, with the default input chain, forward chain,
and output chain.
# iptables -t filter --list
Chain INPUT (policy ACCEPT)
target
prot opt source
destination
Chain FORWARD (policy ACCEPT)
target
prot opt source
destination
Chain OUTPUT (policy ACCEPT)
target
prot opt source
destination
Do the following to view the mangle table.
# iptables -t mangle --list
Do the following to view the nat table.
# iptables -t nat --list
Do the following to view the raw table.
# iptables -t raw --list
Note: If you don’t specify the -t option, it will display the default filter table. So, both of the
following commands are the same.
# iptables -t filter --list
(or)
# iptables --list
The following iptable example shows that there are some rules defined in the input, forward, and
output chain of the filter table.
# iptables --list
Chain INPUT (policy ACCEPT)
num target
1
prot opt source
destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target
1
prot opt source
destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target
prot opt source
destination
Chain RH-Firewall-1-INPUT (2 references)
num target
prot opt source
1
ACCEPT
all -- 0.0.0.0/0
2
ACCEPT
icmp -- 0.0.0.0/0
3
ACCEPT
esp -- 0.0.0.0/0
0.0.0.0/0
4
ACCEPT
ah -- 0.0.0.0/0
0.0.0.0/0
5
ACCEPT
udp -- 0.0.0.0/0
224.0.0.251
6
ACCEPT
udp -- 0.0.0.0/0
0.0.0.0/0
7
ACCEPT
tcp -- 0.0.0.0/0
8
ACCEPT
all -- 0.0.0.0/0
9
ACCEPT
tcp -- 0.0.0.0/0
10 REJECT
all -- 0.0.0.0/0
destination
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
icmp type 255
udp dpt:5353
udp dpt:631
tcp dpt:631
state RELATED,ESTABLISHED
state NEW tcp dpt:22
reject-with icmp-host-prohibited
The rules in the iptables –list command output contains the following fields:
num – Rule number within the particular chain
target – Special target variable that we discussed above
prot – Protocols. tcp, udp, icmp, etc.,
opt – Special options for that specific rule.
source – Source ip-address of the packet
destination – Destination ip-address for the packet
Let’s Change
“-A” is for append. If it makes it easier for you to remember “-A” as add-rule (instead of appendrule), it is OK. But, keep in mind that “-A” adds the rule at the end of the chain.
Again, it is very important to remember that -A adds the rule at the end.
Typically the last rule will be to drop all packets. If you already have a rule to drop all packets, and
if you try to use “-A” from the command-line to create new rule, you will end-up adding the new
rule after the current “drop all packets” rule, which will make your new rule pretty much useless.
Once you’ve mastered the iptables, and when you are implementing it on production, you should
use a shell script, where you use -A command to add all the rules. In that shell script, your last line
should always be “drop all packets” rule. When you want to add any new rules, modify that shell
script and add your new rules above the “drop all packets” rule.
Syntax:
iptables -A chain firewall-rule
-A chain – Specify the chain where the rule should be appended. For example, use INPUT chain for
incoming packets, and OUTPUT for outgoing packets.
firewall-rule – Various parameters makes up the firewall rule.
If you don’t know what chain means, you better read about iptables fundamentalsfirst.
Firewall Rule Parameters
The following parameters are available for all kinds of firewall rules.
-p is for protocol
Indicates the protocol for the rule.
Possible values are tcp, udp, icmp
Use “all” to allow all protocols. When you don’t specify -p, by default “all” protocols will be used. It is
not a good practice to use “all”, and always specify a protocol.
Use either the name (for example: tcp), or the number (for example: 6 for tcp) for protocol.
/etc/protocols file contains all allowed protocol name and number.
You an also use –protocol
-s is for source
Indicates the source of the packet.
This can be ip address, or network address, or hostname
For example: -s 192.168.1.101 indicates a specific ip address
For network mask use /mask. For example: “-s 192.168.1.0/24″ represents a network mask of
255.255.255.0 for that network. This matches 192.168.1.x network.
When you don’t specify a source, it matches all source.
You can also use –src or –source
-d is for destination
Indicates the destination of the packet.
This is same as “-s” (except this represents destination host, or ip-address, or network)
You can also use –dst or –destination
-j is target
j stands for “jump to target”
This specifies what needs to happen to the packet that matches this firewall rule.
Possible values are ACCEPT, DROP, QUEUE, RETURN
You can also specify other user defined chain as target value.
-i is for in interface
i stands for “input interface”
You might over look this and assume that “-i” is for interface. Please note that both -i and -o are for
interfaces. However, -i for input interface and -o for output interface.
Indicates the interface through which the incoming packets are coming through the INPUT,
FORWARD, and PREROUTING chain.
For example: -i eth0 indicates that this rule should consider the incoming packets coming through
the interface eth0.
If you don’t specify -i option, all available interfaces on the system will be considered for input
packets.
You can also use –in-interface
-o is for out interface
o stands for “output interface”
Indicates the interface through which the outgoing packets are sent through the INPUT,
FORWARD, and PREROUTING chain.
If you don’t specify -o option, all available interfaces on the system will be considered for output
packets.
You can also use –out-interface
Additional Options for Firewall Parameters
Some of the above firewall parameters in turn has it’s own options that can be passed along with
them. Following are some of the most common options.
To use these parameter options, you should specify the corresponding parameter in the firewall
rule. For example, to use “–sport” option, you should’ve specified “-p tcp” (or “-p udp”) parameter
in your firewall rule.
Note: All of these options have two dashes in front of them. For example, there are two hyphens in
front of sport.
–sport is for source port (for -p tcp, or -p udp)
By default all source ports are matched.
You can specify either the port number or the name. For example, to use SSH port in your firewall
rule, use either “–sport 22″ or “–sport ssh”.
/etc/services file contains all allowed port name and number.
Using port number in the rule is better (for performance) than using port name.
To match range of ports, use colon. For example, 22:100 matches port number from 22 until 100.
You can also use –source-port
–dport is for destination port (for -p tcp, or -p udp)
Everything is same as –sport, except this is for destination ports.
You can also use –destination-port
–tcp-flags is for TCP flags (for -p tcp)
This can contain multiple values separated by comma.
Possible values are: SYN, ACK, FIN, RST, URG, PSH. You can also use ALL or NONE
–icmp-type is for ICMP Type (for -p icmp)
When you use icmp protocol “-p icmp”, you can also specify the ICMP type using “–icmp-type”
parameter.
For example: use “–icmp-type 0″ for “Echo Reply”, and “–icmp-type 8″ for “Echo”.
Example Firewall Rule to Allow Incoming SSH Connections
Now that you understand various parameters (and it’s options) of firewall rule, let us build a
sample firewall rule.
In this example, let us allow only the incoming SSH connection to the server. All other connections
will be blocked (including ping).
WARNING: Playing with firewall rules might render your system inaccessible. If you don’t know
what you are doing, you might lock yourself (and everybody else) out of the system. So, do all your
learning only on a test system that is not used by anybody, and you have access to the console to
restart the iptables, if you get locked out.
1. Delete Existing Rules
If you already have some iptables rules, take a backup before delete the existing rules.
Delete all the existing rules and allow the firewall to accept everything. Useiptables flush as we
discussed earlier to clean-up all your existing rules and start from scratch.
Test to make sure you are able to ssh and ping this server from outside.
When we are done with this example, you’ll only be able to SSH to this server. You’ll not be able to
ping this server from outside.
2. Allow only SSH
Allow only the incoming SSH connection to this server. You can ssh to this server from anywhere.
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
The above iptables command has the following 4 components.
“-A INPUT” – This indicates that we are appending a new rule (or adding) to the INPUT chain. So,
this rule is for incoming traffic.
“-i eth0″ – Incoming packets through the interface eth0 will be checked against this rule.
“-p tcp –dport 22″ – This rule is for TCP packets. This has one tcp option called “–dport 22″, which
indicates that the destination port for this rule on the server is 22 (which is ssh).
“-j ACCEPT” – Jump to accept, which just ACCEPTS the packet.
In simple terms the above rule can be stated as: All incoming packets through eth0 for ssh will be
accepted.
3. Drop all Other Packets
Once you’ve specified your custom rules to accept packets, you should also have a default rule to
drop any other packets.
This should be your last rule in the INPUT chain.
To drop all incoming packets, do the following.
iptables -A INPUT -j DROP
4. View the SSH rule and Test
To view the current iptables firewall rules, use “iptables -L” command.
# iptables -L
Chain INPUT (policy ACCEPT)
target
prot opt source
ACCEPT
DROP
tcp -- anywhere
all -- anywhere
destination
anywhere
tcp dpt:ssh
anywhere
As you see from the above output, it has the following two rules in sequence.
Accept all incoming ssh connections
Drop all other packets.
Instead of adding the firewall rules from the command line, it might be better to create a shell
script that contains your rules as shown below.
# vi iptables.sh
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
# sh -x iptables.sh
+ iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+ iptables -A INPUT -j DROP
# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target
ACCEPT
DROP
prot opt source
tcp -- anywhere
all -- anywhere
destination
anywhere
tcp dpt:ssh
anywhere
Similar to iptables append/add command, there are few other commands available for iptables. I’ll
cover them in the upcoming articles in the iptables series. I’ll also provide several practical firewall
rule examples that will be helpful in real life scenarios.
for flushing the all rule:
iptables --flush
Fundamentals
iptables firewall is used to manage packet filtering and NAT rules. IPTables comes with all Linux
distributions. Understanding how to setup and configure iptables will help you manage your Linux
firewall effectively.
iptables tool is used to manage the Linux firewall rules. At a first look, iptables might look complex
(or even confusing). But, once you understand the basics of how iptables work and how it is
structured, reading and writing iptables firewall rules will be easy.
This article is part of an ongoing iptables tutorial series. This is the 1st article in that series.
This article explains how iptables is structured, and explains the fundamentals about iptables
tables, chains and rules.
On a high-level iptables might contain multiple tables. Tables might contain multiple chains.
Chains can be built-in or user-defined. Chains might contain multiple rules. Rules are defined for
the packets.
So, the structure is: iptables -> Tables -> Chains -> Rules. This is defined in the following diagram.
Just to re-iterate, tables are bunch of chains, and chains are bunch of firewall rules.
I. IPTABLES TABLES and CHAINS
IPTables has the following 4 built-in tables.
1. Filter Table
Filter is default table for iptables. So, if you don’t define you own table, you’ll be using filter table.
Iptables’s filter table has the following built-in chains.
INPUT chain – Incoming to firewall. For packets coming to the local server.
OUTPUT chain – Outgoing from firewall. For packets generated locally and going out of the local
server.
FORWARD chain – Packet for another NIC on the local server. For packets routed through the local
server.
2. NAT table
Iptable’s NAT table has the following built-in chains.
PREROUTING chain – Alters packets before routing. i.e Packet translation happens immediately
after the packet comes to the system (and before routing). This helps to translate the destination ip
address of the packets to something that matches the routing on the local server. This is used for DNAT
(destination NAT).
POSTROUTING chain – Alters packets after routing. i.e Packet translation happens when the
packets are leaving the system. This helps to translate the source ip address of the packets to something
that might match the routing on the desintation server. This is used for SNAT (source NAT).
OUTPUT chain – NAT for locally generated packets on the firewall.
3. Mangle table
Iptables’s Mangle table is for specialized packet alteration. This alters QOS bits in the TCP header.
Mangle table has the following built-in chains.
PREROUTING chain
OUTPUT chain
FORWARD chain
INPUT chain
POSTROUTING chain
4. Raw table
Iptable’s Raw table is for configuration excemptions. Raw table has the following built-in chains.
PREROUTING chain
OUTPUT chain
The following diagram shows the three important tables in iptables.
Fig: IPTables built-in tables
II. IPTABLES RULES
Following are the key points to remember for the iptables rules.
Rules contain a criteria and a target.
If the criteria is matched, it goes to the rules specified in the target (or) executes the special values
mentioned in the target.
If the criteria is not matached, it moves on to the next rule.
Target Values
Following are the possible special values that you can specify in the target.
ACCEPT – Firewall will accept the packet.
DROP – Firewall will drop the packet.
QUEUE – Firewall will pass the packet to the userspace.
RETURN – Firewall will stop executing the next set of rules in the current chain for this packet. The
control will be returned to the calling chain.
If you do iptables –list (or) service iptables status, you’ll see all the available firewall rules on your
system. The following iptable example shows that there are no firewall rules defined on this
system. As you see, it displays the default input table, with the default input chain, forward chain,
and output chain.
# iptables -t filter --list
Chain INPUT (policy ACCEPT)
target
prot opt source
destination
Chain FORWARD (policy ACCEPT)
target
prot opt source
destination
Chain OUTPUT (policy ACCEPT)
target
prot opt source
destination
Do the following to view the mangle table.
# iptables -t mangle --list
Do the following to view the nat table.
# iptables -t nat --list
Do the following to view the raw table.
# iptables -t raw --list
Note: If you don’t specify the -t option, it will display the default filter table. So, both of the
following commands are the same.
# iptables -t filter --list
(or)
# iptables --list
The following iptable example shows that there are some rules defined in the input, forward, and
output chain of the filter table.
# iptables --list
Chain INPUT (policy ACCEPT)
num target
1
prot opt source
destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0
0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num target
1
prot opt source
destination
RH-Firewall-1-INPUT all -- 0.0.0.0/0
0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num target
prot opt source
destination
Chain RH-Firewall-1-INPUT (2 references)
num target
prot opt source
1
ACCEPT
all -- 0.0.0.0/0
2
ACCEPT
icmp -- 0.0.0.0/0
3
ACCEPT
esp -- 0.0.0.0/0
0.0.0.0/0
4
ACCEPT
ah -- 0.0.0.0/0
0.0.0.0/0
5
ACCEPT
udp -- 0.0.0.0/0
224.0.0.251
6
ACCEPT
udp -- 0.0.0.0/0
0.0.0.0/0
7
ACCEPT
tcp -- 0.0.0.0/0
8
ACCEPT
all -- 0.0.0.0/0
9
ACCEPT
tcp -- 0.0.0.0/0
10 REJECT
all -- 0.0.0.0/0
destination
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
0.0.0.0/0
icmp type 255
udp dpt:5353
udp dpt:631
tcp dpt:631
state RELATED,ESTABLISHED
state NEW tcp dpt:22
reject-with icmp-host-prohibited
The rules in the iptables –list command output contains the following fields:
num – Rule number within the particular chain
target – Special target variable that we discussed above
prot – Protocols. tcp, udp, icmp, etc.,
opt – Special options for that specific rule.
source – Source ip-address of the packet
destination – Destination ip-address for the packet
Let’s Change
“-A” is for append. If it makes it easier for you to remember “-A” as add-rule (instead of appendrule), it is OK. But, keep in mind that “-A” adds the rule at the end of the chain.
Again, it is very important to remember that -A adds the rule at the end.
Typically the last rule will be to drop all packets. If you already have a rule to drop all packets, and
if you try to use “-A” from the command-line to create new rule, you will end-up adding the new
rule after the current “drop all packets” rule, which will make your new rule pretty much useless.
Once you’ve mastered the iptables, and when you are implementing it on production, you should
use a shell script, where you use -A command to add all the rules. In that shell script, your last line
should always be “drop all packets” rule. When you want to add any new rules, modify that shell
script and add your new rules above the “drop all packets” rule.
Syntax:
iptables -A chain firewall-rule
-A chain – Specify the chain where the rule should be appended. For example, use INPUT chain for
incoming packets, and OUTPUT for outgoing packets.
firewall-rule – Various parameters makes up the firewall rule.
If you don’t know what chain means, you better read about iptables fundamentalsfirst.
Firewall Rule Parameters
The following parameters are available for all kinds of firewall rules.
-p is for protocol
Indicates the protocol for the rule.
Possible values are tcp, udp, icmp
Use “all” to allow all protocols. When you don’t specify -p, by default “all” protocols will be used. It is
not a good practice to use “all”, and always specify a protocol.
Use either the name (for example: tcp), or the number (for example: 6 for tcp) for protocol.
/etc/protocols file contains all allowed protocol name and number.
You an also use –protocol
-s is for source
Indicates the source of the packet.
This can be ip address, or network address, or hostname
For example: -s 192.168.1.101 indicates a specific ip address
For network mask use /mask. For example: “-s 192.168.1.0/24″ represents a network mask of
255.255.255.0 for that network. This matches 192.168.1.x network.
When you don’t specify a source, it matches all source.
You can also use –src or –source
-d is for destination
Indicates the destination of the packet.
This is same as “-s” (except this represents destination host, or ip-address, or network)
You can also use –dst or –destination
-j is target
j stands for “jump to target”
This specifies what needs to happen to the packet that matches this firewall rule.
Possible values are ACCEPT, DROP, QUEUE, RETURN
You can also specify other user defined chain as target value.
-i is for in interface
i stands for “input interface”
You might over look this and assume that “-i” is for interface. Please note that both -i and -o are for
interfaces. However, -i for input interface and -o for output interface.
Indicates the interface through which the incoming packets are coming through the INPUT,
FORWARD, and PREROUTING chain.
For example: -i eth0 indicates that this rule should consider the incoming packets coming through
the interface eth0.
If you don’t specify -i option, all available interfaces on the system will be considered for input
packets.
You can also use –in-interface
-o is for out interface
o stands for “output interface”
Indicates the interface through which the outgoing packets are sent through the INPUT,
FORWARD, and PREROUTING chain.
If you don’t specify -o option, all available interfaces on the system will be considered for output
packets.
You can also use –out-interface
Additional Options for Firewall Parameters
Some of the above firewall parameters in turn has it’s own options that can be passed along with
them. Following are some of the most common options.
To use these parameter options, you should specify the corresponding parameter in the firewall
rule. For example, to use “–sport” option, you should’ve specified “-p tcp” (or “-p udp”) parameter
in your firewall rule.
Note: All of these options have two dashes in front of them. For example, there are two hyphens in
front of sport.
–sport is for source port (for -p tcp, or -p udp)
By default all source ports are matched.
You can specify either the port number or the name. For example, to use SSH port in your firewall
rule, use either “–sport 22″ or “–sport ssh”.
/etc/services file contains all allowed port name and number.
Using port number in the rule is better (for performance) than using port name.
To match range of ports, use colon. For example, 22:100 matches port number from 22 until 100.
You can also use –source-port
–dport is for destination port (for -p tcp, or -p udp)
Everything is same as –sport, except this is for destination ports.
You can also use –destination-port
–tcp-flags is for TCP flags (for -p tcp)
This can contain multiple values separated by comma.
Possible values are: SYN, ACK, FIN, RST, URG, PSH. You can also use ALL or NONE
–icmp-type is for ICMP Type (for -p icmp)
When you use icmp protocol “-p icmp”, you can also specify the ICMP type using “–icmp-type”
parameter.
For example: use “–icmp-type 0″ for “Echo Reply”, and “–icmp-type 8″ for “Echo”.
Example Firewall Rule to Allow Incoming SSH Connections
Now that you understand various parameters (and it’s options) of firewall rule, let us build a
sample firewall rule.
In this example, let us allow only the incoming SSH connection to the server. All other connections
will be blocked (including ping).
WARNING: Playing with firewall rules might render your system inaccessible. If you don’t know
what you are doing, you might lock yourself (and everybody else) out of the system. So, do all your
learning only on a test system that is not used by anybody, and you have access to the console to
restart the iptables, if you get locked out.
1. Delete Existing Rules
If you already have some iptables rules, take a backup before delete the existing rules.
Delete all the existing rules and allow the firewall to accept everything. Useiptables flush as we
discussed earlier to clean-up all your existing rules and start from scratch.
Test to make sure you are able to ssh and ping this server from outside.
When we are done with this example, you’ll only be able to SSH to this server. You’ll not be able to
ping this server from outside.
2. Allow only SSH
Allow only the incoming SSH connection to this server. You can ssh to this server from anywhere.
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
The above iptables command has the following 4 components.
“-A INPUT” – This indicates that we are appending a new rule (or adding) to the INPUT chain. So,
this rule is for incoming traffic.
“-i eth0″ – Incoming packets through the interface eth0 will be checked against this rule.
“-p tcp –dport 22″ – This rule is for TCP packets. This has one tcp option called “–dport 22″, which
indicates that the destination port for this rule on the server is 22 (which is ssh).
“-j ACCEPT” – Jump to accept, which just ACCEPTS the packet.
In simple terms the above rule can be stated as: All incoming packets through eth0 for ssh will be
accepted.
3. Drop all Other Packets
Once you’ve specified your custom rules to accept packets, you should also have a default rule to
drop any other packets.
This should be your last rule in the INPUT chain.
To drop all incoming packets, do the following.
iptables -A INPUT -j DROP
4. View the SSH rule and Test
To view the current iptables firewall rules, use “iptables -L” command.
# iptables -L
Chain INPUT (policy ACCEPT)
target
prot opt source
ACCEPT
DROP
tcp -- anywhere
all -- anywhere
destination
anywhere
tcp dpt:ssh
anywhere
As you see from the above output, it has the following two rules in sequence.
Accept all incoming ssh connections
Drop all other packets.
Instead of adding the firewall rules from the command line, it might be better to create a shell
script that contains your rules as shown below.
# vi iptables.sh
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j DROP
# sh -x iptables.sh
+ iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
+ iptables -A INPUT -j DROP
# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target
ACCEPT
DROP
prot opt source
tcp -- anywhere
all -- anywhere
destination
anywhere
tcp dpt:ssh
anywhere
Similar to iptables append/add command, there are few other commands available for iptables. I’ll
cover them in the upcoming articles in the iptables series. I’ll also provide several practical firewall
rule examples that will be helpful in real life scenarios.
for flushing the all rule:
iptables --flush
