Iptables is a Linux-based packet-filtering firewall. It is a service (daemon), /etc/init.d/iptables, which reads the rules stored in the file /etc/sysconfig/iptables. Rules are grouped into chains, and chains are grouped into tables. There are three built-in tables: filter, nat and mangle.
The filter table contains three chains, INPUT, OUTPUT and FORWARD, and is used to allow and block traffic.
The INPUT chain is used to filter traffic destined to the local host.
The OUTPUT chain is used to filter packets generated on the local host.
The FORWARD chain is used for packets forwarded across interfaces (routed through the host).
The nat table is used to modify packets and also contains three chains: PREROUTING, POSTROUTING and OUTPUT. PREROUTING is the chain packets pass through before they are processed by the local routing table; POSTROUTING is the chain packets pass through after they have been processed by the local routing table.
Rules can be added to iptables with commands, or by manually appending them to the file /etc/sysconfig/iptables (not recommended).
iptables -A CHAIN -p tcp [options] -j ACTION
CHAIN is described above; "-A INPUT" means append the rule to the INPUT chain.
"-p tcp" means apply the rule to TCP connections only. To apply it to UDP connections you must enter "-p udp" instead.
"[options]" is where you specify which packets the rule applies to.
"-j ACTION" tells what to do with the packets that match the [options]. The action can be "-j DROP" to drop the packet, "-j ACCEPT" to accept it and "-j LOG" to log it.
View firewall status
iptables -L -n -v
-A: Append the rule at the end of the specified chain.
iptables -A INPUT ...
-D: Delete a rule from a chain, either by its number or by repeating its full specification.
iptables -D INPUT 1
iptables -D INPUT -p tcp --dport 21 -j DROP
-R: Replace a rule in the chain (by its number).
iptables -R INPUT 1 -s 192.168.0.1 -j DROP
-I: Insert the rule at a specific position in the chain (position 1 is the top).
iptables -I INPUT 1 -p tcp --dport 21 -j ACCEPT
-L: list. Display the rules.
iptables -L # Display all the rules of the filter table chains
iptables -L INPUT # Display only the INPUT rules (filter table)
-F: flush. Delete all the rules of a chain (or of every chain in the table if no chain is given).
iptables -F # Delete all the rules
iptables -F INPUT # Delete all the rules of the INPUT chain
iptables -F OUTPUT # Delete all the rules of the OUTPUT chain
iptables -F FORWARD # Delete all the rules of the FORWARD chain
Example to delete all rules, including the nat and mangle tables:
iptables -F
iptables -t nat -F
iptables -t mangle -F
-N: Create a new chain
iptables -N LOG_DROP
-X: Delete a user-defined chain
iptables -X LOG_DROP # Delete the LOG_DROP chain
iptables -X # Delete all user-defined chains
-P: policy. Tell the kernel the default policy of a chain, i.e. what happens to a packet that matches no rule: ACCEPT, REJECT, DROP ... Set "-P INPUT DROP" only after the rules that accept the traffic you need (for example your own remote session) are in place, otherwise that traffic is dropped too.
iptables -P INPUT DROP
Rules are stored in /etc/sysconfig/iptables. After adding rules, they must be saved to that file with the command:
IPTABLES EXAMPLES: http://wiki.vpsget.com/index.php/Iptables_example_block_all_except_specified
Ubuntu differs a little bit:
you need to install the iptables-persistent package on Ubuntu:
apt-get install iptables-persistent
After that you are able to save/load configs with the following commands:
service iptables-persistent restart
service iptables-persistent flush
service iptables-persistent start
For example, to save the iptables rules under Ubuntu you need to run the following command:
iptables-save > /etc/iptables/rules.v4
Currently we have noticed a strange bug that appears only on a few Ubuntu versions (12.04 LTS) with MASQUERADE: you are simply unable to add the rule. So here is an example of an iptables config for OpenVPN (with client IP change/masquerading):
# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.4.12 on Wed Mar 4 20:13:19 2015
*raw
:PREROUTING ACCEPT [1041:98190]
:OUTPUT ACCEPT [629:50218]
COMMIT
# Completed on Wed Mar 4 20:13:19 2015
# Generated by iptables-save v1.4.12 on Wed Mar 4 20:13:19 2015
*nat
:PREROUTING ACCEPT [3:144]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 4 20:13:19 2015
# Generated by iptables-save v1.4.12 on Wed Mar 4 20:13:19 2015
*mangle
:PREROUTING ACCEPT [1041:98190]
:INPUT ACCEPT [1041:98190]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [629:50218]
:POSTROUTING ACCEPT [629:50218]
COMMIT
# Completed on Wed Mar 4 20:13:19 2015
# Generated by iptables-save v1.4.12 on Wed Mar 4 20:13:19 2015
*filter
:INPUT ACCEPT [3:144]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3:120]
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i venet0 -p gre -j ACCEPT
-A FORWARD -i tun+ -o venet0 -j ACCEPT
-A FORWARD -i venet0 -o tun+ -j ACCEPT
COMMIT
# Completed on Wed Mar 4 20:13:19 2015
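The rules.v4 file above is plain iptables-save output, so it can be audited before it is loaded. The following script is an added example (not from this wiki or the iptables project): it parses that format and reports which built-in filter chains still have the default ACCEPT policy discussed under -P, plus the networks the nat table masquerades. The sample dump is constructed from the OpenVPN config above with the packet counters zeroed and the raw/mangle tables omitted.

```python
"""Parse iptables-save output (the rules.v4 format) and flag default-ACCEPT chains."""
import re

# Constructed sample in iptables-save format, based on the OpenVPN dump above.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i tun0 -p tcp -m tcp --dport 1194 -j ACCEPT
-A FORWARD -i tun+ -o venet0 -j ACCEPT
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]" -- policy is "-" for user-defined chains
CHAIN_RE = re.compile(r"^:(\S+) (\S+) \[(\d+):(\d+)\]$")


def parse_save(text):
    """Return {table: {"policy": {chain: policy}, "rules": [rule, ...]}}."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                        # "Generated by" / "Completed on"
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policy": {}, "rules": []}
        elif line == "COMMIT":              # end of the current table
            table = None
        elif (m := CHAIN_RE.match(line)):   # chain declaration with policy
            tables[table]["policy"][m.group(1)] = m.group(2)
        elif line.startswith("-A "):        # rule appended to a chain
            tables[table]["rules"].append(line)
        else:
            raise ValueError("unexpected line: " + line)
    return tables


def open_policies(tables):
    """Built-in filter chains whose default is ACCEPT: traffic matching no rule
    is let through. A default-deny setup sets these to DROP (iptables -P)."""
    pol = tables.get("filter", {}).get("policy", {})
    return sorted(c for c in ("INPUT", "FORWARD") if pol.get(c) == "ACCEPT")


def masquerade_sources(tables):
    """Source networks the nat table rewrites with MASQUERADE ("any" if no -s)."""
    out = []
    for rule in tables.get("nat", {}).get("rules", []):
        if rule.endswith("-j MASQUERADE"):
            m = re.search(r"(?:^| )-s (\S+)", rule)
            out.append(m.group(1) if m else "any")
    return out
```

On a live host the same functions can be fed the output of iptables-save instead of SAMPLE.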