Iptables is a very flexible firewall software that is built in by default on most Linux operating systems. This guide provides iptables basics; commands you can use in everyday scenarios. Specifically, we will be talking about using the INPUT chain to filter incoming connections. 

 

Checking Current iptables Status 

With the following command, you can list your firewall’s current policy. It is most likely set to the default ACCEPT policy.

sudo iptables –L –v 

 

Example: 

Chain INPUT (policy ACCEPT 0 packets, 0 bytes) 

pkts bytes target     prot opt in     out     source             destination          

 

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) 

pkts bytes target     prot opt in     out     source             destination          

 

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) 

pkts bytes target     prot opt in     out     source             destination 

 

INPUT chain is used to control incoming packets to your server. FORWARD chain is used to filter packets that are coming through to another destination. OUTPUT chain is used to filter. 

 

Defining Rules 

Using the following command structure, we can create chain rules for iptables. Not all options need to be specified when adding a new rule. -A stands for Append and it means a new rule will be added at the end of the chain. -I can be used if you need to Insert instead.

sudo iptables -A  -i <interface> -p <protocol (tcp/udp) > -s <source> –dport <port>  -j <target> 
 

Enable localhost Traffic 

Let’s start with enabling localhost traffic by using the following command. 

sudo iptables -A INPUT -i lo -j ACCEPT 

Here you can see we used the -i option to specify our loopback adapter used in localhost communication. 
 

Enable Connection on HTTP, SSH, and SSL Port 

We usually want our regular connections like HTTP (port 80), HTTPS (port 443) and SSH (default port 22) to be still usable. So, we want to add them to our INPUT chain. Notice that we used –p to specify the protocol and corresponding port. If you’re using a non-default SSH port, change it to the one you are using. 

sudo iptables -A INPUT -p tcp –dport 22 -j ACCEPT 

sudo iptables -A INPUT -p tcp –dport 80 -j ACCEPT 

sudo iptables -A INPUT -p tcp –dport 443 -j ACCEPT 
 

Filter Packets Based on Source 

If you want to accept or reject packets based on originating IP, you can specify it with the –s option. For example, the following command will drop packets from the IP 192.168.1.3.

sudo iptables -A INPUT -s 192.168.1.3 -j DROP 

 

You can also specify a range using CIDR notation.

sudo iptables -A INPUT -s 192.168.1.1/24 -j DROP 

 

Limit the Incoming TCP Connections/Mitigating DDoS

Lately, syn-flood attacks has become an issue. It is used to DDoS another server using your bandwidth by exploiting the TCP protocol. We can mitigate that by using the following command. 

sudo iptables -A INPUT -p tcp –syn -m limit –limit 1/s –limit-burst 3 -j DROP 

 

This makes all incoming connections allowed until the limit is reached: 

  • –limit 1/s: Maximum average matching rate in seconds 
  • –limit-burst 3: Maximum initial number of packets to match 

 

We also want to drop invalid packets by following these commands:

sudo iptables -A INPUT -m state –state INVALID -j DROP 

sudo iptables -A INPUT -p tcp –tcp-flags ALL ACK,RST,SYN,FIN -j DROP 

sudo iptables -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j DROP 

sudo iptables -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j DROP 

sudo iptables -A INPUT -f -j DROP 

sudo iptables -A INPUT -p tcp –tcp-flags ALL ALL -j DROP 

sudo iptables -A INPUT -p tcp –tcp-flags ALL NONE -j DROP 
 

Dropping all Other Traffic 

Finally, we can drop all other traffic we don’t need to prevent unauthorized access. 

sudo iptables -A INPUT -j DROP 
 

Deleting Rules 

If you need to remove rules and start from scratch you can use the flush command. It deletes every rule specified in all chains.

sudo iptables -F 

 

If you need to delete a specific rule, you first want to check which line it corresponds to. 

sudo iptables -L –line-numbers 

 

You will get a list of rules with their corresponding number.

Chain INPUT (policy ACCEPT) 

num  target     prot opt source               destination          

1    ACCEPT     all  —  192.168.0.4          anywhere             

2    ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:https 

3    ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:http 

4    ACCEPT     tcp  —  anywhere             anywhere             tcp dpt:ssh 

 

To delete the rule we specify the number in our command.

sudo iptables -D INPUT 2 
 

Saving Changes 

The iptables rules that we have created are stored in memory. That means that when we reboot, all changes will be wiped. To keep them, we execute the following script on Ubuntu/Debian machines. 

sudo /sbin/iptables-save 

CentOS/RHEL command: 

/sbin/service iptables save  

iptables is a flexible tool so feel free to explore different commands to match your specific needs. If you have any questions about iptables basics, feel free to ask us in the comments below.

Good luck!