Using iptables
The functionality of IP tables is derived directly from the networking subsystem of the Linux kernel, which is what allows Linux systems to process network traffic efficiently. The iptables command, which must be run with root privileges, simply provides an interface to this capability. The iptables tool is likely already installed on your Linux system; if it is not, you can install it with your system's package management tool. The iptables examples in this document are intended to work with iptables running on contemporary versions of the Linux 2.6 kernel.
The iptables Command
The iptables command provides a great deal of functionality; however, its syntax is occasionally abstruse and difficult to comprehend. If you have difficulty understanding the iptables command, focus on the general structure of an iptables directive rather than on the complete syntax. Consider the following example:
iptables -I INPUT -s 12.34.56.78 -j DROP
The -I option inserts a rule at the beginning of the specified chain. Rules are applied sequentially, so using the -I option ensures that the above rule is applied before all other rules in the chain. To append a rule to the end of a chain, so that all other rules are processed first, use the -A option in the following form:
iptables -A INPUT -s 12.34.56.78 -j DROP
In both commands, the -s option and the IP address that follows it specify the source address that the rule matches. The final -j option specifies a "target", or action to perform on the matching packet. The target can hand the packet off to another chain or, as in this case, name a predefined action. Possible targets include the DROP target, which drops the packet; the ACCEPT target, which allows the packet to go through as normal; the RETURN target, which allows the packet to continue to be filtered; and the QUEUE target, which puts the packet in a queuing mechanism for further user-space manipulation.
At any point you can issue the following command to get a list of all current IP tables rules:
iptables -L
The iptables command can also show, alongside the list of rules active on your system, the number of packets that each rule has "caught." You can view this output with the following command (-n prints addresses and ports numerically, -v adds the counters):
iptables -L -nv
If you want to "flush" or clear all IP tables rules on your system, you may issue the following command:
iptables -F
Because iptables rules affect networking, it is possible to inadvertently lock yourself out of your own system. If you are connected to your machine over SSH and a new rule cuts off that access, you may use an out-of-band console to recover access to your system. Exercise great care when instantiating new firewall rules.
When creating firewall rules, be aware that any rules created will not persist following your system’s next boot cycle. If you want to create persistent firewall rules, consider deploying a dedicated firewall package or inserting iptables commands in your system’s /etc/rc.local file.
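The following POSIX shell script is an added example, not part of the original guide, that puts the commands above together into a small, ordered ruleset for the INPUT chain: it sets the default policy to ACCEPT before flushing (so the flush itself cannot lock you out), appends the allow rules, inserts each blocked source at the top with -I so it is evaluated first, and only then switches the policy to DROP. The function names, the DRY_RUN and SSH_PORT variables, and the use of the conntrack match are assumptions of this example; with DRY_RUN=1 (the default) it prints the commands instead of running them, since real changes require root.

```shell
#!/bin/sh
# Added example (not from the original guide). DRY_RUN=1 prints the iptables
# commands instead of executing them; set DRY_RUN=0 and run as root to apply.
DRY_RUN="${DRY_RUN:-1}"
SSH_PORT="${SSH_PORT:-22}"   # assumed SSH port; adjust for your deployment

# run: execute one command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ipv4_valid ADDR: accept only a dotted quad with octets 0-255, so a typo
# never becomes an unintended -s match.
ipv4_valid() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# firewall_rules BLOCKED_IP...: build the INPUT chain in a lock-out-safe order.
firewall_rules() {
    run iptables -P INPUT ACCEPT          # open policy first: the flush is then harmless
    run iptables -F                       # clear every existing rule
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    for ip in "$@"; do                    # blocked sources go to the top of the chain
        ipv4_valid "$ip" || { echo "skipping invalid address: $ip" >&2; continue; }
        run iptables -I INPUT -s "$ip" -j DROP
    done
    run iptables -P INPUT DROP            # default policy last, once the allows exist
}

# Constructed sample input: one valid address to block, one malformed one.
firewall_rules 12.34.56.78 999.1.1.1
```

After applying for real, iptables -L -nv shows the DROP rule for the blocked source listed first, followed by the ACCEPT rules, with packet counters beside each.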
iptables Rules
IP tables rules are processed serially in "chains" according to the kind of packet being processed. The system defines an INPUT chain, which filters all incoming packets; a FORWARD chain, which processes all packets that need to be redirected elsewhere; and an OUTPUT chain, which can filter all outgoing packets. Users may also define additional chains, to which rules in the default chains can hand packets off for further filtering.
In addition to the chains on which this document is primarily focused, iptables has the concept of tables, which allow the networking system to process different kinds of packets. The default table is filter, which is the focus of this document and the core of the most commonly used iptables functionality.
The following sections outline a number of basic approaches to creating a firewall and some common iptables rules. Combining these practical examples with the general knowledge provided above should allow you to construct your own network firewall and filtering system that is tailored directly to the needs of your deployment.