How to use the command iptables (with examples)

How to use the command iptables (with examples)

Iptables is a command-line utility that allows users to configure tables, chains, and rules of the Linux kernel IPv4 firewall. It is commonly used for managing firewall rules and network address translation (NAT) settings. In addition to iptables, there is also the ip6tables command for setting rules for IPv6 traffic.

Use case 1: View chains, rules, packet/byte counters and line numbers for the filter table

Code:

sudo iptables --verbose --numeric --list --line-numbers

Motivation: This use case allows users to view all the existing chains, rules, packet/byte counters, and associated line numbers for the filter table. It provides a detailed overview of the current firewall configuration, making it easier to understand and manage the firewall rules.

Explanation:

  • --verbose option: Displays additional information about the rules, including packet and byte counters.
  • --numeric option: Displays IP addresses and port numbers in numeric format instead of resolving them to hostnames.
  • --list option: Lists all the existing rules for all chains.
  • --line-numbers option: Includes line numbers in the output, making it easier to reference specific rules.

Example output:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     tcp  --  0.0.0.0/0            192.168.1.1          tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            192.168.1.2          tcp dpt:80
3    ACCEPT     all  --  0.0.0.0/0            192.168.1.3         
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0           
...

Use case 2: Set chain [P]olicy rule

Code:

sudo iptables --policy chain rule

Motivation: This use case allows users to set the default policy (accept or drop) for a specific chain. By setting the default policy, users can define the behavior of the firewall when no specific rules match the incoming traffic.

Explanation:

  • --policy option: Specifies that we want to set the policy.
  • chain argument: Specifies the chain for which we want to set the policy.
  • rule argument: Specifies the new policy to be set for the chain (ACCEPT or DROP).

Example:

To set the default policy for the INPUT chain to “DROP”:

sudo iptables --policy INPUT DROP

Use case 3: [A]ppend rule to chain policy for IP

Code:

sudo iptables --append chain --source ip --jump rule

Motivation: This use case allows users to add specific rules to a chain based on the source IP address. By appending rules to a chain policy, users can control the flow of network traffic based on the source IP.

Explanation:

  • --append option: Specifies that we want to add a new rule to the chain.
  • chain argument: Specifies the name of the chain where the rule should be appended.
  • --source option: Specifies the source IP address for which the rule should be applied.
  • ip argument: Specifies the source IP address.
  • --jump option: Specifies the target of the rule (e.g., ACCEPT, DROP, REJECT, etc.).
  • rule argument: Specifies the target rule.

Example:

To append a rule to the INPUT chain to accept traffic from the IP address “192.168.1.100”:

sudo iptables --append INPUT --source 192.168.1.100 --jump ACCEPT

Use case 4: [A]ppend rule to chain policy for IP considering [p]rotocol and port

Code:

sudo iptables --append chain --source ip --protocol tcp|udp|icmp|... --dport port --jump rule

Motivation: This use case extends the previous one by allowing users to specify additional criteria for the rule, such as the protocol and destination port. It allows for more fine-grained control over network traffic based on source IP, protocol, and port.

Explanation:

  • --protocol option: Specifies the protocol for which the rule should be applied (tcp, udp, icmp, etc.).
  • tcp|udp|icmp|... argument: Specifies the protocol.
  • --dport option: Specifies the destination port for which the rule should be applied.
  • port argument: Specifies the destination port number.

Example:

To append a rule to the INPUT chain to accept TCP traffic from the IP address “192.168.1.100” on port 80:

sudo iptables --append INPUT --source 192.168.1.100 --protocol tcp --dport 80 --jump ACCEPT

Use case 5: Add a NAT rule to translate all traffic from the 192.168.0.0/24 subnet to the host’s public IP

Code:

sudo iptables --table nat --append POSTROUTING --source 192.168.0.0/24 --jump MASQUERADE

Motivation: This use case is useful when setting up a network where the hosts in the 192.168.0.0/24 subnet need to access the internet using a single public IP address. The NAT rule allows the translation of source IP addresses, so the internet sees the traffic coming from the public IP of the host.

Explanation:

  • --table nat option: Specifies that we want to work with the NAT table.
  • --append option: Specifies that we want to add a new rule to the chain.
  • POSTROUTING argument: Specifies the chain where the rule should be appended.
  • --source option: Specifies the source IP or subnet for which the rule should be applied.
  • 192.168.0.0/24 argument: Specifies the source subnet.
  • --jump option: Specifies the target of the rule (e.g., MASQUERADE to translate the source IP).
  • MASQUERADE argument: Specifies that the source IP should be masqueraded (translated) to the host’s public IP.

Example:

To add a NAT rule to translate all traffic from the 192.168.0.0/24 subnet to the host’s public IP:

sudo iptables --table nat --append POSTROUTING --source 192.168.0.0/24 --jump MASQUERADE

Use case 6: [D]elete chain rule

Code:

sudo iptables --delete chain rule_line_number

Motivation: This use case allows users to delete a specific rule from a chain. If a rule is no longer needed or needs to be modified, deleting it ensures it no longer affects the network traffic.

Explanation:

  • --delete option: Specifies that we want to delete a rule from the chain.
  • chain argument: Specifies the chain from which the rule should be deleted.
  • rule_line_number argument: Specifies the line number of the rule to be deleted. Line numbers can be obtained using the --line-numbers option.

Example:

To delete the rule on line number 3 from the INPUT chain:

sudo iptables --delete INPUT 3

Conclusion:

Iptables is a powerful command-line tool for configuring the Linux kernel IPv4 firewall. It provides a wide range of options and arguments to manage firewall rules, chains, and tables. By using iptables, users can control network traffic, set default policies, specify rules based on source IP, and perform network address translation (NAT) operations. The examples above demonstrate various use cases of the iptables command, illustrating its versatility in managing network security and connectivity.

Related Posts

How to use the command `mysqlsh` (with examples)

How to use the command `mysqlsh` (with examples)

MySQL Shell is an advanced command-line client for MySQL that supports SQL, JavaScript, and Python.

Read More
How to use the command 'hugo' (with examples)

How to use the command 'hugo' (with examples)

Hugo is a template-based static site generator that is used to create static websites.

Read More
How to use the command assoc (with examples)

How to use the command assoc (with examples)

The ‘assoc’ command is a Windows command-line utility that allows users to view or modify the associations between file extensions and file types.

Read More