How to use the command iptables (with examples)
- Linux
- December 25, 2023
Iptables is a command-line utility that allows users to configure tables, chains, and rules of the Linux kernel IPv4 firewall. It is commonly used for managing firewall rules and network address translation (NAT) settings. In addition to iptables, there is also the ip6tables command for setting rules for IPv6 traffic.
Use case 1: View chains, rules, packet/byte counters and line numbers for the filter table
Code:
sudo iptables --verbose --numeric --list --line-numbers
Motivation: This use case allows users to view all the existing chains, rules, packet/byte counters, and associated line numbers for the filter table. It provides a detailed overview of the current firewall configuration, making it easier to understand and manage the firewall rules.
Explanation:
--verbose
option: Displays additional information about the rules, including packet and byte counters.--numeric
option: Displays IP addresses and port numbers in numeric format instead of resolving them to hostnames.--list
option: Lists all the existing rules for all chains.--line-numbers
option: Includes line numbers in the output, making it easier to reference specific rules.
Example output:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 192.168.1.1 tcp dpt:22
2 ACCEPT tcp -- 0.0.0.0/0 192.168.1.2 tcp dpt:80
3 ACCEPT all -- 0.0.0.0/0 192.168.1.3
4 DROP all -- 0.0.0.0/0 0.0.0.0/0
...
Use case 2: Set chain [P]olicy rule
Code:
sudo iptables --policy chain rule
Motivation: This use case allows users to set the default policy (accept or drop) for a specific chain. By setting the default policy, users can define the behavior of the firewall when no specific rules match the incoming traffic.
Explanation:
--policy
option: Specifies that we want to set the policy.chain
argument: Specifies the chain for which we want to set the policy.rule
argument: Specifies the new policy to be set for the chain (ACCEPT
orDROP
).
Example:
To set the default policy for the INPUT chain to “DROP”:
sudo iptables --policy INPUT DROP
Use case 3: [A]ppend rule to chain policy for IP
Code:
sudo iptables --append chain --source ip --jump rule
Motivation: This use case allows users to add specific rules to a chain based on the source IP address. By appending rules to a chain policy, users can control the flow of network traffic based on the source IP.
Explanation:
--append
option: Specifies that we want to add a new rule to the chain.chain
argument: Specifies the name of the chain where the rule should be appended.--source
option: Specifies the source IP address for which the rule should be applied.ip
argument: Specifies the source IP address.--jump
option: Specifies the target of the rule (e.g.,ACCEPT
,DROP
,REJECT
, etc.).rule
argument: Specifies the target rule.
Example:
To append a rule to the INPUT chain to accept traffic from the IP address “192.168.1.100”:
sudo iptables --append INPUT --source 192.168.1.100 --jump ACCEPT
Use case 4: [A]ppend rule to chain policy for IP considering [p]rotocol and port
Code:
sudo iptables --append chain --source ip --protocol tcp|udp|icmp|... --dport port --jump rule
Motivation: This use case extends the previous one by allowing users to specify additional criteria for the rule, such as the protocol and destination port. It allows for more fine-grained control over network traffic based on source IP, protocol, and port.
Explanation:
--protocol
option: Specifies the protocol for which the rule should be applied (tcp
,udp
,icmp
, etc.).tcp|udp|icmp|...
argument: Specifies the protocol.--dport
option: Specifies the destination port for which the rule should be applied.port
argument: Specifies the destination port number.
Example:
To append a rule to the INPUT chain to accept TCP traffic from the IP address “192.168.1.100” on port 80:
sudo iptables --append INPUT --source 192.168.1.100 --protocol tcp --dport 80 --jump ACCEPT
Use case 5: Add a NAT rule to translate all traffic from the 192.168.0.0/24
subnet to the host’s public IP
Code:
sudo iptables --table nat --append POSTROUTING --source 192.168.0.0/24 --jump MASQUERADE
Motivation: This use case is useful when setting up a network where the hosts in the 192.168.0.0/24
subnet need to access the internet using a single public IP address. The NAT rule allows the translation of source IP addresses, so the internet sees the traffic coming from the public IP of the host.
Explanation:
--table nat
option: Specifies that we want to work with the NAT table.--append
option: Specifies that we want to add a new rule to the chain.POSTROUTING
argument: Specifies the chain where the rule should be appended.--source
option: Specifies the source IP or subnet for which the rule should be applied.192.168.0.0/24
argument: Specifies the source subnet.--jump
option: Specifies the target of the rule (e.g.,MASQUERADE
to translate the source IP).MASQUERADE
argument: Specifies that the source IP should be masqueraded (translated) to the host’s public IP.
Example:
To add a NAT rule to translate all traffic from the 192.168.0.0/24
subnet to the host’s public IP:
sudo iptables --table nat --append POSTROUTING --source 192.168.0.0/24 --jump MASQUERADE
Use case 6: [D]elete chain rule
Code:
sudo iptables --delete chain rule_line_number
Motivation: This use case allows users to delete a specific rule from a chain. If a rule is no longer needed or needs to be modified, deleting it ensures it no longer affects the network traffic.
Explanation:
--delete
option: Specifies that we want to delete a rule from the chain.chain
argument: Specifies the chain from which the rule should be deleted.rule_line_number
argument: Specifies the line number of the rule to be deleted. Line numbers can be obtained using the--line-numbers
option.
Example:
To delete the rule on line number 3 from the INPUT chain:
sudo iptables --delete INPUT 3
Conclusion:
Iptables is a powerful command-line tool for configuring the Linux kernel IPv4 firewall. It provides a wide range of options and arguments to manage firewall rules, chains, and tables. By using iptables, users can control network traffic, set default policies, specify rules based on source IP, and perform network address translation (NAT) operations. The examples above demonstrate various use cases of the iptables command, illustrating its versatility in managing network security and connectivity.