Fli
04-19-2020, 08:00 AM
Note: This is not meant to be a complete set of the Linux iptables commands.
iptables is the tool to manage the Linux (netfilter) firewall. Some distributions use other front ends on top of it, like ufw (Ubuntu) or firewalld (CentOS/Fedora).
Basic important commands
- Commands to output/list current firewall rules:
service iptables status (only where the iptables init service is installed)
iptables-save (outputs the rules in the form iptables-restore reads back; each "-A ..." line can also be prefixed with "iptables " and run as a command)
iptables -L -n -v (-n skips the reverse DNS lookups that can make the listing hang, -v shows interfaces and packet counters; add -t nat to see the nat table instead of filter)
- Firewall chains and their policy
Rules in a chain are evaluated from the top down and the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides; the rules below it are not consulted. LOG is not terminating, so after a LOG rule the packet continues to the next rule.
The filter table has the built-in chains INPUT, FORWARD and OUTPUT, and each chain has a default policy (ACCEPT or DROP) that applies to packets matching no rule. REJECT cannot be set as a policy; to refuse instead of silently dropping, add a final "-j REJECT" rule at the end of the chain.
For example, if I want maximum protection, I only add ACCEPT rules for particular ports (plus loopback and already established connections) and set the DROP policy, or end the chain with a REJECT rule, so all other connections are refused.
- Make a backup of the iptables configuration (restore it later with iptables-restore < file)
iptables-save > /etc/sysconfig/iptables_1.2.2020
- Save current rules to be used on next boot (if you are sure your rules are correct)
A) CentOS/RHEL (needs the iptables-services package on CentOS 7 and newer; Fedora ships firewalld by default):
service iptables save
(this writes /etc/sysconfig/iptables, so iptables-save > /etc/sysconfig/iptables does the same)
B) Debian based/Ubuntu:
sudo apt install iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4
sudo ip6tables-save | sudo tee /etc/iptables/rules.v6
(overwrite the files rather than appending with tee -a, otherwise every save duplicates the rules; tee needs sudo to write under /etc, and rules.v6 must come from ip6tables-save because iptables-save only covers IPv4)
- delete iptables rule
1. list and discover the rule number from the line prefix
a) iptables -L INPUT -n --line-numbers
b) service iptables status (on CentOS/RHEL it prints the rules numbered as well)
2. delete
iptables -D INPUT 5 (delete the rule on line 5 of the INPUT chain; the numbers shift after each deletion, so list again before deleting another one. -D also accepts the full rule specification instead of the number)
- add/prepend iptables rule
iptables -I INPUT -s 1.2.3.4 -j DROP (insert a new rule at line 1 of the INPUT chain to silently drop all packets from IP 1.2.3.4; -I INPUT 3 would insert it at line 3)
- add/append iptables rule
iptables -A INPUT -s 1.2.3.4 -p tcp --dport 80 -j REJECT (append a new rule at the end of the INPUT chain to reject TCP connections from IP 1.2.3.4 to local port 80; unlike DROP, the sender gets an ICMP port-unreachable reply). An appended rule sits below every earlier rule, so if an ACCEPT rule above it already matches that traffic, the new rule is never hit.
- set chain policy (the policy applies to connections that match no rule: ACCEPT means they are accepted, DROP means they are silently dropped)
iptables -P FORWARD ACCEPT (this time for the FORWARD chain, the other options are INPUT and OUTPUT). Set a DROP policy on INPUT only after an ACCEPT rule for your SSH port or for ESTABLISHED connections is in place, otherwise you lock yourself out.
- connection logging enable (disable it by replacing -I with -D in the same command. Do not forget to disable or rate-limit it, so your logs do not fill up)
iptables -I INPUT -j LOG (log every packet entering INPUT to the kernel log, usually /var/log/syslog, /var/log/messages, /var/log/kern.log or journalctl -k). Add --log-prefix "IPT: " so the lines are easy to grep for, and -m limit --limit 10/minute before -j LOG to cap the volume. LOG is not terminating, so the packet continues through the following rules.
- delete all iptables rules (flush)
iptables -F
(this flushes only the rules of the filter table, not the nat/mangle tables (-t nat -F) and not user-defined chains (-X), and it keeps the chain policies: with a DROP policy, flushing cuts all traffic including your SSH session, so set the policies to ACCEPT first. On next boot the rules may be restored from /etc/sysconfig/iptables, /etc/iptables/rules.v4 or a similar file; find it with: locate iptables)
----
If you prefer GUI over CLI, you can install CSF/ConfigServer firewall https://configserver.com/configserver-security-and-firewall/
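The "maximum protection" setup from the post (allow a few ports, refuse everything else, log the rest, then persist) put together as one script. This is an added example, not the post author's code: ADMIN_IP, SSH_PORT, HTTP_PORT, BACKUP and ROLLBACK_SECS are placeholder values, and the rollback timer is a common anti-lockout trick rather than anything the post describes.

```shell
#!/bin/sh
# Added example, not from the original post: generate a minimal "allow a few ports,
# refuse everything else" IPv4 ruleset in iptables-restore format and apply it with
# an automatic rollback, so a mistake cannot lock you out of your SSH session.
# Assumptions (constructed for the example): the admin connects from ADMIN_IP over
# SSH_PORT, the host serves HTTP on HTTP_PORT, BACKUP is a writable path for the
# rollback copy.

ADMIN_IP="${ADMIN_IP:-203.0.113.10}"   # RFC 5737 documentation address, placeholder
SSH_PORT="${SSH_PORT:-22}"
HTTP_PORT="${HTTP_PORT:-80}"
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"
BACKUP="${BACKUP:-/root/iptables.rollback}"

# Print the ruleset. The chain policy is DROP (REJECT is not a valid policy target);
# the last two rules add an explicit REJECT so clients get a reset instead of a
# timeout. The LOG rule is rate-limited and prefixed so it cannot flood the kernel log.
generate_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -p tcp -s ${ADMIN_IP} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport ${HTTP_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "IPT-DROP: " --log-level 4
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Apply with a dead man's switch: back up the live rules, syntax-check and load the
# new set, then schedule a restore of the backup unless confirm_rules runs in time.
# Removing the backup file is what cancels the restore even if the timer survives.
apply_with_rollback() {
    iptables-save > "$BACKUP" || return 1
    generate_rules | iptables-restore --test || return 1   # parse only, nothing changes
    generate_rules | iptables-restore || return 1
    ( sleep "$ROLLBACK_SECS"; [ -f "$BACKUP" ] && iptables-restore < "$BACKUP" ) &
    echo $! > "$BACKUP.pid"
    echo "Rules loaded; run '$0 confirm' within ${ROLLBACK_SECS}s or they roll back."
}

# Cancel the pending rollback once you have verified you can still log in.
confirm_rules() {
    [ -f "$BACKUP.pid" ] && kill "$(cat "$BACKUP.pid")" 2>/dev/null
    rm -f "$BACKUP" "$BACKUP.pid"
}

case "${1:-}" in
    print)   generate_rules ;;
    apply)   apply_with_rollback ;;
    confirm) confirm_rules ;;
esac
```

Run "sh firewall.sh print" to inspect the ruleset, "sh firewall.sh apply" as root from a second SSH session, then "sh firewall.sh confirm" once you have checked that a new SSH login still works; only after that save it for boot with service iptables save or iptables-save > /etc/iptables/rules.v4. The ordering matters: loopback and ESTABLISHED,RELATED come first so replies to your own connections never reach the REJECT rules, and the LOG rule sits right above them so only refused packets are logged.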
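For the -j LOG rule described in the post, here is an added example (not the post author's code) that reads the kernel log lines such a rule produces and summarises who was refused on which ports. The log lines in SAMPLE_LOG are constructed samples in netfilter's KEY=VALUE format, and the "IPT-DROP: " prefix assumes the rule was added with --log-prefix "IPT-DROP: ".

```shell
#!/bin/sh
# Added example, not from the original post: summarise what an iptables "-j LOG" rule
# recorded. The kernel writes one line per packet with KEY=VALUE fields; the lines
# in SAMPLE_LOG are constructed samples in that format, and the prefix "IPT-DROP: "
# is an assumption matching a rule added with --log-prefix "IPT-DROP: ".

SAMPLE_LOG='Apr 19 08:00:01 host kernel: [1234.567890] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 19 08:00:02 host kernel: [1235.123456] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 19 08:00:02 host kernel: [1235.654321] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=40003 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 19 08:00:03 host kernel: [1236.000001] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1237 DF PROTO=TCP SPT=40004 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 19 08:00:04 host kernel: [1237.222222] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.99 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Apr 19 08:00:05 host kernel: [1238.333333] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.99 DST=192.0.2.10 LEN=73 TOS=0x00 PREC=0x00 TTL=48 ID=9002 PROTO=UDP SPT=51001 DPT=53 LEN=53
Apr 19 08:00:06 host sshd[812]: Accepted publickey for admin from 203.0.113.10 port 50022 ssh2'

# Read log text on stdin, keep only lines carrying the firewall prefix, and print
# "count SRC DPT PROTO" for every distinct source/port/protocol, most frequent first.
# Flag fields without "=" (DF, SYN, ...) are skipped; OUT= with an empty value is harmless.
summarise_drops() {
    prefix="${1:-IPT-DROP: }"
    grep -F -- "$prefix" | awk '
        {
            src = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }' | sort -rn
}

# Sources refused on at least THRESHOLD distinct destination ports, which is the
# usual signature of a port scan; prints "SRC number_of_ports".
port_scanners() {
    threshold="${1:-3}"
    summarise_drops | awk -v t="$threshold" '
        !seen[$2 SUBSEP $3]++ { ports[$2]++ }
        END { for (s in ports) if (ports[s] >= t) print s, ports[s] }'
}

# Demo on the constructed sample; with real logs use e.g.
#   journalctl -k | summarise_drops      or      grep IPT-DROP /var/log/kern.log | port_scanners 5
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
printf '%s\n' "$SAMPLE_LOG" | port_scanners 3
```

Feed it whatever holds your kernel log (journalctl -k, /var/log/kern.log, /var/log/messages); the unrelated sshd line in the sample shows why a distinctive --log-prefix is worth setting, since without it you have to match on the IN=/SRC= fields instead.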