A Quick Dirty Guide to IPtables.


In this example my Firewall server’s name is Firewall1.

I will type all my rules on this server (Firewall1).

A few useful help options for iptables are shown below.

 [root@Firewall1 /]# man iptables
 [root@Firewall1 /]# info iptables
 [root@Firewall1 /]# iptables -h   (or: iptables --help)

To list the current rules in your iptables, use the following command.

 [root@Firewall1 /]# iptables -L

By default the policy of every chain is ACCEPT, so with no rules loaded all traffic is allowed.

To flush all rules from iptables, use the following command.

 [root@Firewall1 /]# iptables -F

To save the iptables rules permanently (so they survive a reboot), use the following command.

 [root@Firewall1 /]# iptables-save > /etc/sysconfig/iptables


Let's take an example of blocking any incoming telnet request from the Internet to our server.

My Firewall server has two interfaces, eth0 and eth1.

eth0 is connected to the DSL router and eth1 is connected to the internal network (LAN).

If you are connected through a modem, your interface might be ppp0 instead of eth0.

 [root@Firewall1 /]# iptables -A INPUT -i eth0 -p tcp --dport 23 -j DROP

In the above rule -A stands for append: it adds the rule to the end of the chain. INPUT is the chain the rule is added to, i.e. it applies to traffic addressed to the firewall itself. -i names the interface on which the traffic arrives, here eth0. -p selects the protocol; we used tcp, so only traffic travelling over TCP is matched (to control UDP traffic we would write -p udp). --dport stands for destination port; here we used 23, which is the telnet port. -j stands for jump-to, and DROP is the target, meaning the packet is discarded. We can also use REJECT.

The difference between DROP and REJECT is that DROP silently discards the packet without sending anything back to the machine that requested the telnet connection to our Firewall server, whereas REJECT sends an error back to that machine (by default an ICMP "destination unreachable" message), so the client learns immediately that the port is blocked.

Similarly we can now block traffic for ssh (secure shell):

 [root@Firewall1 /]# iptables -A INPUT -i eth0 -p tcp --dport 22 -j REJECT

Now let's take an example in which we want to reject everyone but one IP address from accessing the ssh port, i.e. 22 (in the rule below, <allowed-ip> is a placeholder for that single address).
For this we add two rules.

 [root@Firewall1 /]# iptables -A INPUT -i eth0 -p tcp --source <allowed-ip> --dport 22 -j ACCEPT

Now the second rule, to reject everyone else on port 22. Rules are checked in order and the first match wins, so this rule must come after the ACCEPT rule above (if you already appended the ssh REJECT rule from the previous example, flush it first with iptables -F, otherwise the ACCEPT would never be reached). The rule is limited to port 22 so that other services are not affected.

 [root@Firewall1 /]# iptables -A INPUT -i eth0 -p tcp --source 0/0 --dport 22 -j REJECT

In the above example 0/0 means any IP address with any netmask (the same as 0.0.0.0/0).

Now let's take another example in which we allow web requests to and from the web server. In the rules below -o is used, which names the outgoing interface through which the traffic leaves the server.

 [root@Firewall1 /]# iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
 [root@Firewall1 /]# iptables -A OUTPUT -o eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT


Let's take another example in which we want to allow anyone to access our web server on port 80, but deny every other port. --syn matches only new connection attempts (TCP SYN packets), and ! --dport 80 matches every destination port except 80.

 [root@Firewall1 /]# iptables -A INPUT -i eth0 -p tcp --syn ! --dport 80 -j DROP

For Internet access (or an instant messenger) from the LAN to work, we apply a NAT (Network Address Translation) rule.

First we enable IP forwarding, which can be done by editing:

 [root@Firewall1 /]# vi /etc/sysctl.conf

In the sysctl.conf configuration file we enable IP forwarding by changing the 0 to 1 in the line "net.ipv4.ip_forward = 0".

The above is the permanent method of enabling IP forwarding (run sysctl -p to apply the change without rebooting). Now we will apply the rule below. Note that with -p tcp only TCP traffic is masqueraded; leave out -p tcp if UDP traffic (for example DNS lookups from the LAN) should be masqueraded as well.

 [root@Firewall1 /]# iptables -t nat -A POSTROUTING -o eth0 -p tcp -j MASQUERADE

If you are running the squid proxy server and you want to force every client in your network through the proxy, then in addition to setting up a transparent proxy you have to apply the following rule via iptables. In the example below I assume that squid is set up on its default port, i.e. 3128.
(For more information about squid visit www.squid-cache.org.)

 [root@Firewall1 /]# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128

I would encourage you to read and search about DNAT, SNAT and MASQUERADE.
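To tie the telnet, ssh, web and NAT examples above together, here is an added script (not part of the original guide) that builds the whole rule set in one place with rule order made explicit. It assumes eth0 is the Internet side, eth1 the LAN side, and uses the constructed address 203.0.113.10 as the one admin IP allowed to ssh; setting IPT=echo prints the rules instead of applying them, which does not need root.

```shell
#!/bin/sh
# Added example: one script that builds the rule set this guide walks through.
# Assumptions (not from the original): eth0 = Internet side, eth1 = LAN side,
# and 203.0.113.10 is a constructed placeholder for the one admin IP allowed to ssh.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
SSH_ADMIN=${SSH_ADMIN:-203.0.113.10}
IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of applying them

firewall_rules() {
  # start clean; default policies DROP instead of the ACCEPT the guide starts from
  $IPT -F
  $IPT -t nat -F
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  # loopback, and replies to connections this host or the LAN already opened
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # web server reachable from the Internet
  $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -j ACCEPT
  # ssh: the ACCEPT for the admin address must come before the catch-all REJECT,
  # because iptables stops at the first matching rule
  $IPT -A INPUT -i "$WAN" -p tcp -s "$SSH_ADMIN" --dport 22 -j ACCEPT
  $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -j REJECT
  # telnet is dropped silently (the client gets no reply at all)
  $IPT -A INPUT -i "$WAN" -p tcp --dport 23 -j DROP
  # LAN hosts may talk to the firewall and reach the Internet through NAT
  $IPT -A INPUT -i "$LAN" -j ACCEPT
  $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
  $IPT -A FORWARD -i "$WAN" -o "$LAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE   # no -p tcp: UDP (DNS) is NATed too
}

# Print the rules instead of applying them (subshell, so IPT is left unchanged)
dry_run() { ( IPT=echo; firewall_rules ); }

# Number of iptables invocations the rule set makes
rule_count() { dry_run | wc -l | tr -d ' '; }

# Returns 0 when the ssh ACCEPT for the admin address precedes the ssh REJECT
ssh_order_ok() {
  accept=$(dry_run | grep -n -- "-s $SSH_ADMIN --dport 22 -j ACCEPT" | cut -d: -f1)
  reject=$(dry_run | grep -n -- "--dport 22 -j REJECT" | cut -d: -f1)
  [ -n "$accept" ] && [ -n "$reject" ] && [ "$accept" -lt "$reject" ]
}

if [ "${1:-}" = apply ]; then firewall_rules; else dry_run; fi
```

Run it with `sh firewall.sh` to review the rules, and as root with `sh firewall.sh apply` to load them; `iptables -L -n -v` afterwards shows the resulting chains with packet counters.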


Salman Aftab
