How to configure iptables? - Heficed (2024)

Iptables is the software firewall that is included with most Linux distributions by default.

When working with firewalls, take care not to lock yourself out of your own server by blocking SSH traffic (port 22 by default). If you do lose access because of your firewall settings, you will need to connect through the console (out-of-band access) to repair it; once connected, change the rules to allow SSH again (or temporarily allow all traffic). If your saved rules allow SSH but the running ones do not, rebooting the server, which reloads the saved rules, is another way back in.

Saving and restoring iptables rules

The actual iptables rules are created and customized on the command line with the command iptables for IPv4 and ip6tables for IPv6.

These can be saved in a file with the command iptables-save for IPv4.

Debian/Ubuntu: iptables-save > /etc/iptables/rules.v4
RHEL/CentOS: iptables-save > /etc/sysconfig/iptables

These files can be loaded again with the command iptables-restore for IPv4.

Debian/Ubuntu: iptables-restore < /etc/iptables/rules.v4
RHEL/CentOS: iptables-restore < /etc/sysconfig/iptables

If you want to use IPv6 rules, these can be stored in a separate file.

Debian/Ubuntu: ip6tables-save > /etc/iptables/rules.v6
RHEL/CentOS: ip6tables-save > /etc/sysconfig/ip6tables

Automatic iptables rules loading

iptables-persistent for Debian/Ubuntu

Since Ubuntu 10.04 LTS (Lucid) and Debian 6 (Squeeze) there is a package named “iptables-persistent” which handles the automatic loading of the saved iptables rules at boot. For this, the rules must be saved in the file /etc/iptables/rules.v4 for IPv4 and /etc/iptables/rules.v6 for IPv6.

To use it, simply install the package:

apt-get install iptables-persistent

On current Debian and Ubuntu releases iptables-persistent is a plugin of netfilter-persistent: the installer offers to save the rules currently loaded, and later changes can be written to the files above with netfilter-persistent save.

If the installation fails, check whether other systemd units were already in a failed state before iptables-persistent was installed (systemctl --failed); such pre-existing failures can cause the package's post-install step, which starts its service, to fail as well.

Older iptables-persistent versions (e.g. the one in Debian Squeeze) do not yet support IPv6 rules; there is only one file, /etc/iptables/rules, for IPv4. Check the init script of your iptables-persistent version to see which files it loads.

Please check that your rules are loaded as desired following the first reboot after configuration.

iptables Service for RedHat Enterprise Linux (RHEL) and CentOS

RHEL/CentOS also offer a simple method to permanently save iptables rules for IPv4 and IPv6.

There is a service called “iptables”, which must be enabled. On RHEL/CentOS 6 (SysV init) this is done with chkconfig, as shown here; on RHEL/CentOS 7 and later the service comes from the iptables-services package and is managed with systemctl (see the FAQ below).

chkconfig --list | grep iptables
iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off
chkconfig iptables on

The rules are saved in the file /etc/sysconfig/iptables for IPv4 and in the file /etc/sysconfig/ip6tables for IPv6. You may also use the init script in order to save the current rules.

service iptables save

Please check that your rules are loaded as desired following the first reboot after configuration.

Listing Rules

The currently running iptables Rules can be viewed with the command iptables -L -n -v (table form, with counters and numeric addresses) or iptables -S (the rules printed as the command-line specifications that created them).

Service: SSH

If you’re using a cloud server, you will probably want to allow incoming SSH connections (port 22) so you can connect to and manage your server. This section covers how to configure your firewall with various SSH-related rules.

Allow All Incoming SSH

To allow all incoming SSH connections run these commands:

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the OUTPUT policy is not set to ACCEPT. Note also that -A appends: if the INPUT chain already ends with a DROP or REJECT rule, the new Rule lands after it and never matches, so use -I to insert it above that rule instead.

Allow Incoming SSH from Specific IP address or subnet

To allow incoming SSH connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24 subnet, run these commands:

sudo iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

Allow Outgoing SSH

If your firewall OUTPUT policy is not set to ACCEPT, and you want to allow outgoing SSH connections—your server initiating an SSH connection to another server—you can run these commands:

sudo iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
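The following script ties the two previous topics together, saving and restoring rules and restricting SSH to a trusted subnet, as an added example; it is not part of the original article. It builds a complete, stateful IPv4 ruleset in the file format that iptables-save writes and iptables-restore reads, checks it with iptables-restore --test before touching the live firewall, and applies it with a timed rollback so that a wrong rule cannot lock you out of SSH. The admin subnet 203.0.113.0/24, the open ports 80 and 443, the file paths and the 60-second window are assumptions chosen for illustration; FORWARD is set to DROP on the assumption that the host does not route.

```shell
#!/bin/sh
# Added example (not from the original article): generate a lockout-safe
# IPv4 ruleset in iptables-restore format, validate it, and apply it with
# an automatic rollback. Subnet, ports and paths below are assumptions.

# gen_ruleset ADMIN_CIDR [PORT...]: print a complete filter-table ruleset.
# Only ADMIN_CIDR may open new SSH sessions; each PORT is opened to all.
gen_ruleset() {
    admin_cidr="$1"; shift
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -s ${admin_cidr} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    printf 'COMMIT\n'
}

# count_rules: number of rule lines (-A ...) in a ruleset read from stdin,
# a cheap sanity check before committing.
count_rules() { grep -c '^-A '; }

# apply_with_rollback RULES_FILE [SECONDS]: back up the running rules,
# load RULES_FILE, and restore the backup after SECONDS unless a marker
# file has been created in the meantime (i.e. you could still log in).
apply_with_rollback() {
    rules="$1"; timeout="${2:-60}"
    backup="/run/iptables.rollback.$$"
    ok="/run/iptables.ok.$$"
    # Parse and build the ruleset without committing it; reject bad files early.
    iptables-restore --test < "$rules" || { echo "ruleset rejected" >&2; return 1; }
    iptables-save > "$backup"
    ( sleep "$timeout"; [ -e "$ok" ] || iptables-restore < "$backup"; rm -f "$backup" "$ok" ) &
    iptables-restore < "$rules"
    echo "applied; run 'touch $ok' within ${timeout}s to keep these rules"
}

# Only touch the live firewall when explicitly asked (requires root).
if [ "${1:-}" = "apply" ]; then
    gen_ruleset 203.0.113.0/24 80 443 > /etc/iptables/rules.v4
    apply_with_rollback /etc/iptables/rules.v4 60
fi
```

Run it as `sh firewall.sh apply`, then, from a fresh SSH session, `touch /run/iptables.ok.<pid>` before the timer expires; if the new rules cut you off, the previous rules come back by themselves. The generated file is exactly what iptables-persistent (Debian/Ubuntu) or the iptables service (RHEL/CentOS) loads at boot, so once confirmed it can be left in place.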

Appending Rules

The following adds a Rule at the end of the specified chain of iptables:

[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Notice the last line in chain INPUT. There are now five Rules in that chain.

Deleting Rules

To delete a Rule, you must know its position in the chain. The following example deletes an existing Rule created earlier that is currently in the fifth position:

[root@server ~]# iptables -D INPUT 5
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Inserting Rules

Create a Rule at the top (first) position:

[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The number given after the chain name is the position at which the new Rule is inserted; the Rule that previously held that position, and every Rule after it, moves down by one. So, to insert a Rule before the current third Rule, specify the number 3; that existing Rule will then be in the fourth position in the chain.

Replacing Rules

Rules may be specified to replace existing Rules in the chain. Because -R addresses the Rule by its position, confirm the number first with iptables -L INPUT --line-numbers; positions shift after every insert or delete.

In the example shown previously, the first Rule given allows connections to the HTTP port (port 80) from anywhere. The following replaces this Rule, restricting connections to the standard HTTP port (port 80) only from the network address range 192.168.0.0/24:

[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.0/24       anywhere            tcp dpt:http
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
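The append, delete, insert and replace examples above all address Rules by a number that changes whenever the chain changes, which is how a delete or replace hits the wrong Rule in a script. The following is an added example, not code from the original article: it computes a Rule's current position from a fresh iptables -S listing instead of remembering it, and appends a Rule only when iptables -C reports it absent, so a provisioning script can be re-run without duplicating rules. The SAMPLE_INPUT listing is constructed to mirror the final INPUT chain shown above (the "ACCEPT all" line is assumed to be the loopback rule, and the "-m tcp" that iptables -S adds to port matches is included); it is used whenever IPTABLES_SAMPLE is set so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original article): locate rules by position
# from a live listing and add rules idempotently. The sample listing is
# constructed; real output comes from `iptables -S` when IPTABLES_SAMPLE
# is unset.

# list_chain CHAIN: print the chain in `iptables -S` format (one rule per
# line, in chain order). Uses the constructed sample when IPTABLES_SAMPLE
# is set, otherwise the live firewall.
list_chain() {
    if [ -n "${IPTABLES_SAMPLE:-}" ]; then
        printf '%s\n' "$IPTABLES_SAMPLE"
    else
        iptables -S "$1"
    fi
}

# rule_position CHAIN SPEC: print the 1-based position of the first rule
# in CHAIN whose specification is exactly SPEC, as `iptables -S` prints it
# (i.e. including the implicit "-m tcp"). Prints nothing and returns 1 if
# the rule is absent. Only "-A CHAIN" lines are counted, so policy lines
# do not disturb the numbering used by -D, -I and -R.
rule_position() {
    chain="$1"; spec="$2"
    list_chain "$chain" | grep -- "^-A $chain " | awk -v want="-A $chain $spec" '
        $0 == want { print NR; found = 1; exit }
        END { if (!found) exit 1 }'
}

# ensure_rule CHAIN MATCH...: append the rule only if `iptables -C` says it
# is not already present, so re-running the script never duplicates it.
ensure_rule() {
    chain="$1"; shift
    iptables -C "$chain" "$@" 2>/dev/null || iptables -A "$chain" "$@"
}

# Constructed sample mirroring the article's final INPUT chain.
SAMPLE_INPUT='-P INPUT DROP
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT'

# Live demo (requires root): find the HTTP rule, replace it by its current
# number with a NEW-only variant, then make sure HTTPS is open exactly once.
if [ "${1:-}" = "live" ]; then
    n=$(rule_position INPUT '-s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT') && \
        iptables -R INPUT "$n" -p tcp -s 192.168.0.0/24 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    ensure_rule INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
fi
```

For deletes the simplest protection is to pass the full specification to -D (iptables -D INPUT -p tcp --dport 80 -j ACCEPT) rather than a number; -R and -I have no such form, which is why the position is looked up immediately before use.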

FAQs

How to configure iptables rules? ›

Configuring IPtables
  1. Using SSH, log in to your Linux Server as a root user.
  2. Edit the IPtables file in the following directory: ...
  3. Review the file to determine the IPtables rule you want to log. ...
  4. Insert a matching rule immediately before each rule you want to log:

How to enable iptables service in Linux? ›

Enable the Linux Firewall iptables
  1. Check the current status of the iptables service. Copy. # systemctl status iptables.
  2. If the firewall is not running, start and enable it. Copy. # systemctl start iptables # systemctl enable iptables.

How do I view iptables configuration? ›

There are two different ways to view your active iptables rules: in a table or as a list of rule specifications. Both methods provide roughly the same information in different formats. To list out all of the active iptables rules by specification, run the iptables command with the -S option: sudo iptables -S.

What are the configuration files for iptables? ›

The iptables service stores its configuration in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. Note that /etc/sysconfig/iptables does not exist out of the box on Red Hat Enterprise Linux 7 and later, because firewalld is installed by default; it is created once the iptables-services package is installed and the rules are saved.

How to configure iptables in Linux step by step? ›

  1. Step 1: Update your system.
  2. Step 2: Install the iptables firewall in Ubuntu.
  3. Step 3: Check the current status of iptables.
  4. Step 4: Allow traffic on localhost.
  5. Step 5: Allow traffic on specific ports.
  6. Step 6: Control traffic by IP address.
  7. Step 7: Delete unwanted traffic.
  8. Step 8: Delete a rule.
Oct 18, 2022

How to check current iptables rules? ›

How to list all iptables rules on Linux
  1. Open the terminal app or log in using the ssh command: $ ssh user@server-name.
  2. To list all IPv4 rules: $ sudo iptables -S.
  3. To list all IPv6 rules: $ sudo ip6tables -S.
  4. To list all rules in table form, with packet counters and numeric addresses: $ sudo iptables -L -v -n | more.
  5. To list only the rules of the INPUT chain: $ sudo iptables -L INPUT -v -n.
Mar 14, 2024

How to enable and disable iptables? ›

Follow these steps (RHEL/CentOS 6 and other SysV-init systems; on systemd-based releases use systemctl stop iptables and systemctl disable iptables instead):
  1. Log in as root or with a sudo user account.
  2. Run the following commands in a terminal:
     service iptables stop
     chkconfig iptables off
     chkconfig --list | grep iptables

How to set firewall rules in Linux? ›

Configuration Steps (web-based interface of a firewall appliance, not iptables itself)
  1. Navigate to Firewall → Rules → LAN (or whichever interface you wish to set a rule for).
  2. Click the + sign to add a new rule.
  3. Fill out the details, such as source, destination, ports, and action (Allow/Deny).
  4. Click Save and then Apply Changes.

How do I know if iptables is active Linux? ›

Start iptables and enable it at startup.
  1. Run the following command to start iptables: systemctl start iptables.
  2. Run the following command to check whether iptables is running: systemctl status iptables. ...
  3. Run the following command to set iptables to start at boot: systemctl enable iptables.
Dec 28, 2020

How do I install iptables on Linux? ›

Open your terminal and execute the following commands:
  1. sudo apt update
     sudo apt install iptables
  2. sudo iptables -A INPUT -p tcp --dport 80 -j DROP
  3. sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
Note that a REDIRECT in the nat PREROUTING chain rewrites the destination port before the filter INPUT chain sees the packet, so the INPUT rule that accepts the redirected traffic must allow port 8080, not port 80.
Feb 2, 2024

Where do I edit iptables? ›

In this how-to, we will illustrate three ways to edit iptables Rules :
  1. CLI : iptables command line interface and system configuration file /etc/sysconfig/iptables.
  2. TUI (text-based) interface : setup or system-config-firewall-tui.
  3. GUI : system-config-firewall.


What is the iptables service in Linux? ›

Iptables is a user-space utility program for managing the firewall rules of the Linux kernel's netfilter framework. It is a powerful security tool that keeps your system safe by blocking undesired network traffic, allowing expected traffic, redirecting packets to other TCP/UDP ports and rate-limiting or dropping traffic from abusive sources, although on its own it is no substitute for upstream DDoS protection.

How to enable iptables in RHEL 7? ›

Make sure you have the iptables-services package installed. This legacy package provides the systemd unit files for the previous iptables service (iptables.service and ip6tables.service); it is not always installed, depending on the choices made when the system was installed or upgraded. Stop and disable firewalld before enabling it, so that the two do not fight over the same rules, then run systemctl enable --now iptables.


How do I set firewall rules? ›

Create an inbound program or service rule
  1. Open the Windows Firewall with Advanced Security console.
  2. In the navigation pane, select Inbound Rules.
  3. Select Action, and then select New rule.
  4. On the Rule Type page of the New Inbound Rule Wizard, select Custom, and then select Next. ...
  5. On the Program page, select This program path.
Nov 21, 2023

What are iptables rules? ›

Iptables is basically a powerful firewall, which can allow a user to set specific rules to control incoming and outgoing traffic. You can use it to block specific port, IP addresses and much more.

Which GUI tool is used to configure firewall rules in iptables? ›

firewalld (firewall-config) — Daemon and graphical interface for configuring network and firewall zones as well as setting up and configuring firewall rules.

Article information

Author: Dan Stracke

Last Updated:
