iptables overview

A practical reference guide to Linux firewall management with iptables.

iptables is the standard command-line front end to the netfilter packet-filtering framework in the Linux kernel. On current distributions the iptables binary is usually the nftables-backed iptables-nft; the syntax below is the same either way. Rules live in the kernel, so every command here needs root, and changes take effect immediately but are lost at reboot unless saved (see Saving and restoring rules).

Get a root shell before running any of these commands: sudo -i on Debian-based systems, or su on others.

Viewing rules and status

Show all rules with detailed output:

iptables -L -n -v

Show rules with line numbers:

iptables -n -L -v --line-numbers

Show only the INPUT or OUTPUT chain:

iptables -L INPUT -n -v
iptables -L OUTPUT -n -v --line-numbers

Flags:

  • -L — list the rules of a chain (every chain of the table if none is named)
  • -v — verbose output: per-rule packet and byte counters, in/out interface and options; counters are rounded with K/M/G suffixes unless -x is added
  • -n — show IPs and ports as numbers, skip DNS and /etc/services lookups (much faster on a host without working DNS)

Starting and stopping the firewall

If the host manages its rules through a frontend such as ufw (the default on Ubuntu), stop and start that service instead of editing its chains by hand, because the frontend overwrites manual changes when it reloads:

service ufw stop
service ufw start

Flush all rules manually. This leaves the host completely open (every chain empty, every policy ACCEPT), so do it only from a console or when you intend to load a saved ruleset straight afterwards:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Flags:

  • -F — flush (delete) all rules in a chain, or in every chain of the table if no chain is named
  • -X — delete a user-defined chain; with no name, delete every empty user-defined chain
  • -t — select a table (filter is the default; nat, mangle and raw are the others)
  • -P — set the default policy of a built-in chain, i.e. what happens when no rule matches

Adding and removing rules

Delete a rule by line number. Rule numbers shift after every delete, so list again before deleting the next one:

iptables -L INPUT -n --line-numbers    # find the line number
iptables -D INPUT 3                    # delete line 3

Delete a rule by specification. The match and target must be given exactly as the rule was added:

iptables -D INPUT -s 202.54.1.1 -j DROP

Insert a rule at position 2, pushing the old rule 2 and everything after it down one. Rules are evaluated top to bottom and the first match wins, so position matters:

iptables -I INPUT 2 -s 202.54.1.2 -j DROP

Saving and restoring rules

iptables-save > /etc/iptables.rules      # save
iptables-restore < /etc/iptables.rules  # restore (replaces the whole ruleset atomically)

Nothing loads the file at boot by itself: on Debian/Ubuntu the iptables-persistent package restores /etc/iptables/rules.v4, on RHEL-family systems iptables-services restores /etc/sysconfig/iptables. iptables-restore --test parses a file and reports syntax errors without loading it.

Default policies

Drop all traffic (deny everything). If you are logged in over SSH this cuts your own session, so add the ACCEPT rules you need before changing the policy, or run it from a console:

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Drop unsolicited incoming traffic, allow outgoing. The accept rule must admit only replies to connections this host started (ESTABLISHED) and traffic related to them such as ICMP errors (RELATED); accepting NEW as well would let every incoming connection through and defeat the DROP policy. Add the rule first, then flip the policy, and remember that loopback traffic also needs an explicit ACCEPT once INPUT defaults to DROP:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

-m state --state ESTABLISHED,RELATED is the older spelling of the same match and still works.

Blocking IPs and networks

Block a specific IP:

iptables -A INPUT -s 1.2.3.4 -j DROP

Drop packets that arrive on the public interface with a source address that can never legitimately come from the Internet (spoofed or misrouted). Use the full RFC 1918 ranges and add one rule per range:

iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

Source ranges that should never appear on a public interface:

  • 10.0.0.0/8 (RFC 1918 private)
  • 172.16.0.0/12 (RFC 1918 private)
  • 192.168.0.0/16 (RFC 1918 private)
  • 224.0.0.0/4 (multicast)
  • 240.0.0.0/4 (reserved, formerly class E)
  • 127.0.0.0/8 (loopback)

These are first-match rules, so they belong near the top of INPUT, before any ACCEPT that could match the same packet.
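The two preceding sections (a stateful default-deny policy, and anti-spoofing on the public interface) are easiest to get right as one file loaded with iptables-restore, because the whole ruleset is committed atomically and there is no window in which INPUT is DROP but the ACCEPT rules do not yet exist. The script below is an added example, not code from the original page: it generates such a file. The interface name eth0, SSH port 22 and admin network 203.0.113.0/24 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: build the stateful default-deny
# policy above, plus the anti-spoofing chain, as one iptables-restore file.
# Loading the file atomically avoids the window in which a DROP policy is set
# before the ACCEPT rules exist. The interface name, SSH port and admin subnet
# used below are assumptions for illustration.
set -eu

# baseline_rules PUBLIC_IF SSH_PORT ADMIN_CIDR  -> iptables-restore file on stdout
baseline_rules() {
    pub_if=$1 ssh_port=$2 admin_cidr=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SPOOF - [0:0]
# Loopback must always pass or local services break.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, and related traffic (ICMP errors, FTP data).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets that fit no tracked connection are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Source addresses that can never legitimately arrive on the public interface.
-A INPUT -i $pub_if -j SPOOF
EOF
    # One rate-limited LOG and one DROP per bogon range, so a flood cannot fill the disk.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 \
               169.254.0.0/16 224.0.0.0/4 240.0.0.0/4; do
        echo "-A SPOOF -s $net -m limit --limit 5/minute --limit-burst 7 -j LOG --log-prefix \"IP_SPOOF: \""
        echo "-A SPOOF -s $net -j DROP"
    done
    cat <<EOF
-A SPOOF -j RETURN
# Management only from the admin network, new connections only (replies are ESTABLISHED).
-A INPUT -s $admin_cidr -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# Public services.
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Ping, rate-limited, and the ICMP errors needed for path MTU discovery and traceroute.
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# Everything else falls through to the DROP policy; keep a sampled log of it.
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "INPUT_DROP: "
COMMIT
EOF
}

# Number of rule lines (-A ...) in a generated file; a quick sanity check before loading.
rule_count() {
    grep -c '^-A'
}

# Usage as root: write, syntax-check, then load atomically.
#   baseline_rules eth0 22 203.0.113.0/24 > /etc/iptables.rules
#   iptables-restore --test < /etc/iptables.rules && iptables-restore < /etc/iptables.rules
baseline_rules eth0 22 203.0.113.0/24
```

The SPOOF chain is a separate user-defined chain so the bogon list can be extended or audited on its own (iptables -L SPOOF -n -v shows per-range hit counters), and every LOG is preceded by -m limit for the reason given under Logging below. Rule order inside INPUT matters: loopback and ESTABLISHED,RELATED first, because they match the bulk of legitimate traffic, then the spoof check, then the per-service NEW rules.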

Blocking ports

Block all incoming connections on port 80. The first rule applies on every interface, the second only on eth1; use one or the other, not both:

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

Block port 80 for a specific IP:

iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP

Open a port range (new connections only; the replies are matched by the ESTABLISHED rule):

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

Blocking outbound connections by domain

iptables matches addresses, not names, so resolve the domain and look up the netblock the address belongs to:

host -t a facebook.com
whois 69.171.228.40 | grep CIDR

Block the range:

iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP

This is brittle: large sites answer from many netblocks and CDNs, the addresses change over time, and the rule only covers TCP. Re-check the lookup periodically and expect the block to be partial.

Logging

Log and drop a packet. LOG is a non-terminating target, so the packet continues to the next rule; the DROP must follow it:

iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

Log with rate limiting. --limit 5/m allows an average of 5 log entries per minute, and --limit-burst 7 lets up to 7 through in a burst before the average applies. Without a limit, a flood of spoofed packets fills the disk with log lines:

iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

Check the log. LOG writes to the kernel log, which lands in /var/log/messages on RHEL-family systems and in /var/log/kern.log (or syslog) on Debian/Ubuntu; journalctl -k shows it on any systemd host. Grep for the exact prefix string you configured:

tail -f /var/log/messages
grep -i --color 'IP_SPOOF' /var/log/messages
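Reading the raw LOG lines by hand gets old quickly. The script below is an added example, not part of the original page: it summarises kernel LOG entries carrying the IP_SPOOF prefix into one line per source address with a hit count and the protocol:port pairs seen. The sample log lines are constructed for the example; the hostname web1, the addresses and the timestamps are illustrative.

```shell
#!/bin/sh
# Added example, not from the original page: summarise the kernel LOG entries
# written by the IP_SPOOF rules, per source address. The log lines are
# constructed for this example; on a real host read /var/log/kern.log,
# /var/log/messages or the output of `journalctl -k --no-pager` instead.
set -eu

SAMPLE_LOG='Mar  3 10:01:02 web1 kernel: [12345.678] IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:11:22:33:08:00 SRC=10.1.2.3 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:03 web1 kernel: [12346.001] IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:11:22:33:08:00 SRC=10.1.2.3 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:01:09 web1 kernel: [12352.420] IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:ab:cd:ef:00:50:56:11:22:33:08:00 SRC=192.168.5.9 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP SPT=53 DPT=53 LEN=24
Mar  3 10:01:10 web1 sshd[2201]: Accepted publickey for ops from 203.0.113.9 port 51122 ssh2'

# spoof_summary PREFIX < logfile
# Prints one line per source: "SRC count proto:dport[,proto:dport...]", busiest first.
# Only lines containing PREFIX are considered, so unrelated kernel or daemon
# messages in the same file are ignored.
spoof_summary() {
    prefix=$1
    grep -F "$prefix" | awk '
        {
            src = ""; proto = ""; dpt = ""
            # netfilter LOG fields are KEY=VALUE tokens; pick the three we report on.
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n != 2) continue
                if (kv[1] == "SRC")        src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT")   dpt = kv[2]
            }
            if (src == "") next
            count[src]++
            key = proto ":" dpt
            if (!((src, key) in seen)) {
                seen[src, key] = 1
                targets[src] = (targets[src] == "") ? key : targets[src] "," key
            }
        }
        END {
            for (s in count) printf "%s %d %s\n", s, count[s], targets[s]
        }' | sort -k2,2nr -k1,1
}

# On a live host:  spoof_summary "IP_SPOOF A:" < /var/log/kern.log
# With the constructed sample this prints:
#   10.1.2.3 2 TCP:22
#   192.168.5.9 1 UDP:53
printf '%s\n' "$SAMPLE_LOG" | spoof_summary "IP_SPOOF A:"
```

The prefix filter is what makes the summary trustworthy: grep on the literal --log-prefix string rather than on a loose pattern, so a line from sshd that happens to mention a private address is not counted. The same function works for any other prefix used on the host, for example "INPUT_DROP: ".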

MAC address filtering

Match on the source MAC of an Ethernet frame. This only works for hosts on the same layer-2 segment (a router replaces the source MAC with its own), and a MAC address is trivially spoofed, so treat it as a convenience rather than an access control:

iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP


# Allow TCP port 22 only from a specific MAC (only meaningful if the INPUT policy or a later rule drops everything else)
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

ICMP (Ping) management

ICMP message types reference:

Type  Description
0     Echo reply (ping response)
3     Destination unreachable (includes "fragmentation needed", which path MTU discovery depends on)
4     Source quench (deprecated by RFC 6633; modern stacks ignore it)
5     Redirect (accept only from routers you trust; usually better dropped)
8     Echo request (ping)
11    Time exceeded (TTL expired; what traceroute relies on)
12    Parameter problem (bad IP header)

Under a DROP policy, allow only the types the host needs; under an ACCEPT policy these rules change nothing. If an ESTABLISHED,RELATED rule is already in place, ICMP errors that belong to tracked connections are accepted by it, so the explicit inbound rules only matter for traffic conntrack does not know about:

iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT

Block all ping requests:

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Allow ping only from a local subnet:

iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT

Common ports — open or close

Each rule admits new connections to one service. Under a DROP default policy, leave the rule out to keep the port closed; under an ACCEPT policy, replace ACCEPT with DROP (or REJECT) to block it:

# SSH (port 22)
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

# HTTP / HTTPS
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

# SMTP (port 25)
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# DNS (port 53) — both transports; TCP is used for large answers and zone transfers
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

# POP3 (port 110)
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

# IMAP (port 143)
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

# MySQL (port 3306) — local network only (the -s restriction is what makes it local)
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

# Samba — local network only; NetBIOS name/datagram services are UDP 137/138, session and SMB are TCP 139/445
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

# NTP (port 123) — only if this host serves time to the local network
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

Connection limits

Allow no more than 3 simultaneous SSH connections per source IP. connlimit counts the connections already in the conntrack table; --syn restricts the check to new TCP handshakes so existing sessions are not affected:

iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Limit HTTP to 20 concurrent connections per /24 source subnet:

iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

Flags:

  • --connlimit-above N — match when the source already has more than N connections
  • --connlimit-mask 24 — count per /24 source subnet instead of per address

REJECT answers with an ICMP error (or a TCP reset with --reject-with tcp-reset) so the client fails fast; DROP makes it wait for a timeout, which costs an abusive client more but is harder to debug for a legitimate one.

IP address ranges

Allow access to port 80 from a specific IP range:

iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

Help

If you have any questions or need assistance, please contact us through the ticket system — we're always here to help!
