The following is a brief summary of the most useful iptables commands for easy reference, along with some examples to make the command usage more clear. Bear in mind this is not an exhaustive list of commands; it only represents the most important commands for configuring your firewall. For a complete list, refer to the iptables man page.
■ -A appends a rule to a chain. iptables -A INPUT -p icmp -j ACCEPT will add the rule to permit ICMP at the bottom of the INPUT chain in the filter table.
■ -D deletes a rule from a chain. iptables -D INPUT -p icmp -j ACCEPT will delete the first rule in the INPUT chain whose specification matches exactly. iptables -D INPUT 3 will delete the third rule from the top in the INPUT chain.
■ -I inserts a rule in a chain. iptables -I INPUT 5 -p icmp -j ACCEPT will insert this rule as the fifth rule in the INPUT chain; without a number, -I inserts at the top (position 1).
■ -R replaces a rule in a chain. iptables -R INPUT 4 -p icmp -j ACCEPT will replace the fourth rule in the INPUT chain with this new rule.
■ -L lists the rules. iptables -L will list all rules in all chains of the filter table, and iptables -L INPUT will list the rules in the INPUT chain only.
■ iptables -t nat -L would list all the rules in the nat table only.
■ -F will flush (delete) the rules. iptables -F will delete all rules in all chains of the filter table, and iptables -F INPUT only those in INPUT. It does not delete chains and it does not change chain policies, so flushing while a chain's policy is DROP leaves everything blocked. When administering a host over SSH, set the policies to ACCEPT before flushing, or flush from a script that immediately reloads the full rule set.
■ -Z will zero the packet and byte counters. iptables -Z will reset all of the counters. iptables -Z FORWARD will reset the counters in the FORWARD chain only.
■ -N will create a new chain. iptables -N CUSTOMCHAIN1 will create a new user-defined chain named CUSTOMCHAIN1, which rules in other chains can then use as a target with -j CUSTOMCHAIN1.
■ -X will delete a chain. iptables -X CUSTOMCHAIN1 will delete the custom chain named CUSTOMCHAIN1; the chain must be empty and no rule may still jump to it. Built-in chains cannot be deleted.
■ -P will change the policy for a chain, that is, the fate of a packet that reaches the end of the chain without matching any rule. iptables -P INPUT ACCEPT will change the policy for the INPUT chain to ACCEPT.
A policy exists only for built-in chains and must be either ACCEPT or DROP; iptables has no DENY target, and a custom chain cannot be set as a policy. To make a custom chain (or REJECT, or LOG) the default action, append it as the last rule of the chain instead, for example iptables -A INPUT -j CUSTOMCHAIN1.
Option Summary
■ -p specifies the protocol to match (works with "!"). iptables -A FORWARD -p tcp will add a rule to match any TCP packet to the FORWARD chain. iptables -A FORWARD ! -p tcp will match any packet that is not TCP. (Older releases also accepted -p ! tcp; current iptables warns that the "!" belongs before the option.)
■ -s specifies the source address to match (works with "!"). iptables -A FORWARD -s 192.168.1.99 will match any packet with a source address of 192.168.1.99. iptables -A FORWARD ! -s 192.168.1.99 will match any packet that does not have a source address of 192.168.1.99. A whole network can be given in CIDR form, such as -s 192.168.1.0/24.
■ -d specifies the destination address to match (works with "!"). iptables -A FORWARD -d 192.168.1.99 will match any packet with a destination address of 192.168.1.99.
■ -i specifies the network interface that the traffic was received on (works with "!"). iptables -A FORWARD -i eth0 will match any packet entering the eth0 interface. -i is only valid in the INPUT, FORWARD, and PREROUTING chains (and in user-defined chains called from them).
■ -j specifies the target. iptables -A FORWARD -p tcp -j DROP would create a rule at the bottom of the FORWARD chain that silently discards any TCP packet. (DENY was an ipchains target; iptables uses DROP, or REJECT when an error should be sent back to the sender.)
■ -o specifies the network interface that the traffic was sent out of (works with "!"). iptables -A FORWARD -o eth1 would match any packet leaving on the eth1 interface. -o is only valid in the FORWARD, OUTPUT, and POSTROUTING chains (and in user-defined chains called from them).
■ -t specifies the table to manipulate. iptables -t nat -A POSTROUTING -p tcp -j DROP will add a rule to the bottom of the POSTROUTING chain in the nat table to drop any TCP packet. This only illustrates the option: the nat table sees just the first packet of each connection, so filtering rules belong in the filter table and the nat table should be reserved for SNAT, DNAT, MASQUERADE, and similar targets.
If you don’t specify the –t option, iptables assumes you are working with the filter table.
■ -v specifies verbose output. iptables -L -v lists all of the rules and includes packet and byte counts per chain and per rule, plus the interfaces each rule matches. Adding -n (iptables -L -v -n) prints addresses and ports numerically instead of resolving them, which is faster and avoids stalls on DNS lookups.
■ --line-numbers specifies that the rule list should be numbered:
iptables -L --line-numbers
This option makes it easier to know what number to use for the commands that take a rule number as an argument, such as insert, delete, replace, and so on.
■ -m loads a match extension so that packets can be selected on criteria beyond address, protocol, and interface. Extensions that read protocol-specific fields also require -p to name the protocol (tcp, udp, or icmp); the basic port options below are provided by the protocol match itself and need only -p tcp or -p udp. Some common examples include:
■ -p tcp --sport (or -p udp --sport) allows you to match packets based on the TCP or User Datagram Protocol (UDP) source port; a range is written as low:high, for example --sport 1024:65535.
■ -p tcp --dport (or -p udp --dport) allows you to match packets based on the TCP or UDP destination port.
■ -m multiport allows you to match packets based on multiple port numbers within the same rule. iptables -A FORWARD -p tcp -m multiport --dports 22,25,53 -j DROP would DROP any TCP packet with a destination port of 22, 25, or 53 (the shortened --dport is also accepted). Up to 15 ports or port ranges may be listed.
■ -m state --state will allow you to match packets based on the state of the connection as recorded by netfilter's connection tracking. iptables -A FORWARD -p tcp -m state --state NEW -j LOG would LOG any TCP packets that were being used to initiate a new connection. (Current iptables expresses the same match as -m conntrack --ctstate NEW; the state match is kept as an alias.)
There are four recognized states: NEW (the first packet of a connection), ESTABLISHED (the connection has already seen packets in both directions), RELATED (a new connection associated with an existing one, such as an FTP data channel or an ICMP error message), and INVALID (a packet that cannot be associated with any known connection, which is usually worth dropping).

netfilter and iptables give you powerful packet filtering and manipulation capabilities for free. With Linux distributions available for free download, a firewall is within any company's reach. Because of this, deploying firewalls internally to protect highly sensitive systems or data is becoming increasingly viable. If you want to obtain a Linux firewall without having to install Linux, try any of the many live CDs that are available. Some excellent choices are Knoppix or Slax.
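The following script, added here as an illustration and not part of the original text, puts the commands and options summarised above together into a small stateful host firewall: it flushes and resets the filter table, sets default-deny policies, creates a custom log-and-drop chain, and then uses the state, negation, and multiport matches. The management subnet (192.168.1.0/24) and the service ports (22, 80, 443) are constructed values; the LOG target's --log-prefix option is a real iptables option that the summary above does not cover. By default the script only prints the rules (dry run); pass --apply to run them as root.

```shell
#!/bin/sh
# Added example: a minimal stateful host firewall built from the iptables
# commands in the summary above. The first argument of apply_firewall is the
# command used to run each rule; "echo iptables" prints the rule set instead of
# applying it, which is the dry-run mode and needs no root privileges.
set -e

# Constructed values for this example; adjust to your environment.
MGMT_NET="192.168.1.0/24"   # assumed management subnet allowed to open SSH
WEB_PORTS="80,443"          # assumed public TCP services on this host

apply_firewall() {
    IPT="${1:-iptables}"

    # Start from a clean filter table (no -t given): flush all rules, delete
    # user-defined chains, zero the counters.
    $IPT -F
    $IPT -X
    $IPT -Z

    # Default-deny. A built-in chain's policy can only be ACCEPT or DROP, so
    # REJECT or a jump to a custom chain has to be an ordinary final rule.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Custom chain: log, then drop. Reused anywhere with -j LOGDROP.
    $IPT -N LOGDROP
    $IPT -A LOGDROP -j LOG --log-prefix "FW-DROP: "
    $IPT -A LOGDROP -j DROP

    # Loopback and replies to tracked connections come first; the first
    # matching rule wins, so ordering is part of the policy.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j LOGDROP

    # New SSH sessions only from the management network. The negated rule
    # after it logs attempts from anywhere else; "!" goes before the option.
    $IPT -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p tcp ! -s "$MGMT_NET" --dport 22 -j LOGDROP

    # Several ports in one rule; multiport needs -p tcp to locate the ports.
    $IPT -A INPUT -p tcp -m multiport --dports "$WEB_PORTS" -m state --state NEW -j ACCEPT

    # Ping is allowed; everything else hits the catch-all log-and-drop rule
    # (the DROP policy would discard it anyway, but silently).
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A INPUT -j LOGDROP
}

case "${1:-}" in
    --apply) apply_firewall iptables ;;          # really install the rules (root)
    *)       apply_firewall "echo iptables" ;;   # dry run: print the rules only
esac
```

After applying, inspect the result with iptables -L INPUT -v -n --line-numbers; the numbers it prints are the ones -I, -R, and -D accept. Because the script switches the INPUT policy to DROP before any ACCEPT rule exists, run it with --apply from the console or alongside a scheduled rollback (for example a cron or at job that runs iptables -P INPUT ACCEPT and iptables -F) until the rule set is confirmed to let your own session through.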