Iptables Basic Commands for Novice
While working with customers or while reproducing scenarios where I would have to allow or drop connectivity to certain ports in Linux OS, I have always found the iptables command very helpful.
This article is for users who don't have insights into networking or, specifically, iptables command. This article would help such users quickly get a list of all rules and drop or allow traffic to ports.
I have tested these commands on Ubuntu 22.
$ uname -a
Linux cpandey 5.15.0-57-generic #63-Ubuntu SMP Thu Nov 24 13:43:17 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.1 LTS"
So let us learn together.
1. Let us have a basic understanding of what the iptables command is first. It is the standard firewall administration tool available with Linux OS. The command (with the -t switch) can operate on any of the five network tables: filter, nat, mangle, raw, and security.
Here filter is the default table (used if no -t option is passed); it is used for packet filtering. It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
$ man iptables
SYNOPSIS
iptables [-t table] {-A|-C|-D} chain rule-specification
rule-specification = [matches...] [target]
match = -m matchname [per-match-options]
target = -j targetname [per-target-options]
DESCRIPTION
Iptables and ip6tables are used to set up, maintain, and inspect the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target', which may be a jump to a user-defined chain in the same table.
TARGETS
A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, one of the targets described in iptables-extensions(8), or one of the special values ACCEPT, DROP or RETURN.
ACCEPT means to let the packet through. DROP means to drop the packet on the floor. RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain. If the end of a built-in chain is reached or a rule in a built-in chain with target RETURN is matched, the target specified by the chain policy determines the fate of the packet.
TABLES
There are currently five independent tables (which tables are present at any time depends on the kernel configuration options and which modules are present).
-t, --table table
This option specifies the packet matching table which the command should operate on. If the kernel is configured with automatic module loading, an attempt will be made to load the appropriate module for that table if it is not already there.
The tables are as follows:
filter:
This is the default table (if no -t option is passed). It contains the built-in chains INPUT (for packets destined to local sockets), FORWARD (for packets being routed through the box), and OUTPUT (for locally-generated packets).
nat:
This table is consulted when a packet that creates a new connection is encountered. It consists of four built-ins: PREROUTING (for altering packets as soon as they come in), INPUT (for altering packets destined for local sockets), OUTPUT (for altering locally-generated packets before routing), and POSTROUTING (for altering packets as they are about to go out). IPv6 NAT support is available since kernel 3.7.
mangle:
This table is used for specialized packet alteration. Until kernel 2.4.17 it had two built-in chains: PREROUTING (for altering incoming packets before routing) and OUTPUT (for altering locally-generated packets before routing). Since kernel 2.4.18, three other built-in chains are also supported: INPUT (for packets coming into the box itself), FORWARD (for altering packets being routed through the box), and POSTROUTING (for altering packets as they are about to go out).
raw:
This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It registers at the netfilter hooks with higher priority and is thus called before ip_conntrack, or any other IP tables. It provides the following built-in chains: PREROUTING (for packets arriving via any network interface) and OUTPUT (for packets generated by local processes).
security:
This table is used for Mandatory Access Control (MAC) networking rules, such as those enabled by the SECMARK and CONNSECMARK targets. Mandatory Access Control is implemented by Linux Security Modules such as SELinux. The security table is called after the filter table, allowing any Discretionary Access Control (DAC) rules in the filter table to take effect before MAC rules. This table provides the following built-in chains: INPUT (for packets coming into the box itself), OUTPUT (for altering locally-generated packets before routing), and FORWARD (for altering packets being routed through the box).
2. Let us start a basic HTTP server using Python's built-in http.server module.
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
3. List the current firewall rules using the iptables command.
$ sudo iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# Explanation of the switches used
-v, --verbose
Verbose output.
-n, --numeric
Numeric output. IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services (whenever applicable).
-L, --list [chain]
List all rules in the selected chain.
4. Access the HTTP server listening on port 8000 that we started with the Python module.
$ curl -s -D - -o /dev/null http://localhost:8000
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.10.6
Date: Sat, 14 Jan 2023 01:28:02 GMT
Content-type: text/html; charset=utf-8
Content-Length: 2571
Note:
-s hides the progress bar
-D - dumps the response headers to stdout (the file name "-" means stdout)
-o /dev/null sends the response body (HTML) to /dev/null, essentially ignoring it
# In the HTTP server's log, we can see the GET entry.
$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
127.0.0.1 - - [14/Jan/2023 06:00:37] "GET / HTTP/1.1" 200 -
5. Block (drop) incoming traffic to port 8000.
$ sudo iptables -A INPUT -p tcp --dport 8000 -j DROP
# Check connectivity to the port. With DROP the packets are silently discarded, so the client hangs until it times out rather than being refused.
$ telnet localhost 8000
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection timed out
$ curl -v http://localhost:8000
* Trying 127.0.0.1:8000...
* Trying ::1:8000...
* connect to ::1 port 8000 failed: Connection refused
# curl also tries IPv6 (::1), which is refused immediately: the server is bound to 0.0.0.0 (IPv4 only), and an iptables rule never covers IPv6 traffic anyway; that is handled separately by ip6tables.
6. We can again check the list of rules. However, the -S switch provides a more convenient way to list them: it prints the rules in the same format in which we applied them, which makes them easy to reuse.
$ sudo iptables -S|grep DROP
-A INPUT -p tcp -m tcp --dport 8000 -j DROP
# We can also list the rules for only the INPUT chain
$ sudo iptables -L INPUT -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
33 1980 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000
# without the -n switch
$ sudo iptables -L INPUT -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
33 1980 DROP tcp -- any any anywhere anywhere tcp dpt:8000
# without the verbose option
$ sudo iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000
7. We can also list rules with line numbers; this is particularly helpful when deleting specific rules.
$ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 DROP tcp -- anywhere anywhere tcp dpt:8000
Chain FORWARD (policy DROP)
num target prot opt source destination
1 DOCKER-USER all -- anywhere anywhere
2 DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
3 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
8. Delete a rule by its line number.
# Delete the 1st rule in the INPUT chain.
$ sudo iptables -D INPUT 1
# Check connectivity again.
$ telnet localhost 8000
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
$ curl -s -D - -o /dev/null http://localhost:8000
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.10.6
Date: Sat, 14 Jan 2023 02:07:12 GMT
Content-type: text/html; charset=utf-8
Content-Length: 2571
9. We can also delete a rule by specifying the complete rule with the -D switch.
$ sudo iptables -A INPUT -p tcp --dport 8000 -j DROP
$ sudo iptables -S|grep INPUT
-A INPUT -p tcp -m tcp --dport 8000 -j DROP
$ sudo iptables -D INPUT -p tcp -m tcp --dport 8000 -j DROP
$ curl -s -D - -o /dev/null http://localhost:8000
HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.10.6
Date: Sat, 14 Jan 2023 02:13:39 GMT
Content-type: text/html; charset=utf-8
Content-Length: 2571
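The following script is an added example, not part of the article: it reuses the `iptables -S` output format from step 6 to find a port's rules, turns an `-A` line into the `-D` spec typed by hand in step 9, and uses `iptables -C` so that repeating the block from step 5 does not stack duplicate DROP rules. The rule dump it parses offline is constructed; `block_port` and `unblock_port` need root to act on a real host.

```shell
#!/bin/sh
# Added example (not from the article): work with rules in `iptables -S` format.

# Constructed sample of `sudo iptables -S` output; not captured from a real host.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Command used for real changes (set IPTABLES=iptables when already root).
IPTABLES="${IPTABLES:-sudo iptables}"

# Print the -A lines of chain $1 in a rule dump (stdin) that match --dport $2.
# The "( |$)" guard stops --dport 80 from matching --dport 8000.
rules_for_port() {
    grep -E -- "^-A $1 .*--dport $2( |\$)" || :
}

# Turn an "-A CHAIN ..." line (as printed by -S) into the "-D CHAIN ..." spec
# that deletes exactly that rule, which is what step 9 types by hand.
to_delete_spec() {
    printf '%s\n' "$1" | sed 's/^-A /-D /'
}

# Drop TCP traffic to port $1 only if the rule is not already present:
# -C (check) exits 0 when a matching rule exists, so repeated runs do not
# stack duplicate DROP rules the way repeating -A would.
block_port() {
    if $IPTABLES -C INPUT -p tcp --dport "$1" -j DROP 2>/dev/null; then
        echo "port $1 already blocked"
    else
        $IPTABLES -A INPUT -p tcp --dport "$1" -j DROP
    fi
}

# Remove every DROP rule for port $1 in the live dump by full spec rather than
# by line number, so the renumbering after each delete cannot hit the wrong rule.
unblock_port() {
    $IPTABLES -S INPUT | rules_for_port INPUT "$1" | grep -- '-j DROP' |
    while IFS= read -r rule; do
        $IPTABLES $(to_delete_spec "$rule")   # word-splitting the spec is intended
    done
}

# Offline demonstration on the constructed dump (no root needed).
printf '%s\n' "$SAMPLE_RULES" | rules_for_port INPUT 8000 | while IFS= read -r rule; do
    echo "found:  $rule"
    echo "delete: iptables $(to_delete_spec "$rule")"
done
```

Deleting by full spec is also what you want in scripts, since the line numbers shown by `--line-numbers` shift as soon as an earlier rule is removed.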
That's it for this article. I hope this article will help you to have a basic understanding of iptables commands.