Linux iptables tool


iptables is a powerful command-line tool in Linux for managing network traffic rules within the kernel-level Netfilter firewall. It provides a way to configure rules that govern how incoming and outgoing traffic is handled. iptables is more complex than ufw, but it allows for highly customizable and detailed firewall configurations.

Here’s an overview of using iptables with some basic commands and example outputs.


1. Viewing Current Rules

To view the active rules in iptables, use:

sudo iptables -L

Example Output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This output lists the rules in each chain:

  • INPUT: Handles incoming connections.
  • FORWARD: Handles packets routed through the server.
  • OUTPUT: Handles outgoing connections from the server.

Each rule specifies:

  • target (e.g., ACCEPT or DROP) – the action taken on matching packets.
  • prot – protocol (e.g., TCP, UDP).
  • source and destination – IP addresses the rule applies to.

2. Setting Default Policies

Default policies define how packets are handled if they don’t match any specific rule.

Drop All Incoming Traffic by Default

sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT

Example Output:

No output is shown. These policies drop all incoming and forwarded traffic unless a rule explicitly allows it, while outgoing traffic is allowed by default. On a host you administer over SSH, add the rules that allow SSH and established connections before switching the INPUT policy to DROP, otherwise the current session is cut off.


3. Allowing Specific Traffic

Allow SSH (Port 22)

To allow SSH connections to the server on port 22:

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Example Output:

No output, but running sudo iptables -L again will show the new rule added to the INPUT chain.

Allow HTTP (Port 80) and HTTPS (Port 443)

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

These commands allow web traffic to reach the server.


4. Blocking Specific IP Addresses

To block a specific IP address (e.g., 192.168.1.100):

sudo iptables -A INPUT -s 192.168.1.100 -j DROP

Example Output:

No output, but this rule now drops any incoming traffic from 192.168.1.100.


5. Allowing Specific IP Addresses

To allow traffic from a specific IP (e.g., 192.168.1.101):

sudo iptables -A INPUT -s 192.168.1.101 -j ACCEPT

This rule lets 192.168.1.101 connect to any open port on your server.


6. Logging Dropped Packets

You can log dropped packets for troubleshooting purposes. For example:

sudo iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

Example Output:

No terminal output. LOG is a non-terminating target: a packet that reaches this rule is logged and then continues to the chain's default policy, so with the INPUT policy set to DROP (section 2) everything that reaches the end of the chain is logged and dropped. The entries appear in /var/log/syslog (or the kernel log, depending on the distribution) with the prefix IPTables-Dropped: .


7. Saving and Restoring iptables Rules

iptables rules are not persistent across reboots. To save them, use:

Save Current Rules

On Debian/Ubuntu:

sudo iptables-save > /etc/iptables/rules.v4

On CentOS/RHEL:

sudo service iptables save

Restore Saved Rules

To restore saved rules after a reboot:

sudo iptables-restore < /etc/iptables/rules.v4
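As an added example that is not part of the original page, the rules from sections 2 to 6 assembled into a single iptables-restore file, ordered for first-match evaluation, plus a small lint that catches the two ordering mistakes the step-by-step -A commands above can produce. The loopback rule, the -m state match, the function names and the check itself are additions; the addresses and ports are the page's sample values.

```shell
#!/bin/sh
# Added example (not from the original page). build_ruleset emits the page's
# INPUT rules as one iptables-restore file; check_input_order lints the order.
# iptables stops at the first matching rule, so a host DROP appended with -A
# after the port ACCEPTs never fires for those ports, and the RELATED,ESTABLISHED
# ACCEPT must precede the final LOG rule or every reply packet is logged/dropped.
# Arguments: SSH port, blocked host, trusted host (constructed sample values).
build_ruleset() {
    ssh_port="$1"; blocked="$2"; trusted="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s $blocked -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s $trusted -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
COMMIT
EOF
}

# Return 0 if the INPUT chain in the given file is safely ordered:
#  - no source-based DROP (-s X -j DROP) appears after an ACCEPT;
#  - the RELATED,ESTABLISHED ACCEPT appears before the LOG rule.
check_input_order() {
    seen_accept=0; seen_established=0
    while IFS= read -r line; do
        case "$line" in "-A INPUT"*) ;; *) continue ;; esac
        case "$line" in
            *"-s "*"-j DROP"*)
                if [ "$seen_accept" -eq 1 ]; then return 1; fi ;;
            *"RELATED,ESTABLISHED"*"-j ACCEPT"*)
                seen_established=1; seen_accept=1 ;;
            *"-j ACCEPT"*)
                seen_accept=1 ;;
            *"-j LOG"*)
                if [ "$seen_established" -ne 1 ]; then return 1; fi ;;
        esac
    done < "$1"
    return 0
}

# Usage: build_ruleset 22 192.168.1.100 192.168.1.101 > rules.v4
#        check_input_order rules.v4 && sudo iptables-restore < rules.v4
```

The generated file is in the same format iptables-save writes, so it can be kept as /etc/iptables/rules.v4 and loaded with the restore command above.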

8. Deleting Rules

To delete a rule, specify its exact parameters, or use the rule’s line number from the list.

List Rules with Line Numbers

sudo iptables -L --line-numbers

Example Output:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
2    DROP       all  --  192.168.1.100        anywhere

Delete Rule by Line Number

To delete the second rule in the INPUT chain:

sudo iptables -D INPUT 2

This command deletes the rule blocking 192.168.1.100.


9. Flushing All Rules

To clear all rules, flush the chains (with no chain named, -F flushes every chain in the table):

sudo iptables -F

This command removes all rules but keeps the default policies intact. If the INPUT policy is DROP, flushing leaves the host unreachable until the policy is set back to ACCEPT or allow rules are re-added.


Summary of Common iptables Commands

  • View rules: sudo iptables -L
  • Set default policies: sudo iptables -P [CHAIN] [ACTION]
  • Add rule to allow traffic: sudo iptables -A [CHAIN] -p [PROTOCOL] --dport [PORT] -j ACCEPT
  • Block an IP: sudo iptables -A INPUT -s [IP] -j DROP
  • Delete rule by number: sudo iptables -D [CHAIN] [NUMBER]
  • Save rules: sudo iptables-save > /etc/iptables/rules.v4
  • Flush all rules: sudo iptables -F

iptables provides robust security controls, but requires careful rule management. It’s well-suited for administrators who need detailed, low-level firewall customization on Linux.