iptables
Documentation
Official web site:
http://www.netfilter.org/
Start by getting familiar with the official documentation:
http://www.netfilter.org/documentation/
Wikipedia:
http://en.wikipedia.org/wiki/Iptables
Ubuntu iptables Howto:
https://help.ubuntu.com/community/IptablesHowTo
General concepts
First of all, it is important to understand the following hierarchy:
iptables is the userspace command for the kernel's netfilter packet filter. It is organised as a set of tables. Each table contains several chains. Each chain is an ordered succession of rules. A packet traverses a chain rule by rule: the first rule whose match criteria fit the packet decides what happens to it through the rule's target (ACCEPT, DROP, REJECT, or a jump to another chain); if no rule matches, the chain's policy applies. Thus we have: iptables -> tables -> chains -> rules.
tables
You don't need to create any table. The standard tables (filter, nat, mangle, raw and, on kernels with the security module, security) come out of the box. For a basic firewall set up, you'll only be dealing with the default 'filter' table.
See the top of the iptables manpage for a description of the standard tables.
To see the list of tables whose kernel modules are currently loaded:
cat /proc/net/ip_tables_names
A table that has never been touched may not appear there yet, and on distributions where iptables is the nftables-based variant (iptables -V reports "nf_tables") this file can be empty; in that case list a table directly with the -t option.
chains
The table 'filter' comes with three built-in chains: INPUT (packets addressed to this host), FORWARD (packets routed through this host) and OUTPUT (packets generated by this host). Each built-in chain has a policy, ACCEPT unless you change it, which is applied to any packet that no rule in the chain matches. You may create your own custom chains to complement these for a more advanced set-up, but at the beginning, you'll only be adding rules to the INPUT and maybe OUTPUT chains.
Enable/disable firewall
In Red Hat and derivative distributions, iptables is set up as a service, which is then easy to start and stop at will (from RHEL/CentOS 7 onwards the default front end is firewalld, and the classic service comes from the separate iptables-services package). Other distributions (Debian and derivatives, etc.) have no such service: the firewall is simply the live set of rules in the kernel. To disable it, the rules must be saved to a file (iptables-save), the chain policies reset to ACCEPT, and the chains flushed. To enable it again, you must reload the rules from the file (iptables-restore); the iptables-persistent package automates the save and restore on Debian/Ubuntu. Do not flush before opening the policies: with an INPUT policy of DROP, flushing removes the rule that accepts your established SSH session and locks you out. Check the article Setting up your first firewall via SSH to understand how to start/stop the firewall.
If you get something like this:
$ service iptables status
iptables: unrecognized service
it's because iptables is not a service in distributions other than Red Hat and its derivatives (or the iptables-services package is not installed). See the article linked above for details.
See:
https://linux.overshoot.tv/sbin/service
https://linux.overshoot.tv/wiki/init_systems_service_management
Best practice
- The last rule should be to drop all packets. Equivalently, set the chain's policy to DROP (-P INPUT DROP) so that anything not explicitly accepted is discarded; an explicit final DROP rule in addition to the policy also gives you a separate packet counter for what was rejected. Put the rules that accept loopback traffic, ESTABLISHED/RELATED connections and your own SSH port before it, or you will lock yourself out.
- -p, --protocol: when you don't specify -p, the rule matches all protocols. Do not rely on that default; always name the protocol (tcp, udp, icmp, ...) so that a rule is no broader than intended. Port matches such as --dport require -p anyway.
Issues related to this page:
Project | Summary | Status | Priority | Category | Last updated | Assigned to |
---|---|---|---|---|---|---|
Linux server | iptables: what are counters? What is being coun… | active | normal | support request | 11 years 50 weeks | |
Linux server | iptables vs. ip6tables. Do I need both? | active | normal | support request | 11 years 51 weeks | |
Linux server | iptables-persistent install fail with monolithi… | active | minor | bug report | 11 years 47 weeks | |