iptables

This is a wiki page. Be bold and improve it!

If you have any questions about the content on this page, don't hesitate to open a new ticket and we'll do our best to assist you.

Documentation

Official web site:
http://www.netfilter.org/
Start by getting familiar with the official documentation:
http://www.netfilter.org/documentation/

Wikipedia:
http://en.wikipedia.org/wiki/Iptables

Ubuntu iptables Howto:
https://help.ubuntu.com/community/IptablesHowTo

General concepts

First of all, it is important to understand the following hierarchy:
iptables is a list of tables. Each table contains several chains. Each chain is made of an ordered succession of rules. Rules are matched to traffic packets. Thus we have: iptables -> tables -> chains -> rules.

tables

You don't need to create any table. 3 standard tables come out of the box. For a basic firewall set up, you'll only be dealing with the default 'filter' table.

See the top of the iptables manpage for a description of the standard tables.
To see the list of available tables:
cat /proc/net/ip_tables_names

chains

The table 'filter' comes with three built-in chains: INPUT, FORWARD and OUTPUT. You may create your own custom chains to complement these for a more advanced set-up, but at the beginning, you'll only be adding rules to the INPUT and maybe OUTPUT chains.

Enable/disable firewall

In Red Had and derivative distributions, iptables is set up as a service, which is then easy to start and stop at will. For other distributions (Debian and derivatives, etc.), rules must be saved on file and then flushed from the system to disable the firewall. To enable it again, you must reload the rules from the file. Check the article Setting up your first firewall via SSH to understand how to start/stop the firewall.

If you get something like this:

$ service iptables status
iptables: unrecognized service

it's because iptables is not a service in distributions other than Red Had and its derivatives. See article linked above for details.

See:
https://linux.overshoot.tv/sbin/service
https://linux.overshoot.tv/wiki/init_systems_service_management

Best practice

- The last rule should be to drop all packets.

- -p, --protocol: When you don’t specify -p, by default “all” protocols will be used. It is not a good practice to use “all”, and always specify a protocol.

Issues related to this page:

ProjectSummaryStatusPriorityCategoryLast updatedAssigned to
Linux serveriptables: what are counters? What is being coun…activenormalsupport request12 years 1 hour
Linux serveriptables vs. ip6tables. Do I need both?activenormalsupport request12 years 1 day
Linux serveriptables-persistent install fail with monolithi…activeminorbug report11 years 48 weeks