Introduction to the IPtables Command

March 29, 2017 | Views: 5148

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

What is IPtables?

Iptables is a firewall that is usually built into Linux. Technically, IPtables is the interface for the kernel module Netfilter. In other words, IPtables resides in userspace and allows the user to enter firewall rules, and Netfilter is the kernel module that does the actual filtering.

Before we get into actually setting up our firewall rules let’s get an idea of the concepts involved. Iptables uses IP addresses, ports, and protocols to filter packets. Rules are placed into predefined chains and IP packets are checked against the rules in a chain for a decision to be made. The actions taken by the rules are known as targets, the most common targets being ACCEPT and DROP.

Predefined Chains

The three chains in the filter table are:

  • INPUT – inbound packets
  • OUTPUT – outbound packets
  • FORWARD – packets that are neither destined for or coming from our host, but rather just passing through (used mainly for routers)

Normally we are concerned with the INPUT chain for protecting our network from external threats, but it may be a good idea to add some filters for outbound traffic as well (blocking outbound internet connections on a subnet with test systems on it for instance).

In summary, rules are added in a list to the chains, packets are checked against each rule, and then an action is taken based on the rules.

If a packet doesn’t match any of the rules then the default action for that chain is applied. This is referred to as the default policy which can be set to either ACCEPT or DROP.

Now we must decide how we are going to organize our firewall. There are two choices; one is to set the default policy to DROP and then add specific rules to ACCEPT packets from a specific host (implicit deny) or you can set the default policy to ACCEPT which will drop that which does not come from a trusted host (explicit deny). Generally, option one is implemented for ease of administration and better overall security.

Working with IPtables

Working with IPtables requires root privileges, so, either use su or sudo before the commands below. IPtables is installed by default on most Linux distros. You can check if the module is loaded with;

lsmod | grep ip_tables

you can list the current rules with;

iptables -L

If not installed use your distro’s package manager to install the iptables package.

You can start IPtables on a host running systemd with;

systemctl start iptables


You can enable it on boot with;

systemctl enable iptables


Writing the rules

Now let’s add some rules to our IPtables that will create a basic SPI (stateful packet inspection) firewall. In your terminal enter;

iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP


What’s going on in the above commands is as follows;

iptables -P INPUT ACCEPT This allows for remote connections by setting the default policy to ACCEPT, which can be important if you’re going to be connecting to the host via SSH.

iptables -F This flushes the current chains.

iptables -A INPUT -m state ESTABLISHED, RELATED -j ACCEPT If you were configuring this host remotely this would allow the connection to persist after the firewall rules are updated.

iptables -A INPUT -i lo -j ACCEPT This accepts connections on the local loopback address.

iptables -A INPUT -p tcp –dport 22 -j ACCEPT This accepts all connections destined for port 22 the default ssh port.

iptables -P OUTPUT ACCEPT This sets the default policy for outbound connections to accept.

iptables -P INPUT DROP This set the default policy for inbound connections to drop.

iptables -P FORWARD DROP This sets the forward default policy to drop.


For further explanation, the -j switch is the jump parameter and takes a target, such as DROP as it’s argument.


You can save your rules with the command;

iptables-save > /etc/iptables.rules


After saving your firewall rules you may restart the IPtables service on systems running systemd with the command;

systemctl reload iptables


Fine tuning IPtables rules

Something like the above example might be fine for some, but others may want to fine tune their rules a littler further to allow or deny access to a certain host or a specific interface. In the example above we do this with the

iptables -A INPUT -i lo -j ACCEPT 

Here we are appending to the INPUT chain the rule that when packets destined for the loopback interface arrive jump to the ACCEPT target. This can be done with other interfaces as well such as eth0.

IP addresses can also be used to fine tune IPtables rules. For example;

iptables -A INPUT -s -p tcp --dport 22 -j DROP


With this rule we append to the INPUT chain that packets with the source address on the /24 subnet destined for tcp port 22 should be dropped.


Logging what your firewall is doing is pretty important so let’s see how we might do that;

iptables -A INPUT -s -p tcp --dport 22-j LOG --log-prefix “[DENIED:INPUT] ” --log-level 7
iptables -A INPUT -s -p tcp --dport 22 -j DROP


In the above example, we create two rules with matching criteria. One pointing to the LOG target and the next to the DROP. The LOG rule tells Netfilter that when a packet with the source address destined for TCP port 22; jump to the LOG chain. As well as prefix [DENIED:INPUT] to the Syslog. The second rule is similar to the example above; drop packets with the specified source address destined for the specified port.

Now what?

It is also possible to create your own chains with the


switch, as well as writing your rules into a script which will make things much easier. Still, with this knowledge, you should be able to get up and running with IPtables.

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?