How Iptables works

Network traffic is made up of packets. Data is broken up into smaller pieces (called packets), sent over a network, then put back together. Iptables identifies the packets received and then uses a set of rules to decide what to do with them.

Iptables filters packets based on:

  • Tables: Tables are files that join similar actions. A table consists of several chains.

  • Chains: A chain is a string of rules. When a packet is received, iptables finds the appropriate table, then runs it through the chain of rules until it finds a match.

  • Rules: A rule is a statement that tells the system what to do with a packet. Rules can block one type of packet, or forward another type of packet. The outcome, where a packet is sent, is called a target.

  • Targets: A target is a decision of what to do with a packet. Typically, this is to accept it, drop it, or reject it (which sends an error back to the sender).


Basic Syntax for iptables Commands and Options

In general, an iptables command looks as follows:

sudo iptables [option] CHAIN_rule [-j target]

Here is a list of some common iptables options:

  • -A --append – Add a rule to a chain (at the end).

  • -C --check – Look for a rule that matches the chain’s requirements.

  • -D --delete – Remove specified rules from a chain.

  • -F --flush – Remove all rules.

  • -I --insert – Add a rule to a chain at a given position.

  • -L --list – Show all rules in a chain.

  • -N -new-chain – Create a new chain.

  • -v --verbose – Show more information when using a list option.

  • -X --delete-chain – Delete the provided chain.

Iptables is case-sensitive, so make sure you’re using the correct options.


Enable Loopback Traffic

This command configures the firewall to accept traffic for the localhost (lo) interface (-i). Now anything originating from your system will pass through your firewall. You need to set this rule to allow applications to talk to the localhost interface.

$ iptables -A INPUT -i lo -j ACCEPT

Allow Traffic on Specific Ports

Allow HTTP web traffic with the following command.

$ iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Allow incoming SSH traffic with the following command.

$ iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow incoming HTTPS web traffic with the following command.

$ iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Block Traffic on Specific Ports

Dropping unwanted traffic with a specific port.

$ iptables -A INPUT -p tcp --dport 80 -j DROP

The options work as follows:

  • -p Check for the specified protocol (TCP).

  • --dport Specify the destination port.

  • -j (jump) take the specified action.

Control Traffic by IP Address

Use the following command to ACCEPT from a specific IP address.

$ iptables -A INPUT -s -j ACCEPT

Drop traffic from specific IP address.

$ iptables -A INPUT -s -j DROP

Reject traffic from a range IP address

$ iptables -A INPUT -m iprange --src-range -j REJECT

The iptables options we used in the examples work as follows:

  • -m – Match the specified option.

  • -iprange – Tell the system to expect a range of IP addresses instead of a single one.

  • --src-range – Identifies the range of IP addresses.

Delete Rule

$ iptables -L --line-numbers

$ iptables -D INPUT <rule number>