administration tool for IPv4/IPv6 packet filtering and NAT
iptables is a user-space utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.
- filter (default table; used when no -t option is given)
  - INPUT: packets addressed to this host itself (e.g. an inbound ssh connection)
  - FORWARD: packets routed through this host that are not delivered locally; used when the host acts as a router or NAT gateway
  - OUTPUT: packets generated by this host
- nat (consulted only for the first packet of a new connection; conntrack then applies the resulting mapping to the rest of that connection)
  - PREROUTING: rewrite the destination before the routing decision (DNAT)
  - OUTPUT: DNAT for locally generated packets
  - POSTROUTING: rewrite the source after the routing decision (SNAT, MASQUERADE)
Set the default policy of a chain, i.e. what happens to a packet that no rule matched (-P is the short form):
$ iptables --policy INPUT ACCEPT
$ iptables --policy INPUT DROP
Switch INPUT to DROP only after the rules that allow your own management session are in place, otherwise a remote shell is cut off.
- ACCEPT
  - Let the packet through
- DROP
  - Discard the packet silently; the sender gets no answer and eventually times out, so it cannot tell whether the host is down or a firewall is in the way
- REJECT
  - Discard the packet but send back an error (an ICMP unreachable by default, or a TCP RST with --reject-with tcp-reset); the sender learns immediately that the connection was refused
- Rules allow or block specific addresses, address ranges and ports. -A appends to the end of a chain and the first matching rule wins, so order matters.
Block all connections from 10.10.10.10
$ iptables -A INPUT -s 10.10.10.10 -j DROP
Block all connections from the range 10.10.10.0/24
$ iptables -A INPUT -s 10.10.10.0/24 -j DROP
Block only ssh from 10.10.10.10 (service names are resolved via /etc/services, so --dport ssh means --dport 22)
$ iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
Allow inbound ssh to this host from 10.10.10.10. The OUTPUT rule only accepts packets of a session that is already ESTABLISHED, so if the OUTPUT policy is DROP this host cannot open a new ssh connection to 10.10.10.10, but it can still answer the inbound session, which is all an ssh server needs. (-m state --state is the legacy spelling of -m conntrack --ctstate; both work.)
$ iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT
Rules live only in the running kernel. iptables-save prints the current ruleset to stdout in iptables-restore format; redirect it to a file to keep it and load it again with iptables-restore:
$ sudo /sbin/iptables-save
Flush all rules of the filter table. Policies are not reset, so with an INPUT policy of DROP this locks out a remote session:
$ iptables -F
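The rules above are added one at a time with -A, which makes ordering mistakes easy and leaves a window during which the policy is DROP but the accept rules are not yet loaded. The following is an added example (not from the original page): a shell script that emits the complete ruleset for the same scenario in iptables-restore format, so it can be reviewed and then loaded atomically. It uses -m conntrack --ctstate, the current form of the page's -m state --state. 10.10.10.10 is the page's management host; 10.10.20.0/24 is an assumed blocked range, chosen so it does not overlap the management host; the rules.v4 path mentioned in the comments is the iptables-persistent default on Debian/Ubuntu and is also an assumption about your distribution.

```shell
#!/bin/sh
# Added example, not code from the original page.
# Emits a complete, ordered filter ruleset in iptables-restore format.
# Assumed values: 10.10.10.10 is the management host (from the page),
# 10.10.20.0/24 is an arbitrary blocked range that does not overlap it.
MGMT_HOST="10.10.10.10"
BLOCKED_NET="10.10.20.0/24"

build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback must stay open or local services (DNS stub resolvers, databases) break
-A INPUT -i lo -j ACCEPT
# packets of sessions already accepted, and replies to connections this host opened
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot associate with any session (stray RSTs, bad sequence numbers)
-A INPUT -m conntrack --ctstate INVALID -j DROP
# explicit block of a range; placed before any ACCEPT because the first matching rule wins
-A INPUT -s ${BLOCKED_NET} -j DROP
# new ssh sessions only from the management host (replies are covered by ESTABLISHED above)
-A INPUT -p tcp --dport 22 -s ${MGMT_HOST} -m conntrack --ctstate NEW -j ACCEPT
# everything else falls through to the INPUT policy (DROP)
COMMIT
EOF
}

# 1-based line number of the first ruleset line matching a pattern; used to check ordering.
rule_line() {
  build_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Ordering check: the explicit DROP must sit before the ssh ACCEPT,
# because iptables stops at the first rule that matches.
check_order() {
  [ "$(rule_line "-s ${BLOCKED_NET} -j DROP")" -lt "$(rule_line "--dport 22")" ]
}

# Write the ruleset to a file. Load it with:  iptables-restore < FILE
# (assumed path for persistence across reboots with iptables-persistent: /etc/iptables/rules.v4)
write_ruleset() {
  build_ruleset > "$1"
}
```

Review the output of build_ruleset before loading it; iptables-restore replaces the whole table in one step, so a typo does not leave a half-built chain behind. When applying over a remote session, iptables-apply (shipped with iptables) loads a file and rolls it back automatically unless you confirm within a timeout, which protects against the lock-out case described above.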