A Guide to the iptables Commands in Linode
The iptables command is a powerful tool for configuring and managing the Linux kernel’s firewall. It allows you to define rules for controlling network traffic using tables and chains, providing fine-grained control over incoming and outgoing connections.
Today we’ll explore key iptables features, including listing chains, setting default policies, and managing connections based on ports and IPs.
An Overview:
- What are Chains in iptables
- How to Set Up Default Policies
- Block and Allow Connections by IP
- Block and Allow Connections by Port
- Save and Persist Rules
- Delete and Clear Rules
- How to Open Ports
- Best Practices for Managing iptables
What are Chains in iptables
Chains are ordered lists of rules that are checked, one after another, against the packets that reach them. The filter table has three built-in chains: INPUT (traffic addressed to the server), FORWARD (traffic routed through it), and OUTPUT (traffic the server sends). To list the rules in these chains, use:
sudo iptables -L
The output may appear as:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
How to Set Up Default Policies
Initially, no rules are set in a fresh configuration. Start by setting the default target policy to define how traffic is handled:
sudo iptables --policy INPUT ACCEPT
sudo iptables --policy FORWARD ACCEPT
sudo iptables --policy OUTPUT ACCEPT
You can change the default policy to DROP or REJECT so that all traffic is blocked unless a rule explicitly allows it. Before switching INPUT to DROP, add the rules that allow your own administrative access (such as SSH from your address), or you can lock yourself out of the server.
Block and Allow Connections by IP
To block incoming traffic from a specific IP address, use:
sudo iptables -A INPUT -s 192.168.1.1 -j DROP
To block an entire subnet:
sudo iptables -A INPUT -s 192.168.1.1/24 -j DROP
To block outgoing traffic to an IP, match on the destination address (-d) in the OUTPUT chain:
sudo iptables -I OUTPUT -d 192.168.1.1 -j DROP
These rules are added to chains whose default policy is still "ACCEPT", so any traffic that no DROP rule matches is allowed through. You can change that policy to "DROP" or "REJECT" to disable all server access and then manually allow only specific services.
Block and Allow Connections by Port
Block specific ports or services by specifying the protocol and destination port.
- Block incoming SSH connections on port 22:
sudo iptables -I INPUT -p tcp --dport 22 -j DROP
- Block HTTP traffic on port 80:
sudo iptables -I INPUT -p tcp --dport 80 -j DROP
- Block a specific IP from accessing a service on port 80:
sudo iptables -I INPUT -p tcp --dport 80 -s 192.168.1.1 -j DROP
To allow traffic instead, replace DROP with ACCEPT. Linode also provides other ways to open a port.
Save and Persist Rules
iptables-save writes the active rule set to standard output, so redirect it to the file your distribution restores at boot (for example, /etc/iptables/rules.v4 when the iptables-persistent package is installed on Debian or Ubuntu):
sudo /sbin/iptables-save > /etc/iptables/rules.v4
Alternatively, you can use:
sudo service iptables save
Delete and Clear Rules
To delete a specific rule, find its line number:
sudo iptables -L --line-numbers
Then, delete the rule using:
sudo iptables -D INPUT line_number
To clear all rules and start with a clean slate:
sudo iptables -F
How to Open Ports
To open an incoming port, such as 2525:
sudo iptables -A INPUT -p tcp --dport 2525 -j ACCEPT
For outgoing ports, such as 3032:
sudo iptables -A OUTPUT -p tcp --dport 3032 -j ACCEPT
Save the changes to make them persistent:
sudo service iptables save
Best Practices for Managing iptables
- Double-check all rules to avoid mistakes.
- Test new rules to make sure they work as expected before saving them.
- Save your current settings to a file so you can restore them quickly with iptables-restore:
sudo iptables-save > /path/to/backup_file
Conclusion
Mastering iptables offers granular control over server traffic, enhancing security and optimizing performance. With careful handling and structured approaches, you can ensure reliable configurations for your Linux server.
To summarize, our Support Experts demonstrated the use of iptables commands in Linode.