Iptables

From Christoph's Personal Wiki
Revision as of 02:52, 27 February 2007 by Christoph (Talk | contribs)


Basic command options

Chain manipulation (the filter table's three built-in chains, INPUT, FORWARD and OUTPUT, are always present; the nat and mangle tables, selected with -t, have their own built-in chains):

  • Create a new user-defined chain (-N, --new-chain chain)
  • Delete a user-defined chain (-X, --delete-chain [chain]); the chain must be empty and no rule may still jump to it
  • Change the policy for a built-in chain (-P, --policy chain target); only built-in chains have a policy, a user-defined chain ends with an implicit RETURN
  • List the rules in a chain (-L, --list [chain]); add -n for numeric addresses and ports, -v to see interfaces and counters, and --line-numbers to see the rulenum that -I, -R and -D accept
  • Flush the rules out of a chain (-F, --flush [chain])
  • Zero the packet and byte counters in a chain or in all chains (-Z, --zero [chain]) (note: it is legal to specify -L, --list as well, to see the counters immediately before they are cleared)

Rule manipulation:

  • Append a new rule to the end of a chain (-A, --append chain rule-specification)
  • Insert a rule at a given position (-I, --insert chain [rulenum] rule-specification); the default rulenum is 1, the head of the chain
  • Replace the rule at a given position (-R, --replace chain rulenum rule-specification)
  • Delete a rule, either by repeating its specification (-D, --delete chain rule-specification) or by its position (-D, --delete chain rulenum)

Help (-h)

Usage

iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LFZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands

Either long or short options are allowed.

 --append  -A chain            Append to chain
 --delete  -D chain            Delete matching rule from chain
 --delete  -D chain rulenum
                               Delete rule rulenum (1 = first) from chain
 --insert  -I chain [rulenum]
                               Insert in chain as rulenum (default 1=first)
 --replace -R chain rulenum
                               Replace rule rulenum (1 = first) in chain
 --list    -L [chain]          List the rules in a chain or all chains
 --flush   -F [chain]          Delete all rules in  chain or all chains
 --zero    -Z [chain]          Zero counters in chain or all chains
 --new     -N chain            Create a new user-defined chain
 --delete-chain
           -X [chain]          Delete a user-defined chain
 --policy  -P chain target
                               Change policy on chain to target
 --rename-chain
           -E old-chain new-chain
                               Change chain name, (moving any references)

Options

 --proto       -p [!] proto    protocol: by number or name, eg. `tcp'
 --source      -s [!] address[/mask]
                               source specification
 --destination -d [!] address[/mask]
                               destination specification
 --in-interface -i [!] input name[+]
                               network interface name ([+] for wildcard)
 --jump        -j target
                               target for rule (may load target extension)
 --goto        -g chain
                               jump to chain with no return
 --match       -m match
                               extended match (may load extension)
 --numeric     -n              numeric output of addresses and ports
 --out-interface -o [!] output name[+]
                               network interface name ([+] for wildcard)
 --table       -t table        table to manipulate (default: `filter')
 --verbose     -v              verbose mode
 --line-numbers                print line numbers when listing
 --exact       -x              expand numbers (display exact values)
[!] --fragment  -f             match second or further fragments only
 --modprobe=<command>          try to insert modules using this command
 --set-counters PKTS BYTES     set the counter during insert/append
[!] --version   -V             print package version.
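
The command and option listings above are the reference; as an added example that is not from the original page, the following script walks through the chain and rule-number operations in that order of use (-N, -A, -I, -R, -D by rulenum, -E, -F, -X, and -L -n -v -x --line-numbers). Commands are printed rather than executed unless APPLY=1 is set and the script runs as root, so it can be read and tested on any machine. The chain name LAN_SERVICES, the interface eth0, the source network 10.0.0.0/8 and the listing embedded in sample_listing are constructed for this example.

```shell
#!/bin/bash
# Added example, not from the wiki page: user-defined chains and rule numbers.
# Commands are printed unless APPLY=1 is set and the script runs as root.
# Made up for the example: chain LAN_SERVICES, interface eth0, LAN 10.0.0.0/8
# and the listing returned by sample_listing.
set -e

run() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# Constructed stand-in for `iptables -L INPUT -n --line-numbers` output.
# -n keeps addresses and ports numeric; --line-numbers gives the rulenum that
# -I, -R and -D accept. Rule 2 is the "-i lo" rule: without -v the listing
# hides the interface, so always list with -v before acting on a number.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  10.0.0.0/8           0.0.0.0/0            tcp dpt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
EOF
}

listing() {
    if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
        iptables -L INPUT -n --line-numbers
    else
        sample_listing
    fi
}

# Read a listing on stdin and print the rulenum of the first rule whose
# destination port is exactly $1; print nothing and exit 1 if there is none.
rulenum_for_dport() {
    awk -v port="$1" '
        $1 ~ /^[0-9]+$/ && $0 ~ ("dpt:" port "( |$)") { print $1; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

demo() {
    # Rule numbers shift with every insert or delete, so look the number up
    # immediately before using it with -R or -D.
    n=$(listing | rulenum_for_dport 80) || { echo "no port-80 rule" >&2; return 1; }
    # Replace the catch-all web rule by number: limit it to the LAN interface.
    run -R INPUT "$n" -i eth0 -p tcp --dport 80 -j ACCEPT

    # Group the LAN-only services in a user-defined chain. RETURN hands
    # unmatched packets back to INPUT, where its policy applies.
    run -N LAN_SERVICES
    run -A LAN_SERVICES -p tcp --dport 22 -j ACCEPT
    run -A LAN_SERVICES -p udp --dport 137 -j ACCEPT
    run -A LAN_SERVICES -j RETURN
    # -I with no rulenum inserts at position 1, ahead of every existing rule.
    run -I INPUT -s 10.0.0.0/8 -j LAN_SERVICES

    # Renaming moves the reference in INPUT along with the chain. -X needs an
    # empty chain that nothing jumps to, hence -F and -D first.
    run -E LAN_SERVICES LAN_IN
    run -F LAN_IN
    run -D INPUT -s 10.0.0.0/8 -j LAN_IN
    run -X LAN_IN

    # Verbose listing: counters, interfaces, exact numbers, rule numbers.
    run -L INPUT -n -v -x --line-numbers
}

demo
```

Run it as is to read the command sequence; run `APPLY=1 ./script` as root to execute it against the live tables. The awk filter is the part worth keeping: piping `iptables -L INPUT -n --line-numbers` through it gives the rulenum for -R or -D without counting lines by hand.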

Example script

#!/bin/bash
# Flushes the current rules and rebuilds a host firewall: drop all incoming
# traffic by default, allow loopback, replies to connections this host opened,
# and a few services. Each rule is a separate iptables call, so a typo stops
# the script part way; set -e makes that failure visible instead of silent.
set -e

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D="224.0.0.0/4"        # multicast
CLASS_E="240.0.0.0/4"        # reserved (the whole of 240.0.0.0/4, not /5)
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"
# Only CLASS_A is used by the rules below; the other addresses are defined
# but not used.

########
# flush iptables (rules only: user-defined chains and policies are kept)
iptables -F
iptables -t nat -F
iptables -t mangle -F

########
# loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

########
# allow replies to connections this host opened, and related traffic such as
# ICMP errors. Added before the policy switch so the rule is already in place
# when INPUT becomes DROP. If the policy is already DROP from an earlier run,
# the -F above still opens a brief window with no rules at all; loading the
# rules with iptables-restore instead of one iptables call per rule avoids it.
# (-m state still works; newer iptables spell it -m conntrack --ctstate.)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

########
# policies: whatever no rule accepts is dropped (inbound and forwarded)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# newer kernels also have INPUT, FORWARD and POSTROUTING chains in mangle;
# their policy is ACCEPT by default
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

########
# programs and stuff (add a line for each service you want to allow)

# SSH, from the local network only
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 22 -j ACCEPT

# apache server (on all interfaces/networks)
iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT

# samba + network share, local network only. NetBIOS name service (137) and
# datagram service (138) are UDP; NetBIOS session (139) and SMB over TCP (445)
# are TCP. Nothing listens on the other protocol, so those ports stay closed.
iptables -A INPUT -s $CLASS_A -p udp --destination-port 137 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p udp --destination-port 138 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 139 -j ACCEPT
iptables -A INPUT -s $CLASS_A -p tcp --destination-port 445 -j ACCEPT
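
The script above issues one iptables call per rule, so there is a short period in which the INPUT policy is DROP while the rules that should go with it are still being added, and a typo part way through leaves the host half-configured. As an added example that is not part of the original page, the following script builds the same filter policy as an iptables-restore ruleset, which the kernel loads in one atomic operation: either every rule is installed or nothing changes. It also opens only the protocols Samba actually uses (UDP 137/138, TCP 139/445) and uses -m conntrack --ctstate, the current spelling of -m state. The trusted network 10.0.0.0/8, the service set and the availability of iptables-restore --test are assumptions made for the example.

```shell
#!/bin/bash
# Added example (not from the wiki page): host firewall as an iptables-restore
# ruleset, loaded atomically. Assumed: trusted LAN 10.0.0.0/8, services ssh,
# http and Samba, and an iptables-restore that supports --test.
set -e

TRUSTED_NET="${TRUSTED_NET:-10.0.0.0/8}"

# Emit the filter table in iptables-save/iptables-restore format. Only the
# filter table is named, so the nat and mangle tables are left untouched.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s ${TRUSTED_NET} -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
EOF
    # Samba: NetBIOS name and datagram services are UDP only, NetBIOS session
    # and direct SMB are TCP only; opening both protocols on all four ports
    # adds exposure without adding function.
    local p
    for p in 137 138; do
        echo "-A INPUT -s ${TRUSTED_NET} -p udp -m udp --dport ${p} -j ACCEPT"
    done
    for p in 139 445; do
        echo "-A INPUT -s ${TRUSTED_NET} -p tcp -m tcp --dport ${p} -j ACCEPT"
    done
    echo "COMMIT"
}

# Parse and build the ruleset in the kernel without committing it. Needs root
# but never changes the running firewall, so run it before every apply.
check_ruleset() {
    build_ruleset | iptables-restore --test
}

# Commit the ruleset. iptables-restore replaces the whole filter table in one
# step; if any line is rejected nothing changes, so a typo cannot leave the
# host with an INPUT policy of DROP and no ESTABLISHED,RELATED rule.
apply_ruleset() {
    check_ruleset
    build_ruleset | iptables-restore
}

main() {
    case "${1:-print}" in
        print) build_ruleset ;;
        check) check_ruleset ;;
        apply) apply_ruleset ;;
        *) echo "usage: $0 [print|check|apply]" >&2; return 2 ;;
    esac
}

main "$@"
```

`./script print` shows the generated ruleset on any machine; `check` and `apply` need root. Because the generated text is exactly what iptables-save would print back, it can be kept under version control and diffed against `iptables-save` output to detect rules added by hand.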

External links