
Manage your server’s firewall with iptables

iptables can act as your server's gatekeeper, deciding which network traffic is allowed in, out, or through your server.

iptables is the classic command-line firewall utility on Linux. It lets you set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel (on current distributions the iptables command is often a compatibility front end for nftables, but the syntax below is unchanged). Understanding iptables improves your ability to secure your server and manage your network: you can control access to services, block malicious traffic, and make sure your server only accepts the connections you intend it to.

Basic concepts: tables and chains

iptables organizes its rules into tables, and within each table, there are chains.

  • Tables: Three tables cover basic firewalling (the raw and security tables also exist but are rarely needed on a single server):
    • filter (Default): This is the most common table and is used for general packet filtering (allowing or denying traffic). If you don’t specify a table, iptables uses the filter table by default.
    • nat (Network Address Translation): Used for modifying packet addresses (e.g., port forwarding, masquerading).
    • mangle: Used for modifying packet headers (e.g., changing Quality of Service bits).
  • Chains: Within the filter table, there are three built-in chains that define where rules are applied:
    • INPUT: Rules in this chain apply to packets entering the server, destined for a local process. This is the most frequently modified chain for server security.
    • OUTPUT: Rules in this chain apply to packets originating from the server, going to an external destination.
    • FORWARD: Rules in this chain apply to packets that are being routed through the server (i.e., not destined for the server itself, but passing through to another network). This is typically used on routers or gateways.
  • Policies: Each built-in chain has a default policy that decides what happens to a packet that matches none of the chain's rules. Only ACCEPT and DROP are valid policies; REJECT is a rule target (-j REJECT), not a chain policy.
    • ACCEPT: Allows the packet to pass.
    • DROP: Silently discards the packet. The sender receives no notification and usually waits until its own timeout expires.
    • REJECT: Discards the packet and sends an error back to the sender (by default an ICMP port unreachable; --reject-with tcp-reset is common for TCP), so the client fails immediately instead of hanging.

Rule matching directives

Use various directives when creating iptables rules to specify what kind of traffic the rule should match:

  • [!] -p, --protocol protocol: Specifies the protocol (e.g., tcp, udp, icmp, all). The ! inverts the match.
  • [!] -s, --source address[/mask]: Specifies the source IP address or network from which the packet originates.
  • [!] -d, --destination address[/mask]: Specifies the destination IP address or network where the packet is headed.
  • -j, --jump target: Specifies the action to take if the packet matches the rule. Common targets are ACCEPT, DROP, REJECT, or jumping to a user-defined chain.
  • [!] --dport port: (Used with -p tcp or -p udp) Specifies the destination port number or service name (e.g., 80, ssh).
  • [!] --sport port: (Used with -p tcp or -p udp) Specifies the source port number or service name.
  • [!] -i, --in-interface name: Matches packets received via a specific network interface (e.g., eth0).
  • [!] -o, --out-interface name: Matches packets being sent via a specific network interface.

Common iptables commands

Here are the most frequently used iptables commands for managing your firewall rules:

  • -L (List Rules): Lists all rules in a specified chain or all chains if none is specified.
    • iptables -L INPUT: Lists all rules in the INPUT chain.
    • iptables -L -v -n: Lists all rules in all chains with verbose output (packet and byte counters, interfaces) and numeric addresses and ports (no reverse DNS or /etc/services lookups, which also makes the listing much faster). This is very useful for troubleshooting. Add --line-numbers when you intend to delete or insert rules by position.
  • -F (Flush Rules): Deletes all rules from a specified chain. If no chain is specified, it flushes all rules from all chains.
    • iptables -F INPUT: Flushes all rules from the INPUT chain.
  • -A (Append Rule): Adds a new rule to the end of a specified chain.
    • iptables -A INPUT -p tcp --dport 80 -j ACCEPT:
      Appends a rule to the INPUT chain to accept incoming TCP traffic on port 80.
  • -D (Delete Rule): Deletes a rule from a specified chain. You can specify the rule by its exact description or by its line number (obtained with iptables -L --line-numbers).
    • iptables -D INPUT 5: Deletes the rule at line number 5 from the INPUT chain.
  • -I (Insert Rule): Inserts a new rule at a specific line number in a chain. If no line number is given, it inserts the rule at the top (line 1).
    • iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT: Inserts a rule to accept SSH traffic at the very beginning of the INPUT chain.
  • -P (Set Policy): Sets the default policy for a chain.
    • iptables -P INPUT DROP: Sets the default policy for the INPUT chain to DROP, so all incoming traffic is blocked unless a rule explicitly allows it. Add the rules that allow your own management traffic (such as SSH) before changing the policy, or a remote session will be cut off.

Connection tracking states

iptables can track the state of network connections, allowing for more intelligent rule sets. This is handled by the conntrack module; rules match on it with -m conntrack --ctstate STATE (older rule sets use the equivalent -m state --state STATE). The usual pattern is to accept ESTABLISHED,RELATED traffic early in the chain, drop INVALID, and write the remaining rules only for NEW connections:

  • NEW: A packet that is starting a new connection.
  • ESTABLISHED: A packet that belongs to an existing, established connection (traffic has been seen in both directions).
  • RELATED: A packet that is starting a new connection but is related to an existing one (e.g., an FTP data transfer connection opening after a control connection).
  • INVALID: A packet that does not belong to any known connection or is malformed. These are often dropped for security.
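The script below is an added example, not part of the original article: it writes a stateful INPUT baseline built from the states above, in the iptables-restore format that iptables-save also produces, so the ruleset can be reviewed and sanity-checked without touching the live firewall. The trusted management address 192.168.1.3 and the HTTP/HTTPS ports are assumptions for illustration; nothing in the script runs iptables itself.

```sh
#!/bin/sh
# Added example (not from the original article). Emits a stateful INPUT
# baseline in iptables-restore format; apply with:  iptables-restore < FILE
# Assumption for illustration: 192.168.1.3 is the trusted management host.
TRUSTED_ADMIN="${TRUSTED_ADMIN:-192.168.1.3}"

gen_baseline_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: local services talk to each other over lo.
-A INPUT -i lo -j ACCEPT
# Replies and follow-on traffic for flows already admitted (or opened by us).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot associate with any flow: malformed or out of window.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# From here on only NEW connections matter; one rule per exposed service.
-A INPUT -p tcp -s ${TRUSTED_ADMIN} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Checks that need no root: the policy is DROP, and the ESTABLISHED,RELATED
# accept sits above the first per-service rule, so an already-open management
# session keeps working no matter what the later rules say.
baseline_ok() {
    rules="$(gen_baseline_rules)"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    est=$(printf '%s\n' "$rules" | grep -n 'ctstate ESTABLISHED,RELATED' | cut -d: -f1)
    ssh=$(printf '%s\n' "$rules" | grep -n -- '--dport 22' | cut -d: -f1)
    [ -n "$est" ] && [ -n "$ssh" ] && [ "$est" -lt "$ssh" ]
}

# Usage: sh baseline.sh /root/baseline.rules   (then review, then restore)
if [ -n "$1" ]; then
    gen_baseline_rules > "$1" && baseline_ok && echo "wrote $1"
fi
```

Because the file is in iptables-save format, it can be kept under version control and restored with the same iptables-restore command shown further down for backups.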

Save rules to make them persistent

Rules you add with iptables commands take effect immediately but do not survive a reboot. To make them permanent, you need to save them. If another tool (such as APF or firewalld) manages the firewall on the server, change its configuration instead: a restart of that tool rebuilds the ruleset and discards rules added by hand.

CentOS/RHEL

  1. Save the current rules to /etc/sysconfig/iptables:
    service iptables save
  2. Ensure iptables starts on boot:
    chkconfig iptables on

On CentOS/RHEL 7 and later these commands come from the iptables-services package (service iptables save still works, and systemctl enable iptables replaces chkconfig); firewalld must be disabled first, since both manage the same tables.

Backup and Restore Rules

  • Back up your current iptables rules:
    iptables-save > /root/my_iptables_rules.bak
  • Restore previously backed up rules:
    iptables-restore < /root/my_iptables_rules.bak

Practical iptables examples

Here are common scenarios and how to implement them with iptables.

Block incoming traffic to a port

Port 25 is used in the following example, but any port can be used. The service name can be used (e.g., smtp instead of 25) if the service name is in /etc/services.

iptables -A INPUT -p tcp --dport 25 -j DROP

Allow SSH only from a trusted IP

This requires two rules: one to allow the trusted IP, and a second, broader rule to drop all other SSH attempts. The order of rules matters: iptables stops at the first rule that matches, so the ACCEPT for the trusted address must come before the DROP. If the INPUT chain already contains a rule that accepts port 22 from anywhere, that rule still wins; delete it, or insert these two above it with -I. Run the commands from a session that comes from the trusted address: unless an earlier rule already accepts ESTABLISHED traffic, the DROP rule also matches the packets of an SSH session that is already open from any other address, and you lock yourself out.

The IP address 192.168.1.3 is used in this example, but any IP that is trusted can be used:
iptables -A INPUT -p tcp -s 192.168.1.3 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Block all traffic from a malicious IP

Insert a rule at the top of the INPUT chain to immediately drop all traffic from a malicious IP. Inserting rather than appending matters here: an appended rule would sit below any earlier ACCEPT rule (for example the one for port 80), and the malicious host would still reach that service.

The IP address 192.0.2.50 is used in this example, but any potentially malicious IP can be used:
iptables -I INPUT -s 192.0.2.50 -j DROP
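The script below is an added example, not part of the original article: a first-match simulator for the rule orderings in the SSH example and the malicious-IP example above. It models only what those rules use (source address, TCP destination port and the chain policy), is not iptables, and never touches the live firewall; the rule sets and the untrusted address 203.0.113.9 are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): a first-match simulator for
# the rule orderings discussed above. It models only source address, TCP
# destination port and chain policy; it is not iptables.
#
# Rule format, one per line:  <source|any> <dport|any> <ACCEPT|DROP>

# SSH restricted to 192.168.1.3, as in the two-rule example above.
SSH_CORRECT='192.168.1.3 22 ACCEPT
any 22 DROP'

# The same two rules appended in the opposite order.
SSH_REVERSED='any 22 DROP
192.168.1.3 22 ACCEPT'

# A chain that already allows HTTP, with the 192.0.2.50 block appended (-A)...
BLOCK_APPENDED='any 80 ACCEPT
192.0.2.50 any DROP'
# ...and with the same block inserted at the top (-I).
BLOCK_INSERTED='192.0.2.50 any DROP
any 80 ACCEPT'

# verdict <rules> <policy> <src> <dport>
# Walks the chain top to bottom and stops at the first matching rule, exactly
# as the kernel does; a packet that matches nothing gets the chain policy.
verdict() {
    rules="$1"; policy="$2"; src="$3"; dport="$4"
    result=""
    while read -r r_src r_port r_target; do
        [ -z "$r_target" ] && continue
        if { [ "$r_src" = any ] || [ "$r_src" = "$src" ]; } &&
           { [ "$r_port" = any ] || [ "$r_port" = "$dport" ]; }; then
            result="$r_target"
            break            # first match wins; later rules are never consulted
        fi
    done <<EOF
$rules
EOF
    echo "${result:-$policy}"
}

printf 'SSH, correct order:  trusted=%s other=%s\n' \
    "$(verdict "$SSH_CORRECT" ACCEPT 192.168.1.3 22)" \
    "$(verdict "$SSH_CORRECT" ACCEPT 203.0.113.9 22)"
printf 'SSH, reversed order: trusted=%s other=%s\n' \
    "$(verdict "$SSH_REVERSED" ACCEPT 192.168.1.3 22)" \
    "$(verdict "$SSH_REVERSED" ACCEPT 203.0.113.9 22)"
printf 'Block 192.0.2.50 on port 80: appended=%s inserted=%s\n' \
    "$(verdict "$BLOCK_APPENDED" ACCEPT 192.0.2.50 80)" \
    "$(verdict "$BLOCK_INSERTED" ACCEPT 192.0.2.50 80)"
```

With the rules reversed, the trusted host is dropped as well because the broad DROP is reached first; with the block appended instead of inserted, the malicious host still gets through on port 80. The real listing to compare against is iptables -L INPUT -n --line-numbers, which shows the same top-to-bottom order the simulator walks.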


Troubleshooting iptables

If you suspect your firewall rules are causing issues, you can temporarily clear them.

Note

Use with extreme caution on production servers, as this opens all ports! Be sure to take a backup.

The following commands will reset your iptables firewall rule set. The policies are set to ACCEPT first on purpose: flushing the rules while INPUT still has a DROP policy would cut off your own session. These commands only touch the filter table; repeat -F and -X with -t nat and -t mangle if rules live there as well.

iptables -P INPUT ACCEPT    # Set default policy to ACCEPT for incoming
iptables -P OUTPUT ACCEPT # Set default policy to ACCEPT for outgoing
iptables -P FORWARD ACCEPT # Set default policy to ACCEPT for forwarding
iptables -F # Flush all rules from all chains
iptables -X # Delete all user-defined chains
iptables -Z # Zero out all packet and byte counters

If you see messages like Starting APF:iptables: Resource temporarily unavailable when restarting your firewall, it often means the server is low on available memory. Check your server’s memory usage. If it’s critically low, temporarily shut down non-essential services, restart the firewall, and then bring your services back online.

Some firewall configurations (especially older ones or those with default rules) might implicitly drop traffic to IP addresses ending in .255 (which are often used as broadcast addresses). Such rules typically use the destination 0.0.0.255/0.0.0.255, a mask that matches every address whose last octet is 255, not only real broadcast addresses. If you have a legitimate server IP ending in .255 and experience connectivity issues, you might need to remove these blocking rules.

  1. Find the rule's line number (-F makes grep treat the pattern literally; in a plain ".255" the dot would match any character):
    iptables -L INPUT --line-numbers | grep -F '.255'
    • You might see output similar to this:
      27 DROP icmp -- anywhere 0.0.0.255/0.0.0.255
      28 DROP all -- anywhere 0.0.0.255/0.0.0.255

  2. Delete the first rule by its line number. Then, delete the next rule, remembering that its line number will have decreased by one. (Deleting from the highest line number downwards avoids the shift altogether.)
    iptables -D INPUT 27 # Deletes the first rule (e.g., original was on line 27)
    iptables -D INPUT 27 # Deletes the new rule at line 27 (original was on line 28)

This will allow traffic to the .255 IP to route properly.
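The two-step deletion above is easy to get wrong when more than two rules match. The script below is an added example, not part of the original article: it takes the line numbers from the listing and deletes from the highest number down, so no number shifts under you. The listing embedded in it is constructed sample output of iptables -L INPUT -n --line-numbers (numeric form, which is why addresses read 0.0.0.0/0 rather than anywhere); the rule on line 29 is there only to show that a ".255" in a source address is not picked up.

```sh
#!/bin/sh
# Added example (not from the original article): remove every INPUT rule whose
# destination matches a string, deleting by line number in descending order so
# that removing one rule never renumbers the rules still to be deleted.
#
# Constructed sample output of:  iptables -L INPUT -n --line-numbers
# Replace it with the real command's output to work on a live system.
SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
26   ACCEPT     tcp  --  192.168.1.3          0.0.0.0/0            tcp dpt:22
27   DROP       icmp --  0.0.0.0/0            0.0.0.255/0.0.0.255
28   DROP       all  --  0.0.0.0/0            0.0.0.255/0.0.0.255
29   DROP       tcp  --  10.1.255.5           0.0.0.0/0            tcp dpt:25'

# matching_rule_numbers <string> <listing>
# Prints the rule numbers whose destination column (field 6) contains the
# string, highest first. Testing the column with awk avoids the pitfall of
# grep ".255", where "." is a regex wildcard and the match can land on a
# source address or a port instead of the destination.
matching_rule_numbers() {
    pattern="$1"
    printf '%s\n' "$2" | awk -v pat="$pattern" '
        $1 ~ /^[0-9]+$/ && index($6, pat) > 0 { print $1 }' | sort -rn
}

# delete_commands <string> <listing>
# Emits the iptables -D commands in the safe order; it does not run them.
# Live use, after reviewing the output:
#   delete_commands '.255' "$(iptables -L INPUT -n --line-numbers)" | sh
delete_commands() {
    for n in $(matching_rule_numbers "$1" "$2"); do
        printf 'iptables -D INPUT %s\n' "$n"
    done
}

delete_commands '.255' "$SAMPLE_LISTING"
```

The same approach applies to any cleanup that removes several rules by position: collect the numbers first, then delete from the bottom of the chain upwards.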

Conclusion

iptables is a fundamental tool for securing and managing network traffic on your Linux server. By understanding its basic concepts, commands, and troubleshooting techniques, you can effectively control access, protect your services, and diagnose connectivity issues. Always exercise caution when modifying firewall rules, and remember to save your changes to ensure they persist across reboots.
