The iptables command in Linux: how to configure the system firewall

Introduction

The firewall is an essential layer of security on any Linux server. iptables is the traditional tool that allows defining packet filtering rules at the kernel level. Although nftables has been gaining ground, iptables remains widely used and understanding its operation is fundamental for system administrators.

What is iptables?

iptables is a user-space interface to the Netfilter packet filtering subsystem of the Linux kernel. It works via tables and chains: each table contains a set of chains (INPUT, OUTPUT, FORWARD, etc.) where packets are evaluated according to the defined rules.

Basic Syntax

The general format of a rule is:

iptables [-t table] chain match -j action
  • -t table: specifies the table (default: filter). Other useful tables are nat and mangle.
  • chain: indicates in which chain the rule is inserted (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING).
  • match: criteria such as protocol, port, IP address, connection state, etc.
  • -j action: jump to an action (ACCEPT, DROP, REJECT, LOG, etc.).

Default Policies

Before adding specific rules, it is advisable to set a base policy. For example, for a server that only accepts necessary incoming connections:

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

With this, all incoming traffic is dropped by default and only explicitly allowed traffic will pass. If you are administering the server over SSH, add the rule that allows your session before setting the INPUT policy to DROP, or the connection will be cut.

Common Example Rules

Allow SSH traffic (port 22)

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow HTTP and HTTPS

iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Block a specific IP address

iptables -A INPUT -s 203.0.113.5 -j DROP

Limit the rate of new connections (anti-flood)

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 5 -j ACCEPT

Packets above the limit are not accepted by this rule and fall through to the rules that follow (and finally to the DROP policy), so it must be placed before any plain ACCEPT for the same port, or it will never match.

Saving and Restoring Rules

iptables rules are volatile; they are lost when the system reboots. To make them persistent:

  • On Debian/Ubuntu: apt-get install iptables-persistent and then netfilter-persistent save.
  • On RHEL/CentOS: service iptables save or iptables-save > /etc/sysconfig/iptables.
  • Reload at boot: iptables-restore < /etc/sysconfig/iptables.

Verification and Troubleshooting

To list the active rules:

iptables -L -v -n

If the traffic does not behave as expected, check the order of the rules (the first matching rule decides and evaluation stops there) and ensure there is no generic DROP rule before the permissive ones.

Best Practices

  • Document each rule with a comment using -m comment --comment "text".
  • Group related rules in custom chains for greater clarity.
  • Periodically review the log (LOG) to detect unauthorized access attempts.
  • Combine iptables with tools like fail2ban to automatically block IPs after multiple failures.
  • Test changes in a staging environment before applying them to production.
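As an added example (not the post's own script), the rules from the sections above assembled into a single iptables-restore file, which is the format iptables-save writes and loads atomically, in an order that applies the points just listed: loopback and established traffic first, explicit blocks before accepts, rate-limited SSH in a custom chain, commented rules, and a logging chain instead of silent drops. SSH_PORT, BLOCKED_IP and the chain names SSH_IN and LOG_DROP are values chosen for this example.

```shell
#!/bin/sh
# Builds the whole policy as one iptables-restore file (the format iptables-save writes),
# so it can be loaded atomically with: iptables-restore < rules.v4
# SSH_PORT and BLOCKED_IP are constructed sample values for this example.
SSH_PORT="${SSH_PORT:-22}"
BLOCKED_IP="${BLOCKED_IP:-203.0.113.5}"

generate_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_IN - [0:0]
:LOG_DROP - [0:0]
# 1. Loopback and already-established traffic first, so later rules cannot break them
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. Explicit blocks before any ACCEPT: the first matching rule wins
-A INPUT -s $BLOCKED_IP -m comment --comment "blocked host" -j DROP
# 3. Services accept NEW connections only; the ESTABLISHED rule above handles the rest
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j SSH_IN
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m comment --comment "web" -j ACCEPT
# 4. Anything else is logged and dropped (the policy alone would drop it silently)
-A INPUT -j LOG_DROP
# Custom chain: rate-limit new SSH connections, the excess goes to the log chain
-A SSH_IN -m limit --limit 3/min --limit-burst 5 -m comment --comment "ssh rate limit" -j ACCEPT
-A SSH_IN -j LOG_DROP
# Custom chain: log (rate-limited so the log cannot be flooded), then drop
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: " --log-level 4
-A LOG_DROP -j DROP
COMMIT
EOF
}

# Sanity check before loading: every -j target must be a built-in or a declared chain
check_ruleset() {
  rs=$(generate_ruleset)
  chains=$(printf '%s\n' "$rs" | sed -n 's/^:\([A-Za-z_]*\) .*/\1/p' | tr '\n' ' ')
  for target in $(printf '%s\n' "$rs" | sed -n 's/^-A .* -j \([A-Za-z_]*\).*/\1/p' | sort -u); do
    case " ACCEPT DROP REJECT LOG RETURN $chains" in
      *" $target "*) ;;
      *) echo "unknown target: $target" >&2; return 1 ;;
    esac
  done
  return 0
}
if [ "${1:-}" = "print" ]; then check_ruleset && generate_ruleset; fi
```

Run it as `sh firewall.sh print > /etc/iptables/rules.v4` (or the /etc/sysconfig/iptables path on RHEL) and load the file with iptables-restore; the check function refuses to emit a ruleset that jumps to an undeclared chain.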

Conclusion

iptables remains a powerful and flexible tool for managing the firewall on Linux. Mastering its syntax, understanding the chain flow, and applying rules with judgment allows effective protection of any server. Although the future points to nftables, knowledge of iptables remains valuable for many environments and serves as a solid foundation for learning the new filtering systems.

This work is licensed under a Creative Commons Attribution 4.0 International License, by Francesc Roig francesc@vivaldi.net.