Get Started with Iptables: Keep Bad People (and Bots) Out of Your Server

Iptables is a Linux user-space application program used for configuring IPv4 tables used by the Linux kernel firewall. Iptables is included in most Linux distributions running on kernel 2.4.x or later.

Iptables is an extremely flexible command-line firewall utility, using policy chains to allow or block traffic. It is clearly targeted towards system administrators, since it requires elevated privileges to run, and must be executed by the user root.

Brief History

Development on the iptables project started in 1998, spearheaded by Rusty Russell, an Australian software developer. Iptables was created as a successor to ipchains, an earlier Linux firewall utility also created by Russell.

As the project expanded, Rusty Russell founded the Netfilter Core Team in 1999. It produced the Netfilter Linux framework and iptables, and released them under the GNU General Public License. In March 2000, Netfilter and iptables were merged into the Linux kernel mainline.

Iptables Features and Design

Different kernel modules are used for different protocols — iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.

Iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel.

Several different tables may be defined, with each table containing a number of built-in chains or user-defined chains. Each chain is a set of rules which can match a set of packets, while each rule specifies what to do with a packet that matches. This is called a target.

If a packet matches the rule, its fate is determined by the value of the target: ACCEPT lets the packet through, DROP drops the packet, QUEUE passes the packet to userspace, RETURN resumes the next rule in the previous calling chain.

Up to five independent tables are available, depending on kernel configuration and active modules:

• Filter is the default table, containing the built-in chains INPUT, FORWARD and OUTPUT.
• Nat is used when a packet that creates a new connection is encountered, containing the built-in chains PREROUTING, OUTPUT and POSTROUTING.
• Mangle – is used for specialized packet alteration, containing the built-in chains PREROUTING, INPUT, OUTPUT, FORWARD, and POSTROUTING.
• Raw is used for configuring exemptions from connection tracking combined with the NOTRACK target, providing built-in chains PREROUTING and OUTPUT.
• Security is used for Mandatory Access Control (MAC) networking rules, with INPUT, OUTPUT, and FORWARD built-in chains.

The options recognized by iptables are divided into commands, parameters, and other options.

Using Iptables

Iptables is a command line utility preinstalled on most Linux distributions. In case you need to update or install iptables, you can use the following command:

sudo apt-get install iptables

You should be extremely careful if you are logged in to a remote server, and you are configuring its iptables rules, because one wrong command can lock you out for good, and may have to be manually fixed at the server.

We will demonstrate a few common and simple commands used in configuring iptables rules. If you plan on using advanced features of iptables, you should check some of the resources on iptables we provide out below.

You can list the currently configured iptables rules using:

iptables -L

In most cases, you will want your system to accept connections by default, using these commands:

iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT

After this, you can use iptables to deny connections from specific IP addresses or ports, like so:

iptables -A INPUT -s 192.168.10.10 -j DROP

Or you can block connections from a range of IP addresses like this:

iptables -A INPUT -s 192.168.10.0/24 -j DROP

In some specific cases, you could use the opposite approach to the one described above. You could deny all connections and manually specify the ones you want to allow to connect. This setup could be used for servers with sensitive data, that are connected to a unique IP address.

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD DROP
iptables -A INPUT -s 192.168.10.10 -j ACCEPT

It is important to note that all changes made to the iptables rules will not be saved automatically. You need to save the changes manually using a command which can differ depending on your distribution. This is the Ubuntu command:

sudo /sbin/iptables-save

In case you forgot to save the changes you made to the iptables, they will be lost the next time the iptables service is restarted.

You can also use the flush command to clear all the configured rules:

iptables -F

Iptables Resources

There are many resources for iptables online, which is understandable since iptables is included in most Linux distributions. Learning and using iptables should not be a problem, especially if you rely on quality resources like these:

• Iptables Official Manual is detailed and provides a useful reference for iptables commands and parameters.
• Linux 2.4 Packet Filtering HOWTO Documentation is a very detailed description of packet filtering written by Rusty Russell. Of particular interest is the Using Iptables section.
• Iptables How To is a nice walkthrough of iptables.

Iptables Books

There is not an abundance of books dealing with iptables, although iptables are mentioned in many books written on Linux networking and firewalls.

With lots of quality online resources, it is no wonder there aren’t more books dealing with iptables. Therefore, we singled out just one book on iptables:

• Linux Iptables Pocket Reference by Gregor Purdy: This pocket reference will help you at those critical moments when someone asks you to open or close a port in a hurry, either to enable some important traffic or to block an attack. The book will keep the subtle syntax straight and help you remember all the values you have to enter in order to be as secure as possible.

Conclusion

Iptables is a widely used utility, so it’s definitely worth mastering if a lot of your work revolves around Linux-based servers. Luckily, its popularity means iptables is still being actively developed, and new versions are introduced periodically.

It also means there’s no shortage of quality iptables resources online, but if you enjoy the crinkle of paper, you’ll have a hard time finding iptables books. Still, the sheer volume of digital iptables resources more than makes up for the lack of paperback resources.

Iptables is a powerful, yet easy to use utility. Every aspiring Linux guru should master it.

Further Reading and Resources

We have more guides, tutorials, and infographics related to computer use:

• Linux Programming Introduction and Resources: this deep dive into Linux programming gets down into the kernel where all the action is.
• Network Programming with Internet Sockets: learn all about networking on the internet.

Unix Programming Resources

If you really get into Linux and want to start creating programs for it, we have a great place for you to start learning: Unix Programming Resources.

Unix Programming Resources