

 

DISPLAYING RULES

## List out all active iptables rules verbosely

iptables -n -L -v
 

## List out all active iptables rules verbosely, with line numbers

iptables -n -L -v --line-numbers
 

## List out rules for a specific chain e.g. INPUT chain

[root@rh6 ~]# iptables -L INPUT

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere           
ACCEPT     all  --  anywhere             anywhere           
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

 

## List out rules for a specific chain e.g. INPUT chain but with numeric output (numeric source/destination addresses & port numbers)

[root@rh6 ~]# iptables -L INPUT -n

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:53
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:67
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:67
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
 

## Print out the rules for a specific chain as rule specifications (the same form as the arguments given to the iptables command)

[root@rh6 ~]# iptables -S INPUT

-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
 

 

SAVING RULES

## Saving iptables rules

## On Red Hat-based systems:-

[root@rh6 ~]# service iptables save

iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
 

 

BACKUP/RESTORE TO/FROM A FILE

## Backup to a file (the dump contains the complete firewall policy, so keep it out of world-readable locations or restrict its permissions afterwards)

[root@rh6 ~]# iptables-save > /var/tmp/iptables-backup.txt
 

## Restore from backup file

[root@rh6 ~]# iptables-restore < /var/tmp/iptables-backup.txt

 

 

DELETE/INSERT RULES

 

## Delete a rule from a chain by its line number

## First note the line number of the rule to be deleted by listing with line numbers

[root@rh6 ~]# iptables -L INPUT --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
3    ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
5    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
6    ACCEPT     icmp --  anywhere             anywhere           
7    ACCEPT     all  --  anywhere             anywhere           
8    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
9    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited



## Delete by line number


[root@rh6 ~]# iptables -D INPUT 6


## Verify

[root@rh6 ~]# iptables -L INPUT --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
3    ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
5    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
6    ACCEPT     all  --  anywhere             anywhere           
7    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
8    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited


 

## Insert a rule at a specific line number

## Insert at line 6

[root@rh6 ~]# iptables -I INPUT 6 -p icmp -j ACCEPT


## Verify by listing with line numbers


[root@rh6 ~]# iptables -L INPUT --line-numbers

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        
1    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
2    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
3    ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
4    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
5    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
6    ACCEPT     icmp --  anywhere             anywhere           
7    ACCEPT     all  --  anywhere             anywhere           
8    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
9    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited



## Verify by listing with rule specifications

[root@rh6 ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
 

## Delete a rule by the specification

## Print the rule specifications for the chain and note the specification of the rule to be deleted (in this example the ICMP accept rule, `-A INPUT -p icmp -j ACCEPT`)

[root@rh6 ~]# iptables -S INPUT

-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited


## Delete by replacing -A with -D


[root@rh6 ~]# iptables -D INPUT -p icmp -j ACCEPT

## Verify


[root@rh6 ~]# iptables -S INPUT

-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

 

REPLACING (MODIFYING) AN EXISTING RULE

## For example, to replace a rule and restrict it to a source IP range

## Identify the position of the rule to be replaced; in this case it is rule 6. Note that `iptables -S` prints no numbers: count only the `-A` lines (the `-P` policy line is not a rule), or list with `iptables -L INPUT --line-numbers` as in the DELETE/INSERT section so the numbers are printed for you.

[root@rh6 ~]# iptables -S INPUT

-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited



## Replace it

[root@rh6 ~]# iptables -R INPUT 6 -s 192.168.0.0/24 -p icmp -j ACCEPT


## Verify

[root@rh6 ~]# iptables -S INPUT

-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited

 

 ALLOW (ACCEPT) rules

## e.g. Allow loopback connections in the INPUT and OUTPUT chains

[root@rh6 ~]# iptables -A INPUT -i lo -j ACCEPT

[root@rh6 ~]# iptables -A OUTPUT -o lo -j ACCEPT
 

## e.g. Allow Established and Related Incoming Connections

[root@rh6 ~]# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 

## e.g. Allow Established Outgoing Connections

[root@rh6 ~]# iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
 

## Allow Incoming packets to a specific port

## assuming the OUTPUT chain has a default ACCEPT policy:-

[root@rh6 ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT


## if the OUTPUT chain's default policy is DROP, then:-

[root@rh6 ~]# iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

[root@rh6 ~]# iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
 

## Allow incoming packets to multiple ports in one rule (the multiport match's option is `--dports`, as spelled in the second example below)

## assuming the OUTPUT chain has a default ACCEPT policy:-

[root@rh6 ~]# iptables -A INPUT -p tcp -m multiport --dport 80,443 -j ACCEPT


## if the OUTPUT chain's default policy is DROP, then:-

[root@rh6 ~]# iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

[root@rh6 ~]# iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
 
 

 

DENY (DROP/REJECT) RULES

## Block a specific IP address

[root@rh6 ~]# iptables -A INPUT -s 192.168.1.10 -j DROP

## DROP - drops the packet and does NOT send any response back to the source
 

## Block a specific IP address at a specific network interface

[root@rh6 ~]# iptables -A INPUT -i eth0 -s 192.168.1.10 -j DROP
 

## Block and Reject a specific IP address

[root@rh6 ~]# iptables -A INPUT -s 192.168.1.10 -j REJECT

## REJECT - discards the packet and sends an error back to the source (an ICMP port-unreachable by default; `--reject-with` selects another type, e.g. the `icmp-host-prohibited` used in the listings above)

 

## Flush all rules (this removes every rule but leaves each chain's default policy unchanged)

 
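# Remove every rule from the filter, nat and mangle tables.
# Flushing (-F) deletes rules but does NOT change a chain's default
# policy: if INPUT/OUTPUT/FORWARD are set to DROP, a remote session is
# cut off as soon as the ACCEPT rules disappear. Setting the built-in
# policies to ACCEPT first avoids that lockout, so run this only when the
# intent really is to remove all filtering (e.g. before loading a saved
# rule set with iptables-restore).
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# flush all chains in the filter (default), nat and mangle tables
iptables -F
iptables -t nat -F
iptables -t mangle -F
# delete all user-defined chains; -X without -t only touches the filter
# table, so the other tables must be named explicitly
iptables -X
iptables -t nat -X
iptables -t mangle -X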
 
 
 
 

 

 

 
 
 
 
 

 

References:

  1. https://www.andreafortuna.org/2019/05/08/iptables-a-simple-cheatsheet/
  2. https://www.crybit.com/how-to-save-current-iptables-rules/
  3. http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
  4. https://www.thegeekstuff.com/2011/06/iptables-rules-examples/