Iptables Command Examples
Iptables is a powerful command-line utility for configuring the Linux kernel firewall. It allows administrators to define rules for packet filtering, network address translation (NAT), and other packet mangling operations. Mastering iptables is crucial for securing Linux-based systems and managing network traffic effectively.
Monitor Firewall Rule Hits
Understanding how often your firewall rules are being hit is essential for performance tuning and security analysis. The watch command combined with iptables -nvL provides a dynamic view of packet and byte counters for each rule.
# To show hit counts for rules with auto-refresh, hiding rules whose packet and byte counters are both zero
# (the pattern anchors on the leading counter columns of the -v output, so it does not match "0 0" elsewhere in a line):
watch --interval 0 'iptables -nvL | grep -vE "^ *0 +0 "'
# To show hit counts for rules with auto-refresh every 2 seconds and highlight any changes:
watch -d -n 2 iptables -nvL
Block Specific Ports and Hide from Scans
Blocking unwanted incoming connections is a fundamental security practice. Iptables can be used to reject traffic to specific ports. Using the --reject-with icmp-port-unreachable option not only blocks the port but also makes it appear closed to port scanners like Nmap, enhancing stealth.
# To block port 902 on eth0 and hide this port from nmap:
iptables -A INPUT -i eth0 -p tcp --dport 902 -j REJECT --reject-with icmp-port-unreachable
# Explanation of --reject-with options (each sends a different ICMP error instead of silently dropping):
# icmp-net-unreachable:   Network unreachable
# icmp-host-unreachable:  Host unreachable
# icmp-port-unreachable:  Port unreachable (the default for REJECT; hides port from nmap)
# icmp-proto-unreachable: Protocol unreachable
# icmp-net-prohibited:    Network prohibited
# icmp-host-prohibited:   Host prohibited
# icmp-admin-prohibited:  Administratively prohibited
# tcp-reset:              Sends a TCP RST packet (valid only for rules matching -p tcp)
Add Comments to Firewall Rules
As your firewall configuration grows, it becomes increasingly important to document the purpose of each rule. Iptables allows you to add comments to rules, making them easier to understand and manage.
# To add a comment to a rule:
iptables ... -m comment --comment "This rule is here for this specific reason"
Manage Firewall Rules by Line Number
Modifying existing rules or inserting new ones at specific positions is often necessary. Iptables provides options to list rules with line numbers and to delete or insert rules based on these numbers.
# 1) Show all rules in the INPUT chain with line numbers:
iptables -L INPUT --line-numbers
# Alternatively, use the -n option for numeric output (addresses and ports shown as numbers, no DNS lookups):
iptables -nL --line-numbers
# Example output (from the first form, without -n):
# Chain INPUT (policy ACCEPT)
# num  target  prot opt source    destination
# 1    ACCEPT  udp  --  anywhere  anywhere     udp dpt:domain
# 2    ACCEPT  tcp  --  anywhere  anywhere     tcp dpt:domain
# 3    ACCEPT  udp  --  anywhere  anywhere     udp dpt:bootps
# 4    ACCEPT  tcp  --  anywhere  anywhere     tcp dpt:bootps
# 2.a) REMOVE (-D) a rule by its line number (e.g., remove rule number 2 from INPUT chain):
iptables -D INPUT 2
# 2.b) INSERT a rule at a specific line number.
# Example: Insert a rule at line 3 in the INPUT chain to accept TCP traffic on port 21 from a specific IP address:
iptables -I INPUT 3 -i eth1 -p tcp --dport 21 -s 123.123.123.123 -j ACCEPT -m comment --comment "Allow FTP from specific IP"
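The three techniques above (hit counters, rule comments, and line numbers) work well together: the counters tell you which rules actually match traffic, and a comment lets you find a rule's line number without counting by hand. The script below is an added example, not part of the original page; it parses a constructed sample of `iptables -nvL INPUT --line-numbers` output (not a real capture), so it runs offline without root.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvL INPUT --line-numbers` output (not a real capture).
# Columns: num pkts bytes target prot opt in out source destination [extra]
SAMPLE_RULES='Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     9876  654K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2       42  2520 REJECT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:902 reject-with icmp-port-unreachable
3        7   420 ACCEPT     tcp  --  eth1   *       123.123.123.123      0.0.0.0/0            tcp dpt:21 /* Allow FTP from specific IP */
4        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53'

# Print "num pkts target [comment]" for every rule whose packet counter is non-zero.
# Keying on the counter column avoids the false filtering a plain grep -v "0 0" can cause.
rules_with_hits() {
    printf '%s\n' "$1" | awk '
        NR > 2 && $2 != 0 {
            comment = ""
            if (match($0, /\/\*.*\*\//)) comment = substr($0, RSTART + 3, RLENGTH - 6)
            printf "%s %s %s%s\n", $1, $2, $4, (comment == "" ? "" : (" [" comment "]"))
        }'
}

# Look up the line number of a rule by its exact comment text, so it can be
# removed with `iptables -D INPUT <num>` or replaced at the same position with -I.
# Prints nothing when no rule carries that comment.
rule_number_by_comment() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR > 2 && index($0, "/* " want " */") { print $1; exit }'
}

rules_with_hits "$SAMPLE_RULES"
rule_number_by_comment "$SAMPLE_RULES" "Allow FTP from specific IP"
```

On a live system, replace the sample with `$(iptables -nvL INPUT --line-numbers)` and the same functions apply unchanged.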
Further Reading on Network Security
For a deeper understanding of network security and firewall best practices, consult the following resources:
- Iptables Man Page - Official documentation for iptables.
- Netfilter Documentation - Information about the Netfilter framework, which iptables is part of.
- Linux Firewall Basics using Iptables - A tutorial on fundamental iptables usage.