Iptables – basic examples

Linux iptables (netfilter) is the firewall built into the kernel.

Check current iptables rules:

$ iptables --list

Check current iptables rules on NAT table:

$ iptables -t nat --list

Open TCP port 80 in iptables:

$ iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Open TCP port 80 only for the IP 123.123.123.123:

$ iptables -A INPUT -s 123.123.123.123 -p tcp -m tcp --dport 80 -j ACCEPT

Forward TCP port 8080 to the IP address 120.120.120.120:

$ iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 120.120.120.120:8080
$ iptables -A FORWARD -p tcp -d 120.120.120.120 --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Remember to enable IP forwarding in Linux, otherwise the DNAT rule has no effect:

$ echo 1 > /proc/sys/net/ipv4/ip_forward

To enable IP forwarding permanently, edit /etc/sysctl.conf and add the following line:

net.ipv4.ip_forward=1

Drop access to port 80 (the packet is silently discarded):

$ iptables -A INPUT -p tcp -m tcp --dport 80 -j DROP

Reject access to port 80 with an ICMP host-unreachable response:

$ iptables -A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-host-unreachable

You can also reject with different responses, like:
icmp-net-unreachable, icmp-port-unreachable, icmp-proto-unreachable, icmp-net-prohibited and icmp-host-prohibited

You can also rate-limit connections, for example to protect against an ICMP flood. The limited ACCEPT rule must come before the DROP rule, because iptables matches rules in order:

$ iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 60/minute --limit-burst 120 -j ACCEPT
$ iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
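The port-forwarding and ICMP rate-limit rules above, wrapped in a small POSIX shell script as an added example (not from the original post): the functions keep the rules in the correct order, can be previewed with DRY_RUN=1 before touching the live firewall, and refuse to add a DNAT rule while ip_forward is still 0. The function names, the DRY_RUN/IPT variables and the optional ip_forward path argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's own code. Run as root to apply, or with
# DRY_RUN=1 to print the iptables commands instead of executing them.
IPT="${IPT:-iptables}"
DRY_RUN="${DRY_RUN:-0}"

# Echo the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# Allow a TCP port only from one source address (page's port-80 example, generalised).
allow_port_from() {
    _port="$1"; _src="$2"
    run -A INPUT -s "$_src" -p tcp -m tcp --dport "$_port" -j ACCEPT
}

# Rate-limit ICMP echo requests. The limited ACCEPT is appended before the
# unconditional DROP; reversed, every ping would be dropped.
icmp_rate_limit() {
    _per_min="${1:-60}"; _burst="${2:-120}"
    run -A INPUT -p icmp --icmp-type echo-request -m limit \
        --limit "${_per_min}/minute" --limit-burst "$_burst" -j ACCEPT
    run -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# DNAT a TCP port to another host and let the forwarded flow through FORWARD.
# Returns 1 without adding anything when IP forwarding is disabled, because the
# DNAT rule would otherwise be installed but silently do nothing.
# Third argument (path of the ip_forward sysctl file) is an assumption of this
# example so the check can be pointed at a test file.
forward_port() {
    _port="$1"; _dst="$2"; _ipfwd="${3:-/proc/sys/net/ipv4/ip_forward}"
    if [ "$(cat "$_ipfwd" 2>/dev/null)" != "1" ]; then
        echo "ip_forward is not enabled ($_ipfwd); refusing to add DNAT rule" >&2
        return 1
    fi
    run -t nat -A PREROUTING -p tcp --dport "$_port" -j DNAT \
        --to-destination "$_dst:$_port"
    run -A FORWARD -p tcp -d "$_dst" --dport "$_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}
```

Example usage: `DRY_RUN=1 sh -c '. ./fw.sh; icmp_rate_limit 60 120; forward_port 8080 120.120.120.120'` prints the rules that would be applied.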