IP Tables
Summary: A small howto on using IP Tables
Date: Around 2015
Refactor: 1 March 2025: Checked links and formatting.
This is a small howto on using IP Tables. It's mostly from Internet sources like this one. I just modified and extended it to my specific knowledge and experience.
Important to Know
Since the IP tables live inside the Linux kernel, changes to the rules take effect immediately. This could lock you out if you don't know what you're doing, so make sure you have access to the console before you start experimenting.
Chains and Rules
Iptables is made up of CHAINS, each chain holds RULES.
The default chains are:
- INPUT (Incoming traffic to this machine)
- FORWARD (Traffic going to or from a machine on the other side of this firewall)
- OUTPUT (Outgoing traffic from this machine).
Rules are then placed inside these chains in order to allow or deny specific traffic. There are three basic "ACTIONS" (targets) that a rule can take. Other targets exist, but these are the basic and most commonly used actions:
- ACCEPT (Allows the traffic through the firewall)
- DROP (The packet is dropped with no reply to sender)
- REJECT (Packet is dropped and an appropriate message is sent back to the sender.)
Listing IP Tables
Listing the current IP Tables can be done with the command iptables -L (the output below is from -L without -v, so it shows no packet counters):
[sjoerd@redhatbox /]$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
You can add statistics (packet and byte counters per rule, plus the in/out interface columns) to the output by adding -v:
[sjoerd@redhatbox /]$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3642 1590K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    1    60 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    3   697 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
13083 1218K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 3503 packets, 480K bytes)
 pkts bytes target     prot opt in     out     source               destination
Open a Port Using IP Tables
Adding a single port can be done like this:
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
More information:
- -I : insert: This will insert the rule at the top of the chain. You can also use -A for append, which will place the new rule at the end of the chain. Rules are evaluated in order, so in a chain like the INPUT chain listed above, which ends with a catch-all REJECT, an appended rule would sit behind that REJECT and never match.
- INPUT: insert the rule into the CHAIN INPUT
- -p tcp : only match tcp packets
- --dport 80 : only match packets headed for port 80 (destination port)
- -j ACCEPT : jump to the ACCEPT target (the action taken on a matching packet)
You can also allow specific sources like a single host or network:
iptables -I INPUT -p tcp -s pcsjoerd.getshifting.local --dport 80 -j ACCEPT
iptables -I INPUT -p tcp -s 192.168.1.0/24 --dport 80 -j ACCEPT
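The following is an added example, not part of the original howto. It parses the iptables -L -v listing format shown above (the sample input is reconstructed from that listing) and checks the point the -I versus -A choice raises: whether a new rule lands somewhere it can match, or behind the chain's catch-all REJECT where it is dead. The Rule, Chain, parse_listing, unreachable_rules and add_rule names are this example's own. It only understands the -v column layout, not the shorter -L output.

```python
"""Audit an `iptables -L -v` listing for rules shadowed by a catch-all target."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the listing shown in the howto above, as -L -v prints it.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3642 1590K ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    1    60 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    3   697 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
13083 1218K REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 3503 packets, 480K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Targets that end evaluation of the chain for a matching packet.
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)")


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str = ""  # trailing text, e.g. "state NEW tcp dpt:ssh"

    def match_text(self) -> str:
        # "reject-with ..." is an option of the REJECT target, not a packet match.
        return re.sub(r"reject-with \S+", "", self.extra).strip()

    def is_catch_all(self) -> bool:
        """True when every packet that reaches this rule matches it."""
        return (self.prot == "all" and self.in_if == "any" and self.out_if == "any"
                and self.source == "anywhere" and self.destination == "anywhere"
                and not self.match_text())


@dataclass
class Chain:
    name: str
    policy: str
    rules: list[Rule] = field(default_factory=list)


def parse_listing(text: str) -> dict[str, Chain]:
    """Parse `iptables -L -v` output into chains in listing order."""
    chains: dict[str, Chain] = {}
    current: Chain | None = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        cols = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue
        _pkts, _bytes, target, prot, _opt, in_if, out_if, src, dst = cols[:9]
        extra = cols[9] if len(cols) > 9 else ""
        current.rules.append(Rule(target, prot, in_if, out_if, src, dst, extra))
    return chains


def unreachable_rules(rules: list[Rule]) -> list[int]:
    """Indices of rules that sit behind a terminal catch-all and can never match."""
    dead: list[int] = []
    shadowed = False
    for i, rule in enumerate(rules):
        if shadowed:
            dead.append(i)
        elif rule.target in TERMINAL_TARGETS and rule.is_catch_all():
            shadowed = True
    return dead


def add_rule(rules: list[Rule], rule: Rule, insert: bool = True) -> list[Rule]:
    """Copy of the chain with `rule` placed as -I (top) or -A (end) would place it."""
    updated = list(rules)
    if insert:
        updated.insert(0, rule)
    else:
        updated.append(rule)
    return updated


if __name__ == "__main__":
    chains = parse_listing(SAMPLE_LISTING)
    # `-p tcp --dport 80 -j ACCEPT` is listed by -L as "tcp dpt:http" (port 80 resolved to its service name).
    http = Rule("ACCEPT", "tcp", "any", "any", "anywhere", "anywhere", "tcp dpt:http")
    for flag, insert in (("-I", True), ("-A", False)):
        dead = unreachable_rules(add_rule(chains["INPUT"].rules, http, insert))
        print(f"{flag} INPUT ... --dport 80: unreachable rule indices = {dead}")
```

Run against real output with `sudo iptables -L -v | python3 audit.py` by replacing SAMPLE_LISTING with sys.stdin.read(); the audit reports the appended port-80 rule as dead (index 5, behind the REJECT at index 4) and the inserted one as live, which is exactly why the howto uses -I.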
Save IP Tables Changes
After adding rules you need to save them with the command service iptables save, otherwise the running rules are lost when the iptables service is restarted or the machine reboots:
[sjoerd@redhatbox /]$ sudo service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]