Basic and most common iptables rules

Giedrius

Iptables is basically a powerful firewall, which can allow a user to set specific rules to control incoming and outgoing traffic. You can use it to block the specific port, IP addresses and much more. In this article, we present the most common uses of iptables.

The iptables rules can be specified with 3 blocks, which are used for a specific purpose (called Chains):

INPUT - All packets destined for the host computer.
OUTPUT - All packets originating from the host computer.
FORWARD - All packets neither destined for nor originating from the host computer, but passing through (routed by) the host computer. This chain is used if you are using your computer as a router.

The first command we present is used to flush the existing iptables rules, this can be useful if we want to start with new rules or if we have accidentally blocked ourselves (Our Clients Area has a button for this case specifically - "Flush iptables"):

iptables -F

Note. If you want to flush a single Chain, specific rules. You can use this:

sudo iptables -F INPUT

Next commands are used to check current rules that are active within your server:

iptables -L

iptables -S

Note. You can add specific words, like INPUT, FORWARD OR OUTPUT. For example:

iptables -L INPUT

This will let you specify the rules by their purpose (Chains).

Note. You can also add "-v" to your command (iptables -L -v), this will let you check the packets and their size matched with each rule.

Now we can continue with more specific rules to make some simple rules. Usually, a Firewall is used to block something first, and only then to allow something. So here are some rules which help you to block the connections.

In order to block a connection from the specific IP address you can use this:

iptables -A INPUT -s 1.1.1.1 -j DROP 

iptables -A OUTPUT -s 1.1.1.1 -j DROP

iptables -A INPUT -s 1.1.1.1 -j REJECT

Note. REJECT is used to give a response that the connection is not blocked and sends a message "connection refused".

If you want to block a specific port, for example, SMTP port 25, you can use this:

iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -I OUTPUT -p tcp --dport 25 -j DROP

Allow Incoming SSH connection only from a specific IP:

iptables -A INPUT -i venet0 -p tcp -s 1.1.1.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

This actually allows only specific IP to connect to the server using 22 port. Also, every time it happens, it establishes a status, which will be used in the second rule to allow the same IP the outgoing traffic.

Following sets of rules are for HTTP and HTTPS connections:

iptables -A INPUT -i venet0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i venet0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

The first set of rules allows HTTP and the second set of rules allows HTTPS connection using the default ports 80 and 443

Next rules allow outside users to ping to your server:

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

The same applies to block it:

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

To allow loopback access to your server, for example using localhost:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Allowing MySQL connection from specific IP address:

iptables -A INPUT -i venet0 -p tcp -s 1.1.1.1 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Allowing POP3 or IMAP traffic:

iptables -A INPUT -i venet0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i venet0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

Also, this can be applied for POP3/IMAP using a secure connection:

iptables -A INPUT -i venet0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i venet0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o venet0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

Note. When you describe network interface in the rules, for example, venet0, do not forget to change it, if your server uses different network interfaces, for example, eth0 or other.

One last use of iptables  is that it can be used to prevent the DDoS as well, by limiting the connections per minute:

iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 100 -j ACCEPT

More details about this one:

-m limit: This uses the limit iptables extension
–limit 25/minute: This limits only a maximum of 10 connections per minute.
–limit-burst 100: This value indicates that the limit/minute will be enforced only after the total number of connection have reached the limit-burst level.

You can change the details based on your requirements, to prevent some attacks.