blog posts

Introduction to Iptables in Linux

If you have been using a computer for some time, you must be familiar with the word firewall. We know it all sounds complicated, but this tutorial will explain the basics of IPTable and how to use the utility commands in Linux so that even if you’re a networking student or want to dive into networking, You can benefit from it.

IPTables is a firewall that is mostly used in Linux. To use it, there are some concerns that we express.

What are IPTables?

How the firewall works are very simple. A firewall creates a barrier between trusted and untrusted networks to protect your system from malicious packets.

But how can we tell what is safe and what is not? With a firewall installed by default, you get the privilege to set rules for your firewall, but you need IPTable to monitor incoming and outgoing packets more closely.

IPTables can be used for individual calculations or applied to the entire network. Using IPTables, we define rules to monitor, allow, or block incoming or outgoing network packets.

Instead of focusing on the whole theory part, we only discuss what matters in the practical world. So let’s start by understanding the basic concepts of IPTables.
Understanding the concept of IPTables

When discussing IPTables, we need to understand three terms: tables, chains, and rules. Since these are important sections, we are going to discuss each of them.

So let’s start with the tables.

Tables in IPTables

There are five types of tables in IPTables, and each applies different rules. Let’s start with the most common “Filer” table.

Filter table – This is the default table when using IPTables. This means that whenever you do not specify a specific table when applying rules, they will be applied to the filter table. As the name suggests, the role of the filter table is to decide whether the packets should reach the destination or reject their request.

NAT (Network Address Translation): As the name suggests, this table allows users to specify the translation of network addresses. The role of this determination table is to determine whether the packet’s source and destination address should be changed.

Mangle Table: This table allows us to change the IP header of packets. For example, you can set the TTL (Time to Live or abbreviated TTL is the time a packet is valid at the network level) to increase or decrease the number of network hops the packet can sustain. Similarly, other IP headers can be changed according to your preference.

RAW table: The main use of this table is to track connections; it provides a mechanism for marking packets to view packets as part of an ongoing session.

Security Table: Users can apply internal SELinux security context flags to network packets using the security table.

RAW and Security tables are not used much, and the first three options are usually calculated as the main table.

We passed the topic of tables; now it’s time to talk about chains.
Chains in IPTables

Chains behave at points along the network path where we can apply rules. In IPTables, we have five types of chains, and we will discuss each. Note that not every chain type is available for every table type.

Pre-routing: This chain is applied to every incoming packet after it enters the network stack. This chain is processed before a routing decision is made about the packet’s final destination.

Input Chain: It is the point where a packet enters the network stack.

Forward Chain: The point at which the packet is sent through your system.

Output Chain: The output chain is applied to the packet as it originates and exits through your system.

Post-routing: This is the exact opposite of the pre-routing chain and is applied after routing decisions have been made for incoming or outgoing packets.

Now, the only thing left to discuss is the rules, which is the easiest of the three discussed here. So let’s complete what is left in the theoretical part.

Rules in IPTables

Rules are nothing but sets or individual commands by which users manipulate network traffic. The packet is checked against the defined rules when each chain is executed.

If a rule does not satisfy the condition, it jumps to the next rule, and if it does, the next rule is specified by the target value.

Each rule has two components: compliance component and target component.

The matching Component is a set of conditions for defining rules matching protocol, IP address, port address, interfaces, and headers.

The target Component is an action that is activated after the conditions are met.

This part was an explanation, and now we will cover the basic commands related to IPTables on Linux.

Installing IPTables firewall on Linux

In modern Linux distributions such as Pop!_OS, this firewall is already installed, but if your system does not have the IPTables package, you can easily install it with the given instructions:

To install IPTables on RHEL-based Linux distributions such as Rocky Linux, AlmaLinux, and CentOS Stream, use the following dnf command.

sudo dnf install iptables-services

Important: If you are using a firewall, you must disable it before installing it. To completely stop the firewall, you must use the following commands:

sudo systemctl stop firewalld
sudo systemctl disable firewalld
sudo systemctl mask firewalld

To install IPTables on Debian-based Linux distributions such as Ubuntu and Kali Linux, use the apt command below.

sudo apt install iptables

After installing IPTables, you can enable the firewall with the given commands:

sudo systemctl enable iptables
sudo systemctl start iptables

To monitor the status of the IPTable service, you can use the following command:

sudo systemctl status iptables

Basics of the IPTables command in Linux

Once the installation is complete, we can proceed with the IPTables syntax, which allows you to change the defaults and allows you to configure as per your needs.

The basic syntax of IPTables is as follows:

# iptables -t {type of table} -options {chain points} {condition or matching component} {action}

Let’s understand the explanation of the above command:
Tables

The first part is t-, we can choose from all 5 available table options, and if you remove the t-part from the command, it will use the filter table because it is the default table type.
Chain options

The second part is related to the chain. Here you can choose from different chain point options; The options are given below:

A- Adds a new rule to the chain at the end of the chain.

C- Checks the rule to determine whether it meets the requirements of the chain or not.

D- Allows users to remove an existing rule from the chain.

F- Removes any user-defined rules.

I- Allows users to add a new rule at the specified position.

N- creates a completely new chain.

v- When used with the list option, it brings detailed information.

Removes the X-chain.

Matching Component

Matching options are the requirement check chain. You can choose from various options, and some of them are given below:

Protocols -p

Source IP -s

Destination IP -d

IN interface -i

OUT interface -o

For TCP, they are as follows:

-sport
– dport
–tcp-flags

Action Component

Now, if we consider the action part, the available options depend on the table type, such as NAT, and the mangle table has more options than the others. You can also target a specific table or chain using an action.

The most used action is Jump (-j), which provides us with several options, such as:

ACCEPT: Used to accept packets and end the pass.

DROP: Used to drop packages and end navigation.

REJECT: This is quite similar to DROP but forwards rejected packets to the source.

RETURN: This stops the packet from passing down the subchain and forwards the particular packet to the upstream chain unaffected.

Once we’re done with the syntax, we’ll show you how to use IPTables, including basic configuration.

List the current set of IPTables rules

If you want to check what passes through your firewall by default, listing a set of current rules is a great way. To list the applied rules, use the given command:

sudo iptables -L

Allow/deny network traffic on specific ports

In this section we will show you how to allow or deny network traffic for specific ports. We will show you some known ports to be helpful.

If you want to allow HTTPS network traffic, we need to allow port number 443 using the given command:

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Similarly, you can also disable HTTP web traffic with the following command:

$ sudo iptables -A INPUT -p tcp --dport 80 -j REJECT

Explanation of command options used:

  • p- is used to check the specified protocol, and in our case it is TCP.
  • dport – used to specify the destination port.
  • j- is used for action (accept or let go).

Traffic control by IP address

Yes, you can also monitor network traffic via an IP address. Control not just one or two but a range of IP addresses, and we’ll show you how.

To allow a specific IP address, use the command structure:

sudo iptables -A INPUT -s 69.63.176.13 -j ACCEPT

Similarly, to drop packets from a specific IP, you should use the command structure:

sudo iptables -A INPUT -s 192.168.0.27 -j DROP

If desired, you can control the range of IP addresses using the command structure:

sudo iptables -A INPUT -m range --src-range 192.168.0.1-192.168.0.255 -j REJECT

Delete a user-defined rule.

Sometimes we may end up making mistakes when creating rules, and the best way to overcome these mistakes is to remove them. Deleting defined rules is the easiest process throughout this guide, and to delete them, we need to list them first.

To list the rules defined by numbers, use the following command:

sudo iptables -L --line-numbers

To remove the rules, we must follow the command structure:

sudo iptables -D <INPUT/FORWARD/OUTPUT> <Number>

Let’s say I want to remove the tenth rule from INPUT, so I’ll use the given command:

sudo iptables -D INPUT 10

To check if we have successfully removed the rule, we need to list the rules in the following order:

sudo iptables -L –line-numbers

As you can see, we have successfully removed the tenth rule.
Save defined IPTables rules.

You may wonder why we need to save after applying the rules where they work fine. The problem is that all defined rules that have not been saved will be deleted after restarting your system, so it’s important for us.

To save rules on RHEL-based distributions:

sudo /sbin/service iptables save

To save rules in Debian derivatives:

sudo /sbin/iptables–save

Conclusion

Throughout this article, we have tried to put everything simply so that all beginners and professionals can use it. Enabling a firewall can increase security, which is why many people like to use Linux on their servers.