Rules
Each rule is expressed as conditions -j action action_options. If several conditions are described in the same rule, then the criterion is the conjunction (logical AND) of the conditions, which is at least as restrictive as each individual condition.
The -p protocol condition matches the protocol field of the IP packet. The most common values are tcp, udp, icmp, and icmpv6. This condition can be complemented with conditions on the TCP ports, with clauses such as --source-port port and --destination-port port.
Negating Conditions
Prefixing a condition with an exclamation mark negates the condition. For example, negating a condition on the -p option matches “any packet with a different protocol than the one specified.” This negation mechanism can be applied to all other conditions as well.
The -s address or -s network/mask condition matches the source address of the packet. Correspondingly, -d address or -d network/mask matches the destination address.
The -i interface condition selects packets coming from the given network interface; -o interface selects packets going out on a specific interface.
The --state state condition matches the state of a packet in a connection (this requires the ipt_conntrack kernel module, for connection tracking). The NEW state describes a packet starting a new connection, ESTABLISHED matches packets belonging to an already existing connection, and RELATED matches packets initiating a new connection related to an existing one (which is useful for the ftp-data connections in the “active” mode of the FTP protocol).
There are many available options for iptables and ip6tables and mastering them all requires a great deal of study and experience. However, one of the options you will use most often is the one to block malicious network traffic from a host or range of hosts. For example, to silently block incoming traffic from the IP address 10.0.1.5 and the 31.13.74.0/24 class C subnet:
# iptables -A INPUT -s 10.0.1.5 -j DROP
# iptables -A INPUT -s 31.13.74.0/24 -j DROP
# iptables -n -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.1.5             0.0.0.0/0
DROP       all  --  31.13.74.0/24        0.0.0.0/0
Another commonly used iptables command permits network traffic for a specific service or port. To allow users to connect to SSH, HTTP, and IMAP, you could run the following commands:
# iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
# iptables -n -L INPUT
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  10.0.1.5             0.0.0.0/0
DROP       all  --  31.13.74.0/24        0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
It is considered good computer hygiene to clean up old and unnecessary rules. The easiest way to delete iptables rules is to reference them by line number, which you can retrieve with the --line-numbers option. Be wary though: deleting a rule renumbers all the rules that appear further down in the chain.
# iptables -n -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  10.0.1.5             0.0.0.0/0
2    DROP       all  --  31.13.74.0/24        0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
# iptables -D INPUT 2
# iptables -D INPUT 1
# iptables -n -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
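Because every deletion shifts the numbers of the rules below it, a batch of deletions must be issued from the highest line number down, which is exactly the order used above. The following helper is an added example, not part of the book or of iptables: it parses the --line-numbers listing and produces the delete commands in that safe order. The listing it works on is a constructed copy of the output shown above.

```python
"""Parse `iptables -n -L CHAIN --line-numbers` output and plan deletions.

Deleting rule N renumbers every rule after N, so deletions are emitted
highest-number-first.  SAMPLE_LISTING is constructed sample text, not live output.
"""
import re
from dataclasses import dataclass

SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       all  --  10.0.1.5             0.0.0.0/0
2    DROP       all  --  31.13.74.0/24        0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:80
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:143
"""


@dataclass
class Rule:
    num: int
    target: str
    prot: str
    source: str
    destination: str
    extra: str  # match-specific text such as "state NEW tcp dpt:22"


def parse_listing(text):
    """Return (chain, policy, [Rule, ...]); policy is None for user-defined chains."""
    lines = text.splitlines()
    header = re.match(r"Chain (\S+) \((?:policy (\S+)|.*)\)", lines[0])
    chain, policy = header.group(1), header.group(2)
    rules = []
    for line in lines[2:]:  # skip the "num target prot opt ..." column header
        fields = line.split(None, 6)  # num target prot opt source destination [extra]
        if len(fields) < 6 or not fields[0].isdigit():
            continue
        extra = fields[6] if len(fields) == 7 else ""
        rules.append(Rule(int(fields[0]), fields[1], fields[2], fields[4], fields[5], extra))
    return chain, policy, rules


def plan_deletions(text, predicate):
    """Commands deleting every rule that satisfies predicate, highest line number first."""
    chain, _, rules = parse_listing(text)
    nums = sorted((r.num for r in rules if predicate(r)), reverse=True)
    return ["iptables -D %s %d" % (chain, n) for n in nums]
```

For a single rule, `iptables -D INPUT -s 10.0.1.5 -j DROP` (deleting by specification rather than number) sidesteps the renumbering problem entirely.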
More specific conditions exist, building on the generic conditions described above. For more information, refer to iptables(8) and ip6tables(8).