iptables is the user-space tool for managing the Linux kernel's netfilter packet-filtering rules, i.e. the host firewall. These notes cover chain management, rule matching, connection tracking and port redirection.
Chain management
A chain contains a list of rules.
Creating a new chain
# iptables --new USER-FOO
The -N switch can be used instead of --new
Listing rules in a chain
# iptables --list USER-FOO
The -L switch can be used instead of --list
It will return 1 if the chain does not exist.
iptables: No chain/target/match by that name.
# echo $?
1
If the chain is empty it will return 0.
Chain USER-FOO (0 references)
target prot opt source destination
# echo $?
0
To display more details, add --numeric or -n to print addresses and ports numerically instead of resolving them, and --verbose or -v to show packet and byte counts and interfaces. --line-numbers additionally prints each rule's position (its rulenum), which -D and -I accept in place of a full rule-specification.
# iptables --list USER-FOO --numeric --verbose
Deleting a chain’s rules
To delete all rules in a chain, flush the chain.
# iptables --flush USER-FOO
The -F switch can be used instead of --flush
Deleting a chain
# iptables --delete-chain USER-FOO
The -X switch can be used instead of --delete-chain. The chain must be empty (flush it first) and must not be referenced by a rule in any other chain, otherwise the command fails.
Rules
A chain consists of an ordered list of rules. Each rule can be referred to by its position in the chain, its ordinal or rulenum.
Rules are numbered starting from 1.
Each rule has a rule-specification: a set of matches and, usually, an action.
A packet is compared against each rule in turn. When every match of a rule succeeds, the rule's action is applied; a terminating action such as ACCEPT or DROP ends processing of the chain for that packet, otherwise evaluation continues with the next rule.
A rule-specification can include matches such as:
- -p, --protocol to match a protocol. Examples include tcp and udp.
- -s, --source for the source address/mask.
- -d, --destination for the destination address/mask.
- --source-port, --sport for the source port. Only valid after -p tcp or -p udp, since it is the protocol match that defines the option.
- --destination-port, --dport for the destination port. Same requirement as --sport.
A rule-specification can include an action such as:
- -j, --jump to jump to a target. Valid targets include
  - RETURN to exit this chain and continue in the previous / calling chain. In a built-in chain, RETURN applies the chain's policy instead.
  - DROP to silently drop the packet. The caller will not see a response.
  - REJECT to actively reject the packet. By default an ICMP port-unreachable is sent back; --reject-with tcp-reset sends a TCP RST instead.
  - ACCEPT to allow the packet through.
  - a user-defined chain. Processing moves to the specified chain and resumes at the next rule of the current chain if a RETURN is matched or the end of the called chain is reached.
- -g, --goto a chain. Processing moves to the specified chain, but a RETURN there continues in the chain that called the current chain, not in the current chain itself. This effectively stops any further processing in the current chain.
conntrack: connection tracking module
The conntrack module is useful for packets that have already been NATed, such as those seen in DOCKER-USER after docker is installed. DOCKER-USER is called from the filter table's FORWARD chain, by which point Docker's DNAT rules in the nat table's PREROUTING chain have already rewritten the destination to the container's address, so -d and --dport see the container rather than the published address and port. Connection tracking remembers the original tuple and lets a rule match on it.
To enable this module on a rule, -m conntrack must be added to the rule specification.
The rule-specification then has additional options available:
- --ctstate connection states to match, e.g. NEW, RELATED, ESTABLISHED. INVALID and UNTRACKED are the other common values.
- --ctorigdst original destination address/mask, i.e. the destination as it was before any DNAT.
To exit the chain (and so let the packet continue through FORWARD) when a packet was originally addressed to 203.0.113.10:25, where 203.0.113.10 stands for the host's public address:
iptables -A DOCKER-USER -j RETURN -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED --ctorigdst 203.0.113.10 --dport 25
Note that --dport matches the port after DNAT; if the published port differs from the container port, match the pre-NAT port with --ctorigdstport instead.
See the man page iptables-extensions for more details.
reply
Every tracked connection has an original direction, that of the packet which opened it, and a reply direction. Rules that restrict traffic are normally meant for the original direction only: a reply-direction packet can only exist for a connection whose first packet conntrack has already seen, and dropping replies breaks connections that were admitted or that a container opened itself.
To append a rule allowing reply packets in the DOCKER-USER chain, run:
iptables -A DOCKER-USER -j RETURN -p tcp -m conntrack --ctdir REPLY
Because rules are evaluated in order, this rule must come before any DROP in the chain.
Chain and Rule Ordering - Whitelist
To configure a chain to behave like a whitelist:
- Add rules that jump to RETURN if the packet matches. The previous (calling) chain should be configured to ACCEPT the packets.
- Add a final rule in the chain that DROPs the packet.
Rules are evaluated in order, so the DROP must stay last: add further RETURN rules with -I (insert) rather than -A, which would append them after the DROP where they never match. In DOCKER-USER the DROP also hits connections the containers initiate, since their first packet traverses FORWARD in the original direction as well; exempt them, for example with a RETURN for packets that did not arrive on the external interface, or container-initiated traffic is cut off.
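The whitelist recipe above, together with the conntrack match, the reply-direction rule and the RETURN/DROP ordering from the earlier sections, as one script. This is an added example, not a script from the original page or from the Docker project; the external interface name (eth0, via EXT_IF), the public address 203.0.113.10, the port list 80 and 443, and the IPTABLES dry-run variable are assumptions introduced here.

```sh
#!/bin/sh
# Added example (not from the original page or the Docker project): build the
# DOCKER-USER whitelist described above. Assumptions introduced here:
#   EXT_IF   the interface facing the outside world (defaults to eth0)
#   the public address (203.0.113.10) and ports (80 443) passed as arguments
# Set IPTABLES=echo to print the commands instead of applying them.
set -e

IPTABLES="${IPTABLES:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
CHAIN="DOCKER-USER"

# Thin wrapper so a dry run only needs IPTABLES=echo.
ipt() { "$IPTABLES" "$@"; }

# Usage: docker_user_whitelist PUBLIC_IP PORT [PORT...]
docker_user_whitelist() {
    public_ip="$1"; shift

    # Docker creates DOCKER-USER itself, so -N normally fails with "chain
    # already exists"; that error is ignored. Flushing gives a known starting
    # point, which is what keeps the DROP at the end of the chain.
    ipt -N "$CHAIN" 2>/dev/null || true
    ipt -F "$CHAIN"

    # 1. Reply-direction packets leave the chain first. Without this the
    #    final DROP would also discard the answers of admitted connections.
    ipt -A "$CHAIN" -m conntrack --ctdir REPLY -j RETURN

    # 2. Only traffic that arrived on the external interface is subject to the
    #    whitelist. Connections the containers open themselves also pass
    #    through FORWARD in the original direction and would otherwise be
    #    dropped by rule 4.
    ipt -A "$CHAIN" ! -i "$EXT_IF" -j RETURN

    # 3. One RETURN per published port. Packets in DOCKER-USER have already
    #    been DNATed to the container, so the pre-NAT destination is matched
    #    with --ctorigdst rather than -d.
    for port in "$@"; do
        ipt -A "$CHAIN" -p tcp -m conntrack \
            --ctstate NEW,RELATED,ESTABLISHED --ctorigdst "$public_ip" \
            --dport "$port" -j RETURN
    done

    # 4. Anything not explicitly returned is dropped. Rules are evaluated in
    #    order, so this must remain the last rule; later additions belong
    #    before it (-I), not after it (-A).
    ipt -A "$CHAIN" -j DROP
}

# Apply only when called with arguments, e.g.
#   IPTABLES=echo sh docker-user-whitelist.sh 203.0.113.10 80 443   (dry run)
#   sh docker-user-whitelist.sh 203.0.113.10 80 443                 (as root)
if [ "$#" -ge 2 ]; then
    docker_user_whitelist "$@"
fi
```

Run it as root with the address and ports as arguments; with IPTABLES=echo it prints the rules in the order they would be applied, which is a cheap way to review the ordering before touching a live chain. Because the script flushes and rebuilds the whole chain, re-running it after changing the port list never leaves a RETURN stranded behind the DROP.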
Port Redirection
In this example we have a tomcat web server listening on ports 8080 and 8443 on a host whose address is 10.0.0.20, and would like it to also appear on ports 80 and 443. The nat OUTPUT rules handle connections made from the host itself, to localhost and to its own address; the PREROUTING rules handle connections arriving from other hosts. REDIRECT only rewrites the destination port, so the filter table's INPUT chain must still accept traffic to 8080 and 8443.
iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -d 10.0.0.20 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -d 10.0.0.20 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -d localhost -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A OUTPUT -d 10.0.0.20 -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -d 10.0.0.20 -p tcp --dport 443 -j REDIRECT --to-ports 8443
Verify the rules and their hit counts with iptables -t nat -L -n -v, and the redirect itself with curl -I http://10.0.0.20/ from the host and from another machine.
References
iptables --help
man iptables
man iptables-extensions