• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

The Geek Diary

CONCEPTS | BASICS | HOWTO

  • OS
    • Linux
    • CentOS/RHEL
    • Solaris
    • Oracle Linux
    • Linux Services
    • VCS
  • Database
    • oracle
    • oracle 12c
    • ASM
    • mysql
    • MariaDB
    • Data Guard
  • DevOps
    • Docker
    • Shell Scripting
  • Interview Questions
  • Big Data
    • Hadoop
    • Cloudera
    • Hortonworks HDP

Linux OS Service ‘iptables’

By admin

Service Name

iptables

Description

The iptables utility controls the network packet filtering code in the Linux kernel. If you need to set up firewalls and/or IP masquerading, you should install this tool. The /sbin/iptables application is the userspace command line program used to configure the Linux IPv4 packet filtering rules. Since Network Address Translation (NAT) is also configured from the packet filter rules, /sbin/iptables is used for this, too. There is a similar tool for IPv6 networks aka iptables-ipv6.

The iptables feature is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a target, which may be a jump to a user-defined chain in the same table.

RPM package name

iptables

Service Control

Start & Stop examples

# service iptables start
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
# service iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]

Usage

# service iptables
Usage: /etc/init.d/iptables {start|stop|restart|condrestart|status|panic|save}
# service iptables start
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
# service iptables stop
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
# service iptables restart
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
# service iptables condrestart
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]
Applying iptables firewall rules:                          [  OK  ]
Loading additional iptables modules: ip_conntrack_netbios_n[  OK  ]
# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255 
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0           
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0           
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353 
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631 
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631 
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
11   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
# service iptables panic
Flushing firewall rules:                                   [  OK  ]
Setting chains to policy DROP: filter                      [  OK  ]
# service iptables save
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]

Daemon

/sbin/iptables

Modules

nfnetlink
ip_conntrack
ip_conntrack_netbios_ns

Configuration

Configuration File

/etc/sysconfig/iptables          - iptables rules
/etc/sysconfig/iptables-config   - iptables configuration

Example Configuration File

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Feb  3 12:54:50 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [254737803:197953409382]
-A INPUT -p tcp -m tcp --dport 162 -j ACCEPT 
-A INPUT -p udp -m udp --dport 162 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 14545 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 14161 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 5634 -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p icmp -j ACCEPT 
-A INPUT -i lo -j ACCEPT 
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT 
-A INPUT -j REJECT --reject-with icmp-host-prohibited 
-A FORWARD -j REJECT --reject-with icmp-host-prohibited 
COMMIT
# Completed on Wed Feb  3 12:54:50 2016

Example of how to set up NAT with iptables

1. Delete existing rules from every iptables table

# iptables -F
# iptables -t nat -F
# iptables -t mangle -F

2. Enable NAT

# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# iptables -A FORWARD -i eth1 -j ACCEPT

3. Save iptables rules

# service iptables save

Note: It is required to enable IP forwarding before set up NAT.

# echo 1 > /proc/sys/net/ipv4/ip_forward

Example of how to open specified port with iptables

1. To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in

# iptables -A INPUT -p tcp --dport ssh -j ACCEPT

2. To allow all incoming web traffic, you could tell iptables to allow all TCP traffic on that port to come in

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

3. Save iptables rules

# service iptables save

Filed Under: Linux, Linux Services

Some more articles you might also be interested in …

  1. The System Continuously Displayed the Error Message from the “avahi-demon” in /var/log/messages
  2. How to check rpm package integrity in Linux
  3. How to Set External Network For Containers in Linux Containers (LXC)
  4. Command ntpstat Shows unsynchronised (CentOS/RHEL)
  5. CentOS / RHEL : How to Disable / Enable direct root and non-root user ssh login
  6. Understanding How Umask Controls the Initial File / Directory Permissions in Linux
  7. How to Enable FTP in CentOS/RHEL 5 and 6
  8. CentOS / RHEL 5 : How to rebuild Initial Ramdisk Image
  9. Understanding /etc/hosts file in Linux
  10. How to Run SCP Without Password Prompt Interruption in Linux

You May Also Like

Primary Sidebar

Recent Posts

  • How to Disable IPv6 on Ubuntu 18.04 Bionic Beaver Linux
  • How to Capture More Logs in /var/log/dmesg for CentOS/RHEL
  • Unable to Start RDMA Services on CentOS/RHEL 7
  • How to rename a KVM VM with virsh
  • Archives
  • Contact Us
  • Copyright

© 2021 · The Geek Diary