IPTables Primer

Basic Uses

The most common use of iptables is to simply block and allow traffic.

Allow Traffic

Iptables can allow traffic based on a number of different conditions, such as Ethernet adapter, IP address, port, and protocol.

Allow incoming TCP traffic on port 22 (ssh) for adapter eth0

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

Allow incoming TCP traffic on port 80 (HTTP) for the IP range 192.168.0.1 – 192.168.0.254.

iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT

Block Traffic

Iptables can block traffic based on the same conditions that are used to allow it.

Block inbound TCP traffic on port 22 (ssh)

iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP

Block inbound TCP traffic on port 80 (HTTP) from the IP 192.168.1.100

iptables -A INPUT -s 192.168.1.100 -p tcp -m tcp --dport 80 -j DROP

Limit Traffic

Along with allowing and denying traffic, iptables can limit the number of connections allowed within a time window.

iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --set
iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --name sshbrute --update --seconds 60 --hitcount 4 -j DROP

This is a common set of rules used to block brute-force ssh attacks. Both rules use the recent match module, with --name selecting the sshbrute list. The first rule makes sure the connecting IP is added to the sshbrute list. The second rule tells iptables to check the sshbrute list and, if the threshold (4 hits within 60 seconds) is exceeded, to drop the traffic. Because both commands use -I without a rule number, the second rule ends up above the first in the chain.

Common Options and Switches

-A -- adds a rule at the end of the chain
-I -- inserts the rule at the given rule number. If no rule number is given the rule is inserted at the head of the chain.
-p -- protocol of the rule
--dport -- the destination port to check on the rule
-i -- interface on which the packet was received.
-j -- what to do if the rule matches
-s -- source IP address of packet
-d -- destination IP address of packet
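
A chain is evaluated from top to bottom and the first matching ACCEPT or DROP decides the packet, so the order in which the -A and -I commands are run matters. The following added example (not part of the original tutorial) is a simplified Python model of the INPUT chain loaded with this page's four allow and block rules; the helper names, the sample packets and the assumed default policy of ACCEPT are this example's own.

```python
import ipaddress

# Simplified model (assumption of this example): rules are checked in order and
# the first match decides. Only -i, -s, -p and --dport are modelled.

def rule(target, iface=None, src=None, proto="tcp", dport=None):
    net = ipaddress.ip_network(src) if src else None
    return {"target": target, "iface": iface, "src": net,
            "proto": proto, "dport": dport}

def append(chain, r):            # iptables -A: add at the end of the chain
    chain.append(r)

def insert(chain, r, num=1):     # iptables -I: insert at rule number (default head)
    chain.insert(num - 1, r)

def matches(r, pkt):
    return ((r["iface"] is None or r["iface"] == pkt["iface"])
            and r["proto"] == pkt["proto"]
            and (r["dport"] is None or r["dport"] == pkt["dport"])
            and (r["src"] is None or ipaddress.ip_address(pkt["src"]) in r["src"]))

def verdict(chain, pkt, policy="ACCEPT"):
    for number, r in enumerate(chain, start=1):
        if matches(r, pkt):
            return r["target"], number   # first match wins
    return policy, None                  # no rule matched: chain policy decides

def page_rules():                # the four allow/block commands, in page order
    chain = []
    append(chain, rule("ACCEPT", iface="eth0", dport=22))
    append(chain, rule("ACCEPT", src="192.168.0.0/24", dport=80))
    append(chain, rule("DROP", dport=22))
    append(chain, rule("DROP", src="192.168.1.100", dport=80))
    return chain

def packet(iface, src, dport, proto="tcp"):   # constructed sample packet
    return {"iface": iface, "src": src, "proto": proto, "dport": dport}

if __name__ == "__main__":
    chain = page_rules()
    ssh = packet("eth0", "203.0.113.7", 22)   # documentation-range address
    print(verdict(chain, ssh))                # ACCEPT at rule 1: the DROP is shadowed
    insert(chain, rule("DROP", dport=22))     # same DROP, added with -I instead
    print(verdict(chain, ssh))                # DROP at rule 1
```

On a live system, `iptables -L INPUT -n --line-numbers` shows the real rule order to compare against.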