Service Name
iptables
Description
The iptables utility controls the network packet filtering code in the Linux kernel. If you need to set up firewalls and/or IP masquerading, you should install this tool. The /sbin/iptables application is the userspace command line program used to configure the Linux IPv4 packet filtering rules. Since Network Address Translation (NAT) is also configured from the packet filter rules, /sbin/iptables is used for this, too. There is a similar tool for IPv6 networks aka iptables-ipv6.
The iptables feature is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a target, which may be a jump to a user-defined chain in the same table.
RPM package name
iptables
Service Control
Start & Stop examples
# service iptables start Applying iptables firewall rules: [ OK ] Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
# service iptables stop Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: filter [ OK ] Unloading iptables modules: [ OK ]
Usage
# service iptables
Usage: /etc/init.d/iptables {start|stop|restart|condrestart|status|panic|save}
# service iptables start Applying iptables firewall rules: [ OK ] Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
# service iptables stop Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: filter [ OK ] Unloading iptables modules: [ OK ]
# service iptables restart Applying iptables firewall rules: [ OK ] Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
# service iptables condrestart Flushing firewall rules: [ OK ] Setting chains to policy ACCEPT: filter [ OK ] Unloading iptables modules: [ OK ] Applying iptables firewall rules: [ OK ] Loading additional iptables modules: ip_conntrack_netbios_n[ OK ]
# service iptables status Table: filter Chain INPUT (policy ACCEPT) num target prot opt source destination 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy ACCEPT) num target prot opt source destination 1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT) num target prot opt source destination Chain RH-Firewall-1-INPUT (2 references) num target prot opt source destination 1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255 3 ACCEPT esp -- 0.0.0.0/0 0.0.0.0/0 4 ACCEPT ah -- 0.0.0.0/0 0.0.0.0/0 5 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353 6 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:631 7 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:631 8 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 9 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22 10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:80 11 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
# service iptables panic Flushing firewall rules: [ OK ] Setting chains to policy DROP: filter [ OK ]
# service iptables save Saving firewall rules to /etc/sysconfig/iptables: [ OK ]
Daemon
/sbin/iptables
Modules
nfnetlink ip_conntrack ip_conntrack_netbios_ns
Configuration
Configuration File
/etc/sysconfig/iptables - iptables rules /etc/sysconfig/iptables-config - iptables configuration
Example Configuration File
# cat /etc/sysconfig/iptables # Generated by iptables-save v1.4.7 on Wed Feb 3 12:54:50 2016 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [254737803:197953409382] -A INPUT -p tcp -m tcp --dport 162 -j ACCEPT -A INPUT -p udp -m udp --dport 162 -j ACCEPT -A INPUT -p tcp -m tcp --dport 14545 -j ACCEPT -A INPUT -p tcp -m tcp --dport 14161 -j ACCEPT -A INPUT -p tcp -m tcp --dport 5634 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT # Completed on Wed Feb 3 12:54:50 2016
Example of how to set up NAT with iptables
1. Delete existing rules from every iptables table
# iptables -F # iptables -t nat -F # iptables -t mangle -F
2. Enable NAT
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # iptables -A FORWARD -i eth1 -j ACCEPT
3. Save iptables rules
# service iptables save
Note: It is required to enable IP forwarding before set up NAT.
# echo 1 > /proc/sys/net/ipv4/ip_forward
Example of how to open specified port with iptables
1. To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
2. To allow all incoming web traffic, you could tell iptables to allow all TCP traffic on that port to come in
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
3. Save iptables rules
# service iptables save