Learn the configuration of iptables policies in Linux. Know how to add, delete, save Linux native firewall rules in iptables.
In our last article about iptables, we have seen the basics of iptables, iptables chains, and chain policy strategy. In this article we will walk through how to define iptables policies.
Defining iptables policies means allowing or blocking connections based on their direction of travel (incoming, outgoing or forward), IP address, range of IP addresses, and ports. Rules are scanned in order for all connections until iptables gets a match. Hence you need to decide and accordingly define rule numerically so that it gets match first or later than other rules.
In newer versions like RHEL7, the firewall is still powered by iptables only the management part is being handled by a new daemon called
iptables is the command you need to use to define policies. With below switches –
- -A: To append rule in an existing chain
- -s: Source
- -p: Protocol
- –dport: service port
- -j : action to be taken
Lets start with examples with commands.
Block/Allow single IP address
To block or allow a single IP address follow below command where we are adding a rule
-A to input chain (
INPUT) for blocking (
# iptables -A INPUT -s 172.31.1.122 -j REJECT # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination REJECT all -- ip-172-31-1-122 anywhere reject-with icmp-port-unreachable ----- output clipped -----
In the above command we are blocking incoming connections from IP 172.31.1.122. If you see the output of rules listing, you can see our rule is defined properly in iptables. Since we didn’t mention protocol, all protocols are rejected in the rule.
Here chain can be any of the three: input (incoming connection), output (outgoing connection), or forward (forwarding connection). Also, action can be accepted, reject, or drop.
Block/Allow single IP address range
Same as single IP address, whole address range can be defined in rule too. The above command can be used only instead of IP address you need to define range there.
# iptables -A INPUT -s 172.31.1.122/22 -j REJECT # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination REJECT all -- 172.31.0.0/22 anywhere reject-with icmp-port-unreachable # iptables -A INPUT -s 172.31.1.122/255.255.254.0 -j REJECT # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination REJECT all -- 172.31.0.0/22 anywhere reject-with icmp-port-unreachable REJECT all -- 172.31.0.0/23 anywhere reject-with icmp-port-unreachable
I have shown two different notation types to define the IP address range/subnet. But if you observe while displaying rules iptables shows you in /X notation only.
Again action and chain can be any of the three of their types as explained in the previous part.
Block/Allow specific port
Now, if you want to allow/block specific port then you need to specify protocol and port as shown below :
# iptables -A INPUT -p tcp --dport telnet -s 172.31.1.122 -j DROP # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- 172.31.1.122 anywhere tcp dpt:telnet
Here in this example we blocked the telnet port using TCP protocol from specified source IP. You can choose the chain and action of your choice depending on which rule you want to configure.
Saving iptables policies
All the configuration done above is not permanent and will be washed away when iptable services restarted or server reboots. To make all these configured rules permanent you need to write these rules. This can be done by supplying save argument to iptables service (not command!)
# /sbin/service iptables save iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
You can also use
If you open up
/etc/sysconfig/iptables file you will see all your rules saved there.
# cat /etc/sysconfig/iptables # Generated by iptables-save v1.4.7 on Tue Jun 13 01:06:01 2017 *filter :INPUT ACCEPT [32:2576] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [48:6358] -A INPUT -s 172.31.1.122/32 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 172.31.0.0/22 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 172.31.0.0/23 -j REJECT --reject-with icmp-port-unreachable -A INPUT -s 172.31.1.122/32 -p tcp -m tcp --dport 23 -j DROP COMMIT # Completed on Tue Jun 13 01:06:01 2017
Deleting rule in iptables
We have seen how to add a rule, how to delete the existing rules. You can use the same commands used above only change is to add
-D switch instead of
# iptables -D INPUT -s 172.31.1.122 -j REJECT
The above command will remove the very first rule we added in iptables in this post.
Also, if you haven’t saved your iptables you can flush all currently configured rules by using
# iptables -F