Configuration of iptables policies

Learn the configuration of iptables policies in Linux: how to add, delete, and save rules for the native Linux firewall, iptables.

Configuring iptables policies in Linux

In our last article about iptables, we covered the basics of iptables, its chains, and chain policy strategy. In this article we will walk through how to define iptables policies.

Defining iptables policies means allowing or blocking connections based on their direction of travel (incoming, outgoing or forwarded), IP address, range of IP addresses, and ports. For each connection, the rules in a chain are evaluated in order until iptables finds a match. Hence you need to decide where in the chain each rule belongs, so that it is matched before or after the other rules as intended.

In newer versions such as RHEL 7, the firewall is still powered by iptables; only the management part is handled by a new daemon called firewalld.

iptables is the command used to define policies, with the switches below:

  • -A: append a rule to an existing chain
  • -s: source address
  • -p: protocol
  • --dport: destination (service) port
  • -j: action (target) to be taken

Let's start with some examples.

Block/Allow single IP address

To block or allow a single IP address, use the command below, where we append a rule (-A) to the input chain (INPUT) that blocks the source (-j REJECT).

# iptables -A INPUT -s 172.31.1.122 -j REJECT

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  ip-172-31-1-122  anywhere            reject-with icmp-port-unreachable

----- output clipped -----

In the above command we are blocking incoming connections from IP 172.31.1.122. In the rule listing you can see that our rule is defined properly in iptables. Since we didn't specify a protocol, the rule rejects all protocols.

Here the chain can be any of the three: INPUT (incoming connections), OUTPUT (outgoing connections), or FORWARD (forwarded connections). Likewise, the action (target) can be ACCEPT, REJECT, or DROP.

Block/Allow an IP address range

Just like a single IP address, a whole address range can be specified in a rule. The same command is used; only the single IP address is replaced with a range.

# iptables -A INPUT -s 172.31.1.122/22 -j REJECT

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  172.31.0.0/22        anywhere            reject-with icmp-port-unreachable

# iptables -A INPUT -s 172.31.1.122/255.255.254.0 -j REJECT

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  172.31.0.0/22        anywhere            reject-with icmp-port-unreachable
REJECT     all  --  172.31.0.0/23        anywhere            reject-with icmp-port-unreachable

I have shown two different notations for specifying the IP address range/subnet. But if you look at the rule listing, iptables shows the range in /X (CIDR prefix) notation only.
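To check in advance how iptables will normalise a source specification, here is a small POSIX sh helper (an added example, not from the original post) that converts either a prefix length or a dotted netmask into the network/prefix form shown in the listing above. A mis-sized mask silently widens or narrows the blocked range, so it is worth computing before the rule goes in.

```sh
#!/bin/sh
# Added example: reproduce how iptables normalises "-s addr/mask" into the network/prefix form printed by "iptables -L".

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

# 32-bit integer -> dotted-quad IPv4 address.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Dotted netmask (255.255.254.0) -> prefix length (23), counting leading 1 bits.
mask_to_prefix() {
    mp_m=$(ip_to_int "$1")
    mp_n=0
    while [ "$mp_n" -lt 32 ] && [ $(( (mp_m >> (31 - mp_n)) & 1 )) -eq 1 ]; do
        mp_n=$(( mp_n + 1 ))
    done
    echo "$mp_n"
}

# "addr", "addr/prefix" or "addr/dotted-mask" -> "network/prefix", the form
# iptables displays (host bits are cleared, a bare address becomes /32).
normalize_cidr() {
    nc_addr=${1%%/*}
    nc_mask=${1#*/}
    if [ "$nc_mask" = "$1" ]; then nc_mask=32; fi   # no slash: single host
    case $nc_mask in
        *.*) nc_prefix=$(mask_to_prefix "$nc_mask") ;;
        *)   nc_prefix=$nc_mask ;;
    esac
    if [ "$nc_prefix" -eq 0 ]; then
        nc_netmask=0
    else
        nc_netmask=$(( (0xFFFFFFFF << (32 - nc_prefix)) & 0xFFFFFFFF ))
    fi
    nc_net=$(( $(ip_to_int "$nc_addr") & nc_netmask ))
    echo "$(int_to_ip "$nc_net")/$nc_prefix"
}

# The three source specifications used in this post.
for spec in 172.31.1.122 172.31.1.122/22 172.31.1.122/255.255.254.0; do
    printf '%-28s -> %s\n' "$spec" "$(normalize_cidr "$spec")"
done
```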

Again, the action and chain can be any of the three types explained in the previous part.

Block/Allow a specific port

Now, if you want to allow or block a specific port, you need to specify both the protocol and the port, as shown below:

# iptables -A INPUT -p tcp --dport telnet -s 172.31.1.122 -j DROP

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  172.31.1.122         anywhere            tcp dpt:telnet

In this example we blocked the telnet port over TCP from the specified source IP. You can choose the chain and action depending on which rule you want to configure.

Saving iptables policies

All the configuration done above is not permanent and will be lost when the iptables service is restarted or the server reboots. To make the configured rules permanent, you need to write them to disk. This is done by supplying the save argument to the iptables service (not the iptables command!):

# /sbin/service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

You can also use the iptables-save command, which prints the current rules to standard output in the same format so they can be redirected to a file.

If you open the /etc/sysconfig/iptables file, you will see all your rules saved there.

# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Jun 13 01:06:01 2017
*filter
:INPUT ACCEPT [32:2576]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48:6358]
-A INPUT -s 172.31.1.122/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 172.31.0.0/22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 172.31.0.0/23 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 172.31.1.122/32 -p tcp -m tcp --dport 23 -j DROP
COMMIT
# Completed on Tue Jun 13 01:06:01 2017
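The order in which those rules were appended matters: the first rule already rejects everything from 172.31.1.122/32, so the later TCP/23 DROP for the same host can never match. As an added example (not part of the original post), this POSIX sh script reads a saved-rules file in the format above, here a constructed sample modelled on that dump, and reports rules whose exact source is already covered by an earlier all-protocol terminating rule in the same chain.

```sh
#!/bin/sh
# Added example: spot rules in an iptables-save dump that can never match because an earlier rule already decides the same source.

# Constructed sample modelled on /etc/sysconfig/iptables from this post.
RULES_FILE=$(mktemp)
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 172.31.1.122/32 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 172.31.0.0/22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 172.31.1.122/32 -p tcp -m tcp --dport 23 -j DROP
-A INPUT -s 10.0.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF

# Usage: find_shadowed_rules FILE
# Prints one line per rule whose -s value is identical to that of an earlier rule in the
# same chain that has no -p restriction and a terminating target (ACCEPT/REJECT/DROP).
# Limits: exact source match only (an enclosing range such as the /22 above also shadows
# but is not detected); negated matches ("! -s") and other match extensions are ignored.
find_shadowed_rules() {
    fs_file=$1
    fs_seen=""                 # entries: chain,src,rule_no
    fs_prev_chain=""; fs_no=0  # iptables-save groups rules per chain, so reset per chain
    while read -r fs_line; do
        case $fs_line in -A*) ;; *) continue ;; esac
        set -- $fs_line
        fs_chain=$2; fs_src=""; fs_proto=""; fs_target=""; shift 2
        while [ $# -gt 0 ]; do
            case $1 in
                -s) fs_src=$2; shift ;;
                -p) fs_proto=$2; shift ;;
                -j) fs_target=$2; shift ;;
            esac
            shift
        done
        if [ "$fs_chain" != "$fs_prev_chain" ]; then fs_no=0; fs_prev_chain=$fs_chain; fi
        fs_no=$(( fs_no + 1 ))
        for fs_e in $fs_seen; do
            case $fs_e in
                "$fs_chain,$fs_src,"*)
                    echo "$fs_chain rule $fs_no ($fs_src -> $fs_target) shadowed by rule ${fs_e##*,}" ;;
            esac
        done
        if [ -z "$fs_proto" ] && [ -n "$fs_src" ]; then
            case $fs_target in ACCEPT|REJECT|DROP) fs_seen="$fs_seen $fs_chain,$fs_src,$fs_no" ;; esac
        fi
    done < "$fs_file"
}

find_shadowed_rules "$RULES_FILE"
```

A flagged rule is a candidate for removal with -D, or for moving ahead of the broader rule if it was meant to take precedence.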

Deleting rule in iptables

We have seen how to add a rule; now let's see how to delete an existing rule. Use the same command as above; the only change is the -D switch instead of -A.

# iptables -D INPUT -s 172.31.1.122 -j REJECT

The above command will remove the very first rule we added in iptables in this post.

Also, if you haven't saved your iptables rules yet, you can flush all currently configured rules with -F.

# iptables -F