Knowledgebase: VPS Hosting
Working with IPTables
Posted by Noble M on 30 June 2014 10:08 AM

Linux servers comes with a host based firewall called Netfilter. This firewall is controlled by a program called IPTables. Netfilter filtering takes place at the kernel level, before a program can even process the data from the network packet.

Where do I find the iptable configuration file?

Over here: /etc/sysconfig/iptables-config

The rules for iptables are added in the file /etc/sysconfig/iptables.

We’d recommend you to save the firewall rules before making any changes to the rules. Just run the command and you’re good to go:

iptables-save > /root/rule_1.fw


If you’d like to restore the firewall rule file, run the command given below:

iptables-restore < /root/rule_1.fw



How to Stop, Start or Restart firewall?

Its easy. Just run the command given below for each action:


service iptables stop

service iptables start

service iptables restart


Note:To automatically save the rules while stopping or restarting the service, open the file /etc/sysconfig/iptables-config and change the following parameters to YES.






How to save the iptable rules to /etc/sysconfig/iptables file?

Run the command: /etc/init.d/iptables save


How to restore the rules from /etc/sysconfig/iptables file?

Run the command: /etc/init.d/iptables start


Basic concepts of IPTables:

1. Tables: IPTables have 4 built-in tables.

1.1. Filter: This is the default table. It contains built-in chains INPUT, FORWARD and OUTPUT.

1.2. NAT: It is used for network address translation (e.g. port forwarding).  It consists of three built-in chains: PREROUTING, OUTPUT and POSTROUTING.

1.3. Mangle: It is used for specialized packet alteration. since Kernel 2.4.18, it supports INPUT, FORWARD and POSTROUTING.

1.4. Raw: This table is used mainly for configuring exemptions from connection tracking in combination with the NOTRACK target. It provides the following built-in chains: PREROUTING and OUTPUT.


2. IPTables chains:

2.1. INPUT: The default chain is used for packets addressed to the system. Use this to open or close incoming ports and ip addresses / subnets.

2.2. OUTPUT: The default chain is used when packets are generating from the system. Use this open or close outgoing ports and ip addresses / subnets.

2.3. FORWARD: The default chains is used when packets send through another interface. Usually used when you setup Linux as router.

2.4. PREROUTING: It is manipulating packets before they are routed.

2.5. POSTROUTING: It is for manipulating packets after they are routed.

3. Target Values:

3.1. ACCEPT: Accepts the packet.

3.2. DROP: Drop the packet and do not send an error message to remote host.

3.3. REJECT: Drop the packet and send an error message to remote host.


4. Packet Matching Rules:

4.1. Each packet starts at the first rule in the chain .

4.2. A packet proceeds until it matches a rule.

4.3. If a match found, then control will jump to the specified target (such as REJECT, ACCEPT, DROP).

Basic Usage Commands:

--append -A chain // Append to chain

--delete  -D chain  // Delete matching rule from chain

--delete  -D chain rulenum // Delete rule rulenum (1 = first) from chain

--insert  -I chain [rulenum] // Insert in chain as rulenum (default 1=first)

--replace -R chain rulenum // Replace rule rulenum (1 = first) in chain

--list  -L [chain]  // List the rules in a chain or all chains

--flush   -F [chain] //Delete all rules in  chain or all chains

--zero-Z [chain] //  Zero counters in chain or all chains

--new-N chain  // Create a new user-defined chain

--delete-chain -X [chain] //  Delete a user-defined chain

--policy  -P chain target // Change policy on chain to target

--rename-chain -E old-chain new-chain // Rename the user specified chain to the user supplied name.

--numeric-n  // IP addresses and port numbers will be printed in numeric format. By default, the program will try to display them as host names, network names, or services.

--verbose -v // Verbose output.


Basic operations using IPTables:

1. Change the default target of a chain:

By default, IPTables rule will have ACCEPT or DROP as the default policy. If the target value is ACCEPT, by default firewall will allow all the traffic. If it’s DROP, all the traffic to the server will be blocked.

For example:



:INPUT ACCEPT [531:91893]


:OUTPUT ACCEPT [617:118476]


The above rules implies that the default policy is ACCEPT. To change the default policy, open the file "/etc/sysconfig/iptables" and change the default policy to DROP from ACCEPT for the INPUT and FORWARD built-in chains.



:INPUT DROP [531:91893]




2. List the IPTables rule:

iptables -nL -v


Chain INPUT (policy ACCEPT 964 packets, 158K bytes)

pkts bytes target prot opt in out source           destination

1574  232K cP-Firewall-1-INPUT  all  --  *  *

1293  214K acctboth   all  --  *  *



3. List the default rules with line number:

iptables -nL --line-number


Chain INPUT (policy ACCEPT)

num  target prot opt source           destination

1cP-Firewall-1-INPUT  all  --

2acctboth   all  --



4. To list the default rules of a particular chain:

iptables -nL [chain name]


iptables -nL INPUT

Chain INPUT (policy ACCEPT)

target prot opt source           destination

cP-Firewall-1-INPUT  all  --

acctboth   all  --



5. Delete a firewall rule:

5.1. List the rules with line number:

iptables -L INPUT -n --line-numbers

5.2. You will get the list of IP. Look at the number on the left, then use number to delete it. For example delete line number 4, enter:

iptables -D INPUT 4

5.3. Find source IP and delete from rule:

iptables -D INPUT -s -j DROP


6. Whitelist an IP address:



iptables -A INPUT -s  -j ACCEPT



7. Block an IP address:

iptables -A [CHAIN] -s [SOURCE IP ADDRESS]  -j DROP


iptables -A INPUT -s -j DROP



8. Open a port on the server:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport [PORT NUMBER] -j ACCEPT


iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 993 -j ACCEPT


NOTE: Replace ACCEPT with DROP to block the connections.


9. Blocking incoming/outgoing connections:

9.1. Block all  requests on a port:

iptables -A INPUT -p tcp --dport  [PORT NUMBER] -j DROP

For example:: Block all requests to port 80.


iptables -A INPUT -p tcp --dport 80 -j DROP



9.2. Block a request from a single IP address:

For example:: Block port 80 request from a particular IP address.


iptables -A INPUT -p tcp -s --dport 80 -j DROP



9.3. Block outgoing connection to a single IP address:



iptables -A OUTPUT -d -j DROP



10. Open a range of IP address:

iptables -A INPUT -p tcp  -m iprange --src-range [RANGE OF ip ADDRESS] -j ACCEPT


iptables -A INPUT -p tcp  -m iprange --src-range -j ACCEPT



10.1. Open a port for a range of IP address:

iptables -A INPUT -p tcp --destination-port [PORT NUMBER] -m iprange --src-range [RANGE OF ip ADDRESS] -j ACCEPT


iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range -j ACCEPT


NOTE: Replace ACCEPT with DROP to block the connections.


(0 vote(s))
This article was helpful
This article was not helpful