Linux software firewall¶

Command Structure¶

   iptables -I OUTPUT -p tcp -s 192.168.0.1 --dport 2020 -j ACCEPT

The individual elements of the above commands are explained below

• iptables

  The command itself.

• -I

  Insert the new rule at the top of the chain.

  IPTables rules are read in sequentially, so the order the rules are in is very important. If the rule you’re adding doesn’t need to be the first, can you alternatively use -A to append it to the bottom of the chain or -I {CHAIN} {LINE NUMBER} to insert it at a particular line number.

• OUTPUT

  The chain name.

  There are 2 main chains that you’ll likely be interested in, INPUT and OUTPUT. Simply put, rules in INPUT affect inbound traffic and rules in OUTPUT affect outbound.

• -p

  The protocol that the rule relates to.

  Valid protocols are tcp, udp or icmp

• -s

  Source IP address that the rule pertains to.

  Can also be written longhand as --source or --src.

  Inversely, destination IP addresses can be specified with -d, --destination or --dst.

  Can also be given a range such as 192.168.0.0/24 or 192.168.0.0/255.255.255.0.

• --dport

  Destination port that the rule relates to.

  Can also be written as --destination-port.

  Alternatively, source port can be specified with --sport or --source-port.

  Ranges of ports can be specified with a :, for example 1096:2999.

• -j

  Chain to jump to when previous elements have been matched.

  Basic chains that can be used here are ACCEPT, DROP and REJECT.

  ACCEPT will accept packet, REJECT will deny packet and DROP will result in it being silently dropped.

List current rules¶

iptables -vnL

Blocking a port¶

iptables -I INPUT -p tcp --dport 6667 -j REJECT

Blocking an IP¶

iptables -I INPUT -p tcp -s 1.2.3.4 -j DROP

Blocking a port for a particular IP¶

iptables -I OUTPUT -p tcp -s 192.168.0.1 --dport 25 -j DROP