Introduction
The firewall is an essential security layer on any Linux server. iptables is the traditional tool for defining packet-filtering rules at the kernel level. Although nftables has been gaining ground, iptables is still widely used, and understanding how it works is essential for system administrators.
What is iptables?
iptables is the userspace front end for Netfilter, the Linux kernel's packet-filter subsystem. It works with tables and chains: each table contains a set of chains (INPUT, OUTPUT, FORWARD, etc.) in which packets are evaluated against the rules defined there.
Basic syntax
The general format of a rule is:
iptables [-t tabla] cadena coincidencia -j acción
- -t tabla (table): specifies the table (default: filter). Other useful tables are nat and mangle.
- cadena (chain): the chain in which the rule is inserted (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING).
- coincidencia (match): match criteria such as protocol, port, IP address, connection state, etc.
- -j acción (target): the jump to a target (ACCEPT, DROP, REJECT, LOG, etc.).
Default policies
Before adding specific rules, it is advisable to set a default policy. For example, for a server that should accept only the incoming connections it needs:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
With this, all incoming traffic is dropped by default and only what is explicitly permitted passes.
Common example rules
Allow SSH traffic (port 22)
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow HTTP and HTTPS
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Block a specific IP address
iptables -A INPUT -s 203.0.113.5 -j DROP
Rate-limit new connections (anti-flood)
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 5 -j ACCEPT
Note that this rule only has an effect if it comes before a rule that already accepts all NEW connections on port 22 (such as the SSH rule above); otherwise the earlier rule matches first and the limit is never evaluated.
Save and restore rules
iptables rules are volatile: they are lost when the system reboots. To make them persistent:
- On Debian / Ubuntu: apt-get install iptables-persistent and then netfilter-persistent save.
- On RHEL / CentOS: service iptables save or iptables-save > /etc/sysconfig/iptables.
- Reload at boot: iptables-restore < /etc/sysconfig/iptables.
Verification and troubleshooting
To list the active rules:
iptables -L -v -n
If traffic does not behave as you expect, check the order of the rules (the first match wins and stops evaluation) and make sure there is no DROP rule placed before the permissive ones.
Best practices
- Document each rule with a comment using -m comment --comment "texto".
- Group related rules in custom chains for greater clarity.
- Check the log regularly (LOG target) to detect unauthorized access attempts.
- Combine iptables with tools like fail2ban to automatically block IPs after repeated failures.
- Test changes in a staging environment before applying them to production.
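The following script ties the ordering point from the troubleshooting section and the best practices above together: it generates a complete ruleset in iptables-restore format (the format produced by iptables-save), with the explicit block placed before any ACCEPT, new SSH connections handed to a custom rate-limiting chain, comments on rules, and a LOG of dropped excess. It is an added example, not code from the original article; the chain name SSH_LIMIT, the log prefix and the check_order helper are our own choices, while 203.0.113.5 and the ports are the values used in the article.

```shell
#!/bin/sh
# Constructed example: emit a ruleset for iptables-restore (filter table only).
build_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_LIMIT - [0:0]
# Order matters: the first matching rule wins, so the explicit block goes before any ACCEPT.
-A INPUT -s 203.0.113.5 -m comment --comment "blocked host" -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# New SSH connections are sent to a custom chain that rate-limits them (our own chain name).
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_LIMIT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m comment --comment "web" -j ACCEPT
# Average 3 new SSH connections per minute with a burst of 5; the excess is logged (itself limited) and dropped.
-A SSH_LIMIT -m limit --limit 3/min --limit-burst 5 -m comment --comment "ssh new connections" -j ACCEPT
-A SSH_LIMIT -m limit --limit 1/min -j LOG --log-prefix "SSH-FLOOD: "
-A SSH_LIMIT -j DROP
COMMIT
EOF
}

# Sanity check on ordering: succeeds (exit 0) only if every source-address DROP in INPUT
# appears before the first INPUT ACCEPT, i.e. the block cannot be shadowed by a permissive rule.
check_order() {
  build_ruleset | awk '
    /^-A INPUT / && /-j ACCEPT/ && !seen_accept { seen_accept = NR }
    /^-A INPUT -s / && /-j DROP/ && seen_accept && NR > seen_accept { bad = 1 }
    END { exit bad }'
}

# Usage (as root): sh rules.sh print > /etc/iptables/rules.v4 && iptables-restore --test /etc/iptables/rules.v4
if [ "${1:-}" = "print" ]; then
  build_ruleset
fi
```

iptables-restore --test checks the file without loading it, so the ordering and syntax can be validated before the rules go live.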
Conclusion
iptables remains a powerful and flexible tool for managing the firewall on Linux. Mastering its syntax, understanding the flow through the chains and applying rules with care can effectively protect any server. Although the future points to nftables, knowledge of iptables remains valuable in many environments and is a solid basis for learning newer filtering systems.