iptables
iptables-persistent, netfilter-persistent
Basic options
There are a few basic concepts within iptables:
Tables
Each table has its own set of chains. The chains of the filter table are listed below (the other tables' chains are elided here), and chains are discussed further in a later section.
filter (default)
INPUT
FORWARD
OUTPUT
nat
...
mangle
...
raw
...
Chain
INPUT
FORWARD
OUTPUT
Target
ACCEPT
DROP
REJECT
Basic flag options
-A OR --append
-I OR --insert
-D OR --delete
-t OR --table
-L OR --list
-p OR --protocol
-P OR --policy
-j OR --jump
-s OR --source
-d OR --destination
--sport OR --source-port (only valid together with -p tcp or -p udp)
--dport OR --destination-port (only valid together with -p tcp or -p udp)
Add/insert rules examples
Add an INPUT rule to DROP all traffic regardless of the protocol, destination port, source address, or any other parameters. A chain is evaluated top to bottom and the first matching rule wins, so a catch-all DROP appended with -A sits last; if no rule above it accepts your SSH session, running this over SSH locks you out.
$ sudo iptables -A INPUT -j DROP
Add an INPUT rule to DROP all SSH traffic (TCP port 22)
$ sudo iptables -A INPUT -p tcp --dport 22 -j DROP
An additional rule can be added to allow SSH traffic from a source address range. Note that the -I flag is used instead of -A, to insert the new rule at the top of the chain (position 1) rather than append it at the end. Because the first matching rule in a chain wins, this lets the new rule take precedence over the previously defined rules for matching traffic.
$ sudo iptables -I INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
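The three rules above, written out as one complete filter table in the iptables-save/iptables-restore syntax that iptables-persistent loads from /etc/iptables/rules.v4. This is an added example, not code from the original notes. It keeps the notes' admin range 192.168.1.0/24 and goes slightly beyond the notes by placing, above the catch-all DROP, the two ACCEPT rules a practitioner wants there (loopback, and established/related connections via the conntrack match) so that local services and replies to outbound connections keep working. The script name, the "apply" argument and the helper names are assumptions made for this example.

```sh
#!/bin/sh
# gen-rules.sh (added example, not from the original notes): build the filter
# table of an iptables-restore file so that first-match evaluation does what
# we intend. Assumed values: admin range 192.168.1.0/24 (from the notes),
# SSH on TCP/22; both can be overridden through the environment.
set -eu

ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # assumed admin range
SSH_PORT="${SSH_PORT:-22}"                  # assumed SSH port

# gen_rules_v4 ADMIN_NET SSH_PORT
# Print the filter table in iptables-save/iptables-restore syntax, the format
# iptables-persistent reads from /etc/iptables/rules.v4. Order matters: the
# chain is evaluated top to bottom and the first match wins, so the ACCEPT
# rules must precede the DROP rules for the same traffic.
gen_rules_v4() {
    admin_net="$1"
    ssh_port="$2"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_net} -j ACCEPT
-A INPUT -p tcp --dport ${ssh_port} -j DROP
-A INPUT -j DROP
COMMIT
EOF
}
# The explicit SSH DROP is redundant next to the catch-all DROP; it is kept
# only to mirror the notes' second rule.

# first_match_line FILE PATTERN
# Line number of the first rule containing PATTERN (fixed string), or empty.
# Useful to confirm that the admin ACCEPT sits above the DROP for that port.
first_match_line() {
    grep -n -F -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# Usage:  ./gen-rules.sh          -> print the rule set
#         ./gen-rules.sh apply    -> as root, parse-check it, then load it
if [ "${1:-}" = "apply" ]; then
    tmp="$(mktemp)"
    gen_rules_v4 "$ADMIN_NET" "$SSH_PORT" > "$tmp"
    iptables-restore --test < "$tmp"   # parse and build only, commit nothing
    iptables-restore < "$tmp"          # replace the filter table in one step
    rm -f "$tmp"
else
    gen_rules_v4 "$ADMIN_NET" "$SSH_PORT"
fi
```

Run without arguments to print the rule set and inspect it; as root, `./gen-rules.sh apply` runs it through `iptables-restore --test` first and only then loads it. Since iptables-restore loads the whole table from the file, the order of lines in the file, not the order in which -A and -I were typed interactively, is what ends up in the kernel, which makes the file the easier place to review precedence.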
View the rules (the filter table by default; add -t to list another table)
$ sudo iptables -L
$ sudo iptables --list
Persistent rules with iptables-persistent
Install iptables-persistent
$ sudo apt install iptables-persistent
Update the rules with the iptables command, then save them to the rules file /etc/iptables/rules.v4 (for IPv4). IPv6 is filtered separately: ip6tables rules are saved the same way, with ip6tables-save, to /etc/iptables/rules.v6.
$ sudo iptables-save | sudo tee /etc/iptables/rules.v4
Persistent rules with netfilter-persistent
All the same steps as above for iptables-persistent, with some additional steps:
Install netfilter-persistent and iptables-persistent. iptables-persistent is a plugin for netfilter-persistent and depends on it, so installing it pulls netfilter-persistent in. During installation, iptables-persistent asks (via a debconf prompt) whether to save the current rules; answering yes writes the running rules to /etc/iptables/rules.v4 (and the IPv6 rules to /etc/iptables/rules.v6).
$ sudo apt install netfilter-persistent
$ sudo apt install iptables-persistent
Enable netfilter-persistent service
$ sudo systemctl enable netfilter-persistent
Check to ensure that it is enabled. It doesn't matter if it's not running yet, as it will be started on reboot as long as it's enabled.
$ sudo systemctl status netfilter-persistent
Verify if the rules have been added to the configuration file: /etc/iptables/rules.v4
$ sudo cat /etc/iptables/rules.v4
Otherwise, manually add the rules using the iptables-save tool
$ sudo iptables-save | sudo tee /etc/iptables/rules.v4
The iptables-save tool prints the current rules of all tables to stdout, in the format that iptables-restore (and therefore netfilter-persistent) loads
$ sudo iptables-save
...
...
...
Reboot the system
$ reboot
Check iptables rule
$ sudo iptables --list
$ sudo iptables -L
The iptables rules should persist from the previous configurations.
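For both persistence procedures above (iptables-persistent and netfilter-persistent), the check worth running before a reboot is whether /etc/iptables/rules.v4 still matches the live rule set: any rule added with iptables after the last iptables-save | tee is silently lost on reboot. The script below is an added example, not code from the original notes or from the netfilter-persistent project. normalize_rules strips the parts of iptables-save output that legitimately differ between the file and a fresh dump (the "# Generated by" / "# Completed on" comment lines and the per-chain [packets:bytes] counters), and rules_in_sync diffs what remains. The sample dumps are constructed for the example; the script name and function names are assumptions.

```sh
#!/bin/sh
# check-rules-sync.sh (added example, not from the original notes): report
# whether a saved iptables rules file still matches the running rule set.
set -eu

# normalize_rules FILE
# Print FILE (iptables-save syntax) without comment lines and without the
# per-chain [packets:bytes] counters, so two dumps of the same rules compare
# equal even though timestamps and counters differ.
normalize_rules() {
    grep -v '^#' "$1" | sed -E 's/ \[[0-9]+:[0-9]+\]$//'
}

# rules_in_sync SAVED_FILE LIVE_FILE
# Return 0 if the normalized rule sets are identical, 1 otherwise; on a
# mismatch the unified diff (saved vs. live) is printed.
rules_in_sync() {
    saved_n="$(mktemp)"
    live_n="$(mktemp)"
    normalize_rules "$1" > "$saved_n"
    normalize_rules "$2" > "$live_n"
    if diff -u "$saved_n" "$live_n"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$saved_n" "$live_n"
    return "$rc"
}

# Constructed sample dumps for a stand-alone run (not captured from a host).
sample_saved() {
    cat <<'EOF'
# Generated by iptables-save v1.8.7 on Mon Jan  1 00:00:00 2024
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -j DROP
COMMIT
# Completed on Mon Jan  1 00:00:00 2024
EOF
}

# The same rules as a later live dump would show: new timestamp, counters moved.
sample_live() {
    sample_saved | sed -e 's/00:00:00 2024/09:30:12 2024/' \
                       -e 's/:INPUT ACCEPT \[0:0\]/:INPUT ACCEPT [5123:401233]/'
}

# A live dump with one rule added via iptables but never saved to the file.
sample_stale_live() {
    sample_live | awk '/^-A INPUT -j DROP$/ { print "-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT" } { print }'
}

# Usage (as root): ./check-rules-sync.sh /etc/iptables/rules.v4
# Exits non-zero and prints the differences if the file is stale.
# Without an argument, demonstrates the check on the constructed samples.
if [ -n "${1:-}" ]; then
    live="$(mktemp)"
    iptables-save > "$live"            # needs root
    if rules_in_sync "$1" "$live"; then rc=0; else rc=1; fi
    rm -f "$live"
    exit "$rc"
else
    s="$(mktemp)"; l="$(mktemp)"; st="$(mktemp)"
    sample_saved > "$s"; sample_live > "$l"; sample_stale_live > "$st"
    echo "saved vs. live (same rules):"
    if rules_in_sync "$s" "$l"; then echo "in sync"; else echo "STALE"; fi
    echo "saved vs. live (unsaved rule added):"
    if rules_in_sync "$s" "$st"; then echo "in sync"; else echo "STALE"; fi
    rm -f "$s" "$l" "$st"
fi
```

Running the script as root with the path to rules.v4 is the pre-reboot check; a non-zero exit means the file needs a fresh `iptables-save | tee /etc/iptables/rules.v4`. Counters and comment lines are the only things stripped, so a rule that was added, removed or reordered shows up in the diff.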
Example use case