Chain, a set of rules

Target, matched package

• ACCEPT
• DROP
• RETURN, skip the current chain and go back to the next rule from the chain

Filter

• INPUT, incoming packages
• FORWARD, imcoming packages but forwarded somewhere else
• OUTPUT, going out packages

Check status

• sudo iptables -L -v, all three chains are set to default ACCEPT

Define rules

• sudo iptables -A -i <interface> -p <protocol (tcp/udp) > -s <source> --dport <port no.> -j <target>
  • -A, append
  • -i, interface
  • -p, protocol
  • -s, ip sources
  • --dport, port numbers, such as, HTTP (port 80), https (port 443), ssh (port 22)
  • -j, target, ACCEPT, DROP, and RETURN
• sudo iptables -A INPUT -s 192.168.1.3 -j DROP, drop packets from a specific IP address
• sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP, drop packets from a range of IP addresses
• sudo iptables -A INPUT -j DROP, DROP all other traffic after defining the rules as it prevents unauthorized access to a server from other open ports
• sudo iptables -F, remove all rules
• sudo iptables -L --line-numbers, list rules
• sudo iptables -D INPUT 3, remove a specific rule

Persisting changes

• sudo /sbin/iptables-save, saves current rules to system configuration file which is used to reconfigure the tables at the time of reboot

iptables tutorial