25 Most Commonly Used Linux iptables Rules Examples
At first glance, iptables rules may seem cryptic.
In this article, we have given 25 useful IPTables rules that you can copy/paste and use as needed.
These examples will serve as a basic template for us to adapt these rules to our specific requirements.
For ease of reference, all 25 iptables rules are also available in shell script format: iptables-rules
1. Delete existing rules
Before you start building a new ruleset, you may want to flush all the default and existing rules. Use the iptables flush command as shown below to do this. Note that -F only flushes the table it is run against (the filter table by default); the nat table used in examples 11 and 24 is flushed separately with iptables -t nat -F.
$ iptables -F
# (or)
$ iptables --flush
2. Set the default chain policy
The default chain policy is ACCEPT. Change the policy of the INPUT, FORWARD, and OUTPUT chains to DROP as shown below.
$ iptables -P INPUT DROP
$ iptables -P FORWARD DROP
$ iptables -P OUTPUT DROP
Because we set the default policy of both the INPUT and OUTPUT chains to DROP, each firewall requirement needs two rules: one for incoming and one for outgoing traffic.
All the examples below therefore define two rules for each scenario.
If you trust internal users, you can omit the last line above, so that outgoing packets are not dropped by default. In that case we only need one rule per requirement: the incoming rule, because all outgoing packets are accepted.
Note: If you don't know what a chain is, you should first familiarize yourself with the basics of IPTables.
3. Block specific IP addresses
Before we move on to other examples, if we want to block a specific IP address, we should do this first as shown below. Change the "x.x.x.x" in the following examples to the specific IP address we want to block.
BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
This is helpful when we find some strange activity from a specific IP address in our log files, and we want to temporarily block that IP address while we conduct further research.
We can also use one of the following variations. The first limits the block to traffic arriving on eth0; the second additionally limits it to TCP traffic from that IP address.
$ iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
$ iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
4. Allow all incoming SSH
The following rules allow all incoming ssh connections on the eth0 interface.
$ iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Note: If we want to understand exactly what each parameter means, we should read How to Add IPTables Firewall Rules.
5. Allow incoming SSH only from specific networks
The following rule allows incoming ssh connections only from the 192.168.100.X network.
$ iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
In the above example, we could have also used the full subnet mask instead of /24, that is, "192.168.100.0/255.255.255.0".
6. Allow incoming HTTP and HTTPS
The following rule allows all incoming web traffic. That is, HTTP traffic to port 80.
$ iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
The following rule allows all incoming secure web traffic. That is, HTTPS traffic to port 443.
$ iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
7. Use MultiPorts to combine multiple rules together
When we allow incoming connections from the outside world to multiple ports, instead of writing separate rules for each port, we can group them together using the multi-port extension as shown below.
The following example allows all incoming SSH, HTTP, and HTTPS traffic.
$ iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
8. Allow outgoing SSH
The following rules allow outgoing ssh connections, that is, when we ssh from an internal server to an external server.
$ iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Note that this is slightly different from the incoming rules: we allow the NEW and ESTABLISHED states on the OUTPUT chain and only the ESTABLISHED state on the INPUT chain. For the incoming rules it is the other way around.
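The direction rule just described applies to every stateful pair in examples 4 to 10. As an added example that is not part of the original article, this shell function prints the pair for one TCP service in either direction, putting NEW,ESTABLISHED on the chain that sees the first packet and ESTABLISHED only on the reply chain; the interface name eth0 and the sample ports are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): emit the stateful rule pair
# for one TCP service.  DIR is "in" (clients reach us) or "out" (we reach
# remote servers).  The chain that sees the first packet gets NEW,ESTABLISHED;
# the reply chain gets ESTABLISHED only, exactly as in examples 4 and 8.
# IFACE defaults to eth0 (assumption); NET is an optional -s/-d restriction.
tcp_service_rules() {   # usage: tcp_service_rules in|out PORT [NETWORK]
  dir=$1; port=$2; net=$3; iface=${IFACE:-eth0}
  case $port in
    ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
  esac
  case $dir in
    in)
      echo "iptables -A INPUT -i $iface -p tcp${net:+ -s $net} --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
      echo "iptables -A OUTPUT -o $iface -p tcp --sport $port -m state --state ESTABLISHED -j ACCEPT"
      ;;
    out)
      echo "iptables -A OUTPUT -o $iface -p tcp${net:+ -d $net} --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
      echo "iptables -A INPUT -i $iface -p tcp --sport $port -m state --state ESTABLISHED -j ACCEPT"
      ;;
    *) echo "dir must be in or out" >&2; return 1 ;;
  esac
}

# Dry run: print the rules (example 5 and example 10 of the article).
# Pipe the output into "sh" as root to apply them.
tcp_service_rules in 22 192.168.100.0/24
tcp_service_rules out 443
```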
9. Allow outgoing SSH only to specific networks
The following rules allow outgoing ssh connections only to a specific network, that is, from inside we can only connect to the 192.168.100.0/24 network.
$ iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
10. Allow outgoing HTTPS
The following rules allow outgoing secure web traffic. This is helpful when we want to allow internet access for our users. These rules are also useful when we want to use wget on the server to download files from outside.
$ iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
Note: For outgoing HTTP web traffic, add two additional rules as above and change 443 to 80.
11. Load Balancing Incoming Web Traffic
We can also use iptables firewall rules to load balance incoming web traffic.
This uses the iptables nth extension. The following example load balances HTTPS traffic to three different IP addresses: of every 3 new connections, each is sent to the corresponding server (using counter 0). The nth match came from the patch-o-matic extensions and is not part of current iptables releases, where the equivalent is the statistic match: -m statistic --mode nth --every 3 --packet 0. DNAT is only valid in the nat table, so the rules must be added with -t nat.
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
12. Allow ping from outside to inside
The following rules allow external users to be able to ping our server.
$ iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$ iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
13. Allow pinging from inside to outside
The following rules allow us to ping any external server from inside.
$ iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$ iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
14. Allow loopback access
We should allow full loopback access on the server, that is, access using 127.0.0.1.
$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A OUTPUT -o lo -j ACCEPT
15. Allow internal network to external network
On a firewall server with one Ethernet card connected to the outside and another connected to the internal servers, use the following rule to allow the internal network to communicate with the external network.
In this example eth1 is connected to the external network (internet) and eth0 is connected to the internal network (for example 192.168.1.x).
$ iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
16. Allow outbound DNS
The following rules allow outgoing DNS connections.
$ iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
$ iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
17. Allow NIS connections
If we are running NIS to manage user accounts, we should allow NIS connections. Even if SSH connections are allowed, users will not be able to log in if the NIS-related ypbind connections are not allowed.
NIS ports are dynamic, that is, ypbind allocates its ports when it starts.
First run rpcinfo -p as shown below and get the port numbers. In this example it uses ports 853 and 850.
$ rpcinfo -p | grep ypbind
Now allow incoming connections to port 111 and to the ports used by ypbind.
$ iptables -A INPUT -p tcp --dport 111 -j ACCEPT
$ iptables -A INPUT -p udp --dport 111 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 853 -j ACCEPT
$ iptables -A INPUT -p udp --dport 853 -j ACCEPT
$ iptables -A INPUT -p tcp --dport 850 -j ACCEPT
$ iptables -A INPUT -p udp --dport 850 -j ACCEPT
The above will not work when we restart ypbind, because it will then have different port numbers.
There are two solutions: 1) use a static ip-address for our NIS, or 2) use some clever shell scripting to automatically grab the dynamic port numbers from the rpcinfo -p output and use them in the iptables rules above.
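The second solution, as an added example that is not part of the original article: the functions below parse rpcinfo -p output and emit the rules from this section for whatever ports ypbind currently holds. RPCINFO_SAMPLE is constructed sample output in rpcinfo's column layout; on a real host pipe rpcinfo -p in instead.

```shell
#!/bin/sh
# Added example (not from the original article): derive the NIS rules from
# rpcinfo -p output instead of hard-coding the ports ypbind picked.
# RPCINFO_SAMPLE is constructed sample output in rpcinfo's column layout
# (program vers proto port service); in real use feed "rpcinfo -p" instead.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100007    2   udp    853  ypbind
    100007    1   udp    853  ypbind
    100007    2   tcp    850  ypbind
    100007    1   tcp    850  ypbind'

# Print the distinct port numbers a given RPC service is registered on.
rpc_ports() {   # usage: rpc_ports SERVICE < rpcinfo-output
  awk -v svc="$1" '$5 == svc && $4 ~ /^[0-9]+$/ { print $4 }' | sort -un
}

# Emit the ACCEPT rules for portmapper (111) and every ypbind port,
# for both tcp and udp, in the same form as the rules in this section.
nis_rules() {   # usage: nis_rules < rpcinfo-output
  for port in 111 $(rpc_ports ypbind); do
    for proto in tcp udp; do
      echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
    done
  done
}

# Dry run on the constructed sample.  On a real host, as root:
#   rpcinfo -p | nis_rules | sh
printf '%s\n' "$RPCINFO_SAMPLE" | nis_rules
```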
18. Allow Rsync from a specific network
The following rules allow rsync only from a specific network.
$ iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
19. Allow MySQL connections only from a specific network
If we are running MySQL, we usually do not want to allow direct connections from outside. In most cases we probably run the web server on the same server as the MySQL database.
However, DBAs and developers may need to log in to MySQL directly from their laptops and desktops using a MySQL client. In that case we may want to allow our internal network to talk to MySQL directly, as shown below.
$ iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
20. Allow Sendmail or Postfix traffic
The following rules allow mail traffic. It may be sendmail or postfix.
$ iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
21. Allow IMAP and IMAPS
The following rules allow IMAP/IMAP2 traffic.
$ iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
The following rules allow IMAPS traffic.
$ iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
22. Allow POP3 and POP3S
The following rules allow POP3 access.
$ iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
The following rules allow POP3S access.
$ iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
23. Prevent DoS attacks
The following iptables rule will help us prevent denial-of-service (DoS) attacks on our web server.
$ iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
In the above example:
- -m limit: this uses the limit iptables extension
- --limit 25/minute: this limits matching to at most 25 connections per minute. Change this value according to your specific requirements
- --limit-burst 100: this value indicates that the limit/minute is only enforced after the total number of connections reaches the limit-burst level. Connections beyond the limit do not match this rule and fall through to the rules after it, or to the chain's DROP policy
24. Port forwarding
The following example routes all traffic arriving on port 422 to port 22. This means incoming ssh connections can come in on both port 22 and port 422.
$ iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
If we do the above, we also need to explicitly allow incoming connections on port 422. Keep in mind that DNAT happens in PREROUTING, before the filter table sees the packet, so the INPUT chain observes these connections with destination port 22 and the SSH rule from example 4 must be present as well.
$ iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
25. Log dropped packets
We may also want to log all dropped packets. These rules should be at the bottom of the ruleset.
First, create a new chain called LOGGING.
$ iptables -N LOGGING
Next, make sure all remaining incoming packets jump to the LOGGING chain, as shown below.
$ iptables -A INPUT -j LOGGING
Next, log these packets, specifying a custom log prefix.
$ iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
Finally, drop these packets.
$ iptables -A LOGGING -j DROP
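The log prefix above is what makes the dropped packets easy to find afterwards. As an added example that is not part of the original article, this shell function pulls the LOG target's SRC, PROTO and DPT fields out of the kernel log and counts drops per source and port; LOG_SAMPLE is constructed syslog text in the kernel's field=value format, and the host name and addresses in it are made up.

```shell
#!/bin/sh
# Added example (not from the original article): summarise the lines the
# LOGGING chain's LOG target writes.  LOG_SAMPLE is constructed syslog text
# in the kernel LOG format (field=value pairs); on a real host read
# /var/log/kern.log or "journalctl -k" instead.  --log-level 7 is debug
# priority, so check where syslog routes kern.debug before relying on it.
LOG_SAMPLE='Mar 10 12:01:02 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=54000 DPT=23 SYN
Mar 10 12:01:03 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=54001 DPT=3389 SYN
Mar 10 12:01:05 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=5353 DPT=161
Mar 10 12:01:06 fw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=54002 DPT=23 SYN
Mar 10 12:01:07 fw sshd[812]: Accepted publickey for ops from 192.168.100.5 port 50022'
PREFIX="IPTables Packet Dropped: "   # must match --log-prefix in rule 25

# Count dropped packets per source address and destination port.
# Output lines: "<count> <src> <proto>/<dport>", most frequent first.
drop_summary() {   # usage: drop_summary < logfile
  grep -F -- "$PREFIX" | awk '
  {
    src = proto = dpt = ""
    for (i = 1; i <= NF; i++) {          # scan the field=value tokens
      split($i, kv, "=")
      if (kv[1] == "SRC") src = kv[2]
      else if (kv[1] == "PROTO") proto = kv[2]
      else if (kv[1] == "DPT") dpt = kv[2]
    }
    if (src != "") n[src " " proto "/" dpt]++
  }
  END { for (k in n) print n[k], k }' | sort -rn
}

# Run over the constructed sample; the unrelated sshd line is ignored.
printf '%s\n' "$LOG_SAMPLE" | drop_summary
```

A source that keeps showing up here is a candidate for the temporary block in example 3.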