My Board
How to Install and Use Iptables Linux Firewall - Printable Version

+- My Board (https://ellohost.com/forum)
+-- Forum: Tutoriel EN (https://ellohost.com/forum/forumdisplay.php?fid=8)
+--- Forum: Others (https://ellohost.com/forum/forumdisplay.php?fid=20)
+--- Thread: How to Install and Use Iptables Linux Firewall (/showthread.php?tid=136)

How to Install and Use Iptables Linux Firewall - aaron - 08-12-2023


How to Install and Use Iptables Linux Firewall

How to Install and Use Iptables Linux Firewall



We will divide this iptables tutorial into three steps. First, you will learn how to install the tool on Ubuntu. Secondly, we are going to show you how to define the rules. Lastly, we will guide you to make persistent changes in iptables.


1. Install Iptables


Iptables comes pre-installed in most Linux distributions. However, if you don’t have it in Ubuntu/Debian system by default, follow the steps below:


  1. Connect to your server via SSH. If you don’t know, you can read our SSH tutorial.
  2. Execute the following command one by one:

sudo apt-get update

sudo apt-get install iptables

Check the status of your current iptables configuration by running:


sudo iptables -L -v

Here, the -L option is used to list all the rules, and -v is for showing the info in a more detailed format. Below is the example output:


Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target    prot opt in out  source destination



Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target    prot opt in out  source destination



Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target    prot opt in out  source destination

You will now have the Linux iptables firewall installed. At this point, you can notice that all chains are set to ACCEPT and have no rules. This is not secure since any packet can come through without filtering.


Don’t worry. We’ll tell you how to define rules on the next step of our iptables tutorial.


2. Define Chain Rules


Defining a rule means appending it to the chain. To do this, you need to insert the -A option (Append) right after the iptables command, like so:


sudo iptables -A

It will alert iptables that you are adding new rules to a chain. Then, you can combine the command with other options, such as:


  • -i (interface) — the network interface whose traffic you want to filter, such as eth0, lo, ppp0, etc.
  • -p (protocol) — the network protocol where your filtering process takes place. It can be either tcp, udp, udplite, icmp, sctp, icmpv6, and so on. Alternatively, you can type all to choose every protocol.
  • -s (source) — the address from which traffic comes from. You can add a hostname or IP address.
  • --dport (destination port) — the destination port number of a protocol, such as 22 (SSH), 443 (https), etc.
  • -j (target) — the target name (ACCEPT, DROP, RETURN). You need to insert this every time you make a new rule.

If you want to use all of them, you must write the command in this order:


sudo iptables -A <chain> -i <interface> -p <protocol (tcp/udp)> -s <source> --dport <port no.> -j <target>

Once you understand the basic syntax, you can start configuring the firewall to give more security to your server. For this iptables tutorial, we are going to use the INPUT chain as an example.


Enabling Traffic on Localhost

To allow traffic on localhost, type this command:


sudo iptables -A INPUT -i lo -j ACCEPT

For this iptables tutorial, we use lo or loopback interface. It is utilized for all communications on the localhost. The command above will make sure that the connections between a database and a web application on the same machine are working properly.


Enabling Connections on HTTP, SSH, and SSL Port

Next, we want HTTP (port 80), HTTPS (port 443), and SSH (port 22) connections to work as usual. To do this, we need to specify the protocol (-p) and the corresponding port (--dport). You can execute these commands one by one:


sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

It’s time to check if the rules have been appended in iptables:


sudo iptables -L -v

It should return with the results below which means all TCP protocol connections from the specified ports will be accepted:


Filtering Packets Based on Source

Iptables allows you to filter packets based on an IP address or a range of IP addresses. You need to specify it after the -s option. For example, to accept packets from 192.168.1.3, the command would be:


sudo iptables -A INPUT -s 192.168.1.3 -j ACCEPT

You can also reject packets from a specific IP address by replacing the ACCEPT target with DROP.


sudo iptables -A INPUT -s 192.168.1.3 -j DROP

If you want to drop packets from a range of IP addresses, you have to use the -m option and iprange module. Then, specify the IP address range with --src-range. Remember, a hyphen should separate the range of IP addresses without space, like this:


sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP

Dropping all Other Traffic

It is crucial to use the DROP target for all other traffic after defining --dport rules. This will prevent an unauthorized connection from accessing the server via other open ports. To achieve this, simply type:


sudo iptables -A INPUT -j DROP

Now, the connection outside the specified port will be dropped.


Deleting Rules

If you want to remove all rules and start with a clean slate, you can use the -F option (flush):


sudo iptables -F

This command erases all current rules. However, to delete a specific rule, you must use the -D option. First, you need to see all the available rules by entering the following command:


sudo iptables -L --line-numbers

You will get a list of rules with numbers:


Chain INPUT (policy ACCEPT)



num  target    prot opt source              destination



1    ACCEPT    all -- 192.168.0.4          anywhere

2    ACCEPT    tcp -- anywhere            anywhere tcp dpt:https

3    ACCEPT    tcp -- anywhere            anywhere tcp dpt:http

4    ACCEPT    tcp -- anywhere            anywhere tcp dpt:ssh

To delete a rule, insert the corresponding chain and the number from the list. Let’s say for this iptables tutorial, we want to get rid of rule number three of the INPUT chain. The command should be:


sudo iptables -D INPUT 3

3. Persist Changes


The iptables rules that we have created are saved in memory. That means we have to save them to a file to be able to load them again after a reboot. To make these changes you can use these commands depending if you are saving IPv4 or IPv6 rules:


sudo iptables-save > /etc/iptables/rules.v4

sudo iptables-save > /etc/iptables/rules.v6

Now whenever you restart your VPS you will need to load the saved rules with the following commands:


sudo iptables-restore < /etc/iptables/rules.v4

sudo iptables-restore < /etc/iptables/rules.v6

If you want for the loading process to be completely automatic, you can set up the iptables-persistent package and it will take care of loading the rules.


sudo apt-get install iptables-persistent

After installation, you will be asked to save the current rules. Choose Yes for both IPv4 and IPv6 and finish the configuration. Now the loading process will be automatic. Keep in mind that you will still need to use the sudo iptables-save command each time you make changes to iptables.