How to use IPTables – Part 2

Welcome back to the second part of the discussion about IPtables; if you missed the first part, you can find it here. As mentioned previously, I plan to get into some basic usage and hands-on practice. A few notes before we get started. First: IPtables from the CLI requires root or administrative access for the majority of commands. Second: for these demonstrations we will be erasing all existing entries.

I highly recommend that these be practiced on a home machine where you have admin rights and aren’t using IPtables as your active firewall, since deleting the configuration will leave the computer vulnerable to attack. Under no circumstances should this be practiced on a live production network (i.e. at work). Neither I nor GBServers will be held responsible for any damage caused by ignoring these suggestions. I’d go as far as suggesting that you unplug your computer from the internet: you can practice with computers on your home network and don’t necessarily need to be connected to the internet.

Also be aware that while Linux distros are more or less the same, there can be differences in how services such as IPtables are started. If you have read the first article, you should by now have IPtables installed and know how to turn it on and off. With that said, let’s get started.

 

The first thing you’ll want to do is verify whether the firewall is installed. Typically the easiest way to check is to open a console/terminal window and at the prompt type: iptables --help (or iptables -h). If it is installed you should see output similar to the following:

Note: The # symbol represents the command prompt. It shouldn’t be typed in, unless otherwise stated.

# iptables --help
iptables v1.2.9

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
<…>

 

Once it’s verified as installed, a useful option is the -L switch, which lists the current entries (if any):

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  neo                  anywhere            MAC 00:50:56:c0:00:08
DROP       all  --  smith                anywhere
ACCEPT     all  --  trinity              anywhere            MAC 00:50:56:c0:00:01
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  ict                  anywhere            state NEW tcp dpt:ssh

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

 

If for some reason iptables doesn’t appear to be running, you can check whether the kernel module is loaded by issuing the following command:

# lsmod | grep ip

You should get some form of output such as:

ipt_mac                 2691  1
ip_tables              28644  3 ipt_mac,ipt_state,iptable_filter

 

Hopefully you now have IPtables installed and have verified it’s active. For this initial example we will start by writing a basic rule set, which will act as a useful stateful packet inspection (SPI) firewall.

At a prompt type in:

# iptables -F
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

You can view the newly created rules, as mentioned, with iptables -L (the listing below was taken with the verbose switch, -v, which adds the packet and byte counters and the in/out interface columns). It should look like this:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

 

That wasn’t too difficult, was it :-). We now have a very simple SPI firewall. The rules you typed out permit all outgoing traffic but block (deny) all incoming traffic, along with forwarded traffic.

To help you understand the commands entered, I will briefly explain them:

– [iptables -F]: The -F switch means to flush (erase) all existing rules, so that you start from scratch and no current rules can cause conflicts.

– [iptables -P INPUT DROP]: -P sets the default policy of a chain. Here we have set the INPUT chain to DROP packets. In English this means that if a packet does not match any other rule in the list, it is dropped (ignored).

– [iptables -P FORWARD DROP]: As above, we’ve set a default policy: any network packets being forwarded are automatically ignored. Since we haven’t set up the system to act as a router, there’s no need to forward any traffic.

– [iptables -P OUTPUT ACCEPT]: Again a default policy. This simply means that any network traffic leaving our computer is automatically accepted (allowed to pass), since normally we know the software we run to be safe.

Now that we have set our defaults, the last few lines define slightly more specific filtering.

– [iptables -A INPUT -i lo -j ACCEPT]: -A appends (adds) the rule to a certain chain; in this example it appends to INPUT. -i refers to the interface (i.e. network card) the traffic arrives on, which here is lo, commonly known as the loopback (127.0.0.1). -j means to jump to the action (target), i.e. ACCEPT. In plain English this line allows any traffic arriving on the loopback interface (127.0.0.1).

– [iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT]: This line is really the meat and potatoes of the firewall. As before we are appending (-A) to INPUT. -m loads a match module (here, state). In this example we accept only packets belonging to connections that already exist (ESTABLISHED) or are related to one (RELATED). Connections that did not originate from the system itself (state NEW) fall through to the DROP policy and are blocked. If you were to add NEW to the line as well, that would allow incoming connections not initiated by your computer to pass through, which is a security risk; hence it’s not included in the rule.

 

The final thing to do is to save the rules we just entered, so that when the computer is rebooted you don’t have to retype them. On my system that is the following:

# /sbin/service iptables save

Note: Linux versions do vary slightly. You may have to look up the correct path for IPtables on your particular Linux distro.

Finally, what I typically do is create a simple bash script that allows me to run the firewall by typing in a simple command. To do that you’ll want to open an editor. On Linux, vi or nano is usually installed (I personally like nano).

 

Then you can paste the script:

#!/bin/bash
#
# iptables SPI firewall
#
# Flush all current rules from iptables
#
iptables -F
#
# Set defaults (INPUT, FORWARD, OUTPUT)
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Permit access for loopback (127.0.0.1)
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets for established, related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Lines that start with # are comments, so you can make your own personal notes. The exception is the first line, “#!/bin/bash”, which tells the computer it’s a bash script.
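As an added example (my code, not from the original article), here is the same rule set wrapped in shell functions with a dry-run mode so it can be reviewed without root, going slightly beyond the text by adding one narrowly scoped exception of the kind the earlier listing showed (SSH, state NEW, from a single host) and an audit helper that counts such exceptions. ADMIN_HOST, DRY_RUN, the ipt/base_rules/ssh_exception/count_new_accepts/firewall names and the 192.168.1.10 address are my assumptions.

```shell
# Added example, not from the original article: the article's SPI rule set as
# shell functions with a dry-run mode, plus one narrowly scoped SSH exception.
# Assumed (mine): ADMIN_HOST is a constructed address; DRY_RUN=1 prints rules.
set -eu

IPTABLES=${IPTABLES:-iptables}
ADMIN_HOST=${ADMIN_HOST:-192.168.1.10}   # constructed example address

# Run a rule, or print it when DRY_RUN=1. iptables needs root, so the dry-run
# path lets the rule set be reviewed by an unprivileged user before applying.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# The article's base rule set: flush, default-deny INPUT and FORWARD, allow
# OUTPUT, allow loopback, and accept replies to connections we initiated.
base_rules() {
    ipt -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The one deliberate exception: NEW connections are accepted only for SSH
# (tcp/22) and only from ADMIN_HOST. Everything else still hits the DROP policy.
ssh_exception() {
    ipt -A INPUT -p tcp -s "$ADMIN_HOST" --dport 22 -m state --state NEW -j ACCEPT
}

# Audit helper: count rules that ACCEPT state NEW in the dry-run output of the
# given function. The base set yields 0; base plus the SSH exception yields 1.
count_new_accepts() {
    ( DRY_RUN=1; "$@" ) | grep -c -- '--state NEW.*-j ACCEPT' || true
}

firewall() {
    base_rules
    ssh_exception
}

# Apply for real (as root) only when invoked as: ./script.sh apply
if [ "${1:-}" = apply ]; then
    firewall
fi
```

Run it with DRY_RUN=1 first to read the exact rules it would install; only the apply argument executes them.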

 

Next you’ll want to save the file, for example as myfirstfirewall.sh. Once out of the editor, make sure the script is executable by typing: chmod +x myfirstfirewall.sh (or whatever name you chose).

Finally, run the script (as root, per the note at the start) by going to a command prompt and typing: ./myfirstfirewall.sh

I hope you have enjoyed this entry and will come back to read the next one.