iptables
Check the status of the current firewall rules
Appending Rules to the Chain
-A stands for append and it is how you will add rules to the bottom of the chain.
-i (interface) — the network interface whose traffic you want to filter, such as eth0, lo, ppp0, etc.
-p (protocol) — the network protocol where your filtering process takes place. It can be either tcp, udp, udplite, icmp, sctp, icmpv6, and so on. Alternatively, you can type all to choose every protocol.
-s (source) — the address from which traffic comes from. You can add a hostname or IP address.
–dport (destination port) — the destination port number of a protocol, such as 22 (SSH), 443 (https), etc.
-j (target) — the target name (ACCEPT, DROP, RETURN). You need to insert this every time you make a new rule.
If you want to use all of them, you must write the command in this order:
Enabling Traffic on Localhost
To allow traffic on localhost, type this command:
The command above will make sure that the connections between a database and a web application on the same machine are working properly.
Enabling Connections on HTTP, SSH, and SSL Port
Next, we want http (port 80), https (port 443), and ssh (port 22) connections to work as usual. To do this, we need to specify the protocol (-p) and the corresponding port (–dport). You can execute these commands one by one:
Filtering Packets Based on Source
You need to specify it after the -s option. For example, to accept packets from 192.168.1.3, the command would be:
You can also reject packets from a specific IP address by replacing the ACCEPT target with DROP.
If you want to drop packets from a range of IP addresses, you have to use the -m option and iprange module. Then, specify the IP address range with –src-range. Remember, a hyphen should separate the range of ip addresses without space, like this:
Last updated
Was this helpful?