Filter Tables

The default table; primarily used for packet filtering.

Chains

INPUT

Examined when packets ARRIVE at the system.

OUTPUT

Applied as packets are SENT FROM the system.

FORWARD

Checked as packets are ROUTED THROUGH the system.

Actions

ACCEPT

REJECT

DROP

Examples by Chain

INPUT/OUTPUT

Allow loopback traffic

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

Allow established and related connections INCOMING and OUTGOING

Allow incoming SSH traffic from a specific IP range

Allow incoming ICMP (ping) traffic

Allow incoming FTP traffic

Allow incoming and outgoing DNS traffic

Allow incoming and outgoing NTP traffic

Allow outgoing SMTP (email) traffic

Allow outgoing IMAP and IMAPS (email) traffic

Allow outgoing HTTP and HTTPS traffic

Allow outgoing FTP traffic

Allow INCOMING traffic by PORT:

Allow OUTGOING traffic by PORT:

Limit incoming SSH connections per minute and block brute-force attacks

Log and drop invalid packets

iptables -t filter -A INPUT -i lo -j ACCEPT

Append a rule to accept all INCOMING traffic on the loopback interface.

iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

Append a rule to accept SSH traffic (port 22) in the INPUT chain.

iptables -t filter -A INPUT -p icmp -j DROP

Append a rule to drop all ICMP traffic in the INPUT chain.

iptables -t filter -I INPUT 1 -s 192.168.1.1 -j DROP

Insert a rule at the top of the INPUT chain to drop traffic from IP 192.168.1.1.

iptables -t filter -R INPUT 1 -p tcp --dport 80 -j ACCEPT

Replace the first rule in the INPUT chain with a new one to accept HTTP traffic (port 80).

iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Append a rule to accept all established and related connections in the INPUT chain.

FORWARD

Allow all forwarded traffic (not secure, but useful for open forwarding)

Drop all forwarded traffic (default policy for a secure stance)

Allow forwarded traffic from a specific source IP

Allow forwarded traffic to a specific destination IP

Allow forwarded traffic from a specific subnet to another subnet

Drop forwarded traffic from a specific subnet to any destination

Allow forwarded traffic on a specific port (e.g., HTTP)

Log and then drop forwarded packets from a specific IP

Limit the forwarded traffic rate from a specific source (e.g., 5 packets per second)

Reject forwarded traffic to a specific port with a custom TCP reset

Allow forwarded traffic but ensure stateful inspection (connection tracking)

Examples by Match Statements

Multiport

Block Incoming Traffic on Multiple Ports:

Allow Outgoing Traffic on Multiple Ports:

Restricting Access to Specific IP Addresses on Multiple Ports:

Block Outgoing Traffic to Multiple Ports Except for a Specific IP Address:

Logging Packets That Match Multiport Rules:

State/Conntrack

Allow Established and Related Incoming Connections

Allows incoming packets that are part of an established connection or are related to one.

Useful for ensuring that once a connection is initiated, its packets can continue to flow:

Drop Invalid Packets:

Allow New, Established, and Related Outgoing Connections:

Allow New SSH Connections From a Specific IP Address:

Block New Incoming Connections on a Specific Port

Allows established and related connections.

It's a common security measure to prevent unauthorized access while allowing ongoing SSH sessions:

Logging New Incoming Connections:

Limiting New Connections Per Second From a Single Source:

iprange

Allow Traffic to a Specific Port from a Range of IP Addresses:

Block Outgoing Traffic to a Specific IP Range:

Limiting Forward Traffic from a Specific IP Range:

Rejecting Incoming Connections to a Range of IP Addresses:

icmp

Block All Incoming ICMP Echo Requests (Ping Requests)

Limit Incoming ICMP Echo Requests

Allow ICMP Destination Unreachable

Block ICMP Timestamp Requests

Allow ICMP Fragmentation Needed for Path MTU Discovery
