iptables is a powerful firewall utility for Linux that allows users to set specific rules for managing incoming and outgoing network traffic. Its default filter table has three built-in chains, each handling a different kind of traffic:
- INPUT: Manages packets destined for the host computer.
- OUTPUT: Manages packets originating from the host computer.
- FORWARD: Manages packets that pass through the host computer, used when the computer acts as a router.
To start fresh with a new ruleset, or to recover from an accidental block, flush the existing rules, either all chains at once or a single chain at a time. Before you do, check the default policy of each chain: flushing removes the rules but not the policy, so flushing a chain whose policy is DROP leaves nothing but the DROP and, on a remote server, locks you out of SSH. Then list the current rules, for all chains or for one chain, to confirm the result.
Note: adding -v to the listing command (iptables -L -v) shows the packet and byte counters matched by each rule, which is the quickest way to see whether a rule is actually being hit.
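The reset and inspection procedure above, as an added example that is not part of the original page: a small set of shell functions that set every policy to ACCEPT before flushing, so a remote session survives the reset, and that list rules with the options a practitioner normally wants. The IPT variable is an assumption of this example (set IPT=echo to print the commands instead of running them); it is not an iptables feature.

```shell
#!/bin/sh
# Added example, not from the original page. Reset and inspect the filter
# table safely. IPT defaults to the real binary; IPT=echo gives a dry run
# that only prints the commands (an assumption of this script).
: "${IPT:=iptables}"

# Reset the filter table to an open, empty state. Order matters: policies
# go to ACCEPT first, because "iptables -F" removes rules but keeps the
# policy, and a DROP policy with no rules left cuts off your SSH session.
# -F flushes rules, -X deletes empty user-defined chains, -Z zeroes counters.
fw_reset() {
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -P "$chain" ACCEPT
    done
    $IPT -F
    $IPT -X
    $IPT -Z
}

# Flush a single chain only, e.g. fw_flush_chain INPUT.
fw_flush_chain() {
    $IPT -F "$1"
}

# List rules for one chain (or all chains when no argument is given).
# -n skips reverse DNS lookups that can hang the listing, -v adds per-rule
# packet/byte counters, --line-numbers gives the index for "iptables -D CHAIN N".
fw_show() {
    $IPT -L ${1:-} -n -v --line-numbers
}
```

Run fw_reset only from a console or with a scheduled fallback (for example an `at` job that restores a saved ruleset) when working over SSH; `iptables-save > /root/rules.bak` before the reset gives you something to restore.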
With the basics covered, we can move on to some simple, specific rules. A firewall is usually built by deciding what to block first and only then what to allow, so the first rules below block connections and the later ones allow particular services.
Here are some common iptables rules:
- Block a specific IP address:
iptables -A INPUT -s 1.1.1.1 -j DROP
iptables -A OUTPUT -d 1.1.1.1 -j DROP
iptables -A INPUT -s 1.1.1.1 -j REJECT
DROP silently discards the packet, so the remote side only sees a timeout. REJECT discards it too but sends an error back (by default an ICMP port-unreachable message; with --reject-with tcp-reset a TCP RST, which the client reports as "connection refused"), so the client fails immediately instead of waiting. Note that the OUTPUT rule matches on the destination address (-d): packets leaving the host carry the host's own address as the source, so an OUTPUT rule with -s 1.1.1.1 would never match.
- Block a specific port (e.g., SMTP port 25):
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -I OUTPUT -p tcp --dport 25 -j DROP
The first rule blocks inbound connections to a local mail server; the second blocks outbound connections to port 25 on any remote host, a common way to stop a compromised web server from sending spam. -A appends the rule to the end of the chain, while -I inserts it at the top, where it is evaluated before every existing rule.
- Allow SSH connections only from a specific IP:
iptables -A INPUT -i venet0 -p tcp -s 1.1.1.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
This is an allow rule: on its own it does not block SSH from anywhere else. It restricts SSH to 1.1.1.1 only if the INPUT chain's default policy is DROP, or a later rule drops port 22 from all other sources.
- Allow HTTP and HTTPS connections:
iptables -A INPUT -i venet0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
The first pair of rules allows HTTP on the default port 80 and the second pair allows HTTPS on the default port 443.
- Allow or block ping requests:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
or, to block ping:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
Use one pair or the other. Rules are evaluated in order and the first match wins, so appending the DROP pair after the ACCEPT pair has no effect.
- Allow traffic on the loopback interface:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Many local services (databases, caches, mail submission) talk to each other over 127.0.0.1, so these two rules belong near the top of any ruleset whose default policy is DROP.
- Allow MySQL connection from a specific IP:
iptables -A INPUT -i venet0 -p tcp -s 1.1.1.1 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
- Allow POP3 and IMAP traffic:
iptables -A INPUT -i venet0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
The same pattern applies to the TLS-wrapped variants, IMAPS on port 993 and POP3S on port 995:
iptables -A INPUT -i venet0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
Note: when specifying network interfaces in the rules, such as venet0 (the virtual interface of an OpenVZ container), be sure to update it if your server uses a different interface, like eth0, ens3 or others; ip link lists the available ones. The -m state match used above still works, but it is a legacy alias for -m conntrack --ctstate, which accepts the same NEW, ESTABLISHED and RELATED states; new rulesets should use the conntrack form.
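The allow rules above only restrict anything when the chain's default policy is DROP. As an added example, not part of the original page, the function below emits a complete default-deny ruleset in iptables-restore format that combines them: loopback and conntrack rules first, then SSH from one admin address, the web ports, and ping, with everything else logged and dropped by policy. The interface name, the admin address 203.0.113.10 and the file path /etc/iptables/rules.v4 are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original page: a default-deny ruleset for the
# scenario in the text, printed in iptables-restore format.
# Usage: fw_ruleset <public interface> <admin IP allowed to SSH>
fw_ruleset() {
    iface=$1
    admin_ip=$2
    cat <<EOF
*filter
# Default policies: drop everything not explicitly allowed on INPUT and
# FORWARD. OUTPUT is left open; tighten it once you know what the host
# needs to reach.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: local services depend on it.
-A INPUT -i lo -j ACCEPT
# Replies to connections this host opened, plus related traffic such as
# ICMP errors. One conntrack rule replaces every per-port ESTABLISHED rule.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot place in any connection (stray ACKs, bad flags).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the admin address, on the public interface.
-A INPUT -i $iface -p tcp -s $admin_ip --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Public web service: HTTP and HTTPS in one rule via the multiport match.
-A INPUT -i $iface -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Ping.
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Log what falls through, rate-limited so an attacker cannot flood the log.
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Validate the file, then load it. iptables-restore --test parses the
# ruleset without committing it (available in recent iptables releases);
# the real restore then replaces the whole table atomically, so there is
# never a half-applied ruleset on the wire.
fw_apply() {
    rules=${1:-/etc/iptables/rules.v4}
    iptables-restore --test < "$rules" && iptables-restore < "$rules"
}

# Example: fw_ruleset eth0 203.0.113.10 > /etc/iptables/rules.v4 && fw_apply
```

Because OUTPUT keeps an ACCEPT policy, the per-port OUTPUT rules from the list above are unnecessary here; they matter only when OUTPUT's policy is DROP, in which case a single `-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` covers the return traffic of every allowed service. Keep the SSH rule above the web rules if you later add rate limiting to port 80, so administrative access is never throttled.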
Another use of iptables is to mitigate floods and simple denial-of-service attacks by limiting the rate at which new connections are accepted. For example:
iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 10/minute --limit-burst 100 -j ACCEPT
Here is a breakdown of the command:
--syn: matches only TCP packets that open a new connection (SYN set, ACK and RST clear), so the limit counts connection attempts rather than every packet. Without it the rule would also throttle the data packets of connections that were already accepted.
-m limit: uses the limit match extension, a token bucket that the rule draws one token from each time it matches.
--limit 10/minute: the bucket refills at 10 tokens per minute, one every 6 seconds, which is the sustained rate at which new connections are accepted.
--limit-burst 100: the bucket starts full with 100 tokens and never holds more, so up to 100 connection attempts are accepted at once before the sustained rate applies.
The rule only ever ACCEPTs. A packet that arrives when the bucket is empty simply does not match and continues down the chain, so the limit has an effect only if a later rule drops port 80 traffic or the INPUT chain's default policy is DROP. The limit is also global rather than per client: a single flooding source empties the bucket for legitimate users too. -m connlimit (simultaneous connections per source address) and -m hashlimit (rate per source address) give per-client limits. You can adjust these parameters to suit your traffic, but keep in mind that a host-based limit does little against a large volumetric DDoS, which saturates the link before iptables ever sees the packets.
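To make the limit rule actually drop the excess and to show how --limit and --limit-burst interact, here is an added example, not part of the original page. fw_ratelimit puts the ACCEPT/DROP pair in its own chain so the two stay together and their counters can be read separately; limit_sim is a simplified token-bucket model of the limit match, written to illustrate the arithmetic, not the kernel's exact xt_limit implementation. The IPT variable and the chain name HTTP_LIMIT are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. IPT=echo dry-runs the rule
# commands (an assumption of this script, not an iptables feature).
: "${IPT:=iptables}"

# Meter new HTTP connections through a dedicated chain.
# Usage: fw_ratelimit [rate] [burst], defaults 10/minute and 100.
fw_ratelimit() {
    rate=${1:-10/minute}
    burst=${2:-100}
    $IPT -N HTTP_LIMIT
    # Accept while the bucket still has tokens...
    $IPT -A HTTP_LIMIT -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    # ...and drop once it is empty. Without this line the excess would fall
    # back into INPUT and be accepted by a later rule or an ACCEPT policy.
    $IPT -A HTTP_LIMIT -j DROP
    # Only connection attempts (SYN) are metered; established traffic is not.
    $IPT -A INPUT -p tcp --dport 80 --syn -j HTTP_LIMIT
}

# Token-bucket model of "-m limit --limit <rate>/minute --limit-burst <burst>":
# n packets arrive, one every interval_sec seconds (0 = all at once).
# Tokens are scaled by 60 so that the per-second refill stays an integer.
# Prints the number of packets the rule would accept.
limit_sim() {
    rate_per_min=$1; burst=$2; n=$3; interval=$4
    cap=$((burst * 60))      # a full bucket holds <burst> tokens
    bucket=$cap              # the bucket starts full
    accepted=0
    i=0
    while [ "$i" -lt "$n" ]; do
        if [ "$i" -gt 0 ]; then
            # refill for the time elapsed since the previous packet, capped
            bucket=$((bucket + rate_per_min * interval))
            if [ "$bucket" -gt "$cap" ]; then
                bucket=$cap
            fi
        fi
        if [ "$bucket" -ge 60 ]; then
            bucket=$((bucket - 60))   # one packet costs one token
            accepted=$((accepted + 1))
        fi
        i=$((i + 1))
    done
    echo "$accepted"
}

# limit_sim 10 100 150 0  -> 100 : a 150-packet burst, only the bucket passes
# limit_sim 10 100 200 1  -> 133 : 1 packet/s, the burst then ~1 every 6 s
```

With 10/minute and a burst of 100, the first 100 connection attempts pass immediately and after that roughly one every six seconds, whatever the load; run limit_sim with your own numbers to check a candidate setting before deploying it. Watch the counters with iptables -L HTTP_LIMIT -n -v: a growing DROP count under normal traffic means the rate is too low for legitimate use.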