Master iptables: Essential Commands and Advanced Matching Techniques
This guide walks through iptables fundamentals—including listing, flushing, and setting default policies—then demonstrates adding, inserting, replacing, and deleting rules, explores basic and extended match modules, and provides practical exercises for building robust firewall configurations.
1. Commands
List all chains: iptables -L; view a specific chain: iptables -L INPUT.
Show detailed information: iptables -vnL.
Flush all chains: iptables -F.
Set default policies to DROP: iptables -P INPUT DROP, iptables -P OUTPUT DROP, iptables -P FORWARD DROP. When the host is administered remotely (for example a virtual machine reached over SSH), use iptables -P INPUT ACCEPT instead, because a DROP policy on INPUT with no matching accept rule cuts off the remote session.
Add a rule to the INPUT chain for TCP port 21: iptables -A INPUT -p tcp --dport 21. A rule written without -j has no target and only counts the packets it matches; add -j ACCEPT or -j DROP to act on them.
Insert a rule at position 1 for TCP port 23: iptables -I INPUT 1 -p tcp --dport 23.
Replace rule number 1 to change the destination port to 24: iptables -R INPUT 1 -p tcp --dport 24.
Delete rule number 1 from the INPUT chain: iptables -D INPUT 1.
2. Basic Match Extensions
Specify protocol (TCP): iptables -A INPUT -p tcp -j ACCEPT.
Specify ICMP type (echo request): iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT.
Specify source IP address: iptables -A INPUT -s 192.168.1.109 -j ACCEPT.
Specify outgoing interface: iptables -A FORWARD -o eno16777736 -j ACCEPT.
Specify source port (80): iptables -A INPUT -p tcp --sport 80 -j ACCEPT.
3. Extended Match Extensions
Limit rate:
iptables -I INPUT -d 192.168.1.109 -p icmp --icmp-type 8 -m limit --limit 3/minute --limit-burst 5 -j ACCEPT (ICMP type 8 is echo-request; -I with no position inserts at the top of the chain).
IP range match:
iptables -A INPUT -d 172.16.100.67 -p tcp --dport 80 -m iprange --src-range 172.16.100.5-172.16.100.10 -j DROP.
Time match: specify a time window during which packets are accepted (command omitted for brevity).
Multiport match: match multiple destination ports (command omitted).
String match: filter packets containing specific strings such as sensitive words (command omitted).
State match: use connection tracking to filter based on packet state (command omitted).
Exercise
Set INPUT and OUTPUT default policies to DROP.
Block web server access on Monday; limit new requests to 100 per second; block pages containing the string "admin"; allow only response packets to leave the host.
Allow FTP service for the 172.16.0.0/16 network during weekdays 8:30-18:00, with download requests limited to 5 per minute.
Allow SSH service for hosts 172.16.x.1-172.16.x.100 (x = your student ID), limiting new connection attempts to 2 per minute, and permitting only response packets to exit.
Drop TCP packets whose flags are either all set or all cleared.
Allow the host to ping other machines, but block inbound ping requests.
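The exercise worked through as one rule set, as an added example that is not from the original article; it also fills in the time, multiport, string and state matches the section above left out. It assumes an iptables build with the time, multiport, string, iprange, limit and state match modules, prints the commands instead of applying them unless IPT=iptables is set, and uses STUDENT_ID as a placeholder for the x in the SSH range.

```shell
#!/bin/sh
# Added example (not from the original article): the exercise as an iptables rule set.
# Dry run by default: the commands are printed. Run as root with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
STUDENT_ID="${STUDENT_ID:-1}"   # placeholder for the "x" in 172.16.x.0

firewall_rules() {
    # Default policies: anything no rule accepts is dropped.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    # Malformed TCP: all flags set or no flags set, dropped before anything else.
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    # Web: closed on Monday; packets carrying "admin" dropped (plaintext HTTP only,
    # the string match cannot see inside TLS); at most 100 new connections per second.
    $IPT -A INPUT -p tcp --dport 80 -m time --weekdays Mon -j DROP
    $IPT -A INPUT -p tcp --dport 80 -m string --algo bm --string "admin" -j DROP
    $IPT -A INPUT -p tcp --dport 80 -m state --state NEW \
        -m limit --limit 100/second -j ACCEPT
    # FTP (control and data ports) from 172.16.0.0/16 on weekdays 08:30-18:00;
    # "5 download requests per minute" is read here as 5 new sessions per minute.
    $IPT -A INPUT -s 172.16.0.0/16 -p tcp -m multiport --dports 20,21 \
        -m time --timestart 08:30 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri \
        -m state --state NEW -m limit --limit 5/minute -j ACCEPT
    # SSH from 172.16.x.1-172.16.x.100, 2 new connection attempts per minute.
    $IPT -A INPUT -p tcp --dport 22 \
        -m iprange --src-range "172.16.${STUDENT_ID}.1-172.16.${STUDENT_ID}.100" \
        -m state --state NEW -m limit --limit 2/minute -j ACCEPT
    # Outbound ping: echo requests out, echo replies in. Inbound echo requests
    # match no rule and fall through to the INPUT DROP policy.
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # Only reply traffic leaves the host; RELATED covers passive FTP data
    # connections once the nf_conntrack_ftp helper is loaded.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

firewall_rules
```

Rule order matters: the Monday and "admin" DROP rules sit before the ACCEPT rules, and NEW packets exceeding a limit match nothing later and are dropped by the policy.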
MaGe Linux Operations