Master iptables: Essential Commands, Installation, and Real-World Firewall Rules

This guide provides a comprehensive overview of iptables, covering installation, kernel module loading, core commands, rule syntax, practical examples for blocking ports, IPs, and networks, as well as saving and restoring configurations, helping administrators secure Linux firewalls effectively.

Open Source Linux

iptables Command Options

-L  Show all rules of the selected chain; if no chain is specified, all chains are shown. Can be combined with -Z to list and zero counters.
-n  Show numeric IPs and ports.
-t  Specify table.
-A  Append rule to the end of the chain.
-I  Insert rule at the beginning of the chain.
-D  Delete a rule.
-p  Specify protocol (tcp, udp, icmp, all).
--dport  Destination port.
--sport  Source port.
-s  Source IP.
-d  Destination IP.
-m  Specify module.
-i  Input network interface.
-o  Output network interface.
-j  Target action (DROP, ACCEPT, REJECT, etc.).
-F  Flush all rules.
-X  Delete user‑defined chains.
-Z  Zero counters.
# author : by www.yuchaoit.cn

1. Install iptables

yum install iptables-services -y

2. Load kernel modules

modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ipt_state

3. Start the firewall

# Stop firewalld and enable iptables
systemctl stop firewalld
systemctl disable firewalld

systemctl start iptables.service
systemctl enable iptables.service

4. iptables Core Commands

1. View rules

# -n --numeric (numeric output)
# -L list rules
iptables -nL
# Example output omitted for brevity

2. Flush rules

iptables -F      # Delete all rules
iptables -X      # Delete user‑defined chains
iptables -Z      # Zero counters

3. Add firewall rule

iptables -t filter -A INPUT -p tcp --dport 6379 -j DROP

4. Connection states

NEW: new connection
ESTABLISHED: established connection
RELATED: related connection
INVALID: invalid or unrecognizable

5. Delete a specific rule

iptables -nL --line-numbers
iptables -D INPUT 1   # delete rule number 1 in INPUT chain

5. Rule Practice Scenarios

1. Block access to port 22

# Danger: use with caution
iptables -t filter -A INPUT -p tcp --dport 22 -j DROP

2. Block a specific IP on a specific interface

iptables -F
iptables -I INPUT -p tcp -s 10.0.0.52 -i ens33 -j DROP

3. Use negation (!)

# Block all IPs except 10.0.0.53 on interface ens33
iptables -A INPUT -p tcp ! -s 10.0.0.53 -i ens33 -j DROP

4. Allow only 10.0.0.0/24 network

iptables -A INPUT -p tcp ! -s 10.0.0.0/24 -j DROP

5. Single entry point for bastion host

iptables -I INPUT -p tcp ! -s 10.0.0.61 -j DROP

6. Match several ports with multiport

# Allow only the 172.16.1.0/24 network to access ports 22, 6379, and 80.
iptables -I INPUT -p tcp ! -s 172.16.1.0/24 -m multiport --dport 22,6379,80 -j DROP

7. Reject ping (ICMP echo request)

# REJECT provides feedback, DROP is silent
iptables -A INPUT -p icmp --icmp-type 8 -j REJECT

8. Drop ping silently

iptables -A INPUT -p icmp --icmp-type 8 -j DROP

9. Practice Exercises

# Example: block 10.0.0.51 from accessing the host
iptables -I INPUT -s 10.0.0.51 -j DROP
# Example: allow only 10.0.0.1 to SSH to bastion
iptables -I INPUT -p tcp -s 10.0.0.1 --dport 22 -j ACCEPT
# Example: block all access to port 6379
iptables -I INPUT -p tcp --dport 6379 -j DROP

6. Save and Restore Rules

iptables-save > /opt/www.yuchaoit.cn_iptables.txt   # Save to file
iptables-restore < /opt/www.yuchaoit.cn_iptables.txt   # Restore

Tips

1. Backup before changes.
2. Avoid locking yourself out.
3. Use temporary rules for testing.
4. If locked out, use cloud console or physical access to fix.
Written by Open Source Linux, focused on sharing Linux/Unix content covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
