Master iptables: Essential Commands, Rules, and Real-World Scenarios

This guide walks through installing the iptables service on CentOS/RHEL, loading the kernel modules it depends on, replacing firewalld with the iptables service, the core iptables options, writing and managing rules for ports, IPs and protocols, saving and restoring a ruleset, avoiding pitfalls such as locking yourself out of SSH, and closes with hands-on exercises in Linux network security.

Liangxu Linux

Installation of iptables

Install the iptables service package on a CentOS/RHEL 7 system. The iptables binary itself is already present; this package adds the iptables.service unit and the logic that loads /etc/sysconfig/iptables at boot:

yum install iptables-services -y

Load firewall kernel modules

Load the kernel modules the firewall depends on. On current kernels iptables loads table and match modules on demand the first time a rule needs them, so this step mainly matters for the FTP connection-tracking helpers, which nothing loads automatically. The original article uses the 2.6-era module names ip_conntrack, ip_conntrack_ftp, ip_nat_ftp and ipt_state; on any kernel shipped with CentOS/RHEL 6 or later those names no longer exist and modprobe fails with "Module not found", so the current names are used here:

modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe nf_conntrack        # legacy name: ip_conntrack
modprobe nf_conntrack_ftp    # legacy name: ip_conntrack_ftp
modprobe nf_nat_ftp          # legacy name: ip_nat_ftp
modprobe xt_state            # legacy name: ipt_state

Confirm with lsmod that the modules are present before loading rules that depend on them.

Start the firewall

firewalld and the iptables service both program the same kernel tables, so run only one of them. Stop and disable (or mask) firewalld, then enable and start iptables; on start the iptables service loads whatever was saved in /etc/sysconfig/iptables:

systemctl stop firewalld
systemctl disable firewalld
systemctl start iptables.service
systemctl enable iptables.service

Core iptables commands

Viewing rules

Common options: -L – list the rules in the selected chain (or every chain of the table if none is given). -n – numeric output, no DNS or service-name lookups (faster, and avoids hanging on slow reverse DNS). -v – verbose output with packet and byte counters and the interfaces a rule is bound to. --line-numbers – number each rule, which you need when deleting or inserting by position. -t <table> – select the table (filter by default; nat, mangle and raw must be asked for explicitly, so iptables -nL alone never shows NAT rules). -S – print the rules in command-line syntax, handy for copying a rule spec into -D or -I.

Example:

iptables -nL

Clearing rules

iptables -F      # Flush every chain of the selected table (filter by default; use -t nat or -t mangle for the others)
iptables -X      # Delete user‑defined chains (they must be empty, so run -F first)
iptables -Z      # Zero packet and byte counters

Flushing does not change chain policies: if INPUT has a DROP policy, iptables -F leaves an empty chain that drops everything, including your SSH session. On a remote host set the policies back to ACCEPT with -P before flushing.

Adding firewall rules

Basic actions: -A – append a rule to the end of a chain. -I – insert a rule at position 1 (or at a given position, e.g. -I INPUT 3). -D – delete a rule, by rule spec or by number. -P – set the chain's default policy (ACCEPT or DROP), the verdict for packets that match no rule. Order matters: rules are evaluated top to bottom and the first matching terminating target (ACCEPT, DROP, REJECT) ends evaluation, so -A and -I give different results when rules overlap.

Example – block TCP port 22. Note that this also drops the packets of an SSH session that is already open, since they too arrive with destination port 22, so run it from a console rather than over SSH:

iptables -t filter -A INPUT -p tcp --dport 22 -j DROP

Matching connection states

A rule can match on the state that connection tracking assigns to a packet, with -m state --state <list> (or the newer equivalent -m conntrack --ctstate <list>). State names: NEW – the packet opens a new connection (for TCP, a SYN that conntrack has not seen before). ESTABLISHED – the packet belongs to a connection that has already carried traffic in both directions. RELATED – a new connection that conntrack associates with an existing one, such as an FTP data connection or an ICMP error about an existing flow (the _ftp helper modules above are what make FTP data connections RELATED). INVALID – a packet conntrack cannot associate with any connection, typically malformed or out of sequence; dropping it early is common practice. The usual stateful pattern is to accept ESTABLISHED,RELATED once at the top of INPUT and then write rules only for NEW connections.

Deleting a specific rule

First list the rules with line numbers, then delete by number. Numbers are per chain and per table, and they shift after every deletion: removing rule 1 turns the old rule 2 into rule 1, so when deleting several rules work from the highest number down. Deleting by rule spec (repeat the exact options with -D instead of -A, or copy a line from iptables -S) avoids the problem altogether:

iptables -nL --line-numbers
iptables -D INPUT 1   # delete rule number 1 in the INPUT chain of the filter table
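The renumbering caveat is easy to get wrong in a loop, so here is an added example, written for this page and not part of the original article, that collects the numbers of every rule matching a pattern and deletes them highest-first. The listing it runs against is a constructed sample of iptables -nL --line-numbers output; the real iptables calls happen only when no sample is given and need root.

```shell
#!/bin/sh
# Added example, not from the original article: delete every rule in a
# chain whose listing line matches a pattern, in the order that survives
# renumbering. Deleting from the highest rule number down keeps the
# remaining numbers valid. SAMPLE_LISTING is constructed test data.

SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    DROP       tcp  --  10.0.0.52            0.0.0.0/0            tcp dpt:22
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:6379'

# Print the numbers of the rules in CHAIN whose listing matches PATTERN
# (an extended regex), highest number first.
# $1 chain, $2 pattern, $3 optional listing text (defaults to the live chain)
matching_rule_numbers() {
  chain="$1"
  pattern="$2"
  listing="${3:-$(iptables -nL "$chain" --line-numbers)}"
  # Skip the "Chain ..." and column-header lines, keep matching rules,
  # take the rule number from column 1, sort numerically descending.
  printf '%s\n' "$listing" | awk 'NR > 2' | grep -E -- "$pattern" | awk '{print $1}' | sort -rn
}

# Delete the matching rules from the live chain (root required). Each
# command is echoed before it runs so the change is visible in the log.
delete_matching_rules() {
  chain="$1"
  pattern="$2"
  for n in $(matching_rule_numbers "$chain" "$pattern"); do
    echo "iptables -D $chain $n"
    iptables -D "$chain" "$n" || return 1
  done
}

# Dry run against the constructed listing: prints 3 then 1, the order in
# which the two port-22 rules have to be deleted.
matching_rule_numbers INPUT 'dpt:22' "$SAMPLE_LISTING"
```

Run delete_matching_rules INPUT 'dpt:22' as root to apply the same logic to the live chain; pass -t nat style listings as the third argument if you want to preview a different table first.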

Practical rule scenarios

1. Block access to port 22

iptables -t filter -A INPUT -p tcp --dport 22 -j DROP

2. Block TCP from a specific IP arriving on a specific interface (omit -p tcp to block every protocol from that host)

iptables -I INPUT -p tcp -s 10.0.0.52 -i ens33 -j DROP

3. Use negation to allow TCP only from one host (the ! negates the -s match that follows it, so every source except 10.0.0.53 is dropped)

iptables -A INPUT -p tcp ! -s 10.0.0.53 -j DROP

4. Allow TCP only from the 10.0.0.0/24 subnet

iptables -A INPUT -p tcp ! -s 10.0.0.0/24 -j DROP

5. Match multiple ports with multiport. The plain tcp match's --dport takes a single port or one range; -m multiport --dports takes a comma-separated list of up to 15 ports or ranges in one rule:

iptables -I INPUT -p tcp ! -s 172.16.1.0/24 -m multiport --dports 22,6379,80 -j DROP

6. Block ICMP echo requests (ping) with REJECT

iptables -A INPUT -p icmp --icmp-type 8 -j REJECT

REJECT discards the packet and sends an error back (by default an ICMP port-unreachable; --reject-with selects another type), so the sender fails immediately. Type 8 is echo-request; --icmp-type echo-request is the same match.

7. Block ICMP echo requests with DROP

iptables -A INPUT -p icmp --icmp-type 8 -j DROP

DROP discards the packet silently: the sender sees timeouts instead of an error, which slows scans and makes the host look absent, but also makes legitimate failures harder to diagnose. Both rules match only echo-request; other ICMP types, including the errors that path MTU discovery depends on, still pass.

8. Save and restore rules

iptables-save > /opt/iptables_backup.txt   # dump every table (filter, nat, mangle, raw) in restore format
iptables-restore < /opt/iptables_backup.txt  # replace the whole ruleset atomically with the saved one

Rules live only in kernel memory and are gone after a reboot. On CentOS/RHEL with iptables-services the file the service loads at boot is /etc/sysconfig/iptables, written with service iptables save (or iptables-save redirected into it). iptables-restore --test parses a file without committing it, which catches syntax errors before they reach the live ruleset.

9. Common pitfalls

Back up the current rules with iptables-save before making changes, so the previous state can be restored with one command.

Avoid locking yourself out: the INPUT chain also filters your own SSH session, so a DROP policy or a rule on port 22 applied without an ESTABLISHED,RELATED accept above it ends the session you are typing in. Test new rules on a console or a virtual machine first, and on a remote host apply them with a timed rollback.

If a rule blocks all traffic, you need the server console (IPMI, or the cloud provider's serial console or VNC) to recover; a reboot helps only if the bad rules were not saved to the boot-time file.

Exercises

Block host 10.0.0.51 from accessing the machine.

Allow only 10.0.0.1 to SSH into the bastion host.

Block all traffic to port 6379 (Redis).

Restrict access to port 6379 to the 172.16.1.0/24 subnet.

Block all ICMP echo requests.

These examples demonstrate how iptables evaluates rules top‑to‑bottom, how the first matching terminating rule ends evaluation, and how -m multiport, negation (!) and state matching combine into a coherent firewall policy.
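The connection-state match, the save/restore step, the lockout pitfall and the five exercises above come together in the following script. It is an added example written for this page, not code from the original article or its author. Beyond what the page states, it assumes the admin host allowed to SSH into the bastion is 10.0.0.1, uses -m conntrack --ctstate (the current spelling of -m state --state), validates the candidate with iptables-restore --test before committing, and arms a rollback timer; the IP addresses, the rollback delay and the backup path are parameters with those assumed defaults.

```shell
#!/bin/sh
# Added example, not from the original article. Generates the ruleset for
# the exercises (block 10.0.0.51, SSH only from the bastion admin host,
# Redis only from 172.16.1.0/24, no echo requests) in iptables-restore
# format, then applies it with a timed rollback so a mistake cannot lock
# you out. Assumed values not given on the page: the admin host that may
# SSH in is 10.0.0.1 and the rollback delay is 120 s.

BLOCKED_HOST="${BLOCKED_HOST:-10.0.0.51}"
SSH_ADMIN="${SSH_ADMIN:-10.0.0.1}"
REDIS_CLIENTS="${REDIS_CLIENTS:-172.16.1.0/24}"
ROLLBACK_SECS="${ROLLBACK_SECS:-120}"

# Emit the policy. Chains are evaluated top to bottom and the policy line
# is the verdict for anything no rule matched, so the accepts come first
# and INPUT falls through to DROP. The blocked host is dropped before the
# ESTABLISHED accept so its existing connections die too. "Block 6379"
# and "only 172.16.1.0/24 may reach 6379" collapse into one ACCEPT under
# a DROP policy.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s ${BLOCKED_HOST} -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s ${SSH_ADMIN} -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -s ${REDIS_CLIENTS} -p tcp -m tcp --dport 6379 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j REJECT
COMMIT
EOF
}

# Save the live rules, validate the candidate with iptables-restore --test
# (parse only, nothing committed), apply it, and arm a background timer
# that restores the backup unless confirm_ruleset runs in time.
# IPT_SAVE / IPT_RESTORE may be overridden to point at stubs for a dry run.
# $1 candidate ruleset file, $2 backup file (timer pid is kept in $2.pid)
apply_with_rollback() {
  candidate="$1"
  backup="$2"
  IPT_SAVE="${IPT_SAVE:-iptables-save}"
  IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

  "$IPT_SAVE" > "$backup" || { echo "could not back up live rules" >&2; return 1; }
  "$IPT_RESTORE" --test < "$candidate" || { echo "candidate rejected, live rules untouched" >&2; return 1; }
  "$IPT_RESTORE" < "$candidate" || return 1
  ( sleep "$ROLLBACK_SECS" && "$IPT_RESTORE" < "$backup" ) &
  echo $! > "$backup.pid"
  echo "applied; run confirm_ruleset $backup.pid within ${ROLLBACK_SECS}s or the old rules return"
}

# Cancel the pending rollback once a fresh SSH login has succeeded.
# Returns 1 if the timer already fired (the old rules are probably back).
confirm_ruleset() {
  pidfile="$1"
  if kill "$(cat "$pidfile")" 2>/dev/null; then
    rm -f "$pidfile"
  else
    echo "rollback timer was not running; check the live rules" >&2
    rm -f "$pidfile"
    return 1
  fi
}

# Typical use as root:
#   build_ruleset > /root/iptables.candidate
#   apply_with_rollback /root/iptables.candidate /root/iptables.rollback
#   (open a new SSH session from 10.0.0.1, then)
#   confirm_ruleset /root/iptables.rollback.pid
# Print the candidate policy so it can be reviewed before applying.
build_ruleset
```

Once confirmed, write the same text to /etc/sysconfig/iptables (or run service iptables save) so the policy survives a reboot; until then a reboot is itself a rollback.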

Reference: https://www.cnblogs.com/sxy-blog/p/18128060
