Most Frequently Used Linux IPTables Rules with Examples

This article collects IPTables rules for common networking and security tasks that you can adapt directly. Each example is a template: change the interface, ports and addresses to match your environment, and keep in mind that iptables evaluates a chain top to bottom and stops at the first matching rule, so the order in which you add rules matters.

Deleting IPTables or Existing Rules

Before building new IPTables rules, clear out the existing ones. -F (the short form of --flush) only empties the rule lists of the filter table: the default chain policies stay as they are, user-defined chains are not removed (-X does that), and the nat and mangle tables keep their rules unless you name them with -t. On a remote host, set the policies back to ACCEPT before flushing, because a DROP policy with no ACCEPT rules left cuts off your own session:

# iptables -F
# iptables -X
# iptables -t nat -F

Setting Default Chain Policies

Change the default policy from ACCEPT to DROP so that anything not explicitly allowed is discarded. Do this only after the ACCEPT rules you need (at least the one for your own SSH session) are in place, otherwise a remote host is unreachable the moment the policy changes:

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

With DROP policies on both INPUT and OUTPUT, every service needs a rule for the request direction and one for the reply direction; that is why each example below comes as a pair. A single stateful rule per chain that accepts ESTABLISHED,RELATED traffic lets all replies through and makes the per-service ESTABLISHED rules unnecessary. If you trust the local processes, keep OUTPUT at ACCEPT and set DROP only on INPUT and FORWARD. In every case allow the loopback interface (lo) in both directions, or local services that talk to 127.0.0.1 stop working.

Allowing HTTP & HTTPS Incoming Connections

These rules accept new and established incoming HTTP (port 80) and HTTPS (port 443) connections on eth0 and let the server's replies out. The -m state match used throughout this article is the older spelling of -m conntrack --ctstate; both work on current kernels:

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Allowing Outgoing SSH to a Specific Network

These rules let this host open SSH connections only to hosts in 192.168.100.0/24 (-d restricts the destination, not the source) and accept the replies. To accept incoming SSH only from that network, which is the more common requirement on a server, match the source with -s on an INPUT rule for destination port 22 and let the replies out on OUTPUT instead:

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
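The following script is an added example and not code from the original article. It builds the policy described in the sections above (default DROP, loopback, HTTP/HTTPS open to everyone, SSH accepted only from one network) as a single iptables-restore file, which the kernel loads atomically, so there is never a window where the DROP policies are active but the ACCEPT rules are missing. The interface name eth0, the management network 192.168.100.0/24 and the outbound DNS and HTTPS allowances are assumptions for illustration, and it uses -m conntrack --ctstate rather than the article's -m state --state.

```sh
#!/bin/sh
# Added example, not code from the original article: build the policy from
# the sections above as one iptables-restore file. Assumptions for illustration:
# the public interface is eth0, SSH is accepted only from the management
# network 192.168.100.0/24, and outbound DNS and HTTPS are allowed for updates.

WAN_IF="${WAN_IF:-eth0}"
MGMT_NET="${MGMT_NET:-192.168.100.0/24}"

# Emit the ruleset in iptables-save format. iptables-restore loads it
# atomically, so there is no window in which the DROP policies are active
# but the ACCEPT rules have not been added yet.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback must be open: local resolvers and databases on 127.0.0.1 need it.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# One stateful rule per chain accepts all replies, replacing the per-service
# ESTABLISHED rules.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify (stray ACKs, out-of-window segments).
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Inbound services: SSH only from the management network, web from anywhere.
-A INPUT -i $WAN_IF -p tcp -s $MGMT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $WAN_IF -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Outbound: DNS and HTTPS only; everything else hits the OUTPUT DROP policy.
-A OUTPUT -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited log of what the INPUT policy is about to drop.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of -A rules in the generated set (a quick sanity check).
rule_count() {
    gen_rules | grep -c '^-A '
}

# Apply with a safety net: the previous ruleset is restored after 60 seconds
# unless the operator confirms the new one still lets them in.
apply_rules() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    # --test parses and builds the ruleset without committing it.
    gen_rules | iptables-restore --test || { echo "ruleset rejected" >&2; return 1; }
    gen_rules | iptables-restore || return 1
    ( sleep 60 && iptables-restore < "$backup" ) &
    echo "Applied. If you can still log in, run: kill $!  (auto-rollback in 60s)"
}

if [ "${APPLY_RULES:-0}" = "1" ]; then
    apply_rules
fi
```

Run it as root with APPLY_RULES=1 to load the rules; without that variable it only defines the functions, so gen_rules can be inspected first. The rules live only in the running kernel: save them with iptables-save into the location your distribution restores at boot (/etc/iptables/rules.v4 with iptables-persistent on Debian and Ubuntu, /etc/sysconfig/iptables with iptables-services on RHEL-family systems).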

Allowing Incoming MySQL Port (3306)

Allow incoming connections to MySQL on port 3306 and the server's replies. Opening 3306 to every source is rarely what you want on a database host; prefer the source-restricted form in the next section, and bind MySQL only to the addresses it actually serves:

iptables -A INPUT -i eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

MySQL Access from Specific Network

Restrict MySQL access to a specific network (192.168.87.0/24):

iptables -A INPUT -i eth0 -p tcp -s 192.168.87.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Allowing Multiple Ports with Single Rule

Use the multiport module to allow multiple ports (MySQL, HTTP, HTTPS) in a single rule:

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 3306,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 3306,80,443 -m state --state ESTABLISHED -j ACCEPT

Allowing Outgoing MySQL Connections

For outgoing MySQL connections, allow both NEW and ESTABLISHED states on OUTPUT, but only ESTABLISHED on INPUT:

iptables -A OUTPUT -o eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Email Services Configuration

Sendmail/Postfix Traffic (Port 25)

iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

IMAP and POP3 Ports

# IMAP (port 143)
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

# POP3 (port 110)
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

Port Forwarding

Forward traffic arriving at 192.168.87.100 on port 5722 to port 22 (SSH) on 192.168.87.200 using NAT. The rewrite happens in the nat table's PREROUTING chain, but the rewritten packet is then routed and passes through the filter table's FORWARD chain, which the policy above sets to DROP. The forward therefore only works once FORWARD accepts that flow, net.ipv4.ip_forward is set to 1, and 192.168.87.200 routes its replies back through this host (or you add SNAT for the flow). --to is the short form of --to-destination:

iptables -t nat -A PREROUTING -p tcp -d 192.168.87.100 --dport 5722 -j DNAT --to 192.168.87.200:22
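The script below is an added example, not code from the original article. It supplies the pieces a DNAT port forward needs in addition to the PREROUTING rule: the FORWARD rules that let the rewritten flow through, the ip_forward sysctl, and an optional MASQUERADE for the case where the target would not route replies back via the firewall. The addresses are the article's illustrative ones (firewall 192.168.87.100 on eth0, sshd on 192.168.87.200), and the --ctstate DNAT match, which restricts the FORWARD rule to connections that went through the PREROUTING rewrite, is the author's choice here.

```sh
#!/bin/sh
# Added example, not code from the original article: everything a DNAT port
# forward needs besides the PREROUTING rule. Addresses follow the article's
# example and are illustrative: the firewall 192.168.87.100 listens on eth0
# port 5722 and hands the connection to sshd on 192.168.87.200:22.

WAN_IF="${WAN_IF:-eth0}"
FW_ADDR="${FW_ADDR:-192.168.87.100}"
TARGET="${TARGET:-192.168.87.200}"
PUB_PORT="${PUB_PORT:-5722}"
TGT_PORT="${TGT_PORT:-22}"

# Emit a nat + filter fragment in iptables-save format.
gen_forward_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the destination before the routing decision. Matching -i and -d
# keeps the rule from touching traffic that only transits on other interfaces.
-A PREROUTING -i $WAN_IF -p tcp -d $FW_ADDR --dport $PUB_PORT -j DNAT --to-destination $TARGET:$TGT_PORT
# Needed only when $TARGET would not route replies back through this host
# (e.g. client and target share a LAN). It hides the real client address from
# sshd's logs, so omit it when this box is the target's default gateway.
-A POSTROUTING -o $WAN_IF -p tcp -d $TARGET --dport $TGT_PORT -m conntrack --ctstate DNAT -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
# DNAT alone does nothing if FORWARD drops the rewritten packet. The DNAT
# conntrack state restricts this to flows that went through PREROUTING above.
-A FORWARD -i $WAN_IF -p tcp -d $TARGET --dport $TGT_PORT -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Number of FORWARD rules in the generated fragment.
forward_rule_count() {
    gen_forward_rules | grep -c '^-A FORWARD'
}

apply_forward_rules() {
    # Without this sysctl the kernel never forwards, whatever the rules say.
    # Persist it in /etc/sysctl.d/ to survive a reboot.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    gen_forward_rules | iptables-restore --test || return 1
    # --noflush keeps the INPUT/OUTPUT rules already loaded; the fragment only
    # appends to the chains it lists. Run it once, or the rules get duplicated.
    gen_forward_rules | iptables-restore --noflush
}

if [ "${APPLY_RULES:-0}" = "1" ]; then
    apply_forward_rules
fi
```

Run as root with APPLY_RULES=1; the fragment is validated with --test before it is loaded. After applying, check that sshd on the target still sees the real client address; if it logs the firewall's address instead, the MASQUERADE rule is in effect and can be dropped once the target routes through this host.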

Rsync Backup Traffic (Port 873)

Allow rsync traffic from a specific network for backup operations:

iptables -A INPUT -i eth0 -p tcp -s 192.168.87.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

Blocking IP Addresses

Block specific IP addresses. Because iptables stops at the first matching rule, a DROP appended with -A lands below the ACCEPT rules above and never fires for the ports they allow; insert blocks at the head of the chain with -I instead:

BLOCK_ADDRESS="192.168.87.100"
iptables -I INPUT -s "$BLOCK_ADDRESS" -j DROP

# Block TCP traffic specifically
iptables -I INPUT -i eth0 -p tcp -s "$BLOCK_ADDRESS" -j DROP

Network ranges are blocked the same way by giving the variable a CIDR value such as 192.168.87.0/24.

Conclusion

These IPTables rules provide a starting point for controlling network traffic on Linux systems. Modify ports, networks, and protocols to suit your environment, and put the rules in a shell script (or an iptables-restore file) for repeatable deployment across servers. Rules entered with iptables exist only in the running kernel: save them with iptables-save and restore them at boot (iptables-persistent on Debian and Ubuntu, iptables-services on RHEL-family systems), or they are gone after a reboot.

Updated on: 2026-03-16T23:36:12+05:30
