
ComXchange 17 iptables with netfilter persistent


In ComXchange 17, netfilter-persistent is the boot-time loader for netfilter (the kernel framework behind iptables) on Debian/Ubuntu systems, and iptables-persistent is the plugin it uses for iptables rules.  iptables is the firewall technology; netfilter-persistent is the system service, normally installed together with iptables-persistent, that makes sure your iptables rules are not lost when the system restarts.  You can use netfilter-persistent to save and load iptables rules from /etc/iptables/rules.v4 (IPv4) and /etc/iptables/rules.v6 (IPv6).

View saved iptables rules

  • You can see the saved rules with the less or more command
    • less /etc/iptables/rules.v4
    • more /etc/iptables/rules.v4

Save and apply iptables changes

  • iptables rules are saved and applied with the netfilter-persistent commands
    • netfilter-persistent save
    • systemctl restart netfilter-persistent
  • You can also edit /etc/iptables/rules.v4 directly.  Consider making a backup of the file first
    • vim /etc/iptables/rules.v4
      • save the file when done editing
    • reload the rules from the file with the command
      • netfilter-persistent reload
    • or restart netfilter-persistent
      • systemctl restart netfilter-persistent

Common iptables commands

  • iptables -L - Lists all current firewall rules
    • iptables -L -v -n --line-numbers - Verbose, numeric output with line numbers and interfaces
  • iptables -F - Flushes (deletes) all rules in all chains
    • iptables -F INPUT - Flush only the INPUT chain
  • iptables -A - Appends (adds) a rule to the end of a chain
    • iptables -A INPUT -p tcp --dport 80 -j ACCEPT - Accept TCP port 80 on the INPUT chain
  • iptables -I - Inserts a rule at a specific position in a chain (default is the top)
    • iptables -I INPUT 1 -i lo -j ACCEPT - Inserts a loopback accept as the first rule
  • iptables -D - Deletes a specific rule
    • iptables -D INPUT <Number> - Delete a rule by its line number
  • iptables -P - Sets the default policy for a chain (ACCEPT, DROP, REJECT)
    • iptables -P INPUT DROP - Set default INPUT policy to DROP

Basic rule examples

  • Allow all traffic on the loopback interface
    • iptables -A INPUT -i lo -j ACCEPT
  • Allow all traffic on the bridge interface used for OpenVPN
    • iptables -I INPUT 3 -i br0 -j ACCEPT
  • Allow all incoming SSH traffic (port 22):
    • iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  • Allow incoming HTTP (port 80) and HTTPS (port 443) traffic:
    • iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    • iptables -A INPUT -p tcp --dport 443 -j ACCEPT
  • Allow incoming traffic for OpenVPN connections on UDP port 1194
    • iptables -I INPUT 41 -i enp4s0 -p udp --dport 1194 -j ACCEPT
  • Delete iptables rule 31 from the INPUT chain
    • iptables -D INPUT 31
  • Allow established/related connections:
    • iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  • Allow incoming failover services traffic
    • iptables -I INPUT 41 -i enp4s0 -p tcp -s 10.20.20.2 --dport 3306 -j ACCEPT
    • iptables -I INPUT 42 -i enp4s0 -p tcp -s 10.20.20.2 --dport 3381 -j ACCEPT
    • iptables -I INPUT 43 -i enp4s0 -p tcp -s 10.20.20.2 --dport 3030 -j ACCEPT
    • iptables -I INPUT 44 -i enp4s0 -p udp -s 10.20.20.2 --dport 65000 -j ACCEPT
  • Block all other incoming traffic by default:
    • iptables -A INPUT -j DROP
Note: This should be one of the last rules appended, and you should ensure essential services (like SSH) are allowed first to avoid locking yourself out. 
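Because the note above depends on the catch-all DROP sitting after the rules for essential services, here is an added check (example code, not part of ComXchange or netfilter-persistent) that reads a rules file in the iptables-save format used by /etc/iptables/rules.v4 and fails when the SSH or ESTABLISHED,RELATED ACCEPT is missing or placed after the catch-all DROP or an INPUT DROP policy. The check_input_lockout function, the file names and the two sample rule sets are constructed for this example; note that a chain policy set with -P can only be ACCEPT or DROP, REJECT is valid only as a rule target.

```shell
#!/bin/sh
# Lock-out check for a netfilter-persistent rules file (iptables-save format, e.g.
# /etc/iptables/rules.v4): walks the INPUT chain of the *filter table in the order
# iptables-restore loads it and fails if the SSH ACCEPT or the ESTABLISHED,RELATED
# ACCEPT is missing or sits after the catch-all DROP. Constructed example code.
check_input_lockout() {
    awk '
        /^\*/ { table = substr($0, 2) }                     # "*filter", "*nat", ...
        table != "filter" { next }
        /^:INPUT / { if ($2 == "DROP") policy_drop = 1 }    # ":INPUT DROP [0:0]"
        /^-A INPUT / {
            n++                                             # rule number within INPUT
            if (!ssh  && $0 ~ /--dport 22 / && $0 ~ /-j ACCEPT/) ssh = n
            if (!est  && $0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT/) est = n
            if (!drop && $0 ~ /^-A INPUT -j (DROP|REJECT)/)     drop = n
        }
        END {
            rc = 0
            if (!ssh) { print "WARN: no ACCEPT rule for tcp/22 in INPUT"; rc = 1 }
            else if (drop && ssh > drop) { print "WARN: SSH ACCEPT is rule " ssh ", after the catch-all DROP at rule " drop; rc = 1 }
            if ((drop || policy_drop) && !est) { print "WARN: no ESTABLISHED,RELATED ACCEPT: replies to outbound connections get dropped"; rc = 1 }
            else if (drop && est > drop) { print "WARN: ESTABLISHED,RELATED ACCEPT is rule " est ", after the catch-all DROP at rule " drop; rc = 1 }
            if (rc == 0) print "OK: SSH and established traffic are accepted before the drop"
            exit rc
        }
    ' "${1:--}"
}
# Constructed sample files in rules.v4 format (not taken from a real system).
sample_rules_safe() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' '-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT' \
        '-A INPUT -j DROP' 'COMMIT'
}
# Same rules, but "iptables -A INPUT -j DROP" was run before the SSH rule was added.
sample_rules_lockout() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -j DROP' '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' 'COMMIT'
}
# Usage: sh check_rules.sh /etc/iptables/rules.v4; with no argument, run both samples.
if [ "$#" -gt 0 ]; then
    check_input_lockout "$1"
else
    sample_rules_safe | check_input_lockout
    sample_rules_lockout | check_input_lockout || :
fi
```

Run it against /etc/iptables/rules.v4 after editing and before netfilter-persistent reload; as root, iptables-restore --test /etc/iptables/rules.v4 additionally checks the file's syntax without applying it.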
