Complete Guide to iptables Options: Network Security Mastery

02/08/2024

iptables options

iptables provides a wide range of options to configure firewall rules and control network traffic on a Linux system. Here is an overview of some common options used with iptables:

General Syntax:

iptables [options] [table] [command] [chain] [match] [target/jump]

Options:

  1. -A, --append:
    • Appends a rule to the end of the specified chain.
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

  2. -I, --insert:
    • Inserts a rule at the specified position in the chain.
    iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT

  3. -D, --delete:
    • Deletes a rule from the specified chain based on its rule number.
    iptables -D INPUT 3

  4. -L, --list:
    • Lists the rules in the specified chain.
    iptables -L INPUT

  5. -F, --flush:
    • Flushes all rules from the specified chain.
    iptables -F INPUT

  6. -P, --policy:
    • Sets the default policy for a chain (ACCEPT, DROP, or REJECT).
    iptables -P INPUT DROP

  7. -N, --new-chain:
    • Creates a new user-defined chain.
    iptables -N MYCHAIN

  8. -X, --delete-chain:
    • Deletes the specified user-defined chain.
    iptables -X MYCHAIN

  9. -E, --rename-chain:
    • Renames a user-defined chain.
    iptables -E OLDCHAIN NEWCHAIN

  10. -Z, --zero:
    • Zeroes the packet and byte counters in all chains.
    iptables -Z

  11. -S, --list-rules:
    • Lists all rules, each printed as the iptables command that would recreate it.
    iptables -S

  12. -v, --verbose:
    • Provides detailed output, including packet and byte counters.
    iptables -L -v

  13. -h, --help:
    • Displays help information and usage instructions.
    iptables --help

Match Extensions and Targets:

  • -m, --match:
    • Specifies a match extension to use with a rule.
    • Example: iptables -A INPUT -p tcp --dport 80 -m tcp --tcp-flags SYN,ACK,FIN,RST ACK -j ACCEPT
  • -j, --jump:
    • Specifies the target to jump to if a packet matches the rule.
    • Example: iptables -A INPUT -p tcp --dport 22 -j ACCEPT

These are just a subset of the available options. The full list of options, matches, and targets can be found in the iptables man page (man iptables). It’s important to carefully plan and test firewall rules, as incorrect configurations can lead to unintended consequences.
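The options above fit together into a small host firewall, shown here as an added example that is not part of the original article. It uses -P, -F, -A, -N, -g and the state match from this page plus the `limit` match module (a real module, not covered here) to rate-limit log lines. The management network 192.168.1.0/24 and the chain name LOG_DROP are assumptions; IPTABLES defaults to the real binary, and the preview mode swaps in a function that only prints the commands, which is the "test before you apply" step the paragraph above asks for.

```shell
#!/bin/sh
# Added example, not code from the original article: a minimal host firewall
# built from the options listed above, applied in the order that avoids
# locking out the administrator's own SSH session.
#
# IPTABLES names the command to run. It defaults to the real binary; preview
# mode points it at dry_run, which prints what would run instead of running it.
IPTABLES="${IPTABLES:-iptables}"

# Assumed management network; change it to your own.
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"

# Print the command instead of executing it (preview mode).
dry_run() {
    printf 'iptables %s\n' "$*"
}

baseline_rules() {
    # 1. Reset INPUT, but keep the policy at ACCEPT until the allow rules exist,
    #    so a remote session survives a rerun of this script.
    "$IPTABLES" -P INPUT ACCEPT
    "$IPTABLES" -F INPUT

    # 2. Loopback and replies to connections this host opened are always allowed.
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. SSH only from the management network: -s narrows the rule from
    #    "port 22 from anywhere" to "port 22 from MGMT_NET".
    "$IPTABLES" -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -j ACCEPT

    # 4. User-defined chain that logs and then drops. -N fails if the chain
    #    already exists, so fall back to -F to empty it on reruns.
    #    -m limit keeps a flood of drops from filling the kernel log.
    "$IPTABLES" -N LOG_DROP 2>/dev/null || "$IPTABLES" -F LOG_DROP
    "$IPTABLES" -A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: " --log-level 4
    "$IPTABLES" -A LOG_DROP -j DROP

    # 5. Anything not matched above goes to LOG_DROP. -g (goto) rather than
    #    -j: processing never returns to INPUT, so the chain's DROP is final.
    "$IPTABLES" -A INPUT -g LOG_DROP

    # 6. Only now switch the default policy to DROP.
    "$IPTABLES" -P INPUT DROP
}

# Preview: returns the full command list without touching the kernel.
render_baseline() {
    IPTABLES=dry_run
    baseline_rules
}

# Usage: sh firewall.sh --apply   (needs root)   |   sh firewall.sh   (preview only)
case "${1:-}" in
    --apply) baseline_rules ;;
    *)       render_baseline ;;
esac
```

The order matters more than the individual rules: the policy flip to DROP is the last command, after the loopback, established-connection and SSH allow rules are in place, so running the script over an SSH session from the management network does not cut that session off.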

iptables options in more detail

Rule Specification iptables options:

  1. -p, --protocol [protocol]:
    • Specifies the protocol of the rule, such as TCP, UDP, ICMP, etc.
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

  2. -s, --source [address]:
    • Specifies the source address or network.
    iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

  3. -d, --destination [address]:
    • Specifies the destination address or network.
    iptables -A OUTPUT -d 8.8.8.8 -j ACCEPT

Port and Service iptables options:

  1. --sport, --source-port [port]:
    • Specifies the source port for the rule. Port matches belong to the tcp and udp match modules, so the rule must also name the protocol with -p tcp or -p udp; without it, iptables rejects --sport as an unknown option.
    iptables -A INPUT -p tcp --sport 1024:65535 -j ACCEPT

  2. --dport, --destination-port [port]:
    • Specifies the destination port for the rule. As with --sport, -p tcp or -p udp is required.
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Connection State iptables options:

  1. -m, --match [match]:
    • Specifies a match extension module, such as state for connection tracking.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Target iptables options:

  1. -j, --jump [target]:
    • Specifies the target to jump to if the packet matches the rule.
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT

  2. -g, --goto [chain]:
    • Sends the packet to the specified user-defined chain like -j, but processing does not return to the calling chain when that chain finishes.
    iptables -A INPUT -p tcp --dport 80 -g LOG_DROP

Logging iptables options:

  1. --log-prefix [prefix]:
    • Prefixes log messages with the specified string.
    iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH Attempt: "

  2. --log-level [level]:
    • Sets the logging level (numeric or symbolic).
    iptables -A INPUT -p tcp --dport 22 -j LOG --log-level 4
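The LOG target only writes kernel log lines; making use of them is a separate step. The following script, an added example rather than code from the article, reads lines tagged with the "SSH Attempt: " prefix above and summarises them per source address. SAMPLE_LOG is constructed data using documentation addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and shows only some of the fields the kernel prints; the functions key on the SRC= field only, so real lines from `journalctl -k` or /var/log/kern.log work the same way.

```shell
#!/bin/sh
# Added example, not from the original article: summarise kernel log lines
# produced by the LOG target (prefix "SSH Attempt: ") per source address.
# SAMPLE_LOG is constructed sample data; in practice feed in `journalctl -k`
# or /var/log/kern.log on stdin.

SAMPLE_LOG='Feb  8 10:15:01 host kernel: SSH Attempt: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=22 SYN
Feb  8 10:15:02 host kernel: SSH Attempt: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Feb  8 10:15:03 host kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=4444 DPT=23 SYN
Feb  8 10:15:04 host kernel: SSH Attempt: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN
Feb  8 10:15:09 host kernel: SSH Attempt: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN'

# Read log lines on stdin; print "<count> <src>" for lines carrying PREFIX,
# most frequent source first. Only the SRC= field is used, so the exact set
# of fields the kernel prints does not matter.
count_by_src() {
    prefix="${1:-SSH Attempt: }"
    awk -v p="$prefix" '
        index($0, p) {
            for (i = 1; i <= NF; i++)
                if (substr($i, 1, 4) == "SRC=") c[substr($i, 5)]++
        }
        END { for (s in c) print c[s], s }' | sort -rn
}

# Print only sources with at least THRESHOLD matching lines, one per line.
sources_over() {
    threshold="$1"
    count_by_src "${2:-SSH Attempt: }" | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Wrappers over the constructed sample, used by the self-check.
sample_top_src() {
    printf '%s\n' "$SAMPLE_LOG" | count_by_src | head -n 1 | awk '{ print $2 }'
}
sample_sources_over() {
    printf '%s\n' "$SAMPLE_LOG" | sources_over "$1"
}

# Run directly: show the per-source table for the sample.
printf '%s\n' "$SAMPLE_LOG" | count_by_src
```

The prefix argument lets the same functions summarise any LOG rule's output, for example `count_by_src 'FW-DROP: '` for a log-and-drop chain, which is why a distinct, unambiguous --log-prefix per rule pays off when the lines are later filtered.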

Miscellaneous iptables options:

  1. -i, --in-interface [interface]:
    • Specifies the input interface.
    iptables -A INPUT -i eth0 -j ACCEPT

  2. -o, --out-interface [interface]:
    • Specifies the output interface.
    iptables -A OUTPUT -o eth0 -j ACCEPT

  3. -c, --set-counters [packets] [bytes]:
    • Initializes packet and byte counters.
    iptables -A INPUT -p tcp --dport 80 -c 0 0 -j ACCEPT

These are just a selection of the many options available with iptables. The tool provides extensive flexibility, allowing administrators to craft precise firewall rules to suit their network security requirements. For more comprehensive information and additional options, refer to the iptables manual (man iptables).
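Reviewing a ruleset is as much a part of crafting it as writing the rules, and `iptables -S` gives a form that is easy to check mechanically. The script below is an added example, not code from the article: it audits `-S` output for two common mistakes, an INPUT chain whose default policy is still ACCEPT and ACCEPT rules that open a destination port without any -s restriction. SAMPLE_RULES is a constructed ruleset in the format `-S` prints (note that it renders `--dport` as `-m tcp --dport`); the chain name LOG_DROP and the ports are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article: audit a ruleset as printed by
# `iptables -S` for an INPUT policy that is still ACCEPT and for ACCEPT rules
# that open a port to every source address.
# SAMPLE_RULES is constructed; against a live system run:
#   iptables -S | audit_ruleset

SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N LOG_DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -g LOG_DROP
-A LOG_DROP -j LOG --log-prefix "FW-DROP: "
-A LOG_DROP -j DROP'

# Default policy of CHAIN (stdin: iptables -S output).
chain_policy() {
    awk -v c="$1" '$1 == "-P" && $2 == c { print $3 }'
}

# Destination ports that INPUT accepts without any -s restriction.
# iptables -S prints port matches as "-m tcp --dport N", hence the field scan.
world_open_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && / -j ACCEPT/ && !/ -s / {
        for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
    }'
}

# Human-readable findings on stdout; exit status 1 if anything was flagged.
audit_ruleset() {
    rules=$(cat)
    rc=0
    pol=$(printf '%s\n' "$rules" | chain_policy INPUT)
    if [ "$pol" != "DROP" ]; then
        echo "FINDING: INPUT policy is ${pol:-unset}, expected DROP"
        rc=1
    fi
    for port in $(printf '%s\n' "$rules" | world_open_ports); do
        echo "FINDING: port $port accepted from any source"
        rc=1
    done
    return $rc
}

# Wrappers over the constructed sample, used by the self-check.
sample_input_policy() { printf '%s\n' "$SAMPLE_RULES" | chain_policy INPUT; }
sample_world_open()   { printf '%s\n' "$SAMPLE_RULES" | world_open_ports; }

# Run directly: audit the sample and report whether anything was flagged.
if printf '%s\n' "$SAMPLE_RULES" | audit_ruleset; then
    echo "no findings"
else
    echo "findings present"
fi
```

On the sample the audit flags both the ACCEPT policy and port 3306, while the SSH rule passes because its -s limits it to 192.168.1.0/24. The non-zero exit status makes the check usable from a configuration-management or CI job.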

https://en.wikipedia.org/wiki/Iptables#:~:text=iptables%20is%20a%20user%2Dspace,to%20treat%20network%20traffic%20packets.
