iptables Quick Reference

From Wikipedia: “iptables is the name of the user space tool by which administrators create rules for the packet filtering and NAT modules. While technically iptables is merely the tool which controls the packet filtering and NAT components within the kernel, the name iptables is often used to refer to the entire infrastructure, including netfilter, connection tracking and NAT, as well as the tool itself. iptables is a standard part of all modern Linux distributions.”

The listings below show the INPUT, FORWARD and OUTPUT chains. For the most part we will be concerned with the INPUT chain, which handles incoming packets. You can use these commands to check whether existing rules are blocking or allowing particular traffic. However, all requests to modify the iptables configuration should be sent to the Support Department. You must be logged in as root to run iptables commands.

To list the current ruleset:
[root@DedI1 ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap
ACCEPT udp -- anywhere anywhere udp dpt:imap
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:postgres
ACCEPT tcp -- anywhere anywhere tcp dpt:10000
LOG all -- anywhere anywhere LOG level debug prefix `DROPPED = '

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@DedI1 ~]#
To list the current ruleset in numeric format:
[root@DedI1 ~]# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x10/0x10
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:1024:65535
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 255
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:143
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:3306
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:5432
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 7 prefix `DROPPED = '

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@DedI1 ~]#
To list the current ruleset in verbose mode:
[root@DedI1 ~]# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
114 15593 ACCEPT all -- lo any anywhere anywhere
0 0 ACCEPT all -- !eth0 any anywhere anywhere
1079 219K ACCEPT tcp -- any any anywhere anywhere tcp flags:ACK/ACK
872 113K ACCEPT all -- any any anywhere anywhere state ESTABLISHED
0 0 ACCEPT all -- any any anywhere anywhere state RELATED
0 0 ACCEPT udp -- any any anywhere anywhere udp spt:domain dpts:1024:65535
1346 80696 ACCEPT icmp -- any any anywhere anywhere icmp any
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
4 192 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:domain
100 6886 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
42 2520 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:pop3
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:imap
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:imap
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:mysql
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:postgres
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:10000
0 0 LOG all -- any any anywhere anywhere LOG level debug prefix `DROPPED = '

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 3341 packets, 375K bytes)
pkts bytes target prot opt in out source destination
[root@DedI1 ~]#
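To turn a listing like the ones above into a check of "what is open to the world", here is an added example (not part of this reference) that parses the numeric, verbose form of the INPUT chain and reports ACCEPT rules for single ports that any source can reach. It assumes the `-n` and `-v` flags are combined (`iptables -L INPUT -n -v`), and the embedded sample is constructed in that shape from the rules shown on this page rather than captured live.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `iptables -L INPUT -n -v` output, modelled on this
# page's listings (numeric + verbose). Not a live capture.
SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out source     destination
  114 15593 ACCEPT  all  --  lo  *   0.0.0.0/0  0.0.0.0/0
  872  113K ACCEPT  all  --  *   *   0.0.0.0/0  0.0.0.0/0  state ESTABLISHED
    4   192 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:22
   42  2520 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:80
    0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:3306
    0     0 ACCEPT  tcp  --  *   *   0.0.0.0/0  0.0.0.0/0  tcp dpt:10000
    0     0 LOG     all  --  *   *   0.0.0.0/0  0.0.0.0/0  LOG flags 0 level 7 prefix `DROPPED = '
"""

@dataclass
class Rule:
    pkts: int
    target: str
    proto: str
    in_if: str          # "*" means any interface
    source: str
    dport: Optional[int]  # None unless the rule matches one "dpt:" port

def parse_input_chain(text):
    """Return (chain policy, [Rule, ...]) from -n -v listing text."""
    policy, rules = None, []
    for line in text.splitlines():
        m = re.match(r"Chain \S+ \(policy (\w+)", line)
        if m:
            policy = m.group(1)
            continue
        cols = line.split()
        if len(cols) < 9 or not cols[0].isdigit():
            continue  # header or blank line
        pkts, _b, target, proto, _opt, in_if, _out, src, _dst = cols[:9]
        mp = re.search(r"\bdpt:(\d+)", " ".join(cols[9:]))  # "dpts:" ranges stay None
        rules.append(Rule(int(pkts), target, proto, in_if, src,
                          int(mp.group(1)) if mp else None))
    return policy, rules

def exposed_ports(rules):
    """Single ports ACCEPTed from any source on any interface: {(proto, port)}."""
    return {(r.proto, r.dport) for r in rules if r.target == "ACCEPT"
            and r.dport is not None and r.source == "0.0.0.0/0" and r.in_if == "*"}

def audit(text, allowed):
    """Return (policy, sorted exposed ports that are not in the allowlist)."""
    policy, rules = parse_input_chain(text)
    return policy, sorted(exposed_ports(rules) - set(allowed))
```

Running `audit(SAMPLE, {("tcp", 22), ("tcp", 80)})` reports the policy as DROP and flags 3306 and 10000 as reachable from anywhere, which is the kind of finding to raise with Support rather than fix by hand.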
