The iptables -L or iptables --list command lists all of the iptables rules that are set on your Linux machine. Below is the abbreviated output of this command on my Fedora Linux system.
[root@localhost homer]# iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
INPUT_direct  all  --  anywhere             anywhere
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere
INPUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
FORWARD_direct  all  --  anywhere             anywhere
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_IN_ZONES  all  --  anywhere             anywhere
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere
FORWARD_OUT_ZONES  all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
To flush all iptables rules, use this command as root.
iptables --flush
This will flush all customized iptables rules.
[root@localhost homer]# iptables --flush
Here is a sample rule for ssh I am putting into my iptables configuration.
[root@localhost homer]# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
This allows incoming TCP traffic to my machine's SSH port.
The rules below block access to a certain website, but will not block ICMP pings to it.
jason@jason-Lenovo-H50-55:~$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             STRING match "smh.com.au" ALGO name kmp TO 65535 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             STRING match "server-18-67-105-24.syd62.r.cloudfront.net" ALGO name kmp TO 65535 reject-with icmp-port-unreachable
So blocking sites is at least possible with iptables. I tested with Lynx and that site would not load on my server.
Entering new iptables rules looks like this.
jason@jason-Lenovo-H50-55:~$ sudo iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 30 -j DROP
jason@jason-Lenovo-H50-55:~$ sudo iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
Together these two rules throttle new SSH connections: a new connection from a source address seen within the last 30 seconds is dropped (and its timestamp refreshed); otherwise the source is recorded and the connection accepted. The result may then be listed with the command shown above. This is how easy it is to administer a firewall on Linux.
These are my firewall rules now.
jason@jason-Lenovo-H50-55:~$ sudo iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh recent: UPDATE seconds: 30 name: DEFAULT side: source mask: 255.255.255.255
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh recent: SET name: DEFAULT side: source mask: 255.255.255.255

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             STRING match "smh.com.au" ALGO name kmp TO 65535 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             STRING match "server-18-67-105-24.syd62.r.cloudfront.net" ALGO name kmp TO 65535 reject-with icmp-port-unreachable
REJECT     tcp  --  anywhere             anywhere             STRING match "18.67.105.24" ALGO name kmp TO 65535 reject-with icmp-port-unreachable
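As an added example (not from the post), here is a small audit that reads the iptables --list output shown above and reports, per chain, the default policy, whether a catch-all DROP/REJECT exists, and how many rules were appended below it and so never match. It assumes the name-resolved layout iptables -L prints (or the 0.0.0.0/0 form of -L -n); the sample listing is constructed for the demonstration.

```shell
#!/bin/sh
# audit_chains: read `iptables --list` output on stdin and report, per chain,
# the default policy, whether a catch-all DROP/REJECT exists, and how many
# rules sit below that catch-all (appended with -A, so never reached).
audit_chains() {
    awk '
        function report() {
            if (chain == "") return
            if (policy != "ACCEPT" || deny_at > 0) verdict = "ok"; else verdict = "OPEN"
            printf "%s policy=%s rules=%d catchall_deny=%s shadowed=%d %s\n",
                   chain, policy, rules, (deny_at ? "yes" : "no"), shadowed, verdict
        }
        /^Chain / {
            report()
            chain = $2; rules = 0; deny_at = 0; shadowed = 0
            policy = ($3 == "(policy") ? $4 : "-"   # user-defined chains show "(N references)"
            sub(/\)/, "", policy)
            next
        }
        /^target / || /^$/ { next }           # column header and blank separator lines
        {
            rules++
            if (deny_at) shadowed++           # below a catch-all deny: unreachable
            else if (($1 == "DROP" || $1 == "REJECT") && $2 == "all" &&
                     ($4 == "anywhere" || $4 == "0.0.0.0/0") &&
                     ($5 == "anywhere" || $5 == "0.0.0.0/0") &&
                     (NF == 5 || $6 == "reject-with")) deny_at = rules
        }
        END { report() }
    '
}

# Constructed sample modelled on the two listings in the post, trimmed to a few
# rules per chain; it is not a capture from either machine.
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             STRING match "smh.com.au" ALGO name kmp TO 65535 reject-with icmp-port-unreachable'

printf '%s\n' "$SAMPLE" | audit_chains
```

On a live host run iptables --list | audit_chains; a chain reported OPEN accepts whatever no rule matched, and a non-zero shadowed count (as for the dpt:ssh rule appended below REJECT all in the Fedora listing above) means those rules belong before the catch-all, inserted with -I rather than appended with -A.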
These rules are not persistent and will be lost once I reboot the machine, but this is easily solved with this simple tip.
How to have iptables entries applied on boot.
https://securitronlinux.com/bejiitaswrath/how-to-have-iptables-entries-applied-on-boot/. This way, the rules are applied on each boot and you do not need to worry.