How to manage iptables firewall in Linux

In this tutorial we will show you how to manage iptables firewall in Linux

The iptables management commands vary with the Linux distribution and its version, so the sections below are grouped by distribution.

Stopping, starting, restarting, enabling and disabling iptables and ip6tables

CentOS 6 iptables and ip6tables
#list loaded rules
iptables -nL
ip6tables -nL
#service management
service iptables [stop,start,restart,status]
service ip6tables [stop,start,restart,status]
#disable iptables
chkconfig iptables off
chkconfig ip6tables off
#enable iptables
chkconfig iptables on
chkconfig ip6tables on

CentOS 7 iptables and ip6tables
#list loaded rules
iptables -nL
ip6tables -nL
#service management
systemctl [stop,start,restart,status] iptables
systemctl [stop,start,restart,status] ip6tables
#disable iptables
systemctl disable iptables
systemctl disable ip6tables
#enable iptables
systemctl enable iptables
systemctl enable ip6tables

Ubuntu 14 iptables and ip6tables
#list loaded rules
iptables -nL
ip6tables -nL
#service management
service iptables-persistent [flush,start,restart,reload,save]
#disable iptables
update-rc.d -f iptables-persistent remove
#enable iptables
update-rc.d iptables-persistent defaults

Debian 8 and Ubuntu 16 iptables and ip6tables
#list loaded rules
iptables -nL
ip6tables -nL
#service management
systemctl [stop,start,restart,status] netfilter-persistent.service
#disable iptables
systemctl disable netfilter-persistent.service
#enable iptables
systemctl enable netfilter-persistent.service

List iptables and ip6tables rules

Note: If iptables lists no rules, the service may not be running. Start and enable the iptables services using the commands shown earlier, then list the rules again.

#list the loaded iptables rules
iptables -nL
ip6tables -nL

#CentOS 6/7 list the saved iptables and ip6tables file
cat /etc/sysconfig/iptables
cat /etc/sysconfig/ip6tables

#Debian and Ubuntu list the saved iptables and ip6tables file
cat /etc/iptables/rules.v4
cat /etc/iptables/rules.v6

Save iptables and ip6tables loaded rules

Note: If the iptables service is not running or no rules are loaded, iptables-save outputs an empty ruleset and saving will overwrite the saved file with it, blanking the default ruleset. Before saving, confirm that the rules are loaded (list them first) and that you intend to overwrite the existing saved file. Consider saving to an alternate backup file if needed.

#list the loaded iptables rules
iptables -nL
ip6tables -nL

#CentOS 6/7 saving loaded rules
iptables-save | tee /etc/sysconfig/iptables
ip6tables-save | tee /etc/sysconfig/ip6tables

#Debian/Ubuntu saving loaded rules
iptables-save | tee /etc/iptables/rules.v4
ip6tables-save | tee /etc/iptables/rules.v6

Save iptables and ip6tables rules to an alternate backup file (in case a rollback is needed)

#CentOS 6/7 saving loaded rules to backup file
iptables-save | tee /etc/sysconfig/iptables.bak
ip6tables-save | tee /etc/sysconfig/ip6tables.bak

#Debian/Ubuntu saving loaded rules to backup file
iptables-save | tee /etc/iptables/rules.v4.bak
ip6tables-save | tee /etc/iptables/rules.v6.bak

Restoring iptables and ip6tables rules from an alternate backup file

#CentOS 6/7 restoring saved rules from a backup file
iptables-restore /etc/sysconfig/iptables.bak
ip6tables-restore /etc/sysconfig/ip6tables.bak

#Debian/Ubuntu restoring saved rules from a backup file
iptables-restore /etc/iptables/rules.v4.bak
ip6tables-restore /etc/iptables/rules.v6.bak

Example adding a new port rule to iptables and ip6tables

#CentOS 6/7 adding a rule for tcp port 1000 (inserted at position 1 of INPUT) and saving to the permanent ruleset for iptables
iptables -I INPUT 1 -p tcp -m tcp --dport 1000 -j ACCEPT
iptables-save | tee /etc/sysconfig/iptables

#CentOS 6/7 adding a rule for tcp port 1000 (inserted at position 1 of INPUT) and saving to the permanent ruleset for ip6tables
ip6tables -I INPUT 1 -p tcp -m tcp --dport 1000 -j ACCEPT
ip6tables-save | tee /etc/sysconfig/ip6tables

#Debian/Ubuntu adding a rule for tcp port 1000 (inserted at position 1 of INPUT) and saving to the permanent ruleset for iptables
iptables -I INPUT 1 -p tcp -m tcp --dport 1000 -j ACCEPT
iptables-save | tee /etc/iptables/rules.v4

#Debian/Ubuntu adding a rule for tcp port 1000 (inserted at position 1 of INPUT) and saving to the permanent ruleset for ip6tables
ip6tables -I INPUT 1 -p tcp -m tcp --dport 1000 -j ACCEPT
ip6tables-save | tee /etc/iptables/rules.v6

Example deleting a port rule from iptables and ip6tables

#list iptables rules
iptables -nL
ip6tables -nL

#CentOS 6/7 deleting the first matching tcp port 1000 rule and saving to the permanent ruleset for iptables
iptables -D INPUT -p tcp -m tcp --dport 1000 -j ACCEPT
iptables-save | tee /etc/sysconfig/iptables

#CentOS 6/7 deleting the first matching tcp port 1000 rule and saving to the permanent ruleset for ip6tables
ip6tables -D INPUT -p tcp -m tcp --dport 1000 -j ACCEPT
ip6tables-save | tee /etc/sysconfig/ip6tables

#Debian/Ubuntu deleting the first matching tcp port 1000 rule and saving to the permanent ruleset for iptables
iptables -D INPUT -p tcp -m tcp --dport 1000 -j ACCEPT
iptables-save | tee /etc/iptables/rules.v4

#Debian/Ubuntu deleting the first matching tcp port 1000 rule and saving to the permanent ruleset for ip6tables
ip6tables -D INPUT -p tcp -m tcp --dport 1000 -j ACCEPT
ip6tables-save | tee /etc/iptables/rules.v6
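
The save step above and the add/delete steps are usually scripted together, and two guards are worth building in: refuse to save when the captured ruleset is empty (the failure mode the save note warns about), and check with iptables -C whether a rule is already loaded before inserting it, so running the script twice does not stack duplicates. The following POSIX sh script is an added example, not part of the original article or of the iptables project; IPT, safe_save, count_rules, ensure_port_rule and remove_port_rule are names chosen here, and the CentOS path in the opt-in demo is the one used in the article.

```shell
#!/bin/sh
# Added example (not from the original article): the article's save and
# add/delete steps with two guards a practitioner wants in a script.
#   safe_save TARGET   - reads iptables-save output from stdin and writes it
#                        to TARGET only if it actually contains rules, after
#                        keeping a timestamped copy of the previous file.
#   ensure_port_rule P - inserts the tcp/P ACCEPT rule at position 1 of INPUT
#                        only if an identical rule is not already loaded
#                        (iptables -C reports that), so re-running never
#                        stacks duplicate rules.
#   remove_port_rule P - deletes the tcp/P rule, repeating until no copy is left.
# IPT selects the binary (iptables or ip6tables). The IPT_DEMO block at the
# bottom is opt-in because it changes live firewall state.
IPT=${IPT:-iptables}

# Number of rule lines (-A ...) in an iptables-save format file.
# grep -c prints 0 and exits 1 when nothing matches; keep the 0.
count_rules() {
    grep -c '^-A ' "$1" || true
}

safe_save() {
    target=$1
    tmp=$(mktemp) || return 1
    cat > "$tmp"                       # capture the piped iptables-save output
    if [ "$(count_rules "$tmp")" -eq 0 ]; then
        echo "refusing to overwrite $target: captured ruleset has no rules (is the service running?)" >&2
        rm -f "$tmp"
        return 2
    fi
    if [ -f "$target" ]; then          # keep the previous file for rollback
        cp -p "$target" "$target.$(date +%Y%m%d%H%M%S).bak" || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$target" && chmod 600 "$target"
}

ensure_port_rule() {
    port=$1
    if "$IPT" -C INPUT -p tcp -m tcp --dport "$port" -j ACCEPT 2>/dev/null; then
        echo "tcp/$port rule already loaded, nothing to do"
        return 0
    fi
    "$IPT" -I INPUT 1 -p tcp -m tcp --dport "$port" -j ACCEPT
}

remove_port_rule() {
    port=$1
    # -D removes one matching rule per call; loop until -C no longer finds one
    while "$IPT" -C INPUT -p tcp -m tcp --dport "$port" -j ACCEPT 2>/dev/null; do
        "$IPT" -D INPUT -p tcp -m tcp --dport "$port" -j ACCEPT || return 1
    done
}

# Opt-in demo: IPT_DEMO=1 sh thisfile.sh
# CentOS 6/7 path from the article; use /etc/iptables/rules.v4 on Debian/Ubuntu.
if [ "${IPT_DEMO:-0}" = 1 ]; then
    ensure_port_rule 1000 && "${IPT}-save" | safe_save /etc/sysconfig/iptables
fi
```

Set IPT=ip6tables to manage the IPv6 ruleset with the same functions; the saved-file path then becomes the ip6tables file for the distribution.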

CentOS 6/7 editing the iptables and ip6tables ruleset file directly

Note: Make a backup of the iptables file before modifying it directly. A syntax error anywhere in the file prevents iptables from loading the ruleset at all.

#CentOS 6/7
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
vi /etc/sysconfig/iptables

# Generated by iptables-save v1.4.7 on Wed Jul 11 17:37:19 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104:15924]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -m comment --comment "ssh default" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22122 -m comment --comment "ssh alternate" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -m comment --comment "http" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -m comment --comment "https" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3306 -m comment --comment "mysql" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jul 11 17:37:19 2018

When finished editing, restart the iptables service or run iptables-restore on the file to load the modified ruleset.

cp /etc/sysconfig/ip6tables /etc/sysconfig/ip6tables.bak
vi /etc/sysconfig/ip6tables

# Generated by ip6tables-save v1.4.7 on Wed Jul 11 17:37:19 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:396]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -m comment --comment "ssh default" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22122 -m comment --comment "ssh alternate" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -m comment --comment "http" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -m comment --comment "https" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3306 -m comment --comment "mysql" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
# Completed on Wed Jul 11 17:37:19 2018

When finished editing, restart the ip6tables service or run ip6tables-restore on the file to load the modified ruleset.

Debian/Ubuntu editing the iptables and ip6tables ruleset file directly

Note: Make a backup of the rules file before modifying it directly. A syntax error anywhere in the file prevents iptables from loading the ruleset at all.

#Debian/Ubuntu
cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.bak
vi /etc/iptables/rules.v4

# Generated by iptables-save v1.6.0 on Tue Jul 10 20:27:22 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [95:9648]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -m comment --comment "ssh default" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22122 -m comment --comment "ssh alternate" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -m comment --comment "http" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -m comment --comment "https" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3306 -m comment --comment "mysql" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jul 10 20:27:22 2018

When finished editing, restart the netfilter-persistent service or run iptables-restore on the file to load the modified ruleset.

cp /etc/iptables/rules.v6 /etc/iptables/rules.v6.bak
vi /etc/iptables/rules.v6

# Generated by ip6tables-save v1.6.0 on Tue Jul 10 20:27:42 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d fe80::/64 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -m comment --comment "ssh default" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22122 -m comment --comment "ssh alternate" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -m comment --comment "http" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -m comment --comment "https" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3306 -m comment --comment "mysql" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
# Completed on Tue Jul 10 20:27:42 2018

When finished editing, restart the netfilter-persistent service or run ip6tables-restore on the file to load the modified ruleset.
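
Because one syntax error stops iptables-restore from loading anything, a hand-edited file is worth checking before it is restored. The script below is an added example written for this article, not part of the original or of the iptables project; lint_ruleset is a name chosen here and the file it checks at the end is constructed. It walks an iptables-save format file and reports, per line, the mistakes hand editing most often introduces: a *table block without its COMMIT, a malformed :CHAIN POLICY [pkts:bytes] header, a line that is none of comment, table, chain, command or COMMIT, and typographic quotes (U+201C/U+201D) pasted from a web page in place of plain ASCII quotes around a --comment value, which iptables-restore rejects.

```shell
#!/bin/sh
# lint_ruleset FILE: structural pre-check of an iptables-save format file
# before it is handed to iptables-restore. Added example, not from the
# original article. Prints one diagnostic per problem on stdout and
# returns 0 only if the file is clean.
lint_ruleset() {
    file=$1
    errors=0
    table=""            # name of the *table block currently open, if any
    lineno=0
    lq=$(printf '\342\200\234')   # U+201C left double quotation mark
    rq=$(printf '\342\200\235')   # U+201D right double quotation mark
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # typographic quotes are never valid anywhere in the file
        case $line in
            *"$lq"*|*"$rq"*)
                echo "$file:$lineno: typographic quote; use plain \" instead"
                errors=$((errors + 1))
                continue ;;
        esac
        case $line in
            ''|'#'*) ;;                              # blank line or comment
            '*'*)                                    # *filter, *nat, ...
                if [ -n "$table" ]; then
                    echo "$file:$lineno: table *$table has no COMMIT"
                    errors=$((errors + 1))
                fi
                table=${line#\*} ;;
            COMMIT)
                if [ -z "$table" ]; then
                    echo "$file:$lineno: COMMIT outside a table block"
                    errors=$((errors + 1))
                fi
                table="" ;;
            ':'*' '*' ['*':'*']') ;;                  # :CHAIN POLICY [pkts:bytes]
            ':'*)
                echo "$file:$lineno: malformed chain header: $line"
                errors=$((errors + 1)) ;;
            '-'*)                                    # -A INPUT ... and other command lines
                if [ -z "$table" ]; then
                    echo "$file:$lineno: rule outside a table block"
                    errors=$((errors + 1))
                fi ;;
            *)
                echo "$file:$lineno: unrecognized line: $line"
                errors=$((errors + 1)) ;;
        esac
    done < "$file"
    if [ -n "$table" ]; then
        echo "$file: table *$table not closed by COMMIT at end of file"
        errors=$((errors + 1))
    fi
    [ "$errors" -eq 0 ]
}

# Demo on a constructed file (not a real system ruleset): it carries a
# pasted typographic quote and is missing its COMMIT line.
demo=$(mktemp)
printf '*filter\n:INPUT ACCEPT [0:0]\n-A INPUT -p tcp -m tcp --dport 80 -m comment --comment \342\200\234http\342\200\235 -j ACCEPT\n' > "$demo"
if lint_ruleset "$demo"; then
    echo "$demo is clean"
else
    echo "fix $demo before running iptables-restore"
fi
rm -f "$demo"
```

Run it as lint_ruleset /etc/sysconfig/iptables (or /etc/iptables/rules.v4) after editing and before the restart. It is a cheap first pass that points at the offending line; where the installed iptables-restore supports --test, iptables-restore --test FILE then parses and builds the ruleset without committing it and is the authoritative check.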
