Managing traffic using iptables firewall

Published at
12/11/2024
Categories
security
firewall
Author
yeshraj_b

iptables is a powerful firewall that lets you set up rules to control incoming, outgoing, and forwarded traffic on your networks. It is a default firewall on many Linux systems, including server instances provided on Oracle Cloud.

In this post, we’ll cover the following topics:

  • The Basics of iptables
  • Installing and Viewing Rules
  • Common iptables Commands
  • Working with Chains and Rules
  • Best Practices

The Basics of iptables

iptables works by examining network packets and applying rules to determine how to handle them. The main component of iptables is the chain.

Chains: A chain is a list of rules that are examined in order. The three default chains in iptables are:

  • INPUT: For packets coming into our server aka incoming traffic.
  • OUTPUT: For packets going out of our server aka outgoing traffic.
  • FORWARD: For packets being routed through the server.

Installing and Viewing Rules

On Debian/Ubuntu, you can install iptables with:

sudo apt-get install iptables

Once installed, you can use this command to view its current state:

sudo iptables -L -n -v
  • -L: List the rules.
  • -n: Show numerical addresses instead of resolving hostnames.
  • -v: Provide verbose output.

Common iptables Commands

  • Allow input traffic on a port:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

This accepts incoming TCP traffic on port 80.

  • Block input traffic on a port:
sudo iptables -A INPUT -p tcp --dport 443 -j DROP

This drops incoming TCP traffic on port 443.

  • Reject a Connection (Send a response):
sudo iptables -A INPUT -p tcp --dport 23 -j REJECT
  • Flush All Rules:
sudo iptables -F
  • Delete a Specific Rule: To delete a rule, you first need to find out its sequence number:
sudo iptables -L --line-numbers
sudo iptables -D INPUT {line_number}

Working with Chains and Rules

Before adding or deleting rules, it's important to understand the order in which the rules of a chain are evaluated.

iptables evaluates the rules in a chain sequentially, from top to bottom. A packet is passed to the next rule only if the current rule does not match it.

When a packet arrives, it's checked against each rule in the chain, one by one, until a match is found. Once a matching rule is identified, the corresponding action (such as ACCEPT, DROP or REJECT) is applied, and processing stops. No further rules in the chain are evaluated for that packet.

So if you have a REJECT rule at line 14 which rejects all incoming traffic

REJECT     all  --  *      *       0.0.0.0/0    0.0.0.0/0      reject-with icmp-host-prohibited

and you have a rule at line 15 which accepts incoming traffic on port 3000

ACCEPT     tcp  --  *      *       0.0.0.0/0    0.0.0.0/0      tcp dpt:3000

there will be no incoming traffic on port 3000 as iptables will stop on line 14 and the ACCEPT rule on line 15 will not be evaluated.
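
The shadowing described above can be checked mechanically. This added example (not from the original post) reads `iptables -S INPUT` output and reports the first rule that decides a new TCP connection to a given port from an arbitrary source; the function names and the sample ruleset are constructed, and matchers the script does not model (such as -s or -i) are assumed not to match.

```shell
#!/bin/sh
# Added example: which INPUT rule decides a NEW TCP connection to PORT?
# Input is the output of `sudo iptables -S INPUT`.
# Assumption: matchers not modelled here (-s, -i, multiport, ...) do not match.
first_match() {  # usage: first_match PORT < rules  -> prints "RULE_NUMBER TARGET"
  awk -v port="$1" '
    $1 == "-P" { policy = $3; next }          # chain default policy
    $1 != "-A" { next }
    {
      n++; ok = 1; target = ""                # n equals the --line-numbers index
      for (i = 3; i <= NF; i++) {
        if ($i == "-p")                 { if ($(i+1) != "tcp" && $(i+1) != "all") ok = 0; i++ }
        else if ($i == "--dport")       { if ($(i+1) != port) ok = 0; i++ }
        else if ($i ~ /^--(ct)?state$/) { if ($(i+1) !~ /(^|,)NEW(,|$)/) ok = 0; i++ }
        else if ($i == "-m")            { i++ }     # skip the module name
        else if ($i == "-j")            { target = $(i+1); break }
        else                            { ok = 0 }  # unmodelled matcher
      }
      # Only terminating targets stop evaluation; LOG and similar fall through.
      if (ok && target ~ /^(ACCEPT|DROP|REJECT)$/) { print n, target; found = 1; exit }
    }
    END { if (!found) print 0, policy }       # 0 means the policy decided
  '
}

audit_port() {  # usage: audit_port PORT "RULES"; returns 0 only if PORT is accepted
  result=$(printf '%s\n' "$2" | first_match "$1")
  case "$result" in
    "0 ACCEPT") echo "port $1: no rule matched, policy ACCEPT applies"; return 0 ;;
    "0 "*)      echo "port $1: no rule matched, policy ${result#* } applies"; return 1 ;;
    *" ACCEPT") echo "port $1: accepted by rule ${result% *}"; return 0 ;;
    *)          echo "port $1: ${result#* } at rule ${result% *} is evaluated first"; return 1 ;;
  esac
}

# Constructed sample shaped like the post's case: REJECT-all above ACCEPT 3000.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT'

audit_port 22 "$SAMPLE_RULES"
audit_port 3000 "$SAMPLE_RULES" || true
```

When the REJECT rule is reported as evaluated first, its rule number is the position at which the ACCEPT rule has to be inserted with `-I INPUT`.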

  • Add Rule to End of Chain:
sudo iptables -A INPUT -s 192.168.1.2 -j ACCEPT
  • Add a Rule at a Specific Position:
sudo iptables -I INPUT 4 -s 192.168.1.2 -j ACCEPT

Here, 4 is the line number at which this rule will be added.

  • Add an incoming traffic rule at position 6:
sudo iptables -I INPUT 6 -p tcp --dport 8000 -j ACCEPT

Best Practices

  • Backup Your Rules: Always take a backup before making changes.
  • Test Rules: Apply and test your rules carefully, especially when implementing complex configurations.
  • Use Descriptive Comments: Document your rules by using comments to explain the purpose of complex rules.
  • Monitor Logs: Regularly check the logs to identify any potential issues or blocked traffic.