Here’s a run-down of iptables, a Linux utility for configuring a host-based firewall.

Syntax

iptables <table> <action> <chain> <protocol> <rule>

Tables

iptables -t filter     # default; it is not required to explicitly specify this table
iptables -t nat        # helpful in managing connection re-directs (based on src/dst IP)
iptables -t mangle     # used for stripping and modifying outbound traffic
iptables -t raw        # exempt selected packets from connection tracking (NOTRACK) before the other tables see them
iptables -t security   # Mandatory Access Control (e.g. SELinux) marking rules

Actions (applicable to all tables)

iptables -t filter -A   # append
iptables -t filter -C   # check; compares user provided rule against what is configured
iptables -t filter -D   # delete
iptables -t filter -L   # list; use this to review configured rules

Chains (for the “filter” table)

iptables -t filter -A INPUT     # traffic destined for the localhost
iptables -t filter -A FORWARD   # traffic allowed through the localhost
iptables -t filter -A OUTPUT    # traffic outbound from localhost

Protocols (-p)

iptables -t filter -A INPUT -p tcp
iptables -t filter -A INPUT -p udp
iptables -t filter -A INPUT -p icmp
iptables -t filter -A INPUT -p ip     # "ip" is protocol 0 in /etc/protocols, which iptables treats as "all"; omitting -p means the same

Targets (-j; what to do with a matching packet)

iptables -t filter -A INPUT -p icmp -j DROP     # discard silently; the sender only sees a timeout
iptables -t filter -A INPUT -p icmp -j REJECT   # discard and send an error back to the sender
iptables -t filter -A INPUT -p icmp -j ACCEPT   # let the packet through

Append (adding) to your rule-set


iptables -t <table> -A <chain> <rule>

Deny and respond to inbound ICMP packets

iptables -t filter -A INPUT -p icmp -j REJECT

Do not respond to ICMP packets (safer)

iptables -t filter -A INPUT -p icmp -j DROP

Checking your rule-set

List currently configured rules

iptables -L

Show sockets listening for IPv4 connections (open ports)

netstat -l4

Show a live stream of inbound traffic from a specific host ("-n" turns off name resolution, so addresses and ports are printed as numbers)

tcpdump -n src host <ip address>

Delete rules


iptables -t <table> -D <chain> <rule>

Flush all previously configured rules (filter table only unless -t is given; chain default policies are not reset)

iptables -F

Delete a rule

iptables -t filter -D INPUT -p icmp -j DROP
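As an added example (not part of the original page), the append, check and delete actions from the sections above wrapped in small shell functions. It assumes iptables is on the PATH and that the apply step runs as root. The point of the -C check is that -A alone appends a duplicate every time a setup script is re-run, and -D only removes one matching copy per call, so both are wrapped in a check loop.

```shell
#!/bin/sh
# Added example, not the page's own code: idempotent rule management built
# on the -C (check) action. Assumption: iptables is on PATH; apply runs as root.

IPTABLES=${IPTABLES:-iptables}   # override to point at an alternate binary

# ensure_rule CHAIN RULE... : append the rule only if -C reports it is absent.
ensure_rule() {
    if "$IPTABLES" -C "$@" 2>/dev/null; then
        echo "present: $*"
        return 0
    fi
    "$IPTABLES" -A "$@" && echo "added:   $*"
}

# remove_rule CHAIN RULE... : delete every copy of a rule. -D removes one
# match per call, so keep deleting while -C still finds the rule.
remove_rule() {
    n=0
    while "$IPTABLES" -C "$@" 2>/dev/null; do
        "$IPTABLES" -D "$@" || return 1
        n=$((n + 1))
    done
    echo "removed $n copy(ies) of: $*"
}

# show_rules [TABLE] : review rules with packet counters, numeric addresses
# and line numbers (a line number can be used as "-D <chain> <number>").
show_rules() {
    "$IPTABLES" -t "${1:-filter}" -L -n -v --line-numbers
}

# Usage: sudo sh rules.sh apply   (no argument: only define the functions)
case "${1:-}" in
    apply)
        ensure_rule INPUT -p icmp -j DROP
        ensure_rule INPUT -p tcp --dport 22 -j ACCEPT
        show_rules
        ;;
esac
```

Run it twice and the second run reports every rule as "present" instead of doubling the rule-set, which is what `iptables -L` would otherwise show after a naive re-run.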

Example rule-set

iptables -A INPUT -p ip -m iprange --src-range <first-ip>-<last-ip> -j DROP   # deny one source address range
iptables -A INPUT -p ip -m iprange --src-range <first-ip>-<last-ip> -j DROP
iptables -A INPUT -p ip -m iprange --src-range <first-ip>-<last-ip> -j DROP
iptables -A INPUT -p tcp --dport 23 -j DROP     # deny Telnet connections
iptables -A OUTPUT -p tcp --dport 80 -j DROP    # deny HTTP requests
iptables -A INPUT -p icmp -j DROP               # deny ICMP traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # accept SSH connections
iptables -A INPUT -p ip -j DROP                 # deny ip any any; explicit deny all statement
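The same policy as the example rule-set above, rewritten as an added example (not the page's own) in the text format that iptables-save produces and iptables-restore loads, so the whole set is installed atomically and in the order written. Assumptions not on the page: the three blank source ranges are taken to be the RFC 1918 private blocks, chain default policies are set explicitly, FORWARD is dropped because the host is not a router, and an ESTABLISHED,RELATED conntrack rule is added so replies to connections the host itself opened are not caught by the final deny. Dropping the private ranges only makes sense on a host whose legitimate peers do not use them.

```shell
#!/bin/sh
# Added example, not the page's rule-set: the policy in iptables-restore format.
# Assumptions: RFC 1918 blocks for the blank ranges, explicit chain policies,
# and a conntrack rule for return traffic (none of these are on the page).

# build_ruleset: print the rule-set in the format iptables-save/-restore use.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host opened (added assumption)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# spoofed/private source addresses (assumed RFC 1918 ranges)
-A INPUT -m iprange --src-range 10.0.0.0-10.255.255.255 -j DROP
-A INPUT -m iprange --src-range 172.16.0.0-172.31.255.255 -j DROP
-A INPUT -m iprange --src-range 192.168.0.0-192.168.255.255 -j DROP
# un-encrypted services
-A INPUT -p tcp --dport 23 -j DROP
-A OUTPUT -p tcp --dport 80 -j DROP
# ICMP
-A INPUT -p icmp -j DROP
# authorized traffic
-A INPUT -p tcp --dport 22 -j ACCEPT
# explicit deny all (the INPUT policy above catches the rest as well)
-A INPUT -j DROP
COMMIT
EOF
}

# rule_index PATTERN: 1-based line of the first matching line, to reason
# about ordering (a rule only matters if nothing above it matched first).
rule_index() {
    build_ruleset | grep -n -e "$1" | head -n 1 | cut -d : -f 1
}

# check_ruleset: parse and build the set without committing it (needs root).
check_ruleset() { build_ruleset | iptables-restore --test; }

# apply_ruleset: load the set; iptables-restore replaces the filter table
# in one step, so there is no window with a half-applied policy.
apply_ruleset() { build_ruleset | iptables-restore; }

# Usage: sh ruleset.sh show | check | apply
case "${1:-}" in
    show)  build_ruleset ;;
    check) check_ruleset ;;
    apply) apply_ruleset && iptables -L -n -v --line-numbers ;;
esac
```

Keeping the policy as text also makes review easy: `diff` the output of `build_ruleset` against `iptables-save` to see whether the running host has drifted from the intended set.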

Firewall Principles

  • Build firewall rules like a pyramid (put as much specificity upfront/at the top as possible)
  • Block source addresses using private IP ranges
  • Block inbound traffic with as destination
  • Block inbound traffic with as destination
  • Block inbound traffic destined for ports that facilitate un-encrypted services (Telnet, HTTP, etc.)
  • Block outbound traffic that is not from your network (spoofed IP addresses)
  • Permit authorized inbound/outbound IP traffic
  • Block everything else (an explicit “deny all” statement)

Practical Exercise

Using the knowledge provided here, perform the following exercise as a "check on learning."

Tools required: ifconfig, nc, netstat, iptables, tcpdump, telnet, ping

  1. Verify configured IP addresses of both boxes
  2. Open ports on target box
  3. Verify open ports on target box
  4. Verify current iptables rule set on target box
  5. Flush and re-verify current iptables rule set
  6. Configure and re-verify iptables rule set
  7. Start “live stream” on target box
  8. Send traffic to target ports using Telnet, SSH, and Ping
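The exercise as an added shell script (not from the original page), with both roles in one file: the target-box steps 1 to 7 and the sending-box step 8. It includes a small parser for step 3 so the open-port check can be scripted rather than read off the screen. Assumptions: root on the target box, a traditional nc that accepts `-l -p`, PEER set to the sending box's address (192.0.2.10 below is a documentation placeholder), and `nc -z` used for the port probes in step 8 in place of interactive telnet and ssh sessions. SAMPLE_NETSTAT is constructed netstat output for checking the parser offline.

```shell
#!/bin/sh
# Added example, not from the original page: the practical exercise as a script.
# Assumptions: run as root on the target box; nc accepts "-l -p"; PEER is the
# address of the sending box (192.0.2.10 is a documentation placeholder).

TEST_PORTS=${TEST_PORTS:-"22 23"}   # step 2: ports to open on the target
PEER=${PEER:-192.0.2.10}             # step 7: only watch traffic from this host

# step 3 helper: read "netstat -l4 -n -t" output on stdin and print the
# listening TCP ports one per line (last ":"-separated field of Local Address).
listening_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -n -u
}

# missing_ports "22 23": print each expected port that is NOT listening.
missing_ports() {
    listening=$(listening_ports)
    for p in $1; do
        printf '%s\n' "$listening" | grep -q -x "$p" || echo "$p"
    done
}

# Constructed sample of "netstat -l4 -n -t" output, to check the parser offline.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN'

sample_ports() { printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports; }

show_addresses() { ifconfig 2>/dev/null || ip -4 addr show; }   # step 1
open_ports() {                                                   # step 2
    for p in $TEST_PORTS; do
        nc -l -p "$p" >/dev/null 2>&1 &
    done
}
show_rules() { iptables -L -n -v --line-numbers; }               # steps 4-6
configure_rules() {
    iptables -A INPUT -p tcp --dport 23 -j DROP     # deny Telnet
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # accept SSH
    iptables -A INPUT -p icmp -j DROP               # deny ping
}

# Usage: sudo sh exercise.sh target      (on the box being tested)
#        sh exercise.sh client <target>  (on the other box)
case "${1:-}" in
    target)
        show_addresses
        open_ports
        missing=$(netstat -l4 -n -t | missing_ports "$TEST_PORTS")   # step 3
        [ -z "$missing" ] || echo "not listening: $missing"
        show_rules; iptables -F; show_rules                           # steps 4-5
        configure_rules; show_rules                                   # step 6
        tcpdump -n src host "$PEER"                                   # step 7, runs until Ctrl-C
        ;;
    client)
        TARGET=${2:?usage: $0 client <target-ip>}                     # step 8
        ping -c 3 "$TARGET"            # expect no replies (ICMP dropped)
        nc -z -v -w 3 "$TARGET" 23     # expect a timeout (Telnet dropped)
        nc -z -v -w 3 "$TARGET" 22     # expect success (SSH accepted)
        ;;
esac
```

Watching the tcpdump window while the client runs is the check: the Telnet SYNs and the ICMP echo requests arrive at the interface (tcpdump sees packets before the INPUT chain drops them) but get no reply, while the SSH probe completes its handshake.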