Updated on 24.5.2023

How to configure iptables on CentOS

firewall

The user-space application program iptables allows configuring the tables provided by the Linux kernel firewall, as well as the chains and rules it stores. The kernel module currently used for iptables only applies to IPv4 traffic, to configure firewall rules for IPv6 connections instead use ip6tables, which respond to the same command structures as iptables. If you are using CentOS 7, you should look into configuring firewalld, which combines the functionality of iptables and ip6tables, though it’s possible to still use iptables just the same.

Listing current rules

On CentOS and other Red Hat variants, iptables often comes with some pre-configured rules, check the current iptable rules using the following command.

sudo iptables -L

This will print out a list of three chains, input, forward and output, like the empty rules table example output below.

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

The chain names indicate which traffic the rules in each list will be applied to, input is for any connections coming to your cloud server, output is any leaving traffic and forward for any pass through. Each chain also has its policy setting which determines how the traffic is handled if it doesn’t match any specific rules, by default it’s set to accept.

Adding rules

Firewalls can commonly be configured in one of two ways, either set the default rule to accept and then block any unwanted traffic with specific rules, or by using the rules to define allowed traffic and blocking everything else. The latter is often the recommended approach, as it allows pre-emptively blocking traffic, rather than having to reactively reject connections that should not be attempting to access your cloud server.

To begin using iptables, you should first add the rules for allowed inbound traffic for the services you require. Iptables can track the state of the connection, so use the command below to allow established connections continue.

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

You can check that the rule was added using the same sudo iptables -L as before.

Next, allow traffic to a specific port to enable SSH connections with the following.

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

The ssh in the command translates to the port number 22, which the protocol uses by default. The same command structure can be used to allow traffic to other ports as well. To enable access to an HTTP web server, use the following command.

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

After adding all the allowed rules you require, change the input policy to drop.

Warning: Changing the default rule to drop will permit only specifically accepted connection. Make sure you’ve enabled at least SSH as shown above before changing the default rule.

sudo iptables -P INPUT DROP

The same policy rules can be defined for other chains as well by entering the chain name and selecting either DROP or ACCEPT.

Saving and restoring rules

Now if you were to restart your cloud server all of these iptables configurations would be wiped. To prevent this, save the rules to a file.

sudo iptables-save > /etc/sysconfig/iptables

You can then simply restore the saved rules by reading the file you saved.

# Overwrite the current rules
sudo iptables-restore < /etc/sysconfig/iptables
# Add the new rules keeping the current ones
sudo iptables-restore -n < /etc/sysconfig/iptables

To automate the restore at reboot CentOS offers a system service by the same name, iptables. However, it does not come in the default configuration and needs to be installed manually.

sudo yum install iptables-services

Once installed, start and enable the service.

sudo systemctl start iptables
sudo systemctl enable iptables

Afterwards, you can simply save the current rules using the following command.

sudo service iptables save

These are just a few simple commands you can use with iptables, which is capable of much more. Read on to check on some of the other options available for more advanced control over iptable rules.

Advanced rule setup

As per basic firewall behaviour, the rules are read in the order they are listed on each chain, which means you’ll need to put the rules in the correct order. Appending new rules adds them to the end of the list. You can add new rules to a specific position of the list by inserting them using iptables -I <index> -command, where the <index> is the order number you wish to insert the rule. To know which index number to enter, use the following command.

sudo iptables -L --line-numbers
Chain INPUT (policy DROP)
 num target prot opt source   destination
 1   ACCEPT all  --  anywhere anywhere ctstate RELATED,ESTABLISHED
 2   ACCEPT tcp  --  anywhere anywhere tcp dpt:ssh
 3   ACCEPT tcp  --  anywhere anywhere tcp dpt:http

The number at the beginning of each rule line indicates the position in the chain. To insert a new rule above a specific existing rule, simply use the index number of that existing rule. For example to insert a new rule to the top of the chain, use the following command with index number 1.

sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

If you wish to remove an existing rule from a certain chain, use the delete command with the parameter -D. The easiest way to select the rule for deletion is to use the index numbers explained above. For example to delete the second rule on the input chain, use this command

sudo iptables -D INPUT 2

It’s also possible to flush all rules of a specific chain or even the whole iptables using the -F -parameter. This is useful if you suspect iptables is interfering with your attempted network traffic, or you simply wish to start configuring again from a clean table. Remember to save the rules to a file before flushing the table.

Warning: Make sure you set the default rule to ACCEPT before flushing any chain.

sudo iptables -P INPUT ACCEPT

Afterwards, you can go ahead with clearing other rules. Remember to save the rules to a file before flushing the table in case you want to restore the configuration later.

# Clear input chain
sudo iptables -F INPUT
# Flush the whole iptables
sudo iptables -F

With the iptable flushed, your server could be vulnerable to attacks. Make sure to secure your system with an alternative method while disabling iptables even temporarily.

Janne Ruostemaa

Editor-in-Chief

  1. Hello, thanks a lot for the article.

  2. Ludovic Bourton

    Thx for this article :)

  3. Hi, sudo service iptables save does not work…

  4. Janne Ruostemaa

    Hi Alexander, thanks for the comment. Seems the iptables services no longer comes with the default CentOS 7 configuration. You’ll need to first install it and then enable the service. We’ve updated the tutorial to include the installation steps that are now required.

  5. Hello,
    I have installed iptables version 1.4 on CenOS7
    Please teach me how to update it to the latest version of iptables [iptables-1.8.7]
    Thank you very much

  6. Janne Ruostemaa

    Hi Tommy, thanks for the comment. Version 1.4 seems to be the latest in the CentOS 7 repositories. If you want to update it, you’ll need to compile and install it from the source.

  7. hello, i have flushed and disabled iptables and then run reboot command .now i can’t access to my vps via controle pannel or ssh . i’mon the rescue mode but i don’t know what to do . i tried to install iptables but i got error . please help . thank you

  8. Janne Ruostemaa

    Hi Sadok, thanks for the question. On UpCloud CentOS templates should have iptables installed by default so there should not be a need to install it manually. If your cloud server has become unreachable via SSH the Web Console should still allow you to log in even without network connectivity on the server. Try disabling any existing rules that might block your SSH connection by flushing the rules again and setting the default rule to accept.

    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
  9. It worked in the CentOS 8

  10. how to enbale iptables loging in centos 9 in seprate file

  11. Marco Matuttis

    are the rules somewhere written in a file so that i can simply edit the file

  12. Janne Ruostemaa

    Hi Marco, thanks for the question. You can save the rules table to a file, edit that, and then restore the rules from your file.
    # Save rules to file
    sudo iptables-save > /etc/sysconfig/iptables
    # Restore rules from file, overwrite the current rules
    sudo iptables-restore < /etc/sysconfig/iptables

  13. Janne Ruostemaa

    Hi there, thanks for the question. You need to include a logging rule before any DROP or REJECT rules
    iptables -A INPUT -j LOG --log-level info --log-prefix "IPTABLES-DROP: "
    Then use the rsyslog to record the events to file by adding a new rule e.g. to /etc/rsyslog.d/iptables.conf
    :msg, startswith, "IPTABLES" -/var/log/iptables.log
    & ~

    Of the above, the first line instructs rsyslog to write the iptable events to /var/log/iptables.log and the second line stop the same event being recorded in /var/log/messages.

Leave a Reply to maciek

Your email address will not be published. Required fields are marked *

Back to top