Updated on 16.9.2024

How to configure iptables on Ubuntu

iptables is the user-space program for configuring the tables of the Linux kernel firewall and the chains and rules stored in them. The iptables command only manages IPv4 rules; to filter IPv6 traffic, use ip6tables, which accepts the same command syntax. On Ubuntu 20.04 and later the iptables binary is by default the nftables-backed iptables-nft variant, which does not change any of the commands in this tutorial.

Listing current rules

Ubuntu servers do not come with any restrictions configured by default, but it is worth checking the current rules before making changes. List the rules of the default filter table with the following command (add -n to skip reverse DNS lookups, which can make the listing slow).

sudo iptables -L

This prints the three chains of the filter table, INPUT, FORWARD and OUTPUT, as in the example output of an empty rule set below.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The chain names indicate which traffic the rules in each list apply to. INPUT is for connections coming to your cloud server, OUTPUT is for traffic leaving it, and FORWARD is for traffic passing through it. Each chain also has a policy, which decides what happens to traffic that matches none of the chain's rules. By default it is set to ACCEPT.

Adding rules

Firewalls are commonly configured in one of two ways: either keep the default policy at ACCEPT and block unwanted traffic with specific rules, or use the rules to define the allowed traffic and block everything else. The latter allow-list approach is usually recommended, because it blocks unexpected traffic pre-emptively instead of leaving you to react to connections that should never have reached your cloud server.

To begin, add accept rules for the inbound traffic your services need. iptables tracks connection state, so start with the rule below, which lets packets belonging to established connections (and related ones, such as FTP data channels) through; without it, replies to connections your server opens would be dropped once the policy is changed. Services that communicate over the loopback interface need a matching accept rule for lo as well.

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

You can check that the rule was added with the same sudo iptables -L command as before.

Next, allow traffic to the SSH port so that you can keep logging in:

sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

The ssh in the command is resolved through /etc/services to port number 22, the protocol's default; a port number works equally well. The same command structure allows traffic to any other port. To open an HTTP web server, use the following command.

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

After adding all the accept rules you require, change the INPUT policy to DROP.

Warning: With the policy set to DROP, only explicitly accepted connections get through. Before changing the policy, make sure you have added at least the SSH and established-connection rules shown above, or you will be locked out of the server.

sudo iptables -P INPUT DROP

The policy of the other chains can be set the same way, by giving the chain name and either DROP or ACCEPT. Note that FORWARD only carries traffic routed through the server, such as VPN or container traffic, so changing its policy has no effect on connections to the server itself.

Saving and restoring rules

The rules you have added live only in kernel memory, so a reboot of your cloud server wipes them. To keep them, save the rules to a file. Note that the redirection has to run as root as well: with a plain sudo iptables-save > file, the file is opened by your unprivileged shell, and the command fails unless you can already write to /etc/iptables (a directory that exists once iptables-persistent, introduced below, is installed).

sudo mkdir -p /etc/iptables
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

You can then restore the saved rules by reading the file back in. Restoring replaces the current rules unless you pass -n (--noflush), which adds the file's rules while keeping the existing ones.

# Overwrite the current rules
sudo iptables-restore < /etc/iptables/rules.v4
# Add the new rules keeping the current ones
sudo iptables-restore -n < /etc/iptables/rules.v4

You can automate the restore at reboot by installing an additional package, iptables-persistent, which loads the saved rules during boot. Install it with the following command.

sudo apt-get install iptables-persistent

After the installation, the initial setup asks whether to save the current rules for IPv4 and IPv6. Select Yes and press Enter for both.

If you make further changes to your iptables rules, remember to save them again with the same command as above (the package also provides a netfilter-persistent command whose save action writes both files). iptables-persistent looks for the files rules.v4 and rules.v6 under /etc/iptables.
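The allow-list procedure above (accept established traffic, accept the services you need, set the INPUT policy to DROP, then save the result where iptables-persistent finds it), as an added shell example that is not part of the original tutorial. It builds the whole filter table as an iptables-restore file and loads it in one step, so the DROP policy and the accept rules take effect together; it also accepts loopback traffic and drops packets the connection tracker marks INVALID, neither of which appears in the tutorial's rule list, and it arms a rollback timer so that a mistake restores the previous rules instead of locking you out. The port list, the file paths, the 60-second window and the confirm-flag mechanism are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): build an allow-list INPUT
# ruleset, load it atomically, and persist it for iptables-persistent.
# Assumptions: the ports, the paths and the 60 s rollback window below.
set -eu

RULES_FILE=/etc/iptables/rules.v4        # file iptables-persistent loads at boot
BACKUP_FILE=/run/iptables.rollback.v4    # assumed: snapshot of the rules before the change
CONFIRM_FLAG=/run/iptables.confirmed     # assumed: created by confirm_rules to cancel rollback
ROLLBACK_SECONDS=60

# build_rules PORT... : print a complete filter table in iptables-save format.
# Loading it with iptables-restore is one atomic operation, so there is no window
# in which INPUT is already DROP but the SSH accept rule is not yet present.
build_rules() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# validate_rules FILE : have iptables-restore parse the file without loading it.
validate_rules() {
    iptables-restore --test < "$1"
}

# apply_rules FILE : snapshot the live rules, load FILE, and arm a rollback timer.
# If you can still open a new SSH session afterwards, run confirm_rules within
# ROLLBACK_SECONDS; otherwise the timer puts the old rules back.
apply_rules() {
    rm -f "$CONFIRM_FLAG"
    iptables-save > "$BACKUP_FILE"
    iptables-restore < "$1"
    # nohup so the timer survives the SSH session that applied the rules being cut off
    nohup sh -c "sleep $ROLLBACK_SECONDS; [ -e '$CONFIRM_FLAG' ] || iptables-restore < '$BACKUP_FILE'" \
        >/dev/null 2>&1 &
    echo "Rules loaded; from a NEW session run '$0 confirm' within ${ROLLBACK_SECONDS}s"
}

# confirm_rules : cancel the rollback and save the live rules where
# iptables-persistent expects them.
confirm_rules() {
    touch "$CONFIRM_FLAG"
    mkdir -p "$(dirname "$RULES_FILE")"
    iptables-save > "$RULES_FILE"
}

# Usage (as root):  ./firewall.sh apply 22 80   then, from a new session:  ./firewall.sh confirm
case "${1:-}" in
    apply)   shift; tmp=$(mktemp); build_rules "$@" > "$tmp"; validate_rules "$tmp"; apply_rules "$tmp" ;;
    confirm) confirm_rules ;;
esac
```

The generated file is the same format iptables-save writes, so it can be inspected, diffed and committed to version control before it is ever loaded, and iptables-restore --test catches syntax errors without touching the live rules.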

These are just a few basic commands; iptables is capable of much more. Read on for some of the other options that give finer control over the rules.

Advanced rule setup

As with any firewall, the rules of a chain are evaluated in the order they are listed, and the first matching rule decides what happens to the packet, so the order matters. Appending with -A adds a rule to the end of the chain. To add a rule at a specific position, insert it with iptables -I <chain> <index>, where <index> is the position the new rule should take. To find the right index, list the rules with line numbers.

sudo iptables -L --line-numbers
Chain INPUT (policy DROP)
 num target prot opt source   destination
 1   ACCEPT all  --  anywhere anywhere ctstate RELATED,ESTABLISHED
 2   ACCEPT tcp  --  anywhere anywhere tcp dpt:ssh
 3   ACCEPT tcp  --  anywhere anywhere tcp dpt:http

The number at the start of each line is the rule's position in the chain. To insert a new rule above an existing rule, use that rule's index number; the existing rule and everything below it move down by one. For example, to insert a rule at the top of the chain, use index number 1.

sudo iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

To remove an existing rule from a chain, use the delete command -D. The easiest way to select the rule is by the index number explained above, but the numbers of all rules below it shift up by one after each deletion, so list the rules again before deleting another. For example, to delete the second rule on the INPUT chain, use this command.

sudo iptables -D INPUT 2

It is also possible to flush all rules of a specific chain, or the whole table, with the -F parameter. This is useful if you suspect iptables is interfering with your network traffic, or you simply wish to start configuring again from a clean table.

Warning: Flushing removes the rules but leaves the chain's policy unchanged. If the INPUT policy is DROP, flushing drops everything, including your SSH session, so set the policy back to ACCEPT before flushing any chain.

sudo iptables -P INPUT ACCEPT

Afterwards you can go ahead and clear the rules. Save the rules to a file first if you may want to restore the configuration later.

# Clear input chain
sudo iptables -F INPUT
# Flush the whole iptables
sudo iptables -F

With iptables flushed, your server is exposed. Make sure it is protected by other means, such as a network-level firewall, while iptables is disabled, even temporarily.
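Because rules are matched top to bottom, a rule that follows an unconditional ACCEPT or DROP is never reached, and a DROP policy without the established-connection and loopback rules is the classic lockout. The added shell example below, which is not part of the original tutorial, audits an iptables-save dump for exactly those mistakes and shows an idempotent way to add or delete a rule by its specification rather than its index, since index numbers shift every time a rule above them is inserted or deleted. The two dump files it checks are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an iptables-save dump
# for ordering and lockout mistakes, plus idempotent add/delete by rule spec.

# audit_input_chain FILE : print one finding per line for the filter table's
# INPUT chain; returns 0 when nothing is flagged, 1 otherwise.
audit_input_chain() {
    awk '
    /^\*/ { table = substr($0, 2) }                      # *filter, *nat, ...
    table == "filter" && /^:INPUT / { policy = $2 }      # :INPUT DROP [0:0]
    table == "filter" && /^-A INPUT / {
        n++
        if ($0 ~ /ESTABLISHED,RELATED|RELATED,ESTABLISHED/) est = n
        if ($0 ~ /-i lo /) lo = n
        if (shadowed) { print "rule " n " is unreachable: " $0; bad = 1 }
        # a terminating target with no match options matches every packet,
        # so every rule appended after it is dead
        if ($0 ~ /^-A INPUT -j (ACCEPT|DROP|REJECT)$/) shadowed = 1
    }
    END {
        if (policy == "DROP" && !est) { print "INPUT policy is DROP but no ESTABLISHED,RELATED rule"; bad = 1 }
        if (policy == "DROP" && !lo)  { print "INPUT policy is DROP but loopback (-i lo) is not accepted"; bad = 1 }
        if (bad) exit 1
    }' "$1"
}

# ensure_rule CHAIN RULE... : append the rule only if an identical one is not
# already present (-C checks for it), so re-running a script never duplicates it.
# delete_rule passes the same spec to -D: deleting by spec is unaffected by index
# numbers shifting after insertions or deletions above the rule.
ensure_rule() { chain=$1; shift; iptables -C "$chain" "$@" 2>/dev/null || iptables -A "$chain" "$@"; }
delete_rule() { chain=$1; shift; iptables -D "$chain" "$@"; }

# Constructed sample dumps for the example (not captured from a real host).
sample_good_dump() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT'
}
sample_bad_dump() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -j DROP' \
        '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT'
}

# Usage on a live host (as root):
#   iptables-save > /tmp/dump.v4 && audit_input_chain /tmp/dump.v4
#   ensure_rule INPUT -p tcp --dport 443 -j ACCEPT
#   delete_rule INPUT -p tcp --dport 443 -j ACCEPT
```

Running the audit against the bad dump reports the unreachable SSH rule (it sits below an unconditional DROP) and the two missing lockout guards, and exits non-zero; the good dump passes silently, which makes the function usable as a pre-check before iptables-restore in a deployment script.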

Janne Ruostemaa

Editor-in-Chief

  1. The question is, what happened when I created one new rule? Am I able to delete or update it? I can't see one of them.

  2. Janne Ruostemaa

    Hi there, check the last section about how to list all rules with their line numbers as well as how to modify or delete existing rules.

  3. Short, great and to the point. Great way to get your feet wet. Thank you for writing this tutorial it was helpful.

  4. Hi there, isn't this a bit of an obsolete way of configuring a firewall, and ufw or firewalld is better/easier nowadays?

  5. Janne Ruostemaa

    Hi Victor, thanks for the question. You are right that ufw and firewalld are much easier to use. However, a lot of other software still integrates with iptables, which keeps it relevant for years to come.

  6. Philip Miller

    This is short and sweet and very easy to understand.

    iptables is still the preferred method of firewall configuration. Using ufw and firewalld is much more complex. The goal is simple and elegant!

    However, in all these discussions, there is a simple procedure that makes this even easier. If you simply copy iptables-save to any file and directory of your choice, then you can simply text-edit that file, which is much easier, and then reverse the restore process, bypassing all the complex command lines.

  7. Janne Ruostemaa

    Hi Philip, thanks for the comment. UFW and firewalld work as command-line front-ends for iptables and are good alternatives for putting in a few config lines. While it might not be intended, you are right that the iptables save file can be modified with a simple text editor. Manually editing the config file will require some extra care, though.

  8. Francois Campbell

    Last command may lock you out of your OS.
    So please be careful with it.

  9. Janne Ruostemaa

    Hi Francois, thanks for the comment. You are right that there are risks of lockout when making changes to rules on a chain with default rule DROP. We’ve added an extra warning to try to prevent mishaps.

  10. SERGEI MIRONOV

    Hey guys, what are you talking about? iptables doesn't work since Feb. 2020, Ubuntu 20.04.

    All users should migrate to the nftables tool. No choice. Please make corrections, because people who are googling about "iptables doesn't work" will read this topic.

    Thanks

  11. Janne Ruostemaa

    Hi Sergei, thanks for the comment. You are right that iptables is being replaced by nftables. However, iptables is still widely used and the default firewall framework for most Linux distributions. We'll look into putting together a tutorial for nftables as well, as it is gaining popularity.

  12. Can I work with iptables to make all the rules permanent? How will that be?

  13. Hey, thanks for the question. You can save the rules to a file and then restore them after reboot, which is mentioned in the tutorial. Alternatively, you can also install the package iptables-persistent and this will automatically save and restore iptables when rebooting the server. You would still need to save any new rules that you created to make them persistent.
