Listing current rules
Debian servers do not implement any restrictions by default, but for future reference, check the current iptable rules, use the following command.
sudo iptables -LThis will print out a list of three chains, input, forward and output, like the empty rules table example output below.
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destinationAdding rules
To begin using iptables, you should first add the rules for allowed inbound traffic for the services you require. Iptables can track the state of the connection, use the command below to allow established connections.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPTNext, allow traffic to a specific port to enable SSH connections with the following.
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPTThe ssh in the command translates to the port number 22, which the protocol uses by default. The same command structure can be used to allow traffic to other ports as well. To enable access to an HTTP web server, use the following command.
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPTAfter adding all the allowed rules you require, change the input policy to drop.
sudo iptables -P INPUT DROPSaving and restoring rules
Now if you were to restart your cloud server all of these iptables configurations would be wiped. To prevent this, save the rules to a file.
sudo iptables-save > /etc/iptables/rules.v4You can then simply restore the saved rules by reading the file you saved.
# Overwrite the current rules
sudo iptables-restore < /etc/iptables/rules.v4
# Add the new rules keeping the current ones
sudo iptables-restore -n < /etc/iptables/rules.v4You can automate the restore process at reboot by installing an additional package for iptables which takes over the loading of the saved rules. To this with the following command.
sudo aptitude install iptables-persistentDelete Rule by Specification
One of the ways to delete iptables rules is by rule specification. To do so, you can run the iptables command with the -D option followed by the rule specification. If you want to delete rules using this method, you can use the output of the rules list, iptables -S, for some help.
For example, if you want to delete the rule that drops invalid incoming packets (-A INPUT -m conntrack --ctstate INVALID -j DROP), you could run this command:
sudo iptables -D INPUT -m conntrack --ctstate INVALID -j DROPNote that the -A option, which is used to indicate the rule position at creation time, should be excluded here.
Delete Rule by Chain and Number
The other way to delete iptables rules is by its chain and line number. To determine a rule’s line number, list the rules in the table format and add the --line-numbers option:
sudo iptables -L --line-numbers[secondary_output Example Output: Rules with Line Numbers]
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
2 ACCEPT all -- anywhere anywhere
3 DROP all -- anywhere anywhere ctstate INVALID
4 UDP udp -- anywhere anywhere ctstate NEW
5 TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
6 ICMP icmp -- anywhere anywhere ctstate NEW
7 REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
8 REJECT tcp -- anywhere anywhere reject-with tcp-reset
9 REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
10 ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED
...This adds the line number to each rule row, indicated by the num header.
Once you know which rule you want to delete, note the chain and line number of the rule. Then run the iptables -D command followed by the chain and rule number.
For example, if we want to delete the input rule that drops invalid packets, we can see that it’s rule 3 of the INPUT chain. So we should run this command:
sudo iptables -D INPUT 3Now that you know how to delete individual firewall rules, let’s go over how you can flush chains of rules.