The following iptables rules should serve as a template for creating more customized iptables rules to fit desired network environment.

This article is NOT a comprehensive guide to iptables. If you are new to iptables please familiarize your self with netfilter / iptables before you use some of the iptables rules described below. This is especially recommended if you are working on a production server.

Before applying any rule make sure that you know what you are doing.

1. Rule: iptables to reject all outgoing network connections

The second line of the rules only allows current outgoing and established connection. This is very useful when you are login to the server vie ssh or telnet

# iptables -F OUTPUT
# iptables -A OUTPUT -m state \
--state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -j REJECT

2. Rule: iptables to reject all incoming network connections

The second line of the rules only allows current outgoing and established connection. This is very useful when you are login to the server vie ssh or telnet

# iptables -F INPUT
# iptables -A INPUT -m state \
--state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT

3. Rule: iptables to reject all network connections

NOTE: This rule will drop and block all network connection whether incoming or outgoing. More importantly this will also include current ongoing established connections

# iptables -F
# iptables -A INPUT -j REJECT
# iptables -A OUTPUT -j REJECT
# iptables -A FORWARD -j REJECT

4. Rule: iptables to drop incoming ping requests

This iptables rule will DROP all incoming ping requests.

NOTE: it is possible to use REJECT instead of DROP. The difference between DROP vs REJECT is that DROP silently discards the incoming package, whereas REJECT will result in ICMP error being returned.

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

5. Rule: iptables to drop outgoing telnet connections

This iptables rule will block any outgoing traffic to any host where destination port is 23 ( telnet ).

# iptables -A OUTPUT -p tcp --dport telnet -j REJECT

6. Rule: iptables to reject incoming telnet connections

Refuse all incoming connection requests to a local port 23

# iptables -A INPUT -p tcp --dport telnet -j REJECT

7. Rule: iptables to reject outgoing ssh connections

# iptables -A OUTPUT -p tcp --dport ssh -j REJECT

8. Rule: iptables to reject incoming ssh connections

Refuse all incoming connections to a local port 22 ( ssh ).

# iptables -A INPUT -p tcp --dport ssh -j REJECT

9. Rule: iptables to reject all incoming traffic except ssh and local connections

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECT

10. Rule: iptables to accept incoming ssh connections from specific IP address

Using this iptables rule we will block all incoming connections to port 22 ( ssh ) except host with IP address 77.66.55.44. What it meas is that only host with IP 77.66.55.44 will be able to ssh.

# iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECT

11. Rule: iptables to accept incoming ssh connections from specific MAC address

Using this iptables rule we will block all incoming connections to port 22 ( ssh ) except host with MAC address 00:e0:4c:f1:41:6b . In other works all ssh connections will be limited to a single host with a MAC address 00:e0:4c:f1:41:6b.

# iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECT

12. Rule: iptables to reject incoming connections on a specific TCP port

The following iptables rule will drop all incoming traffic on TCP port 3333

# iptables -A INPUT -p tcp --dport 3333 -j REJECT

13. Rule: iptables to drop all incoming connections on a specific network interface

The following rule will drop incoming traffic on a specific network interface coming from subnet 192.168.0.0/16. The is very useful in attempt to drop all spoofed IP addresses. If eth0 is an external network interface, no incoming traffic originating from internal network should hit eth0 network interface.

# iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP

14. Rule: iptables to create a simple IP Masquerading

The following rule will create a simple IP Masquerading gateway to allow all host on the same subnet to access the Internet. The below specified eth0 is a external interface connected to the Internet.

# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE

15. Rule: Reject all incoming telnet traffic except specified IP address

The following iptables rule will reject all incoming telnet traffic except connection request from IP 222.111.111.222

# iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT

16. Rule: Reject all incoming ssh traffic except specified IP address range

The following iptables rule will reject all incoming ssh traffic except connection request from IP address range 10.1.1.90 - 10.1.1.1.100.

Removing negator "!" from the below rule reject all ssh traffic originating from IP address range 10.1.1.90 - 10.1.1.100.

iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100  -p tcp --dport 22 -j REJECT

17. Rule: iptables to reject all outgoing traffic to a specific remote host

The following iptables rule will reject all outgoing traffic to a remote host with an IP address 222.111.111.222

# iptables -A OUTPUT -d 222.111.111.222 -j REJECT

18. Rule: iptables to block an access to a specific website

The following iptables rule will block all incoming traffic from facebook.com where source port is port 80 / www

# iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP

NOTE: the above iptables rule will block access to facebook.com as well as www.facebook.com.

Free Linux eBooks

Do you have the right skills?

Our IT Skills Watch page reflects an up to date IT skills demand leaning towards the Linux and Unix environment. We have considered a number of skills and operating systems.

See the result...

Linux Online Training

Learn to run Linux servers and prepare for LPI certification with Linux Academy. 104 available video lessons with PDF course notes with your own server!

Go to top