How to edit iptables rules

In this how-to, we will illustrate three ways of editing iptables rules, via:

  • Command line interface (CLI): the iptables command and the system configuration file /etc/sysconfig/iptables.

  • Text-based user interface (TUI): setup or system-config-firewall-tui

  • Graphical user interface (GUI): system-config-firewall

This how-to illustrates editing existing iptables rules, not the initial creation of rules chains.

Command Line Interface

Changes to iptables Rules

The following procedures allow for changes in the behaviour of the firewall while it is running. It is important to understand that every change is applied immediately.

Read the man pages (man iptables) for further explanations and more sophisticated examples.

Listing Rules

Currently running iptables rules can be viewed with the command:

# iptables -L

The following example shows four rules. These rules permit established or related connections, any ICMP traffic, any local traffic, and incoming connections on port 22. Note that the output gives no indication that the third rule applies only to local traffic; add the -v option to see the interface column, which reveals that the rule applies only to traffic on the loopback interface.

[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Also remember that rules are evaluated in order of appearance and that after the first match no further rules are considered (there are exceptions; refer to the man pages for details). For example, if one rule rejects ssh connections and a later rule permits them, the first rule is applied to incoming ssh connections and the second is never evaluated.

Appending Rules

The following adds a rule at the end of the specified chain of iptables:

[root@server ~]# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Notice the last line in the INPUT chain. There are now five rules.

Deleting Rules

To delete a rule you need to know its position in the chain. The rule appended in the previous example is in the fifth position, so the following command deletes it:

[root@server ~]# iptables -D INPUT 5
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Inserting Rules

You can also insert rules at a specific position. To insert a rule at the top (i.e. first) position, use:

[root@server ~]# iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The number given after the chain name indicates the position of your new rule after the insertion. So, for example, if you want to insert a rule at the third position, you specify the number 3. Afterwards your new rule is at position 3, while the old rule from position 3 is now shifted to position 4.

Replacing Rules

An existing rule in a chain can be replaced by a new one; as with deletion, the rule is identified by its position.

In the previous example, the first rule grants access to tcp port 80 from any source. To restrict the access to sources within a local net, the following command replaces the first rule:

[root@server ~]# iptables -R INPUT 1 -p tcp -s 192.168.0.0/24 --dport 80 -j ACCEPT
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.0/24       anywhere             tcp dpt:http
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Flushing Rules

To flush (clear) all iptables rules, use the -F or --flush option:

# iptables -F <chain>

Specifying a chain is optional. Without a given chain, all chains are flushed. Remember that the new rule set is immediately active: depending on the default policies, flushing the rules may lock you out of a remote machine.

To flush all rules in the OUTPUT chain use:

# iptables -F OUTPUT

Making changes persistent

All changes to iptables rules made with the CLI commands are lost on reboot. However, iptables comes with two useful utilities: iptables-save and iptables-restore.

iptables-save prints a dump of the current rule set to stdout. This may be redirected to a file:

[root@server ~]# iptables-save > iptables.dump
[root@server ~]# cat iptables.dump
# Generated by iptables-save v1.4.12 on Wed Dec  7 20:10:49 2011
*filter
:INPUT DROP [45:2307]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1571:4260654]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Dec  7 20:10:49 2011

Use iptables-restore to restore a dump of rules made by iptables-save.

[root@server ~]# iptables-restore < iptables.dump
[root@server ~]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             state NEW tcp dpt:ssh

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

In the default configuration, stopping or restarting the iptables service will discard the running configuration. This behavior can be changed by setting IPTABLES_SAVE_ON_STOP="yes" or IPTABLES_SAVE_ON_RESTART="yes" in /etc/sysconfig/iptables-config. If these values are set, the configuration will be automatically dumped to /etc/sysconfig/iptables and /etc/sysconfig/ip6tables for IPv4 and IPv6 respectively.

If you prefer, you may edit these files directly. Restart the iptables service or restore the rules to apply your changes. The rules are in the same format as you would specify them on the command line:

# Generated by iptables-save v1.4.12 on Wed Dec  7 20:22:39 2011
*filter
:INPUT DROP [157:36334]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48876:76493439]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Dec  7 20:22:39 2011

The numbers in brackets are counters and usually you don't need to touch them. If needed, you can reset packet and byte counters with the -Z or --zero option:

# iptables -Z <chain> <rule_number>

It is possible to reset the counter of a single rule. This can be handy if you want to know how many packets have matched a specific rule.
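The following script is an added example, not code from this how-to. It works offline on a file in the iptables-save format shown above (the same format /etc/sysconfig/iptables and the TUI "custom rules" files use), mirroring the -A, -I, -D and -R operations from the sections above at the same 1-based positions iptables uses, and adds two checks a practitioner wants before running iptables-restore: a lint for rules that can never match because an earlier identical rule in the chain already terminates evaluation (the first-match situation described under "Listing Rules"), and a check for the INPUT DROP-policy-with-no-rules state that a flush leaves behind. SAMPLE_DUMP is the how-to's own dump embedded as constructed input; the script also accepts the optional "[packets:bytes]" prefix that iptables-save -c puts on rule lines, and the replayed port 80 rules are written as iptables-save prints them (with an explicit -m tcp).

```python
"""Offline editing and sanity checks for an iptables-save style rule file.

Added example, not code from the original how-to. Assumes only the
iptables-save format shown in the how-to plus the "[packets:bytes]" rule
prefix written by `iptables-save -c`.
"""
import re
import shlex

# The how-to's own dump, embedded here as constructed sample input.
SAMPLE_DUMP = """\
# Generated by iptables-save v1.4.12 on Wed Dec  7 20:22:39 2011
*filter
:INPUT DROP [157:36334]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [48876:76493439]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Wed Dec  7 20:22:39 2011
"""

RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)\s+(.*)$")
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}


def parse_dump(text):
    """Return {table: {"policies": {chain: policy}, "rules": {chain: [rule]}}}.
    A rule is a dict with its match/target text and counters (0 without -c)."""
    tables, table = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):                      # table header, e.g. *filter
            table = tables.setdefault(line[1:], {"policies": {}, "rules": {}})
        elif line.startswith(":"):                    # chain, policy, counters
            chain, policy, _counters = line[1:].split(None, 2)
            table["policies"][chain] = policy
            table["rules"].setdefault(chain, [])
        else:
            m = RULE_RE.match(line)
            if m is None:
                raise ValueError("unrecognised line: %r" % line)
            pkts, byts, chain, spec = m.groups()
            table["rules"].setdefault(chain, []).append(
                {"spec": spec, "packets": int(pkts or 0), "bytes": int(byts or 0)})
    return tables


def render(tables):
    """Serialise back to iptables-restore input; counters are reset to [0:0]."""
    out = []
    for name, table in tables.items():
        out.append("*" + name)
        out.extend(":%s %s [0:0]" % (c, p) for c, p in table["policies"].items())
        for chain, rules in table["rules"].items():
            out.extend("-A %s %s" % (chain, r["spec"]) for r in rules)
        out.append("COMMIT")
    return "\n".join(out) + "\n"


def _new(spec):
    return {"spec": spec, "packets": 0, "bytes": 0}


def _check(rules, position, slack=0):
    """Positions are 1-based, exactly as iptables counts them."""
    if not 1 <= position <= len(rules) + slack:
        raise IndexError("position %d out of range" % position)


def append_rule(rules, spec):              # iptables -A CHAIN spec
    rules.append(_new(spec))


def insert_rule(rules, position, spec):    # iptables -I CHAIN position spec
    _check(rules, position, slack=1)
    rules.insert(position - 1, _new(spec))


def delete_rule(rules, position):          # iptables -D CHAIN position
    _check(rules, position)
    del rules[position - 1]


def replace_rule(rules, position, spec):   # iptables -R CHAIN position spec
    _check(rules, position)
    rules[position - 1] = _new(spec)


def shadowed_rules(rules):
    """(position, shadowed_by) pairs for rules that can never match because an
    earlier rule has the identical match and a terminating target. Only
    textually identical matches are detected; proving that a broader earlier
    rule (say -p tcp with no port) covers a later one needs real match semantics."""
    first_seen, found = {}, []
    for pos, rule in enumerate(rules, 1):
        tokens = shlex.split(rule["spec"])
        j = tokens.index("-j") if "-j" in tokens else len(tokens)
        match = tuple(tokens[:j])
        target = tokens[j + 1] if j + 1 < len(tokens) else None
        if match in first_seen:
            found.append((pos, first_seen[match]))
        elif target in TERMINATING:
            first_seen[match] = pos
    return found


def lockout_risk(table):
    """True when INPUT drops by policy and holds no rules, which is what
    `iptables -F` leaves behind on a host whose INPUT policy is DROP."""
    return table["policies"].get("INPUT") == "DROP" and not table["rules"].get("INPUT")


def replay_howto():
    """Replay the Appending/Deleting/Inserting/Replacing steps on SAMPLE_DUMP."""
    inp = parse_dump(SAMPLE_DUMP)["filter"]["rules"]["INPUT"]
    append_rule(inp, "-p tcp -m tcp --dport 80 -j ACCEPT")        # now five rules
    delete_rule(inp, 5)                                           # back to four
    insert_rule(inp, 1, "-p tcp -m tcp --dport 80 -j ACCEPT")     # port 80 first
    replace_rule(inp, 1, "-s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT")
    return [r["spec"] for r in inp]
```

Run replay_howto() and feed render() of the edited tables to iptables-restore once shadowed_rules() is empty for every chain and lockout_risk() is false; render() resets the counters, which is harmless since iptables-restore starts them from zero anyway unless the dump was taken with -c.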

Text-based User Interface

There are two ways to manage iptables rules using a text-based user interface. These are setup and system-config-firewall-tui. If you start setup, you will see something similar to the following:

setup menu utility

If you select "Firewall configuration" you will see the screen below. You could also invoke system-config-firewall-tui. This will take you directly to the same screen. Make sure that "Firewall" is enabled, otherwise you cannot edit its rule set. Continue by selecting "Customize":

Firewall Configuration by TUI. First screen.

There is a good chance that a service you want to modify is in the list of standard "trusted services". Select the services you want to trust (i.e. open their ports) and press "Forward". (Read this as "next"; it has nothing to do with port forwarding):

Editing trusted service with firewall tui interface.

The "Other ports" menu lets you open additional ports which are not in the list of standard trusted services:

Editing Other ports on firewall configuration by TUI interface.

To add other ports, specify one port or a port range. Choose between tcp and udp for the protocol. The port range format is: beginningPort - endingPort.

The "Trusted interfaces" menu allows you to trust all traffic on a network interface. All traffic will be allowed and the port filtering rules will never apply. You should only select interfaces which face private networks. Never trust an interface that deals with traffic from networks which are not under your full control.

Trusted interfaces.

The masquerading menu lets you select an interface to be masqueraded. Masquerading is better known as NAT (Network Address Translation). It is useful for setting up your computer as a gateway between different networks:

Firewall TUI interface : masquerading.

Port forwarding, also known as PAT (Port Address Translation), permits traffic from one port to be "rerouted" to another port.

Firewall TUI interface : configuring Port Forwarding.

You have to specify source and destination, as well as the interface and protocol accordingly:

Firewall TUI : adding port forwarding rules.

The ICMP Filter menu lets you reject various types of ICMP packets. By default, no limitations are made. You may define rules to reject ICMP traffic, define the return type to ICMP request, etc.

Firewall TUI: configuring ICMP behaviour.

Finally, you can add custom firewall rules. These must be prepared ahead of time in files that use the same format as the command line interface (the iptables-save format shown above).

Firewall TUI: create custom rules.

To add custom rules you have to specify the protocol (ipv4 or ipv6), the table you want your rules added to (filter, mangle, nat, ...) and, of course, the file containing your rules:

Firewall TUI: adding custom rules.

When you have completed all menus, choose "Close" to return to the first screen. Select "OK" and confirm your changes by choosing "Yes". If you choose "No" you return to the configuration screen with no changes applied to your firewall.

Firewall TUI warning.

Graphical User Interface

There are several graphical user interfaces available to configure iptables.

  • fwbuilder: A very complete GUI tool for configuring iptables.

  • Shorewall: Another very complete tool, comparable to fwbuilder.

  • Turtle firewall project: A web interface integrated into Webmin; it cannot handle all iptables options.

  • IPmenu: A console-based interface that covers all iptables functionality.

The following section describes yet another frontend: system-config-firewall.

system-config-firewall

The GUI is similar to the text-based interface, only more user-friendly.

The first time you start the GUI you will receive a warning: the program does not load your custom configuration, so any preexisting rules will be overwritten.

First time startup message

Before you start, you have to enable your firewall to activate the configuration utility.

Firewall Gui startup screen

The initial configuration is empty and will not allow any network traffic.

No firewall configuration

You can ignore the warning and start the wizard. Click Forward:

Firewall Wizard : welcome screen

Choose System with network access to enable the firewall. The other option, System without network access, disables the firewall and does not allow access to any network.

Firewall Wizard : network access?

Next, you have to choose your skill level. The Beginner option only allows the configuration of trusted services. This option is fine if you only want to use services like ftp, dns, http, etc.; it does not allow you to configure custom port ranges. If you select Expert, you have access to all firewall options. You can change the skill level later via Options in the main window.

Firewall Wizard : skill?

You can choose from a set of default configurations to start with. The Server template only enables SSH on the firewall. The Desktop template enables additional ports (IPsec, multicast DNS, Network Printing Client and SSH). For convenience, select Desktop and continue:

Firewall Wizard : configuration base?

To enable additional trusted services just choose the services from the list.

Firewall Main interface : enabled

You can add custom rules after choosing Other ports from the side bar. Click the Add button and either choose from the services list on the right or tick User Defined and fill in the requested information.

Firewall GUI : edit other ports rules.

The other options in the sidebar (Trusted Interfaces, Masquerading, Port Forwarding and so on) work exactly as in the text-based interface.

When you have finished the configuration, click Apply to save and activate the firewall.