Using IPTables

The first step in using iptables is to start the iptables service. Use the following command to start the iptables service: 

service iptables start

The ip6tables service can be turned off if you intend to use the iptables service only. If you deactivate the ip6tables service, remember to deactivate the IPv6 network also. Never leave a network device active without the matching firewall.

To force iptables to start by default when the system is booted, use the following command: 

chkconfig --level 345 iptables on

This forces iptables to start whenever the system is booted into runlevel 3, 4, or 5.

IPTables Command Syntax

The following sample iptables command illustrates the basic command syntax: 

iptables -A <chain> -j <target>

The -A option specifies that the rule be appended to <chain>. Each chain is comprised of one or more rules, and is therefore also known as a ruleset.

The three built-in chains are INPUT, OUTPUT, and FORWARD. These chains are permanent and cannot be deleted. The chain specifies the point at which a packet is manipulated.

The -j <target> option specifies the target of the rule; i.e., what to do if the packet matches the rule. Examples of built-in targets are ACCEPT, DROP, and REJECT.

Refer to the iptables man page for more information on the available chains, options, and targets.

Basic Firewall Policies

Establishing basic firewall policies creates a foundation for building more detailed, user-defined rules.

Each iptables chain is comprised of a default policy, and zero or more rules which work in concert with the default policy to define the overall ruleset for the firewall.

The default policy for a chain can be either DROP or ACCEPT. Security-minded administrators typically implement a default policy of DROP, and only allow specific packets on a case-by-case basis. For example, the following policies block all incoming and outgoing packets on a network gateway: 

iptables -P INPUT DROP
iptables -P OUTPUT DROP

It is also recommended that any forwarded packets - network traffic that is to be routed from the firewall to its destination node - be denied as well, to restrict internal clients from inadvertent exposure to the Internet. To do this, use the following rule: 

iptables -P FORWARD DROP

When you have established the default policies for each chain, you can create and save further rules for your particular network and security requirements.

The following sections describe how to save iptables rules and outline some of the rules you might implement in the course of building your iptables firewall.

Saving and Restoring IPTables Rules

Changes to iptables are transitory; if the system is rebooted or if the iptables service is restarted, the rules are automatically flushed and reset. To save the rules so that they are loaded when the iptables service is started, use the following command: 

service iptables save

The rules are stored in the file /etc/sysconfig/iptables and are applied whenever the service is started or the machine is rebooted.