This article provides some basic information about how to use the iptables software firewall, which is the default firewall solution for Red Hat® Enterprise Linux® (RHEL®) 6 and CentOS® 6 based distributions.
The steps in this article are not intended for use on RackConnect® servers. If you need to make changes to your firewall on a RackConnect server, you need to use your Dedicated Firewall Manager.
You need to have the following prerequisites:
- Basic understanding of SecureShell® (SSH)
- Sudo or administrative access to your server
- A non-RackConnect Cloud Server running RHEL 6 or CentOS 6.
iptables is the default Linux software firewall solution. By using the netfilter kernel module, iptables can handle the incoming and outgoing network traffic.
iptables uses chains of rules configured as part of a table on the server. A table groups similar chains that accomplish a specific task.
Each table has a set of default chains. This article refers to the filter table, which contains the INPUT, FORWARD, and OUTPUT chains. The rules in these chains are read and processed from top to bottom.
- INPUT: This chain handles incoming traffic that is destined for the server.
- FORWARD: This chain handles traffic that arrives at the server but is destined for another device.
- OUTPUT: This chain handles outgoing packets that originate on the server.
The following table shows some basic targets and the action that iptables takes when traffic sent to the server matches a rule with that target:

| Target | What it does |
|---|---|
| ACCEPT | Traffic is accepted, and no further rules are processed. |
| DROP | The packet is blocked, and no further rules are processed. No response is sent to the sender. |
| LOG | The packet information is logged on the server, and iptables continues processing rules. |
| REJECT | Similar to DROP, but a response is sent to the sender. |
The following filters select which packets a rule matches:

| Filter | What it does |
|---|---|
| -p | The protocol of the packet (for example, tcp, udp, or icmp). |
| -s | The source IP address of the packet. |
| -d | The destination IP address of the packet. |
| --sport | The source port to match. |
| --dport | The destination port to match. |
| -i | The interface on which the packet is received. |
The following rule is an example of an iptables rule:

```
iptables -I INPUT -i eth0 -s 192.168.1.1 -p tcp --dport 22 -j ACCEPT
```

In this example, traffic that comes from the source IP address 192.168.1.1 over the tcp protocol is accepted on the eth0 interface at destination port 22. Because the rule uses -I, it is inserted at the top of the INPUT chain.
One way to limit incoming and outgoing network traffic on a server is to implement firewall rules. On a RHEL or CentOS 6 server, the default software firewall solution is iptables.
iptables allows you to set up a configuration similar to that of a dedicated firewall, running on your server. You configure each rule in a chain, depending on what the rule does. This article discusses the INPUT chain, which is the default chain for traffic that arrives at the server.
Before you add new rules in iptables, you should verify that the service is running and list the current rules.
To check the status of iptables, run the following command:

```
service iptables status
```

You should get output indicating that the service is active on the server. If not, you can start the service with the `service iptables start` command.
After the service starts, you can list the rules by using the following command:

```
iptables -L
```

If you haven't configured any rules yet, the output looks similar to the following example:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
The following examples show some rules in iptables and their functionality within the INPUT chain. The -I flag inserts the rule at the top of the selected chain, and the -A flag appends the new rule to the bottom of the selected chain. This distinction matters because the rules are read from top to bottom. Therefore, if there is a rule at the top that blocks all incoming traffic and you use -A to append a rule that accepts traffic from an IP address, the rule you appended is never reached because the first rule already blocked the packet. Consider the existing configuration to determine whether -I is the better option for the change being made on the server, and always review the current rules before making changes.
A good rule of thumb is to append (-A) all rules that end in a DROP and to insert (-I) all rules that ACCEPT a packet.
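Because rule order decides the outcome, it helps to see it concretely. The following shell script is an added example, not code from the article or from the iptables project: it simulates first-match evaluation of a chain over rule lines written in the text form that `iptables -S INPUT` prints (the rule lines and packets are constructed; only -s, -p, --dport and -j are understood) and shows how the same ACCEPT rule is shadowed when appended below a drop-all rule but effective when inserted above it.

```shell
#!/bin/sh
# Added example (not from the article): a first-match simulator for one
# iptables chain. It never calls iptables; it reads rule lines in the text
# form that `iptables -S INPUT` prints and returns the verdict for a packet,
# so the effect of -A versus -I can be checked before touching a server.
# Recognised rule fields: -s SRC, -p PROTO, --dport PORT, -j TARGET; others ignored.

# match_rule "<rule line>" SRC PROTO DPORT : succeeds if every match field agrees
match_rule() {
    m_src=$2; m_proto=$3; m_dport=$4
    set -- $1                        # split the rule line into tokens
    while [ $# -gt 0 ]; do
        case $1 in
            -s)      [ "$2" = "$m_src" ]   || return 1; shift ;;
            -p)      [ "$2" = "$m_proto" ] || return 1; shift ;;
            --dport) [ "$2" = "$m_dport" ] || return 1; shift ;;
        esac
        shift
    done
    return 0                         # no field disagreed: the rule matches
}

# first_match "<rules, one per line, top to bottom>" POLICY SRC PROTO DPORT
# Prints the target of the first matching rule, or the chain policy if none match.
first_match() {
    f_rules=$1; f_policy=$2; f_src=$3; f_proto=$4; f_dport=$5
    while IFS= read -r f_line; do
        [ -n "$f_line" ] || continue
        if match_rule "$f_line" "$f_src" "$f_proto" "$f_dport"; then
            f_target=${f_line##*" -j "}     # text after the last " -j "
            echo "${f_target%% *}"
            return 0
        fi
    done <<EOF
$f_rules
EOF
    echo "$f_policy"                 # nothing matched: the chain policy decides
}

# Constructed chain states, written as `iptables -S INPUT` would show them.
# APPENDED: a drop-all rule was added first, then the SSH accept rule with -A,
# so the accept rule sits below the drop rule and is never reached.
APPENDED='-A INPUT -j DROP
-A INPUT -s 192.168.1.1 -p tcp --dport 22 -j ACCEPT'
# INSERTED: the same accept rule added with -I, so it sits above the drop rule.
INSERTED='-A INPUT -s 192.168.1.1 -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP'

echo "SSH from 192.168.1.1, accept appended: $(first_match "$APPENDED" ACCEPT 192.168.1.1 tcp 22)"  # DROP
echo "SSH from 192.168.1.1, accept inserted: $(first_match "$INSERTED" ACCEPT 192.168.1.1 tcp 22)"  # ACCEPT
echo "SSH from 10.0.0.5, accept inserted:    $(first_match "$INSERTED" ACCEPT 10.0.0.5 tcp 22)"     # DROP
```

Run it with `sh` on any machine; on a real server the same check is done by reading `iptables -S INPUT` from top to bottom.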
| Example command | What it does |
|---|---|
| `iptables -L` | This command lists all of the rules in every chain of the filter table. |
| `iptables -L INPUT` | This command lists all of the rules in the INPUT chain only. |
| `iptables -L --line-numbers` | When used in conjunction with `-L`, this option shows the position of each rule in its chain, which you need when you delete a rule by its number. |
| `iptables -A INPUT -s 192.168.1.1 -p tcp --dport 22 -j DROP` | This rule drops TCP traffic to port 22 from the source IP address through the INPUT chain. Because it uses -A, it is appended to the bottom of the INPUT chain. |
| `iptables -A INPUT -s 192.168.1.1 -j DROP` | This rule drops all incoming connections from the source IP address. It is appended to the bottom of the INPUT chain. |
| `iptables -D INPUT -s 192.168.1.1 -j DROP` | This command deletes the specified rule from the INPUT chain. The rule specification must match the rule exactly as it was added. |
| `iptables -I INPUT -s 192.168.1.1 -p tcp --dport 22 -j ACCEPT` | This rule accepts TCP traffic to port 22 from the source IP address through the INPUT chain. Because it uses -I, it is inserted at the top of the INPUT chain. |
| `iptables -I INPUT -s 192.168.1.1 -j ACCEPT` | This rule accepts all incoming connections from the source IP address via any protocol on any port. It is inserted at the top of the INPUT chain. |
| `service iptables save` | By default, rules added with the iptables command are lost when the service restarts or the server reboots. This command saves the current rules to /etc/sysconfig/iptables so that they are loaded when the service starts. |
| `service iptables restart` | This command restarts the iptables service, which reloads the saved rules so that they are processed. |
This article touches on only the basics of iptables. There are several other tasks and rules that you can configure to limit access to your server. For more information on iptables, you can review the man page for iptables at iptables - Linux man page.