Actions: | Security

Navigation: Home | Services | Tools | Articles | Other

Basic Firewalling with iptables

The standard for firewalling on linux has been iptables(8) for many years. Most distributions have their own configuration tools to help create firewalls and they have some merit, but here I'll describe some basic information that is generic and therefore valid across distributions.

The exact functionality available in your linux kernel's firewall is dependent on how your kernel is built and what version you have. If you're rebuilding a kernel, the relevant options are under 'Network Packet Filtering Framework(Netfilter)'. I'm not going to use anything exotic in this article, it will probably just work with 2.6.x kernels offered by almost any distribution.

Like many of my articles, I am only considering machines that run services that listen to network requests. The considerations and requirements for say, standard desktop/laptop usage would be quite different. Also, I'm not going to discuss routing here, so the only chains that we're concerned with will INPUT and OUTPUT.

Why should I use a firewall on my server?

The purpose of using a firewall is to increase the security of your environment and as such, should be considered as part of your overall security strategy. It's more layer of defence.

If you are concerned that there might possibly be a vulnerability somewhere in:

If you are not concerned about this, it implies that you are not thinking about security and shouldn't be running network services in adversiarial environments like the public internet. Furthermore, if you're not running a firewall of any kind, you'd better have some justification; nowadays, it just looks like negligence.

Yes, there is a cost involved in terms of direct time to administer the firewall rules and a complexity cost (who hasn't spent time wondering why $foo service is unreachable only to discover that it's blocked at the firewall?) and it's conceivable that it's not worth it in some situations, but current common practice recommends firewalls for public network servers.

Working on firewalls

If you're developing firewalls on a remote machine, you'll probably lock yourself out at one point or another, so make sure you have a way to get back in.

In order to be able to get back in once you've locked yourself out while developing rules, you could create a cronjob that runs iptables -F every ten minutes or so to reset the firewall. Then comment out the cronjob once you're happy with your new rules.


Each firewall rule is created by the execution of an iptables(8) command. Its parameters specify the characteristics of the packets to which the rule will be applied and the target which is what happens to matched packets.


There are many potential criteria for matching packets but the simplest and most commonly used are:

  • source location (--source, -s,--src):

    where on the network did it come from? An IP address or CIDR location, can be negated with !.

  • destination location (--destination,-d,--dst):

    where on the network is it going to? An IP address or CIDR location, can be negated with !.

  • protocol (--protocol, -p):

    specify a protocol. I'm only concerned with TCP or UDP for now.

  • source port (--sport):

    specify an originating tcp/udp port or port range.

  • destination port (--dport):

    specify a destination tcp/udp port or port range.

  • mark (--mark):

    specifies a mark value which has been assigned by a previous rule using the MARK target


The target specifies what to do with a matching packet.

  • DROP
  • LOG
  • MARK

These are largely self-explanatory. The distinction between DROP and REJECT is that REJECT sends an error packet back and can be useful for troubleshooting, at the least. Opinions vary on whether one should use DROP or REJECT in general. Those wanting to be considered 'Well Behaved' should probably use REJECT, but using DROP is less of a drain on your system and more of a drain on the originator. Of course, unless this target fires a lot, you'll likely not notice the difference.


  • Append a rule to the chain:

    -A, --append <chain> <rule-specification>
  • Insert a rule to the chain at the numbered location, default 1 (beginning):

    -I, --insert <chain> [rule-number] <rule-specification>
  • List all the rules in the specified chain, default all:

    -L, --list [chain]
  • Delete all the rules in the specified chain, default all:

    -F,--flush [chain]


Linux has had sophisticated routing functionality for years, here's a list of some sources that I've used for information:

Linux also has Quality of Service (QOS) functionality, also known as "traffic shaping" or "traffic control", the latter terms gives the tool its name: tc. The web has a dearth of information about tc, but there is some: