Setting up a Linux firewall with iptables
If you need a good firewall for your Linux server or desktop, iptables is a great choice. It is highly flexible and fast. In this guide, we’ll show you how to set up an iptables firewall on Linux.
Installing iptables on Linux
To set up the firewall with iptables on your Linux system, you need to install it first. Open up a terminal window and follow the installation instructions below for your Linux OS. Iptables is installable on both Linux desktops and servers, and if you prefer a generic Linux download of iptables, you can visit the official website. Once the installation is complete, you can proceed to set up your firewall with iptables.
Ubuntu instructions
sudo apt install iptables
Debian instructions
sudo apt-get install iptables
Arch Linux instructions
sudo pacman -S iptables
Fedora instructions
sudo dnf install iptables
OpenSUSE instructions
sudo zypper in iptables
EPEL distributions (RHEL, CentOS, Rocky, Alma, etc.)
sudo yum install iptables
How to create an iptables ruleset
You must create a new iptables ruleset before attempting to use it as a firewall. Open up a terminal window, and ensure you can enter sudo commands. If your user cannot, log into the root account with su.
From here, use the iptables -F command. This command flushes (deletes) all existing rules from the chains of the default filter table.
sudo iptables -F
After running the command above, run the iptables -L command to list the current rules and confirm that they were erased.
sudo iptables -L
Once you’ve confirmed iptables rules have been flushed, use the iptables -P command below to block incoming traffic by default.
WARNING: if you are editing iptables via SSH, disconnect and edit at the physical machine. Running the command below will auto-disconnect you from SSH until you allow it through the firewall.
sudo iptables -P INPUT DROP
Next, you must allow outgoing traffic from your system via iptables. You can allow outgoing traffic through the iptables firewall by entering the following iptables -P command.
sudo iptables -P OUTPUT ACCEPT
Once you’ve blocked incoming traffic and allowed outgoing traffic, you can move on to allowing specific services.
How to allow ports through iptables firewall
By default, running iptables -P INPUT DROP blocks incoming traffic for all services (SSH, HTTP, etc.). To enable these services, you’ll need to add rules to your iptables ruleset.
To make things simple, here’s a list of common ports you may wish to enable in your iptables firewall. Copy the command associated with the port you wish to enable via your iptables firewall.
- HTTP (port 80):
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
- HTTPS (port 443):
sudo iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
- SSH (port 22):
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
- FTP (port 21):
sudo iptables -A INPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
- SMTP (port 25):
sudo iptables -A INPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
- DNS (port 53), UDP:
sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
- DNS (port 53), TCP:
sudo iptables -A INPUT -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
- DNS over TLS (DoT) (port 853):
sudo iptables -A INPUT -p tcp --dport 853 -m state --state NEW,ESTABLISHED -j ACCEPT
- DNS over HTTPS (DoH) (port 443):
sudo iptables -A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
- Remote Desktop Protocol (RDP) (port 3389):
sudo iptables -A INPUT -p tcp --dport 3389 -m state --state NEW,ESTABLISHED -j ACCEPT
- Virtual Network Computing (VNC) (port 5900):
sudo iptables -A INPUT -p tcp --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
- Secure Shell (SSH) with X11 Forwarding (port 6010):
sudo iptables -A INPUT -p tcp --dport 6010 -m state --state NEW,ESTABLISHED -j ACCEPT
- MySQL database (port 3306):
sudo iptables -A INPUT -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
- PostgreSQL database (port 5432):
sudo iptables -A INPUT -p tcp --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
When you’ve allowed all of the ports you wish to allow, you can check your rules with iptables -L.
sudo iptables -L
Finally, save your iptables rules to a file for backup purposes. You can do this with the iptables-save command.
sudo iptables-save > /path/tosave/where/you/wish/to/save/rules/iptable-rules-backup
How to restore iptables backups
If you need to redeploy your iptables firewall on another machine, here’s what to do. First, use the iptables -F command to flush existing rules.
sudo iptables -F
Next, copy your backup file to the system. Once it is copied over, restore the backup.
sudo iptables-restore < /path/to/rules/iptable-rules-backup
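The whole procedure on this page (flush, default policies, one ACCEPT rule per port, iptables-save and iptables-restore) collected into a single script, added here as an example and not taken from the guide. It writes the ruleset in the same format iptables-save produces and loads it with iptables-restore in one step, which is the safe way to do the INPUT DROP step over SSH: the DROP policy and the SSH ACCEPT rule take effect in the same transaction instead of one command at a time. Two rules the guide does not show are included because INPUT DROP on its own also discards the reply packets of the outgoing traffic that OUTPUT ACCEPT allowed: an ACCEPT for the loopback interface and an ACCEPT for ESTABLISHED,RELATED connections (the conntrack match is the current form of the guide's -m state, and with that generic rule in place the per-port rules only need to match NEW). The port lists, the file path and the APPLY_RULES switch are assumptions to edit for your own host.

```shell
#!/bin/sh
# Added example (not from the original guide): build the whole ruleset from
# this page as one iptables-restore file and load it atomically.
# Assumptions: the port lists below are placeholders for the services you
# actually run, and the file path is a placeholder you choose.

# Space-separated TCP and UDP ports to open (assumed defaults; edit for your host).
ALLOW_TCP="${ALLOW_TCP:-22 80 443}"
ALLOW_UDP="${ALLOW_UDP:-53}"

# build_ruleset TCP_PORTS UDP_PORTS
# Prints a ruleset in iptables-save format: the same INPUT DROP / OUTPUT
# ACCEPT policies the guide sets with "iptables -P", plus one ACCEPT rule
# per port, equivalent to the guide's "iptables -A INPUT" commands.
build_ruleset() {
    tcp_ports="$1"
    udp_ports="$2"
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback and replies to connections this host opened itself. Without
    # these two rules INPUT DROP also discards the return packets of the
    # outgoing traffic that OUTPUT ACCEPT allowed.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # Packets that belong to no known connection are dropped explicitly.
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $tcp_ports; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $udp_ports; do
        echo "-A INPUT -p udp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# ruleset_opens_tcp RULESET PORT: succeeds (exit 0) if the ruleset text
# contains an ACCEPT rule for that TCP destination port. Use it to confirm
# your SSH port is in the file before loading it from a remote session.
ruleset_opens_tcp() {
    printf '%s\n' "$1" | grep -q -- "-p tcp --dport $2 "
}

# apply_ruleset FILE: "iptables-restore --test" only parses the file; the
# real load that follows commits every rule in a single kernel transaction,
# so the SSH ACCEPT rule and the DROP policy take effect together and a
# remote session is never cut off in between. Must run as root.
apply_ruleset() {
    iptables-restore --test "$1" && iptables-restore "$1"
}

# Dry run by default: write the file and show it; set APPLY_RULES=1 to load it.
RULES_FILE="${RULES_FILE:-${TMPDIR:-/tmp}/iptables.rules}"   # placeholder path
build_ruleset "$ALLOW_TCP" "$ALLOW_UDP" > "$RULES_FILE"
cat "$RULES_FILE"
if [ "${APPLY_RULES:-0}" = 1 ]; then
    ruleset_opens_tcp "$(cat "$RULES_FILE")" 22 || {
        echo 'refusing to load: no ACCEPT rule for SSH port 22' >&2
        exit 1
    }
    apply_ruleset "$RULES_FILE"
fi
```

Run it once without APPLY_RULES to inspect the generated file, then as root with APPLY_RULES=1 to load it; the same file is what the restore section above feeds to iptables-restore on another machine. Rules loaded this way live only in the running kernel, so keep the file and reload it at boot.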