When you’re running a Linux server, it’s important to protect it from unwanted traffic. One way to do that is by using iptables. This tool helps you filter network traffic and block anything that shouldn’t be there.
In this article, I’ll walk you through how to use iptables to set up a few basic firewall rules. I’ll explain things in plain language and show you how I like to set it up. Whether you’re new to servers or just looking to clean up your firewall, this guide will help.
What Is iptables?
iptables is a firewall tool used in Linux to manage incoming and outgoing traffic. It looks at each packet (a small piece of network data) and decides what to do with it.
You can tell iptables to:
- Accept the packet (let it through)
- Drop the packet (ignore it)
- Reject the packet (block it and send a message back)
iptables works by reading a list of rules, in order, from top to bottom. If a packet matches a rule, it follows that rule. If it doesn’t match anything, the chain’s default policy applies.
My Setup and Why I Use iptables
I use iptables on some of my smaller VPS servers. These machines don’t need anything fancy—just a simple way to block everything except what I use. I like iptables because:
- It’s lightweight
- It’s already built into most Linux systems
- It works even without extra software
Sometimes I prefer it over newer tools like FirewallD, especially when I want full control over the rules.
Before You Begin
Make sure you’re logged in as root or using sudo. You’ll also want to test carefully. If you block SSH, you could lock yourself out of the server.
To see if iptables is installed:
sudo iptables -L
You should see a list of rules (even if it’s empty).
Step 1: Flush Old Rules (Optional)
If you’re starting fresh, you might want to clear old rules.
sudo iptables -F
This resets everything, so use it only if you know what you’re doing.
Step 2: Set Default Policies
You want to block everything unless you say otherwise. That means setting the default policy to DROP for incoming and forwarded traffic, while outgoing traffic stays allowed. Be aware that if you set INPUT to DROP over an SSH session before the rules in Steps 4 and 5 are in place, that session is cut off, so either add those rules first or apply the whole set from a console or a single script.
sudo iptables -P INPUT DROP
sudo iptables -P FORWARD DROP
sudo iptables -P OUTPUT ACCEPT
Here’s what they mean:
- INPUT: data coming in
- FORWARD: data passing through the server (not common unless it’s a router)
- OUTPUT: data going out
Most servers only need to deal with INPUT and OUTPUT.
Step 3: Allow Localhost Traffic
Your server talks to itself using something called localhost (127.0.0.1). Don’t block this.
sudo iptables -A INPUT -i lo -j ACCEPT
This allows internal communication. It’s needed for many apps to work.
Step 4: Allow Already Established Connections
This rule allows replies to connections you have already started: if you make an outbound request, the response can come back in.
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
This is safe and common. On current systems, -m conntrack --ctstate ESTABLISHED,RELATED is the preferred spelling of the same match.
Step 5: Open SSH Port (So You Don’t Get Locked Out)
SSH is what lets you connect to the server remotely. It’s usually on port 22.
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
If you’re using a different port (some people change it), change the number.
Step 6: Allow Web Traffic (Optional)
If you’re running a website, you’ll want to allow HTTP and HTTPS:
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
This opens ports for normal and secure web traffic.
Step 7: Save Your Rules
If you reboot now, you’ll lose all the rules. To save them, you can use one of these methods:
On CentOS / RHEL:
sudo service iptables save
If that command isn’t available, install the package that provides it, then save again and enable the service so the rules are loaded at boot:
sudo yum install iptables-services
sudo service iptables save
sudo systemctl enable iptables
On Debian / Ubuntu:
You can install a tool:
sudo apt install iptables-persistent
During install, it’ll ask if you want to save the current rules. Say yes.
Later, you can save manually with:
sudo netfilter-persistent save
Step 8: Check Your Rules
Always double-check what rules are active:
sudo iptables -L -n -v
You’ll see all current rules, how many packets matched them, and which ports are open.
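Here is the whole ruleset from Steps 2 to 6 as an added example, not code from the original post, written in iptables-restore format so that one command applies every rule and policy at once and there is never a moment where INPUT is DROP but SSH is not yet allowed. The build_rules and apply_rules names and the SSH_PORT/ALLOW_WEB parameters are my own, and the block uses the conntrack match in place of the post’s -m state (same effect on current kernels).

```shell
#!/bin/sh
# Added example (not from the original post): emit the post's ruleset in
# iptables-restore format so rules and policies land atomically, which
# closes the lockout window of setting INPUT DROP before the SSH rule exists.
# SSH_PORT and ALLOW_WEB are this example's own parameters.

# build_rules SSH_PORT ALLOW_WEB -> prints an iptables-restore ruleset on stdout
build_rules() {
    ssh_port="${1:-22}"
    allow_web="${2:-no}"
    # Refuse anything that is not a plain TCP port number.
    case "$ssh_port" in
        ''|*[!0-9]*) echo "bad ssh port: $ssh_port" >&2; return 1 ;;
    esac
    [ "$ssh_port" -ge 1 ] && [ "$ssh_port" -le 65535 ] || return 1
    echo '*filter'
    # Step 2: only INPUT and FORWARD default to DROP; OUTPUT stays open.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Steps 3 to 5: loopback, replies to our own connections, then SSH.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -p tcp --dport $ssh_port -j ACCEPT"
    # Step 6 (optional): HTTP and HTTPS.
    if [ "$allow_web" = "yes" ]; then
        echo '-A INPUT -p tcp --dport 80 -j ACCEPT'
        echo '-A INPUT -p tcp --dport 443 -j ACCEPT'
    fi
    echo 'COMMIT'
}

# apply_rules SSH_PORT ALLOW_WEB: load the generated set in one atomic step.
# Only runs as root and only when called explicitly, so sourcing this file
# never touches the live firewall.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    build_rules "$@" | iptables-restore
}

# Usage on a server (as root): apply_rules 22 yes
```

Because iptables-restore replaces the filter table in one go, you can also keep the generated file under version control and review a diff before loading it.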
Three Useful Lists to Remember
Common Ports You Might Want to Open
- 22 – SSH (remote access)
- 80 – HTTP (websites)
- 443 – HTTPS (secure websites)
- 25 – SMTP (email)
- 3306 – MySQL (database)
Helpful iptables Options
- -A – Append a rule (add it to the end of a chain)
- -D – Delete a rule
- -L – List rules
- -F – Flush (remove all rules)
- -P – Set default policy
Safety Tips When Using iptables
- Always allow SSH before testing other rules
- Save your rules or they’ll disappear after reboot
- Use screen or tmux when editing remotely (so you don’t lose connection)
- Test with a second terminal session
- Block only what you understand
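As an added check that is not part of the original post, here is a small script that audits an iptables-save dump against the first two tips above: when INPUT defaults to DROP, the loopback, established and SSH rules from Steps 3 to 5 must all be present, or the next reboot or restore locks you out. The check_ruleset name and the two sample dumps are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an `iptables-save` dump
# before trusting it. With INPUT defaulting to DROP, the loopback, established
# and SSH rules must exist or the next reboot (or iptables-restore) locks you
# out. check_ruleset is this example's own name.

# check_ruleset SSH_PORT  (ruleset on stdin) -> 0 when safe, 1 when a rule is missing
check_ruleset() {
    ssh_port="${1:-22}"
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | sed -n 's/^:INPUT \([A-Z]*\) .*/\1/p')
    # An ACCEPT policy cannot lock you out, so there is nothing to check.
    [ "$policy" = "DROP" ] || return 0
    # Each pattern must match at least one line; iptables-save may insert
    # "-m tcp" and may order the conntrack states either way.
    for pattern in \
        '^-A INPUT -i lo -j ACCEPT' \
        '^-A INPUT -m (state --state|conntrack --ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' \
        "^-A INPUT -p tcp( -m tcp)? --dport $ssh_port -j ACCEPT"; do
        printf '%s\n' "$rules" | grep -Eq -- "$pattern" \
            || { echo "missing rule matching: $pattern" >&2; return 1; }
    done
    return 0
}

# Constructed sample dump (not real output from any server).
SAMPLE_OK='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT'

# Same dump with the SSH rule forgotten: exactly the lockout the post warns about.
SAMPLE_LOCKOUT='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT'

# Typical use on a live box: sudo iptables-save | check_ruleset 22
```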
A Quick Comparison: iptables vs FirewallD
I’ve used both tools. Here’s how they compare, in my experience:
Feature | iptables | FirewallD |
---|---|---|
Setup | Manual | Easier with zones |
Control | Precise | More automatic |
Persistent Rules | Needs setup | Built-in |
Learning Curve | Steeper | Easier for newbies |
I use iptables when I want tight control and don’t mind typing more. I use FirewallD for simple web servers or desktops.
Final Thoughts
Setting up iptables isn’t hard once you understand the basics. It gives you full control over your server’s traffic. You get to decide what comes in and what stays out.
In this post, you learned how to:
- Set default firewall behavior
- Open key ports like SSH and HTTP
- Allow traffic safely
- Save and view your rules
Do you feel more confident using iptables now? Have you ever locked yourself out by mistake? (I have—more than once.)
Let me know if you’d like a follow-up about advanced iptables setups or using iptables-save and iptables-restore.