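# Baseline host firewall for IPv4. iptables never touches the ip6tables
# ruleset, so a host with an IPv6 address keeps accepting everything on v6
# until the same rules are added with ip6tables.
# Rules are appended (-A) and the first match wins, so order matters. Add the
# ACCEPT rules *before* switching INPUT to DROP; doing it the other way round
# cuts off a remote shell the moment the policy changes.
iptables -A INPUT -i lo -m comment --comment "allow traffic on loopback interface" -j ACCEPT
# "-m conntrack --ctstate" is the current name of the state match;
# "-m state --state" is a deprecated alias for the same thing.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -m comment --comment "allow connections that are already established or related" -j ACCEPT
# This accepts every ICMP type, not only echo-request; add
# "--icmp-type echo-request" if only ping should get through.
iptables -A INPUT -p icmp -m comment --comment "allow ping" -j ACCEPT
# SSH is reachable from any source here. On an internet-facing host restrict
# it with -s <admin-network> or pair it with a rate-limiting match.
iptables -A INPUT -p tcp --dport 22 -m comment --comment "allow ssh" -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -m comment --comment "allow http" -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m comment --comment "allow https" -j ACCEPT
# Default policies. -P takes exactly <chain> <target>; match extensions such
# as "-m comment" belong to rules (-A/-I), so the earlier
# "iptables -P -m comment ... INPUT DROP" form is a syntax error and the
# policies were never set. Use a shell comment instead.
iptables -P INPUT DROP      # drop the rest of the incoming traffic
iptables -P FORWARD DROP    # drop the forwarding traffic
iptables -P OUTPUT ACCEPT   # allow outgoing traffic
# Check the result. -n skips reverse DNS lookups (which can stall the
# listing), -v shows interfaces and packet counters.
iptables -L -v -n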
Add a comment to a rule (the `comment` match); `iptables -L` prints it as `/* ... */` next to the rule, which makes the listing far easier to audit later.
# Same rule as the short-option form, spelled out with the long options.
# The comment is free text attached to the rule; it does not affect matching.
iptables --append INPUT --protocol tcp --destination-port 443 --match comment --comment "allow https" --jump ACCEPT
Allow all traffic on the loopback interface (many local services talk to 127.0.0.1; without this rule a DROP policy breaks them).
# Accept anything arriving on the loopback interface (long-option spelling).
iptables --append INPUT --in-interface lo --jump ACCEPT
Allow packets that belong to an already established connection, or are related to one (e.g. ICMP errors, FTP data channels); this is what lets replies to outgoing connections back in once INPUT is set to DROP.
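# Accept packets of established or related connections.
# "-m conntrack --ctstate" is the current name of this match; the original
# "-m state --state" is a deprecated alias that does the same thing.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT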
Allow a specific TCP port (22 = SSH in the example). This accepts from any source; add `-s <network>` to limit who may reach it.
# Open TCP port 22 to every source (long-option spelling).
iptables --append INPUT --protocol tcp --destination-port 22 --jump ACCEPT
Allow a specific UDP port (1194 in the example). Note that UDP has no handshake, so the ESTABLISHED/RELATED rule relies purely on conntrack timers for reply traffic.
# Open UDP port 1194 to every source (long-option spelling).
iptables --append INPUT --protocol udp --destination-port 1194 --jump ACCEPT
Allow all traffic from a specific IP address. The source address is not authenticated, so treat this as a convenience on a trusted LAN rather than as access control on an internet-facing host.
# Trust every packet whose source address is 192.168.0.100 (long-option
# spelling). Nothing here verifies the address, it is matched as sent.
iptables --append INPUT --source 192.168.0.100 --jump ACCEPT
Block all traffic from a specific IP address. Because rules are evaluated top to bottom, a block rule appended with `-A` after the ACCEPT rules above still lets that address reach the opened ports; insert it at the top with `-I` instead.
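# Drop everything from 192.168.0.200.
# -I inserts at the head of INPUT instead of appending: with -A the rule
# would sit below the earlier ACCEPT rules (ssh, http, ...) and that host
# could still reach every opened port, because the first matching rule wins.
iptables -I INPUT -s 192.168.0.200 -j DROP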
Block everything else by setting the INPUT default policy to DROP. Run this last, and only after the loopback, ESTABLISHED/RELATED and SSH rules are in place; in a remote session any other order locks you out. A policy is not a rule: `iptables -F` does not reset it.
# Default verdict for incoming packets that match no rule: DROP.
iptables --policy INPUT DROP
Block all forwarded traffic (packets routed through this host). Keep this at DROP unless the machine is meant to be a router or runs containers that need it; in that case add explicit FORWARD rules rather than changing the policy.
# Default verdict for packets routed through this host: DROP.
iptables --policy FORWARD DROP
Allow all outgoing traffic (the usual starting point; egress filtering, if wanted, is added as OUTPUT rules later).
# Default verdict for locally generated packets: ACCEPT.
iptables --policy OUTPUT ACCEPT
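# Reset the filter table to an open state.
# Put the policies back to ACCEPT *before* flushing: -F removes the rules but
# leaves the policy alone, so with INPUT at DROP a bare "iptables -F" deletes
# the ESTABLISHED,RELATED rule and drops the remote shell you are typing in.
# -F only empties the built-in chains of the filter table; use -X to delete
# user-defined chains and "-t nat -F" etc. for other tables.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F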
# Install the persistence helper (Debian/Ubuntu). netfilter-persistent is the
# framework; iptables-persistent is its iptables/ip6tables plugin.
sudo apt install netfilter-persistent iptables-persistent
`/etc/iptables/rules.v4` — saved IPv4 ruleset (iptables-save format), applied at boot
`/etc/iptables/rules.v6` — saved IPv6 ruleset (ip6tables-save format); if you never configured ip6tables this file holds an accept-everything policy, so IPv6 stays open after a reboot
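# Persist the running ruleset so it survives a reboot. These need root like
# the install step, hence sudo.
# "save" writes the *current* in-kernel rules to /etc/iptables/rules.v4 and
# rules.v6. Review rules.v6 before relying on it: an ip6tables side that was
# never configured is saved as accept-everything.
sudo netfilter-persistent save
# load the saved files into the kernel
sudo netfilter-persistent start
# service control; start/restart re-apply the saved files
sudo systemctl stop netfilter-persistent
sudo systemctl start netfilter-persistent
sudo systemctl restart netfilter-persistent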
Block an IP address with REJECT. Unlike DROP, REJECT answers with an ICMP error (port-unreachable by default), so the sender fails fast instead of timing out; it also confirms to the sender that the host exists.
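# Refuse everything from 192.168.1.10 with an ICMP error instead of silently
# dropping it. Inserted at the head of INPUT (-I): appended with -A it would
# come after the ACCEPT rules and the host could still reach any opened port.
iptables -I INPUT -s 192.168.1.10 -j REJECT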
Specifying multiple ports in one rule with the `multiport` match (up to 15 ports or ranges per rule; service names are resolved through /etc/services).
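# Accept new TCP connections to ssh, smtp, http and https arriving on eth0
# in a single rule. Names are looked up in /etc/services; multiport takes at
# most 15 ports/ranges. The interface name is host-specific (modern systems
# often use ens*/enp* names), so check "ip link" before copying this.
# "-m conntrack --ctstate" replaces the deprecated "-m state --state" alias.
iptables -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT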