Published on August 25, 2025

Setting up Firewall with IPTables

2 minutes read •

Flush all iptables rules.

sudo iptables -F

List all rules.

sudo iptables -L

# With line numbers
sudo iptables -L --line-numbers

Change default INPUT policy from ACCEPT to DROP. WARNING!: MIGHT BLOCK YOUR SSH CONNECTIONS!
- -P or --policy to set default policy.

sudo iptables --policy INPUT DROP

Block All connections from an IP.
- -I for Inserting the rule. -A to Append.
- -s is Source IP.
- -j is the Operation/Target (ACCEPT/DROP/REJECT).

# Block only one IP
sudo iptables -I INPUT -s 10.0.0.11 -j DROP

# Block an entire subnet
sudo iptables -I INPUT -s 10.0.0.11/24 -j DROP

Delete rules. First list the rules with line numbers to see the line number of the rule you wanna delete.

# Usage
sudo iptables -D <Chain> <Line_Number>

# Example
sudo iptables -D INPUT 1

Block all connections to a specific port on the server.

sudo iptables -I INPUT -p tcp --dport 80 -j DROP

Accept from an IP to a port on the server.

sudo iptables -I INPUT -p tcp --dport 80 -s 10.10.11.213 -j ACCEPT

Making Changes permanent

As IP-Tables are not persistent, they will be deleted (“flushed”) with the next reboot.

Once you are happy with your ruleset, save the new rules to the master iptables file:

iptables-save > /etc/iptables.up.rules

To make sure the iptables rules are started on a reboot we’ll create a new file:

vim /etc/network/if-pre-up.d/iptables

Add these lines to it:

 #!/bin/sh
 /sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions:

chmod +x /etc/network/if-pre-up.d/iptables

Rules can be stored something like this:

iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Another way is to use the package `iptables-persistent`.

Install it.

sudo apt install iptables-persistent

Enable the service.

sudo systemctl enable netfilter-persistent.service
sudo systemctl status netfilter-persistent.service

Useful Rules

Accepts all established inbound connections (IMPORTANT!)

sudo iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow SSH, HTTP, HTTPS.

sudo iptables -A INPUT -p tcp -s src_ip --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allow ICMP ping (echo).

Note that blocking other types of icmp packets is considered a bad idea by some remove -m icmp –icmp-type 8 from this line to allow all kinds of icmp: https://security.stackexchange.com/questions/22711

sudo iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

Default Deny Input and Allow Output.

sudo iptables -A OUTPUT -j ACCEPT
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP

Referances:

Setting up Firewall with IPTables

Making Changes permanent

Another way is to use the package iptables-persistent.

Useful Rules

Another way is to use the package `iptables-persistent`.