Bootstrap FreeKB - iptables - add a rule (-A --append -I --insert)


  • The -I or --insert option can be used to add a rule at the beginning of a chain (or at a given position, if a rule number follows the chain name).
  • The -A or --append option can be used to add a rule at the end of a chain.

This matters because rule order is significant. iptables evaluates a chain from the top down: each packet is compared against the first rule, then the second, and so on, and the first matching rule with a terminating target (ACCEPT, DROP, REJECT) decides the packet's fate. Only if no rule matches does the chain's default policy apply.


lo Interface

Typically, the first rule added allows traffic on the lo interface, which is the loopback (or localhost) interface bound to 127.0.0.1/8. The -i or --in-interface option matches packets that arrived on the named interface, here lo, so local processes that talk to each other over loopback are never blocked by rules further down the chain.

iptables -I INPUT -i lo -j ACCEPT

 

The ip address or ifconfig command can be used to confirm that 127.0.0.1/8 is bound to the lo interface. ip address (or ip addr or ip a) with no further arguments lists every interface; adding show lo restricts the output to the loopback interface.

~]# ip address show lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever

 


SSH

Another common default rule allows SSH connections. The -m conntrack match consults the kernel's connection tracking ("conntrack") table, and --ctstate selects packets by the state of the connection they belong to: NEW (the first packet of a connection), ESTABLISHED (a connection that has already seen packets in both directions), RELATED (a new connection associated with an existing one, such as an FTP data channel or an ICMP error message) and INVALID (a packet that cannot be associated with any known connection). The following allows only NEW and ESTABLISHED TCP connections to port 22 on the INPUT chain.

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

 

The following allows only ESTABLISHED connections on the OUTPUT chain, that is, sshd's replies (source port 22) that belong to a connection already in the tracking table. It is only needed when the OUTPUT chain's default policy is DROP; with the default ACCEPT policy, outbound replies are already permitted.

iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

 


ICMP echo request

Another common rule allows ICMP echo requests, so that the system can be pinged. Notice that the -A (append) option is used here, not -I (insert), so the ICMP rule lands after the lo rule rather than in front of it.

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

 


Listing rules

The -L or --list option displays the rules of a chain to confirm the rule was added. Adding -n (no DNS or service-name lookups), -v (packet and byte counters, plus the interface column, which is the only way to see the -i lo match in the listing) and --line-numbers (the position of each rule, useful when inserting with -I or deleting with -D) makes the output easier to read and verify.

 


Saving iptables

Rules added with -A or -I live only in the running kernel and are lost at reboot. The iptables-save command writes the current rule set to standard output; redirect it to the file your distribution restores at boot (for example /etc/sysconfig/iptables on RHEL-family systems using the iptables-services package, or /etc/iptables/rules.v4 on Debian and Ubuntu using iptables-persistent). iptables-restore reads that format back in.
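The complete procedure above, as an added example that is not part of the FreeKB article: a POSIX shell script that adds the lo, SSH and ICMP rules in the order the article gives them, skips any rule that already exists (iptables -C) so re-running the script does not stack duplicate rules, and only then sets the INPUT policy to DROP after verifying that the lo and SSH accept rules are present, so the script cannot lock out the SSH session that runs it. The DROP default policy, the IPT variable and the --apply flag are assumptions added here and are not shown in the article; the rule specifications themselves are the article's own.

```shell
#!/bin/sh
# Added example (not from the FreeKB article): install the article's INPUT
# and OUTPUT rules in the order the article gives them, idempotently, and
# only then tighten the INPUT default policy to DROP.
# iptables flags used:
#   -C  check whether an identical rule already exists (exit 0 if it does)
#   -I  insert at the top of the chain, -A append at the bottom
#   -P  set the chain's default policy (assumption: not in the article)
# Assumption: IPT names the iptables binary, so it can be pointed at
# iptables-legacy or iptables-nft on systems that ship both.
set -eu
IPT="${IPT:-iptables}"

# Add a rule only if it is not already present, so re-running the script
# does not stack duplicates. $1 is -I or -A, the rest is the rule spec.
add_rule() {
    how="$1"; shift
    if ! "$IPT" -C "$@" 2>/dev/null; then
        "$IPT" "$how" "$@"
    fi
}

# The rules from the article, in the order the article adds them:
# lo first (inserted at the top), then SSH, SSH replies, and ping.
install_rules() {
    add_rule -I INPUT -i lo -j ACCEPT
    add_rule -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    add_rule -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    add_rule -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Refuse to set INPUT to DROP unless the lo and SSH accept rules are in
# place; otherwise the DROP policy would cut off the session running this.
set_input_policy_drop() {
    "$IPT" -C INPUT -i lo -j ACCEPT 2>/dev/null \
        || { echo "lo rule missing, not changing INPUT policy" >&2; return 1; }
    "$IPT" -C INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT 2>/dev/null \
        || { echo "SSH rule missing, not changing INPUT policy" >&2; return 1; }
    "$IPT" -P INPUT DROP
}

# Only touch the firewall when explicitly asked; otherwise just define the
# functions above so the script can be sourced or tested.
if [ "${1:-}" = "--apply" ]; then
    install_rules
    set_input_policy_drop
    "$IPT" -L INPUT -n -v --line-numbers
fi
```

Run it as root with sh firewall.sh --apply; the listing it prints at the end should show the lo rule at position 1 and the ICMP rule last. The rules still live only in the running kernel, so follow up with iptables-save as described in the previous section to make them survive a reboot.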



