- The -I or --insert option can be used to add a rule at the beginning of a chain.
- The -A or --append option can be used to add a rule at the end of a chain.
This is important, because the order in which the rules are listed matters. iptables reads the rules from the top down: the first rule listed is evaluated, then the second rule, and so on, until a rule matches the packet (and its target, such as ACCEPT or DROP, decides the packet's fate) or the last rule is reached. A rule placed higher in the chain can therefore shadow one placed lower.
Typically, the first rule that is added is to allow traffic directed to the lo interface, which is the loopback (or localhost) interface bound to IP address 127.0.0.1/8. The -i or --in-interface option matches packets arriving on the lo interface, so the rule below accepts all inbound loopback traffic.
iptables -I INPUT -i lo -j ACCEPT
The ip address or ifconfig command can be used to confirm that 127.0.0.1/8 is bound to the lo interface. The ip address (or `ip addr` or `ip a`) command without any options displays information about every interface, including lo.
~]# ip address show lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
Another common default rule that is added is to allow SSH connections. The -m conntrack option loads the connection tracking match, and --ctstate selects which tracked connection states the rule applies to. NEW, ESTABLISHED, RELATED and INVALID are the possible states. The following will only allow NEW and ESTABLISHED SSH connections on the INPUT chain.
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
The following will only allow ESTABLISHED connections on the OUTPUT chain.
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
ICMP echo request
Another common rule that is added is to allow ICMP echo requests, so that the system can be pinged. Notice that here the -A (append) option is used, not the -I (insert) option, so that the ICMP rule is appended after the lo rule rather than placed above it.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
The -L or --list option can be used to display the rules and confirm that each rule was added in the expected position.
Rules added this way live only in the running kernel and are lost on reboot. The iptables-save command prints the current ruleset and must be used to save it permanently (by redirecting its output to the file your distribution restores at boot).
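As an added example (not part of the original text), the script below assembles the baseline rules from this page in the order given, renders them for review by default, and simulates the final chain order that -I and -A produce; it only calls iptables when APPLY=1 is set. It assumes iptables is on PATH and uses the same port 22 and lo interface as the text.

```shell
#!/bin/sh
# Added example: build the baseline ruleset from the text in first-match order.
# Default is a dry run that prints the commands; APPLY=1 applies them for real.
set -eu

# Wrapper: print the command in dry-run mode, run the real binary when APPLY=1.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

baseline_rules() {
    # Inserted at position 1 so no later rule can shadow loopback traffic.
    ipt -I INPUT -i lo -j ACCEPT
    # Appended: each is evaluated only if nothing above it matched.
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
}

# Simulate the resulting order of one chain (argument: INPUT or OUTPUT):
# every -I goes to the top (latest insert first), every -A goes to the bottom.
# Always runs in dry-run mode so the simulation never touches the kernel.
render_chain() {
    (APPLY=0; baseline_rules) | awk -v chain="$1" '
        $2 == "-I" && $3 == chain { front[++nf] = $0 }
        $2 == "-A" && $3 == chain { back[++nb] = $0 }
        END {
            for (i = nf; i >= 1; i--) print front[i]
            for (i = 1; i <= nb; i++) print back[i]
        }'
}

# Number of rules the simulation places in a chain.
chain_length() {
    render_chain "$1" | awk 'END { print NR }'
}

# Stand-alone use: show the INPUT chain as it would appear top to bottom.
render_chain INPUT
```

Run with APPLY=1 ./script.sh only after reviewing the rendered output, since the real rules take effect immediately.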