Five predefined tables (operations) and chains.

Tables include:

  • nat
  • mangle
  • raw
  • filter
  • security

chain: a list of rules that act on a packet flowing through the system.

Chains include:

  • prerouting
  • forward
  • postrouting
  • input
  • output

We'll cover the filter table and the nat table. As applied:

  • filter table, the default table
    • forward: for packets routed through the local host to another destination
    • input: for packets destined for the local host
    • output: for locally generated packets
  • nat table, consulted when a packet that creates a new connection is encountered
    • prerouting: for altering packets as soon as they come in
    • postrouting: for altering packets as they are about to go out
    • output: for altering locally-generated packets before routing


# iptables -L -v | less
# iptables -L | grep policy

Let's change the default policy for the FORWARD chain:

# iptables --policy FORWARD DROP
# iptables -L | grep policy

  1. To locate the IP address for FB.
  2. To locate the CIDR value or IP range for FB.
  3. To block the IP range for FB.
$ host
$ whois | grep CIDR
$ sudo su
# iptables -A OUTPUT -p tcp -d -j DROP
# iptables -A INPUT -p tcp -s -j DROP
# w3m
# ping
  1. since no table is given with -t, this uses the default table, which is the filter table
  2. -A OUTPUT: append the rule to the OUTPUT chain
  3. -p tcp: the protocol for the rule
  4. -d IP address: destination address
  5. -j DROP: specifies the target of the rule -- what to do if the packet matches. In this case, the target is to drop the packet. Usual options include:
  • ACCEPT : allow the connection
  • DROP : drop and ignore the connection
  • REJECT : do not allow the connection and return an error to the source

Allow connections only from subnet

# comment: first, set policy to drop all incoming
$ sudo iptables --policy INPUT DROP
# comment: second, set policy to drop all forwarding
$ sudo iptables --policy FORWARD DROP
# comment: third, set policy to drop all outgoing
$ sudo iptables --policy OUTPUT DROP
# comment: review new policies for the above chains
$ sudo iptables -L | grep policy
# comment: now accept only input, forwarding, and output from the following
# network ranges:
$ sudo iptables -A INPUT -s -j ACCEPT
$ sudo iptables -A FORWARD -s -j ACCEPT
$ sudo iptables -A OUTPUT -s -j ACCEPT
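The two rule sets above (block one range in both directions; accept traffic only from one subnet) written as shell functions with argument checking. This is an added example, not code from the original page; the function names, the IPT variable and the sample ranges are my own. It differs from the bare command sequences in two ways that matter when the rules are applied over SSH: the ACCEPT rules (including loopback and already-established connections) go in before the chain policies flip to DROP, and the OUTPUT rule for the allowed subnet matches the destination (-d), since it is the host's replies to that subnet that must be allowed out.

```shell
#!/bin/sh
# Added example, not from the original page.  IPT names the iptables
# binary; run with IPT=echo to preview the commands without root.
IPT="${IPT:-iptables}"

# Accept "a.b.c.d" or "a.b.c.d/n" and nothing else, so a mistyped range
# (or a hostname pasted where an address belongs) is refused instead of
# becoming a rule that matches the wrong hosts.
valid_cidr() {
    case "$1" in
        */*) addr="${1%/*}"; pfx="${1#*/}" ;;
        *)   addr="$1";      pfx=32 ;;
    esac
    case "$pfx" in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    # split the address on dots in a subshell so IFS is not disturbed
    ( IFS=.
      set -- $addr
      [ $# -eq 4 ] || exit 1
      for octet in "$@"; do
          case "$octet" in ''|*[!0-9]*) exit 1 ;; esac
          [ "$octet" -le 255 ] || exit 1
      done
      exit 0 )
}

# Block a network range in both directions: packets we would send to it
# (OUTPUT, match on destination) and packets arriving from it (INPUT,
# match on source).  Same shape as the FB example, range as a parameter.
block_cidr() {
    valid_cidr "$1" || { echo "block_cidr: bad CIDR '$1'" >&2; return 1; }
    "$IPT" -A OUTPUT -d "$1" -j DROP &&
    "$IPT" -A INPUT  -s "$1" -j DROP
}

# Accept traffic only from one subnet.  Order matters: everything that
# must keep working is accepted first, and only then do the policies
# change to DROP, so a session from inside the subnet is never cut off.
allow_only_subnet() {
    valid_cidr "$1" || { echo "allow_only_subnet: bad CIDR '$1'" >&2; return 1; }
    "$IPT" -A INPUT  -i lo -j ACCEPT &&
    "$IPT" -A OUTPUT -o lo -j ACCEPT &&
    "$IPT" -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &&
    "$IPT" -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT &&
    "$IPT" -A INPUT   -s "$1" -j ACCEPT &&
    "$IPT" -A FORWARD -s "$1" -j ACCEPT &&
    "$IPT" -A OUTPUT  -d "$1" -j ACCEPT &&
    "$IPT" --policy INPUT   DROP &&
    "$IPT" --policy FORWARD DROP &&
    "$IPT" --policy OUTPUT  DROP
}

# Usage: source this file, then as root call e.g.
#   block_cidr 203.0.113.0/24        (203.0.113.0/24 is a documentation range)
#   allow_only_subnet 192.168.1.0/24
# Prefix the call with IPT=echo to see the rules before applying them.
```

Preview with `IPT=echo` first, then run `iptables -L -v` afterwards to confirm the rule order and policies match what was printed.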

Saving changes

Save changes permanently; otherwise iptables reverts to the default settings on restart:

$ sudo su
# /sbin/service iptables save

There are lots of examples on the web. Examples from:



Forward all traffic to port 25 to port 2525:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525


Disable outgoing email (--dports takes a port list only together with the multiport match):

# iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT


firewalld is a slightly more user-friendly interface to netfilter in Red Hat-based distros.

Zones are an important concept in firewalld. Some predefined zones:

  • drop : strictest. All incoming network packets are dropped
  • block : also very strict
  • public : only selected incoming connections are accepted. Good zone for a web server, email server, etc.
  • external : external networks (useful for NAT)
  • dmz : for computers located in a DMZ
  • work : trust most computers in the network and accept some services
  • home : trust most computers in the network and accept some services
  • trusted : trust all machines in the network

Check if running:

# firewall-cmd --state

Get active zones and interfaces attached to them:

# firewall-cmd --get-zones
# firewall-cmd --get-default-zone
# firewall-cmd --get-active-zones
  interfaces: enp0s3

Add or remove ports and services in a zone (without --permanent the change applies only to the running firewall and is lost on reload; with --permanent only, it takes effect after a reload):

# firewall-cmd --zone=FedoraServer --add-port=22/tcp
# firewall-cmd --zone=FedoraServer --list-ports
# firewall-cmd --zone=FedoraServer --remove-service=ssh --permanent
# firewall-cmd --zone=FedoraServer --add-service=smtp --permanent

Go into panic mode (drop all incoming/outgoing packets):

# firewall-cmd --panic-on
# firewall-cmd --panic-off

To change default zone:

# firewall-cmd --permanent --set-default-zone=public
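A small wrapper around the firewall-cmd calls above that applies a service change to the running firewall, verifies it, and then copies the runtime configuration to the permanent one, so the runtime/permanent mismatch seen in the commands above (some with --permanent, some without) cannot happen. This is an added example, not the page's or firewalld's own code; the function names, the FW and EXTRA_ZONES variables and the zone list are my own, and the zone list is the predefined set from the page (custom zones such as FedoraServer are passed in via EXTRA_ZONES).

```shell
#!/bin/sh
# Added example, not from the original page.  FW names the firewall-cmd
# binary; run with FW=echo to preview the commands without root.
FW="${FW:-firewall-cmd}"

# Zones shipped with firewalld, in the lower-case form firewall-cmd expects.
# Add site-specific zones through EXTRA_ZONES, e.g. EXTRA_ZONES=FedoraServer.
DEFAULT_ZONES="drop block public external dmz work home trusted"

# Refuse zone names that are not known, so a typo is reported here rather
# than as an error from firewall-cmd after a partial change.
known_zone() {
    for z in $DEFAULT_ZONES $EXTRA_ZONES; do
        [ "$z" = "$1" ] && return 0
    done
    return 1
}

# Open a service in a zone at runtime, confirm the running firewall now
# lists it, then make the runtime configuration permanent so the change
# survives a reload or reboot.
allow_service() {
    zone=$1; svc=$2
    known_zone "$zone" || { echo "allow_service: unknown zone '$zone'" >&2; return 1; }
    "$FW" --zone="$zone" --add-service="$svc" &&
    "$FW" --zone="$zone" --query-service="$svc" &&
    "$FW" --runtime-to-permanent
}

# Close a service the same way: runtime change, check it is gone, persist.
deny_service() {
    zone=$1; svc=$2
    known_zone "$zone" || { echo "deny_service: unknown zone '$zone'" >&2; return 1; }
    "$FW" --zone="$zone" --remove-service="$svc" &&
    if "$FW" --zone="$zone" --query-service="$svc" >/dev/null 2>&1 && [ "$FW" != echo ]; then
        echo "deny_service: $svc still active in $zone" >&2
        return 1
    fi &&
    "$FW" --runtime-to-permanent
}

# Usage (as root): EXTRA_ZONES=FedoraServer allow_service FedoraServer smtp
#                  deny_service public ssh
# Prefix with FW=echo to preview.
```

`--runtime-to-permanent` writes the whole current runtime configuration, not just this change, so review `firewall-cmd --list-all` first if other temporary rules are in place.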


Blocking the same range with ufw:

$ host
$ whois | grep CIDR
$ sudo su
# sudo ufw reject out to
# sudo ufw reject in to
linux/firewalls.txt · Last modified: 2019/01/21 11:22 by seanburns