Iptables is a firewall installed by default on all official Ubuntu flavours (Ubuntu, Kubuntu, Xubuntu) and on many other distributions. When you install Ubuntu, iptables is already there, but by default it allows all traffic.
There is a wealth of information available about iptables, but much of it is fairly complex and written for network admins. This walkthrough is a simple one for setting up a basic server. It covers how to set up iptables for the first time and how to add and remove rules as needed.


The first part assumes you already have a working set of rules and just want to add or remove some. Scroll down to read about setting up iptables for the first time.


To edit your tables

sudo nano /etc/iptables.rules

Once you have made the changes you need, apply the rules for them to take effect with the command below. iptables-apply loads the file and then asks you to confirm within a short timeout; if you do not confirm (for example because the new rules cut off your SSH session), it restores the previous rules.

sudo iptables-apply /etc/iptables.rules

Now verify that the rules have actually been loaded:

sudo iptables -L

Now that you have verified and saved the rules, check that a service is actually listening on the port you opened:

netstat -an | grep PORTNUMBER | grep -i listen

If the output looks like the line below, the port is open and something is listening on it. If nothing comes back, no service is listening on that port.

tcp6       0      0 :::80                   :::*                    LISTEN


Setting up IPTABLES for the first time


We need to create the iptables.rules file. Here is how to do that:

sudo sh -c "iptables-save > /etc/iptables.rules"


We want iptables to load the rules again when the server reboots. To do this, modify
/etc/network/interfaces and add the following to the bottom of the file:

pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules


It will look like this:

auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static


dns-search linux.local
dns-domain linux-master

pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules



Save and close the file.


Now we need to modify the iptables.rules file:

sudo nano /etc/iptables.rules



By default your file will look similar to this one. The *filter header, the :FORWARD policy line and the closing COMMIT are always written by iptables-save and are required by iptables-restore; the FORWARD counters shown here are placeholders, your own file will have its real values.

# Generated by iptables-save v1.4.12 on Sat Feb 16 22:25:15 2013
*filter
:INPUT ACCEPT [98238:127265495]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69623:10561242]
COMMIT
# Completed on Sat Feb 16 22:25:15 2013
You will want to add your rules after the policy lines and just above the COMMIT line. Here is an example:
# Generated by iptables-save v1.4.12 on Sat Feb 16 22:25:15 2013
*filter
:INPUT ACCEPT [98238:127265495]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [69623:10561242]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Feb 16 22:25:15 2013



Allowing Incoming Traffic on Specific Ports

You could start by blocking traffic, but if you are working over SSH you must allow SSH before blocking everything else, or you will lock yourself out.
To allow incoming traffic on the default SSH port (22), tell iptables to accept all TCP traffic to that port:

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT



Here is a copy of my iptables.rules. These are the ports for this particular server's services; only open the ports your own server actually serves, and consider restricting database or file-sharing ports such as 3306 and 137:139 to known source addresses (-s) rather than accepting them from every host.

-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4444 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 9987 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10011 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30033 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4040 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5555 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5001 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT



Once you have added the ports you need open, make sure the file also has the drop line: a final rule in the INPUT chain with the DROP target, placed after all of the ACCEPT rules.

This rule means that anything not matched by the ACCEPT rules above it is dropped and not allowed in. Because rules are matched top to bottom, any ACCEPT placed after the drop line can never match.

Save and close the file.



Now apply the changes with:

sudo iptables-apply /etc/iptables.rules


Now check your rules to make sure they have taken effect:

sudo iptables -L


If you see that your changes have taken effect, reboot the server and check again.
If all is well, you have successfully set up iptables.
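As an added example (not code from the original post), here is a small POSIX shell lint to run on /etc/iptables.rules before the iptables-apply step: it checks for the *filter header and COMMIT, the loopback and RELATED,ESTABLISHED rules, an ACCEPT for SSH, the presence of the drop line, and that the drop line comes after every INPUT ACCEPT, since a rule placed below the DROP can never match. The check_rules_file function and the constructed GOOD and BAD sample files are this example's own assumptions, not part of the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original post: a structural lint for an
# /etc/iptables.rules file, run before "sudo iptables-apply /etc/iptables.rules".
# It needs no iptables binary and no root, so it is safe to run anywhere.
# Exit status 0 means the file passed; otherwise one line per problem is printed.
check_rules_file() {
    f=$1
    rc=0
    # iptables-restore refuses a file without a table header and a COMMIT.
    grep -q '^\*filter$' "$f" || { echo "missing *filter header"; rc=1; }
    grep -q '^COMMIT$'   "$f" || { echo "missing COMMIT line"; rc=1; }
    # The rules the tutorial puts first: loopback and already-established flows.
    grep -q '^-A INPUT -i lo -j ACCEPT$' "$f" || { echo "missing loopback ACCEPT"; rc=1; }
    grep -q '^-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT$' "$f" \
        || { echo "missing RELATED,ESTABLISHED ACCEPT"; rc=1; }
    # The "drop line": everything not explicitly accepted is dropped.
    drop=$(grep -n '^-A INPUT -j DROP$' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$drop" ] || { echo "missing final '-A INPUT -j DROP'"; rc=1; }
    # SSH (22) must be accepted, or applying the file over SSH locks you out.
    sshl=$(grep -n '^-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT$' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$sshl" ] || { echo "no ACCEPT for tcp/22 (SSH)"; rc=1; }
    # Rules match top to bottom: any INPUT ACCEPT after the DROP can never fire.
    last=$(grep -n '^-A INPUT .*-j ACCEPT$' "$f" | tail -n 1 | cut -d: -f1)
    if [ -n "$drop" ] && [ -n "$last" ] && [ "$last" -gt "$drop" ]; then
        echo "ACCEPT on line $last comes after the DROP on line $drop and is dead"; rc=1
    fi
    return "$rc"
}

# Constructed sample files (counters are made-up placeholders in the format
# iptables-save writes). GOOD is the tutorial's layout completed with SSH and
# the drop line; BAD moves the SSH ACCEPT below the DROP, a classic lock-out.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
# BAD: the same file with the SSH rule re-inserted after the DROP line.
grep -v -- '--dport 22 ' "$GOOD" | awk '{print} /^-A INPUT -j DROP$/{print "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"}' > "$BAD"
```

Run it on the real file with check_rules_file /etc/iptables.rules; it prints each problem found and returns non-zero, so it can gate the iptables-apply step in a script.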
For more advanced information please visit

