From Network Security Wiki


Adding Rules

Allow SSH

iptables -A INPUT -p tcp --dport ssh -j ACCEPT       # "ssh" is resolved to port 22 via /etc/services

Allow incoming web traffic

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Blocking Traffic

Rules are matched top to bottom, so a catch-all DROP appended with -A must stay the last rule: anything appended after it is never reached, and later additions have to go in with -I. Without an ESTABLISHED,RELATED rule above it, a catch-all DROP also discards the replies to connections this host opened.

iptables -A INPUT -j DROP
iptables -A INPUT -i ens160 -s  -j DROP        # drop traffic from one source address arriving on ens160

Allow loopback

iptables -I INPUT 1 -i lo -j ACCEPT


List rules

iptables -L
iptables -L --line-numbers


Log Dropped Packets

Insert the LOG rule directly above the catch-all DROP (position 5 here; confirm the position with --line-numbers first, because -I shifts the existing rule at that position down). The limit match caps logging at 5 entries a minute so a flood cannot fill the disk.

iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Check Stats

iptables -nvL

Reset the packet and byte counters shown by -nvL:

iptables -Z

Deleting Rules

Delete a Rule

iptables -D INPUT -p tcp --dport 80 -j ACCEPT
iptables -D INPUT -i ens160 -s  -j DROP

Delete by Rule Number

iptables -D INPUT 3       # Chain name = INPUT

Flush Chain

iptables --flush MYCHAIN

Flush Iptables

This removes every rule from all chains of the filter table but leaves the chain policies in place. On a remote host whose INPUT policy is DROP, set the policy to ACCEPT before flushing, or the session is lost.

iptables -F

Delete Empty Chain

iptables -X MYCHAIN

Saving Rules

Export rules (IPv4 only; the IPv6 tables are saved and restored with ip6tables-save and ip6tables-restore)

iptables-save > /etc/iptables.conf

Restore them on every reboot

sudo nano /etc/rc.local

and add the following line before the closing exit 0 (rc.local has to be executable; on Debian and Ubuntu the iptables-persistent package does the same job from /etc/iptables/rules.v4):

iptables-restore < /etc/iptables.conf
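The individual rules above only behave as intended when they end up in the right order, which is easiest to guarantee by writing the whole ruleset as one iptables-restore file instead of issuing -A and -I commands one at a time. The script below is an added example, not code from the wiki page: it generates such a file with a default-deny INPUT policy, the loopback, SSH and web rules from this page, the rate-limited LOG rule, and the ESTABLISHED,RELATED rule the snippets above leave out. The port numbers, the choice of a DROP policy and the helper names (gen_ruleset, rule_count, apply_ruleset) are assumptions of the example.

```bash
#!/bin/sh
# Added example, not from the wiki page: the INPUT rules above assembled into
# one iptables-restore file. Assumptions: only SSH and the listed TCP ports
# are exposed; everything else is logged (rate-limited) and dropped by policy.

# gen_ruleset SSH_PORT [TCP_PORT...] -> prints the ruleset in iptables-save format
gen_ruleset() {
    ssh_port=$1
    shift
    printf '%s\n' '*filter'
    # Chain policies: default-deny inbound and forwarded traffic, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    # Loopback first, as the "-I INPUT 1 -i lo" rule above does.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened. Without this line a DROP policy
    # silently breaks DNS, apt and every other outbound connection.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Only NEW TCP connections to the permitted ports get through.
    for port in "$ssh_port" "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what is about to hit the DROP policy, at most 5 lines a minute so a
    # flood cannot fill the disk. It has to be the last rule: matching is top down.
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    printf '%s\n' 'COMMIT'
}

# rule_count RULESET_TEXT -> number of -A lines, a quick sanity check of the output
rule_count() {
    printf '%s\n' "$1" | grep -c -- '^-A '
}

# apply_ruleset FILE: parse-check with --test first so a typo cannot leave the
# host with a half-loaded table, then load it. Run as root.
apply_ruleset() {
    iptables-restore --test < "$1" || return 1
    iptables-restore < "$1"
}

# Stand-alone run: print the ruleset for SSH plus HTTP/HTTPS for review.
gen_ruleset 22 80 443
```

Review the output, then as root run `gen_ruleset 22 80 443 > /etc/iptables.conf` followed by `apply_ruleset /etc/iptables.conf`; the --test pass makes iptables-restore parse the file without committing it, so a syntax error is caught before any rule changes. Unlike the incremental -A commands above, iptables-restore replaces the current filter table with the file's contents, so the saved file is the complete, ordered policy.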


UFW Basic Usage


ufw defaults to deny incoming and allow outgoing, so on a remote host add an allow rule for SSH before enabling it.

sudo apt-get install ufw
sudo apt-get install gufw        # optional graphical front end
sudo ufw enable

To check your current settings:

sudo ufw status verbose

To add firewall rules:

sudo ufw deny 22
sudo ufw deny 25/tcp
sudo ufw deny 5353/udp
sudo ufw deny 135,139,445/tcp
sudo ufw deny 137,138/udp
sudo ufw deny from to any                            # Block a specific IP address
sudo ufw deny from to any port 80                     # Block a specific IP on one port, e.g. a spamming host
sudo ufw deny proto tcp from to any port 22           # Deny a specific IP, port and protocol
sudo ufw deny proto tcp from to any port 22        # Block a subnet

Add a Rule to the Top of the List:

sudo ufw insert 1 deny from comment 'Block DoS attack subnet'

Delete Specific Rules (rule numbers shift after every deletion, so re-run status numbered before each delete):

sudo ufw status numbered
sudo ufw delete 4

Confirm your changes:

sudo ufw status verbose
sudo ufw status numbered
sudo ufw show added
sudo ufw show listening
sudo ufw show builtins
sudo ufw show before-rules
sudo ufw show user-rules
sudo ufw show after-rules
sudo ufw show logging-rules

Manage Application Traffic:

sudo ufw app list
sudo ufw app info Samba
sudo ufw allow from to any app Samba

Rate Limiting (ufw denies a source that attempts 6 or more connections within 30 seconds; the second command shows the iptables rules ufw generated for port 53):

sudo ufw limit 53/udp
sudo iptables -L | grep domain

Check Stats:

sudo ufw show raw

Confirm the firewall is active (rules have no effect while ufw is disabled):

sudo ufw enable

Reset UFW (disables the firewall and removes all user rules; backups of the old rule files are left in /etc/ufw):

sudo ufw reset

Receive the UDP multicast traffic

sudo ufw allow in proto udp to
sudo ufw allow in proto udp from

This covers the UDP packets in both directions, but the IGMP group-membership messages have to be allowed as well:

sudo nano /etc/ufw/before.rules

and add the following lines somewhere before the COMMIT line:

# allow IGMP
-A ufw-before-input -p igmp -d -j ACCEPT
-A ufw-before-output -p igmp -d -j ACCEPT

Internet Connection Sharing using UFW

sudo ufw allow from
sudo nano /etc/default/ufw          # set DEFAULT_FORWARD_POLICY="ACCEPT"; ufw otherwise drops forwarded packets
sudo nano /etc/ufw/sysctl.conf      # uncomment net/ipv4/ip_forward=1
sudo nano /etc/ufw/before.rules     # add a *nat table ahead of the existing *filter section

Add rules for nat table


Forward traffic from eth0 through ppp0


Commit preceding nat table rules

sudo service ufw restart
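The three nano steps above each change one thing, and the nat rules themselves are not shown on this page. The script below is an added example, not content from the wiki: it performs those edits as shell functions that take the target file as an argument, so they can be tried on copies before anything under /etc is touched, and prepends a *nat table that masquerades LAN traffic leaving through the upstream interface. The LAN subnet 192.168.1.0/24, the interfaces eth0/ppp0 and the function names are assumptions chosen for the demonstration.

```bash
#!/bin/sh
# Added example, not from the wiki page: the three edits behind the nano steps
# above, as functions that take the file to edit as an argument so they can be
# tried on copies first. Assumed values for the demonstration: the LAN behind
# eth0 is 192.168.1.0/24 and the upstream link is ppp0; adjust both for a real host.

# edit_in_place FILE SED_SCRIPT: portable stand-in for "sed -i".
edit_in_place() {
    tmp=$(mktemp) || return 1
    sed "$2" "$1" > "$tmp" && cat "$tmp" > "$1"
    status=$?
    rm -f "$tmp"
    return $status
}

# set_forward_policy DEFAULT_UFW_FILE: ufw drops forwarded packets unless
# DEFAULT_FORWARD_POLICY is ACCEPT (real file: /etc/default/ufw).
set_forward_policy() {
    edit_in_place "$1" 's/^DEFAULT_FORWARD_POLICY=.*/DEFAULT_FORWARD_POLICY="ACCEPT"/'
}

# enable_ip_forward SYSCTL_FILE: uncomment net/ipv4/ip_forward=1
# (real file: /etc/ufw/sysctl.conf, which ufw applies when it starts).
enable_ip_forward() {
    edit_in_place "$1" 's|^#*net/ipv4/ip_forward=1|net/ipv4/ip_forward=1|'
}

# add_nat_block BEFORE_RULES LAN_SUBNET WAN_IF: put a *nat table ahead of the
# existing *filter table (real file: /etc/ufw/before.rules). Every table needs
# its own COMMIT line or the file fails to load. Refuses to add a second copy.
add_nat_block() {
    rules=$1; subnet=$2; wan=$3
    if grep -q '^\*nat' "$rules"; then
        echo "$rules already has a nat table" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    {
        printf '%s\n' '# nat table rules (connection sharing)' '*nat' \
            ':POSTROUTING ACCEPT [0:0]' \
            "# Forward traffic from the LAN through $wan" \
            "-A POSTROUTING -s $subnet -o $wan -j MASQUERADE" \
            "# COMMIT closes the nat table; don't delete it" 'COMMIT' ''
        cat "$rules"
    } > "$tmp" && cat "$tmp" > "$rules"
    status=$?
    rm -f "$tmp"
    return $status
}

# Demonstration on constructed copies of the three files (nothing under /etc is
# touched). For a real host pass /etc/default/ufw, /etc/ufw/sysctl.conf and
# /etc/ufw/before.rules instead, then run "ufw reload" as root.
work=$(mktemp -d)
printf 'DEFAULT_INPUT_POLICY="DROP"\nDEFAULT_FORWARD_POLICY="DROP"\n' > "$work/ufw"
printf '#net/ipv4/ip_forward=1\n#net/ipv6/conf/default/forwarding=1\n' > "$work/sysctl.conf"
printf '*filter\n:ufw-before-input - [0:0]\n-A ufw-before-input -i lo -j ACCEPT\nCOMMIT\n' > "$work/before.rules"
set_forward_policy "$work/ufw"
enable_ip_forward "$work/sysctl.conf"
add_nat_block "$work/before.rules" 192.168.1.0/24 ppp0
cat "$work/ufw" "$work/sysctl.conf" "$work/before.rules"
```

The separate COMMIT at the end of the nat table is what the "Commit preceding nat table rules" step above refers to: ufw loads before.rules with iptables-restore, which rejects a table that is not closed by COMMIT, and the existing *filter section keeps its own. After the real files are edited, the service restart above (or `sudo ufw reload`) applies the change; the LAN clients also need the allow rule from the first step so their packets are accepted before they are forwarded.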
