The iptables management commands vary depending on the version of Linux.
Stopping, starting, restarting, enabling and disabling iptables and ip6tables
CentOS 6 iptables and ip6tables
#list loaded rules (-L lists the filter table, -n prints addresses/ports numerically)
iptables -nL
ip6tables -nL
#service management: pick ONE of the bracketed actions. On CentOS 6 the init
#script's "stop" flushes the live rules, so the host is unfiltered until
#"start" reloads the saved file
service iptables [stop,start,restart,status]
service ip6tables [stop,start,restart,status]
#disable iptables at boot (does not stop the running service)
chkconfig iptables off
chkconfig ip6tables off
#enable iptables at boot (does not start it now)
chkconfig iptables on
chkconfig ip6tables on
CentOS 7 iptables and ip6tables
#list loaded rules (-L lists the filter table, -n prints addresses/ports numerically)
iptables -nL
ip6tables -nL
#service management: pick ONE of the bracketed actions. CentOS 7 ships firewalld
#by default; these units come from the iptables-services package and should not
#run alongside firewalld
systemctl [stop,start,restart,status] iptables
systemctl [stop,start,restart,status] ip6tables
#disable iptables at boot (does not stop the running service)
systemctl disable iptables
systemctl disable ip6tables
#enable iptables at boot (does not start it now)
systemctl enable iptables
systemctl enable ip6tables
Ubuntu 14 iptables and ip6tables
#list loaded rules (-L lists the filter table, -n prints addresses/ports numerically)
iptables -nL
ip6tables -nL
#service management: pick ONE of the bracketed actions. "save" overwrites
#/etc/iptables/rules.v4 and rules.v6 with the live rules; "flush" empties the
#live rules, leaving the host unfiltered until "start"/"reload"
service iptables-persistent [flush,start,restart,reload,save]
#disable iptables-persistent at boot (live rules stay until reboot or flush)
update-rc.d -f iptables-persistent remove
#enable iptables-persistent at boot (restores rules.v4/rules.v6 on start)
update-rc.d iptables-persistent defaults
Debian 8 and Ubuntu 16 iptables and ip6tables
#list loaded rules (-L lists the filter table, -n prints addresses/ports numerically)
iptables -nL
ip6tables -nL
#service management: pick ONE of the bracketed actions. The service only
#loads/saves /etc/iptables/rules.v4 and rules.v6; "stop" does not by itself
#remove rules already in the kernel
systemctl [stop,start,restart,status] netfilter-persistent.service
#disable at boot: saved rules are no longer restored after a reboot
systemctl disable netfilter-persistent.service
#enable at boot
systemctl enable netfilter-persistent.service
List iptables and ip6tables rules
Note: If iptables does not list any rules, the service(s) may not be running. Start and enable the iptables services using the commands shown earlier.
#list the loaded iptables rules (what the kernel enforces right now)
iptables -nL
ip6tables -nL
#CentOS 6/7 list the saved iptables and ip6tables file (what is loaded at
#boot; it can differ from the live rules until you save)
cat /etc/sysconfig/iptables
cat /etc/sysconfig/ip6tables
#Debian and Ubuntu list the saved iptables and ip6tables file
cat /etc/iptables/rules.v4
cat /etc/iptables/rules.v6
Save iptables and ip6tables loaded rules
Note: If the iptables service is not running or no rules are loaded, saving overwrites the saved file with an empty (default-policy) rule set. Make sure the rules you want are loaded and that you intend to overwrite the existing saved file before you save. Consider saving to an alternate backup file first if needed.
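#list the loaded iptables rules first: iptables-save writes exactly what is
#loaded now, so an empty or partial rule set is what ends up in the file
iptables -nL
ip6tables -nL
#CentOS 6/7 saving loaded rules
#the dump is captured before the file is opened, so a failed iptables-save
#(not root, netfilter modules not loaded) or an empty dump cannot truncate
#the persisted rules; tee still echoes them and keeps the file's mode
rules=$(iptables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/sysconfig/iptables
rules=$(ip6tables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/sysconfig/ip6tables
#Debian/Ubuntu saving loaded rules (same guard)
rules=$(iptables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/iptables/rules.v4
rules=$(ip6tables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/iptables/rules.v6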
Save iptables and ip6tables rules to an alternate backup file (in case a rollback is needed)
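#CentOS 6/7 saving loaded rules to backup file
#nothing is written if iptables-save fails or returns an empty dump, so the
#backup can never silently become a blank rule set
rules=$(iptables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/sysconfig/iptables.bak
rules=$(ip6tables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/sysconfig/ip6tables.bak
#Debian/Ubuntu saving loaded rules to backup file (same guard)
rules=$(iptables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/iptables/rules.v4.bak
rules=$(ip6tables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/iptables/rules.v6.bak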
Restoring iptables and ip6tables rules from an alternate backup file
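#CentOS 6/7 restoring saved rules from a backup file
#--test parses the file without touching the live rules, so a corrupt or
#hand-edited backup is rejected before the current rule set is replaced
#(a plain restore flushes and replaces every table present in the file)
iptables-restore --test /etc/sysconfig/iptables.bak && iptables-restore /etc/sysconfig/iptables.bak
ip6tables-restore --test /etc/sysconfig/ip6tables.bak && ip6tables-restore /etc/sysconfig/ip6tables.bak
#Debian/Ubuntu restoring saved rules from a backup file (same check first)
iptables-restore --test /etc/iptables/rules.v4.bak && iptables-restore /etc/iptables/rules.v4.bak
ip6tables-restore --test /etc/iptables/rules.v6.bak && ip6tables-restore /etc/iptables/rules.v6.bak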
Example adding a new port rule to iptables and ip6tables
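#CentOS 6/7 adding port tcp1000 (inserting to line 1) and saving to permanent ruleset for iptables
#the option is two ASCII hyphens (--dport); a typographic dash does not parse.
#position 1 puts the rule ahead of everything else and there is no -s match,
#so port 1000 is accepted from any source; add -s <cidr> to limit who may reach it.
#the save is guarded: nothing is written if iptables-save fails or dumps nothing
iptables -I INPUT 1 -p tcp -m tcp --dport 1000 -j ACCEPT
rules=$(iptables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/sysconfig/iptables
#CentOS 6/7 adding port tcp1000 (inserting to line 1) and saving to permanent ruleset for ip6tables
ip6tables -I INPUT 1 -p tcp -m tcp --dport 1000 -j ACCEPT
rules=$(ip6tables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/sysconfig/ip6tables
#Debian/Ubuntu adding port tcp1000 (inserting to line 1) and saving to permanent ruleset for iptables
iptables -I INPUT 1 -p tcp -m tcp --dport 1000 -j ACCEPT
rules=$(iptables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/iptables/rules.v4
#Debian/Ubuntu adding port tcp1000 (inserting to line 1) and saving to permanent ruleset for ip6tables
ip6tables -I INPUT 1 -p tcp -m tcp --dport 1000 -j ACCEPT
rules=$(ip6tables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/iptables/rules.v6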
Example deleting a port rule from iptables and ip6tables
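#list iptables rules (iptables -S prints them in the command-line form that -D must match exactly)
iptables -nL
ip6tables -nL
#CentOS 6/7 deleting port tcp1000 and saving to permanent ruleset for iptables
#the option is two ASCII hyphens (--dport); a typographic dash does not parse.
#-D removes the first rule whose spec matches exactly (same modules, same
#order as when it was added); repeat it if the rule was inserted more than once.
#the save is guarded: nothing is written if iptables-save fails or dumps nothing
iptables -D INPUT -p tcp -m tcp --dport 1000 -j ACCEPT
rules=$(iptables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/sysconfig/iptables
#CentOS 6/7 deleting port tcp1000 and saving to permanent ruleset for ip6tables
ip6tables -D INPUT -p tcp -m tcp --dport 1000 -j ACCEPT
rules=$(ip6tables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/sysconfig/ip6tables
#Debian/Ubuntu deleting port tcp1000 and saving to permanent ruleset for iptables
iptables -D INPUT -p tcp -m tcp --dport 1000 -j ACCEPT
rules=$(iptables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/iptables/rules.v4
#Debian/Ubuntu deleting port tcp1000 and saving to permanent ruleset for ip6tables
ip6tables -D INPUT -p tcp -m tcp --dport 1000 -j ACCEPT
rules=$(ip6tables-save) && [ -n "$rules" ] && printf '%s\n' "$rules" | tee /etc/iptables/rules.v6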
CentOS 6/7 editing the iptables and ip6tables ruleset files directly
Note: It is important that you make a backup of the iptables file before modifying it directly. Any syntax error will prevent iptables from loading at all.
#CentOS 6/7: back up the saved file first, then edit. The edit is not live
#until iptables-restore runs on the file or the service is restarted
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
vi /etc/sysconfig/iptables
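# Generated by iptables-save v1.4.7 on Wed Jul 11 17:37:19 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [104:15924]
# options are ASCII double hyphens (--state, --dport, --comment) and comment
# text uses straight quotes; typographic dashes/quotes make iptables-restore fail
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -m comment --comment "ssh default" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22122 -m comment --comment "ssh alternate" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -m comment --comment "http" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -m comment --comment "https" -j ACCEPT
# no -s match: MySQL is accepted from any source; add -s <cidr> if it should be reachable only from known hosts
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3306 -m comment --comment "mysql" -j ACCEPT
# catch-all: the chain policy is ACCEPT, so these REJECT lines are what closes the host
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jul 11 17:37:19 2018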
When finished editing, restart iptables or run iptables-restore on the file to load the directly modified rule set.
#back up the saved file first, then edit. The edit is not live until
#ip6tables-restore runs on the file or the service is restarted
cp /etc/sysconfig/ip6tables /etc/sysconfig/ip6tables.bak
vi /etc/sysconfig/ip6tables
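# Generated by ip6tables-save v1.4.7 on Wed Jul 11 17:37:19 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5:396]
# options are ASCII double hyphens (--state, --dport, --comment) and comment
# text uses straight quotes; typographic dashes/quotes make ip6tables-restore fail
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# udp 546 on the link-local prefix: DHCPv6 client replies
-A INPUT -d fe80::/64 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -m comment --comment "ssh default" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22122 -m comment --comment "ssh alternate" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -m comment --comment "http" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -m comment --comment "https" -j ACCEPT
# no -s match: MySQL is accepted from any source; add -s <prefix> if it should be reachable only from known hosts
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3306 -m comment --comment "mysql" -j ACCEPT
# catch-all: the chain policy is ACCEPT, so these REJECT lines are what closes the host
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
# Completed on Wed Jul 11 17:37:19 2018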
When finished editing, restart ip6tables or run ip6tables-restore on the file to load the directly modified rule set.
Debian/Ubuntu editing the iptables and ip6tables ruleset files directly
Note: It is important that you make a backup of the iptables file before modifying it directly. Any syntax error will prevent iptables from loading at all.
#Debian/Ubuntu: back up the saved file first, then edit. The edit is not live
#until iptables-restore runs on the file or the service is restarted
cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.bak
vi /etc/iptables/rules.v4
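# Generated by iptables-save v1.6.0 on Tue Jul 10 20:27:22 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [95:9648]
# options are ASCII double hyphens (--state, --dport, --comment) and comment
# text uses straight quotes; typographic dashes/quotes make iptables-restore fail
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -m comment --comment "ssh default" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22122 -m comment --comment "ssh alternate" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -m comment --comment "http" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -m comment --comment "https" -j ACCEPT
# no -s match: MySQL is accepted from any source; add -s <cidr> if it should be reachable only from known hosts
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3306 -m comment --comment "mysql" -j ACCEPT
# catch-all: the chain policy is ACCEPT, so these REJECT lines are what closes the host
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Tue Jul 10 20:27:22 2018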
When finished editing, restart iptables or run iptables-restore on the file to load the directly modified rule set.
#back up the saved file first, then edit. The edit is not live until
#ip6tables-restore runs on the file or the service is restarted
cp /etc/iptables/rules.v6 /etc/iptables/rules.v6.bak
vi /etc/iptables/rules.v6
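# Generated by ip6tables-save v1.6.0 on Tue Jul 10 20:27:42 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# options are ASCII double hyphens (--state, --dport, --comment) and comment
# text uses straight quotes; typographic dashes/quotes make ip6tables-restore fail
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# udp 546 on the link-local prefix: DHCPv6 client replies
-A INPUT -d fe80::/64 -p udp -m state --state NEW -m udp --dport 546 -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22 -m comment --comment "ssh default" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 22122 -m comment --comment "ssh alternate" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -m comment --comment "http" -j ACCEPT
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 443 -m comment --comment "https" -j ACCEPT
# no -s match: MySQL is accepted from any source; add -s <prefix> if it should be reachable only from known hosts
-A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 3306 -m comment --comment "mysql" -j ACCEPT
# catch-all: the chain policy is ACCEPT, so these REJECT lines are what closes the host
-A INPUT -j REJECT --reject-with icmp6-adm-prohibited
-A FORWARD -j REJECT --reject-with icmp6-adm-prohibited
COMMIT
# Completed on Tue Jul 10 20:27:42 2018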
When finished editing, restart ip6tables or run ip6tables-restore on the file to load the directly modified rule set.