From charlesreid1

iptables is a firewall program.

Listing Rules

To list all the rules currently in place for iptables, use the -L flag. Optionally, add the -v flag to show two extra columns (number of packets/bytes that have matched this rule). This can help shed light on which rules are active and applied often, and which rules are crusty and unused.

$ sudo iptables -L -v
Chain INPUT (policy ACCEPT 53 packets, 3680 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7745 6400K            tcp  --  any    any     anywhere             anywhere             tcp dpt:https
  122  7228 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:snpp
 3582 1350K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssyncd
   57  2868 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:tproxy

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
1898K 6060M DOCKER-ISOLATION  all  --  any    any     anywhere             anywhere
1423K 8009M DOCKER     all  --  any    docker0  anywhere             anywhere
1381K 8003M ACCEPT     all  --  any    docker0  anywhere             anywhere             ctstate RELATED,ESTABLISHED
 571K   98M ACCEPT     all  --  docker0 !docker0  anywhere             anywhere
   22  1320 ACCEPT     all  --  docker0 docker0  anywhere             anywhere

Chain OUTPUT (policy ACCEPT 38 packets, 6436 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination
   73  5057 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.2           tcp dpt:28017
  163 10362 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.2           tcp dpt:27017
15086 2366K ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.3           tcp dpt:tproxy
   69  4120 ACCEPT     tcp  --  !docker0 docker0  anywhere             172.17.0.4           tcp dpt:8888

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination
2063K 8114M RETURN     all  --  any    any     anywhere             anywhere

Or list just one particular chain:

$ sudo iptables -L INPUT
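
The counter check described above can be scripted. The following is an added example, not part of the original page: a shell function that reads an `iptables -L -v` listing and prints every rule that has matched no packets. The names zero_hit_rules and sample_listing are made up for this example, and the sample listing is constructed.

```shell
# Added example: list rules whose packet counter is still zero.
# Reads `iptables -L -v` output (with or without --line-numbers) on stdin and
# prints "CHAIN N: rule", where N is the index that -Z and -D accept.
zero_hit_rules() {
    awk '
        # "Chain INPUT (policy ...)" opens a new chain; restart rule numbering
        $1 == "Chain" { chain = $2; n = 0; col = 0; next }
        # The column header tells us where the pkts counter sits
        $1 == "num"   { col = 2; next }
        $1 == "pkts"  { col = 1; next }
        # Skip blank lines and anything seen before a header
        NF == 0 || col == 0 { next }
        {
            n++
            # Counters are abbreviated (K/M/G) only when large, so an
            # untouched rule always shows a literal 0
            if ($col == "0") {
                sub(/^[ \t]+/, "")
                print chain " " n ": " $0
            }
        }
    '
}

# Constructed sample listing (not captured from a real host). INPUT rule 4 has
# no target, like the https counting rule in the listing above.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7745 6400K ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:8080
  122  7228 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0            tcp  --  any    any     anywhere             anywhere             tcp dpt:8443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 38 packets, 6436 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
EOF
}

# On a live system: sudo iptables -L -v | zero_hit_rules
sample_listing | zero_hit_rules
```

Counters only cover the time since they were last reset or the rules were last reloaded, so a zero means the rule was not matched in that window, not that it is never needed.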

Resetting Rule Counters

To reset the byte and packet counters for the firewall, use the -Z flag, either without arguments (reset the counters of all rules) or with arguments (which counters to reset).

For example, to reset the counters of all rules:

$ sudo iptables -Z

To reset only the INPUT chain counters:

$ sudo iptables -Z INPUT

You can also reset the counters of a single rule by its index number. First, list all the iptables rules with numbering:

$ sudo iptables -L --line-numbers

Then you can pick out which rule number you want to reset, and pass that to the -Z flag. For example, to reset the counters for the first INPUT chain rule:

$ sudo iptables -Z INPUT 1

Deleting Rules

To delete rules, first list them by number:

$ sudo iptables -L --line-numbers

Now you can pick out which rule number in which chain you would like to delete. Specify the chain first, then the rule number you wish to delete. This will delete the third rule in the INPUT chain:

$ sudo iptables -D INPUT 3

Simple script example

Here is a simple iptables example that allows ssh, http, and https, and not much else. It is a good starting point.

# Flush existing rules
iptables -F

# Allow SSH/HTTP/HTTPS
iptables -A INPUT  -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT  -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT  -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT

# Accept packets belonging to established and related connections
# (conntrack is the current replacement for the older "state" match)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Set default policies for INPUT, FORWARD and OUTPUT chains.
# Done last, so every ACCEPT rule above is in place before INPUT switches to DROP.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

OpenVPN iptables scripts

For more examples of iptables scripts, you can visit the OpenVPN/Static Key page. More specifically:
