25 Useful IPtable Firewall Rules Every Linux Administrator Should Know


Marin Todorov

I am a bachelor in computer science and a Linux Foundation Certified System Administrator. Currently working as a Senior Technical support in the hosting industry. In my free time I like testing new software and inline skating.


23 Responses

  1. abuchu says:

    I really like your page. I am a new network admin working in my country, Ethiopia. If you have anything that will help me to succeed in my career I would really like to see it soon, and thank you for your info. Please just recommend me what I can do to succeed and be a strong network or sys admin for my company.

  2. Marc says:

    I am wondering why everyone configures iptables but forgets ip6tables?

    • Ravi Saive says:

      iptables firewall is the default and most used firewall in Linux distributions.

    • cybernard says:

      Very few people have an IPv6. The people who have an IPv4 can only talk to IPv4 addresses. There may be tunneling services, but 99% of the internet is IPv4, so why bother.

  3. Riyad says:

    Awesome! I am a beginner in Linux. Can you suggest me some tips about Linux security please?

  4. Shany says:

    Great article!
    Is it possible to route a packet to one of several proxy servers randomly then have it return back to the sender?

    • cybernard says:

      Connections are IP based. TCP uses a 3-way handshake; if all 3 packets don’t come from the same IP no connection will ever be established. All websites and servers (except DNS, which sometimes uses UDP) use TCP. UDP packets will go through, but since each proxy has a different IP the other side would assume they were new connections and the initial request would have to be re-issued.

      Each connection from start to finish could be routed to a different proxy, setting it up would not be trivial.

      Pretend you did establish a connection to a web server, the first packet is expected to contain a command, like GET index.html. Then normally you would start receiving the results, however, with a new IP from a different proxy the web server would be expecting a command all over again and the results would not arrive because no established connection exists with proxy 2. The data would attempt to come back to the originating proxy.

      The remote web server would somehow have to know which proxy to send the data to, and alternate on a per packet basis.

      You would have to write and deploy your own custom web server. Given apache and Microsoft and the other big names spend millions continuously testing and updating their products against attack no one would trust your server as secure without equal testing. The project would consume your life as you have to either write it all yourself or manage a community of users contributing code to it.

      • Shany says:

        As far as I know, proxy servers can cooperate (Squid for example), but continuing your line of thought, how would you randomly route a session through one of several proxies?

  5. chanuka says:

    Really needful

  6. cybernard says:

    Step 21: Instead of having two potentially long blocks
    iptables -I INPUT -d SITE -p tcp -m multiport --dports 21,25,110,143,465,587,993,995 -j DROP
    use this instead
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -I INPUT -d SITE -p tcp -m multiport ! --dports 80,443 -j DROP

    This teaches the "allow only what is required" principle instead of a long blacklist.

  7. Wodin says:

    You don’t want to block ALL incoming ICMP. If you just want to block PING requests, then you need to block ICMP echo requests like this:
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

  8. me says:

    For black/white lists, banning IP, you should teach people IPSET as it is way more efficient. Blocking with iptables doesn’t scale well, and at approx 2000 blocks (depending on your CPU) your CPU utilization will go through the roof.
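The three points raised in comments 6, 7 and 8 (allow only what is required with conntrack plus a short allow-list, drop only ICMP echo-request rather than all ICMP, and keep address blocklists in an ipset instead of one iptables rule per address) fit together in a single iptables-restore ruleset. The script below is an added example, not part of the article or any commenter's code; it assumes an ipset named "blocklist" has been created separately and that 80 and 443 are the only services the host should expose.

```shell
#!/bin/sh
# Added example: generate a default-deny INPUT ruleset in iptables-restore format.
# Assumptions (not from the page): the ipset "blocklist" already exists
# (ipset create blocklist hash:ip), and 80,443 are the only exposed services.

SERVICE_PORTS="${SERVICE_PORTS:-80,443}"
BLOCKLIST_SET="${BLOCKLIST_SET:-blocklist}"

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# One rule checks the whole ipset, however many addresses it holds
-A INPUT -m set --match-set $BLOCKLIST_SET src -j DROP
# Loopback, and replies to connections this host itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Only ping requests are dropped; other ICMP (e.g. fragmentation-needed) still arrives
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT
# The allow-list: anything not matched here falls through to the INPUT DROP policy
-A INPUT -p tcp -m multiport --dports $SERVICE_PORTS -j ACCEPT
COMMIT
EOF
}

# Sanity check before loading: the chain policy must be DROP and there must be
# no catch-all ACCEPT on INPUT, which would silently undo the allow-list.
check_ruleset() {
    gen_ruleset | grep -q '^-A INPUT -j ACCEPT' && return 1
    gen_ruleset | grep -q '^:INPUT DROP' || return 1
    return 0
}

# Usage (as root):
#   check_ruleset && gen_ruleset > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

Addresses are then added or removed with ipset add/del without touching the ruleset, and the same file can be adapted for ip6tables-restore, which answers the ip6tables point raised in comment 2.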
