Common iptables Filtering
With the default policy set to block all incoming, outgoing, and forwarded packets, the firewall/gateway and internal LAN users cannot communicate with each other or with external resources. To allow users to perform network-related functions and use networking applications, administrators must open certain ports for communication.
To allow traffic from port 80 into the firewall, append the following rule (note that it matches on the remote source port):
iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
This allows regular web browsing of websites that serve on port 80, since their replies arrive with source port 80. To allow access to secure websites (such as https://www.serverbuddies.com/), you must open port 443 as well.
iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
Allow rules must come first, followed by the drop rule for the subnet: iptables evaluates a chain in order and the first matching rule decides, so a drop rule placed earlier would shadow the allow rules behind it.
To insert a rule at an arbitrary position in an existing chain, use -I, followed by the chain to insert into and the rule number (1, 2, 3, …, n) at which the rule should sit. For example:
iptables -I INPUT 1 -i lo -p all -j ACCEPT
The rule is inserted as the first rule in the INPUT chain to allow local loopback device traffic.
$ sudo iptables -L -n -v
Chain INPUT (policy ACCEPT 235 packets, 45229 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   158 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  169 36782 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
To allow remote SSH access (inbound connections to port 22, plus the server's replies leaving from port 22), the following rules may be used:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
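The ordering rule above (allow before drop) and the difference between the --sport and --dport rules are easy to check without touching a live firewall. The following is an added example, not code from the article: a small first-match simulator for one iptables chain, where Rule, Chain, packet() and article_ruleset() are hypothetical helpers and the packets are constructed samples.

```python
"""Added example (not from the article): a minimal first-match simulator for one
iptables chain, showing why allow rules must precede the drop rule and what the
article's --sport 80 rule actually matches. Rule, Chain and packet() are
hypothetical helpers, not iptables code."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    target: str                     # ACCEPT or DROP
    proto: Optional[str] = None     # -p tcp/udp; None means -p all
    in_iface: Optional[str] = None  # -i
    sport: Optional[int] = None     # --sport
    dport: Optional[int] = None     # --dport

    def matches(self, pkt: dict) -> bool:
        wanted = (("proto", self.proto), ("in", self.in_iface),
                  ("sport", self.sport), ("dport", self.dport))
        return all(v is None or pkt[k] == v for k, v in wanted)

class Chain:
    """One chain with a default policy; the first matching rule decides."""
    def __init__(self, policy: str):
        self.policy = policy
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:            # iptables -A CHAIN
        self.rules.append(rule)

    def insert(self, pos: int, rule: Rule) -> None:  # iptables -I CHAIN pos
        self.rules.insert(pos - 1, rule)              # iptables counts from 1

    def verdict(self, pkt: dict) -> str:
        return next((r.target for r in self.rules if r.matches(pkt)), self.policy)

def packet(proto: str, in_iface: str, sport: int, dport: int) -> dict:
    """Constructed sample packet (no real traffic is involved)."""
    return {"proto": proto, "in": in_iface, "sport": sport, "dport": dport}

def article_ruleset() -> Chain:
    """INPUT chain built in the article's order, on a DROP default policy."""
    chain = Chain("DROP")
    chain.append(Rule("ACCEPT", proto="tcp", sport=80))   # replies from web servers
    chain.append(Rule("ACCEPT", proto="tcp", sport=443))
    chain.append(Rule("ACCEPT", proto="tcp", dport=22))   # inbound SSH
    chain.insert(1, Rule("ACCEPT", in_iface="lo"))        # -I INPUT 1 -i lo
    return chain
```

With this chain, a reply from a web server (source port 80) is accepted while a connection to a local web server (destination port 80) is dropped, which shows the --sport rule does not open a local service; appending the SSH allow rule after a catch-all Rule("DROP") makes verdict() return DROP, the ordering mistake the article warns about.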