IPTables, what is it?!

The main firewall tool on ubuntu is iptables, which includes some useful tools like iptables-restore, iptables-save ed iptables. Iptables let you define throughput, input and out network policies and exceptions, otherwise accepting or denying specific kind of connection.
Vi sono 2 modi per utilizzare iptables:


    Quick and temporary, every rule will be forget on system reboot. You can set a rule or a policy a time, so it can be necessary to concatenate multiple commands together to avoid to ends up having a system unable to be reached from outside.

    Policies INPUT, FORWARD and OUTPUT:

    Defining a rule to open or close a specific port


    Efficient for definitive configurations, the file can be used one-time or for a permanent configuration.
    The config file must follows some rules: to define policies they must be preceeded by *filter while each definition must starts with colon character (:), besides the last row of the file must contains COMMIT to confirm the execution of the defined rules. The sharp character (#) is the symbol for comments.

    A config example:

    Once wrote the config file, you should use the following commands to be able to load or save a configuration from or to a file.

  3. Apply and save the configuration

    Load config from file:

    Save config to file:

    Save config permanently (“sudo -i” is not needed if you logged as root) :

  • Firewall configuration

    You are free to pick all or only the configs you need to make your own personal configuration file (except the first 3, they are mandatory) or to run a series of concatenated iptables commands. Just remember to append COMMIT ad the end of your config file

    1. Read and clean up (LIST & FLUSH)

      Before starting your config, it might be necessary to remove or check the current applied rules on your system.

      List the current system rules (LIST):

      Cleanup the rule list (FLUSH):

    2. Filter policy

      Policies let you define the firewall default behavior against different types of connections. A good basic policy should deny (DROP) any incoming or forwarded (FORWARD) connection and allow all outgoing ones (OUTPUT).

      Basic policies definition in config file:

      Defining such policies by command line is pretty easy and not far from the config file, just remember to concatenate them with loopback, persistence and SSH access to prevent to end up without any chance to access your server remotely anymore:


      Allowing all incoming connection from loopback interface (kind of a service door for the system to communicate with itself: localhost /

    4. Connection persistence (ESTABLISHED and RELATED)

      Connections, in IpTables, can be of 3 types: New, Established and Related; so it’s necessary to grant access to Established and Related connection to allow automatically responses to connections established by the server itself to outside.

    5. SSH (must have for working remotely)

      Open the TCP port 22 to allow incoming ssh connections

    6. HTTP

      Open the TCP port 80 to allow incoming connection to your web server (like apache for example).

    7. HTTPS

      Open the TCP port 443 to allow incoming connection to your secure web server (like apache for example).

    8. DNS

      Open the UDP port 53 to be able to provide DNS services (like bind9 for example, you can read a complete guide here) to other computers inside your network or in the internet and allow requests on TCP at any port requested by starting port 53.

    9. SAMBA

      Open TCP ports 139,445, UDP 137 and 138 to let SAMBA server be reachable

    10. FTP

      Open the TCP port 21 to enable FTP access

    11. SMTP

      Open the TCP ports 25 and 587 for SMTP server

    12. IMAP

      Open the TCP port 143 to enable IMAP server access

    13. IMAPS

      Open the TCP port 993 for IMAP secure server

    14. POP3

      Open TCP ports 110 and 995 for POP3 server

    15. Hamachi

      Open TCP ports 12957, 32976 and UDP port 17771 to let the tunnelling logmein-hamachi service to work properly.

    16. COMMIT (only when using the config file)

      As said before, it’s necessary to insert that command at the end of the config file, while it’s not recognized when working with the command line because rules are applied immediately.

Questo post è disponibile anche in: Italian