Linux – iptables insert rules

Here’s a guide on managing your iptables rules with line numbers, including adding, appending, deleting, and moving rules:

[TOC]

List rules with line numbers

To view the current rules with their line numbers, list each chain with --line-numbers. -n skips the reverse DNS and service-name lookups that otherwise make listing slow, and -v adds the interface and packet/byte counter columns used further down. Numbers start at 1 in every chain and shift whenever a rule is inserted or deleted, so always re-list before acting on a number.

iptables -t filter -L INPUT --line-numbers -n
iptables -t filter -L OUTPUT --line-numbers -n
iptables -t filter -L FORWARD --line-numbers -n
iptables -t nat -L --line-numbers -n
Add (append) a rule

iptables -A appends a rule to the end of the named chain; there is no separate append command. The example accepts all traffic arriving on interface eno1, which is as permissive as it reads, so on a real host narrow it with -p, --dport or -s:

## append rule to INPUT chain ##
iptables -A INPUT -i eno1 -j ACCEPT

Because -A always lands after every existing rule, an appended ACCEPT is never reached for packets that an earlier rule in the chain already drops. To place a rule at a particular position, use -I with a line number as shown below.

Look up line numbers

To look up the line numbers of the rules in a specific chain, use -L with the --line-numbers option. For example, for the user-defined chain 02-INPUT-INTERNAL-SERVICES (created by the complete example at the end of this page):

iptables -t filter -L 02-INPUT-INTERNAL-SERVICES --line-numbers -n -v

Chain 02-INPUT-INTERNAL-SERVICES (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     8018 2633K ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
2        0     0 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
3        0     0 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:69
4     5867  413K ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
5        0     0 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
6       20  1520 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
7     141K   99M ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:514
8       46 21188 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1812
9        0     0 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1813
10     892 95312 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Insert a rule before a specific rule

To insert a rule at a given position, use iptables -I CHAIN N. The new rule becomes number N and every rule from N downward moves one place. In the listing above the trailing RETURN is rule 10, so inserting at 10 puts the new rule directly before it. For example, to accept ICMP fragmentation-needed packets (type 3, code 4, needed for path MTU discovery) in the 02-INPUT-INTERNAL-SERVICES chain:

iptables -I 02-INPUT-INTERNAL-SERVICES 10 -i eno1 -p icmp --icmp-type fragmentation-needed -m state --state NEW -j ACCEPT

Without a position, -I inserts at the top of the chain (position 1). -m state --state is the legacy spelling of -m conntrack --ctstate; both work, and the listing shows the rule as "state NEW".
Delete a rule

To delete a rule by number, use iptables -D CHAIN N. After the insert above, the RETURN has moved from 10 to 11, so re-list the chain and take the number from that fresh listing, never from an earlier one:

iptables -t filter -L 02-INPUT-INTERNAL-SERVICES --line-numbers -n -v

iptables -D 02-INPUT-INTERNAL-SERVICES {line}

Alternatively, give -D the rule's full specification (the same arguments used to add it) instead of a number; it then removes the first rule that matches that specification exactly, whatever its position. -C with the same specification only reports whether such a rule exists, which is a safe check before deleting.
Move a rule

iptables has no move command; a rule is moved by recreating it at the new position and then deleting the old copy. First look up the old rule number with iptables -t filter -L ... --line-numbers. Then insert the copy with iptables -I, and finally delete the original with iptables -D. Keep that order: if the old rule is deleted first, nothing matches until the copy exists. The walk-through below moves the ICMP rule inserted above from position 10 to position 2.

iptables -t filter -L 02-INPUT-INTERNAL-SERVICES --line-numbers -n -v

Chain 02-INPUT-INTERNAL-SERVICES (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     8439 2771K ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
...
9        0     0 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1813
10       0     0 ACCEPT     icmp --  eno1   *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4 state NEW
11     922 98957 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Insert the new rule at the target position:

iptables -I 02-INPUT-INTERNAL-SERVICES {newposition} -i eno1 -p icmp --icmp-type fragmentation-needed -m state --state NEW -j ACCEPT
iptables -I 02-INPUT-INTERNAL-SERVICES 2 -i eno1 -p icmp --icmp-type fragmentation-needed -m state --state NEW -j ACCEPT

If the copy is inserted above the old rule, the old rule and everything below it shift down by one, so the old number is no longer valid. Re-list before deleting:

iptables -t filter -L 02-INPUT-INTERNAL-SERVICES --line-numbers -n -v

Chain 02-INPUT-INTERNAL-SERVICES (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     8439 2771K ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
2        0     0 ACCEPT     icmp --  eno1   *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4 state NEW
3        0     0 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
...
10       0     0 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1813
11       0     0 ACCEPT     icmp --  eno1   *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4 state NEW
12     922 98957 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Then delete the old copy, which is now rule 11 (it was rule 10 before the insert at position 2):

iptables -D 02-INPUT-INTERNAL-SERVICES {line}
iptables -D 02-INPUT-INTERNAL-SERVICES 11
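The look-up, insert, delete and move steps above can be scripted so that positions are read from the listing instead of typed by hand, and the packet counters of a -v listing can be used to spot rules that never match (the duplicate udp/53 rule, for instance). The following is an added example and not part of the original post: the function names, the DRY_RUN, IPT_SAMPLE and IPT_DEMO variables and the embedded sample listing (copied from the listing above and labelled as constructed) are this example's own. Without IPT_SAMPLE it runs the real iptables and therefore needs root.

```shell
#!/bin/sh
# Added example: helpers for the look-up / insert / delete / move procedure,
# driven by the line numbers iptables prints. Not code from the original post.
# DRY_RUN=1   print the iptables commands instead of executing them
# IPT_SAMPLE=1 read the constructed listing below instead of the live kernel
# IPT_DEMO=1  run the demonstration at the bottom

# Constructed sample of `iptables -L 02-INPUT-INTERNAL-SERVICES --line-numbers -n -v`
SAMPLE_LISTING='Chain 02-INPUT-INTERNAL-SERVICES (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1     8018 2633K ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
2        0     0 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:68
3        0     0 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:69
4     5867  413K ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
5        0     0 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
6       20  1520 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:123
7     141K   99M ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:514
8       46 21188 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1812
9        0     0 ACCEPT     udp  --  eno1   *       0.0.0.0/0            0.0.0.0/0            udp dpt:1813
10     892 95312 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# run CMD...: execute CMD, or only print it when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "+ $*"; else "$@"; fi
}

# list_chain CHAIN [TABLE]: verbose listing with line numbers (or the sample)
list_chain() {
    if [ -n "${IPT_SAMPLE:-}" ]; then
        printf '%s\n' "$SAMPLE_LISTING"
    else
        iptables -t "${2:-filter}" -L "$1" --line-numbers -n -v
    fi
}

# first_rule_with_target CHAIN TARGET: line number of the first rule whose
# target column (4th field of a -v listing) is TARGET, e.g. the trailing RETURN
first_rule_with_target() {
    list_chain "$1" | awk -v t="$2" 'NR > 2 && $4 == t { print $1; exit }'
}

# unused_rules CHAIN: line numbers of rules whose packet counter is still 0,
# i.e. rules that have never matched since the counters were last reset
unused_rules() {
    list_chain "$1" | awk 'NR > 2 && $2 == 0 { print $1 }'
}

# insert_before_target CHAIN TARGET RULE...: insert RULE directly above the
# first TARGET rule, so an ACCEPT lands before the chain's RETURN without
# hard-coding its position; fails if the chain has no such rule
insert_before_target() {
    _chain=$1; _target=$2; shift 2
    _pos=$(first_rule_with_target "$_chain" "$_target")
    if [ -z "$_pos" ]; then
        echo "no $_target rule in chain $_chain" >&2
        return 1
    fi
    run iptables -I "$_chain" "$_pos" "$@"
}

# delete_index_after_insert OLD NEW: where the original rule sits after a copy
# was inserted at NEW; rules at or below the insertion point shift down by one
delete_index_after_insert() {
    if [ "$2" -le "$1" ]; then echo $(($1 + 1)); else echo "$1"; fi
}

# move_rule CHAIN OLD NEW RULE...: insert the copy first, delete the original
# second, with the shifted index computed instead of re-read from a stale listing
move_rule() {
    _chain=$1; _old=$2; _new=$3; shift 3
    run iptables -I "$_chain" "$_new" "$@"
    run iptables -D "$_chain" "$(delete_index_after_insert "$_old" "$_new")"
}

# Demonstration against the sample listing (IPT_DEMO=1 sh this-file.sh)
if [ "${IPT_DEMO:-}" = 1 ]; then
    IPT_SAMPLE=1; DRY_RUN=1
    echo "RETURN is rule $(first_rule_with_target 02-INPUT-INTERNAL-SERVICES RETURN)"
    echo "never-matched rules: $(unused_rules 02-INPUT-INTERNAL-SERVICES | tr '\n' ' ')"
    insert_before_target 02-INPUT-INTERNAL-SERVICES RETURN \
        -i eno1 -p icmp --icmp-type fragmentation-needed -m conntrack --ctstate NEW -j ACCEPT
    move_rule 02-INPUT-INTERNAL-SERVICES 10 2 \
        -i eno1 -p icmp --icmp-type fragmentation-needed -m conntrack --ctstate NEW -j ACCEPT
fi
```

Against the sample, the demo reports the RETURN at rule 10 and rules 2, 3, 5 and 9 as never matched, prints the insert at position 10, and for the move prints the insert at 2 followed by the delete at 11, the same numbers as the walk-through above. The rule specification still has to be passed to move_rule; iptables -S CHAIN prints every rule of a chain in -A form in listing order if it has to be recovered.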
A more complete example
#!/bin/bash

# Flush every rule in the filter table and delete the user-defined chains.
# The DROP policies set at the bottom survive a flush, so a re-run closes the
# host until the rules below are back in place: run it from the console or
# from a session that the SSH chain will let through again.
iptables -F
iptables -X

# Define input chain for loopback
iptables -N 00-INPUT-LO
iptables -A 00-INPUT-LO -i lo -j ACCEPT
iptables -A 00-INPUT-LO -j RETURN

# Define chain to allow packets of established or related connections
iptables -N 00-CHAIN-STATES
iptables -A 00-CHAIN-STATES -p tcp  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A 00-CHAIN-STATES -p udp  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A 00-CHAIN-STATES -p icmp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A 00-CHAIN-STATES -j RETURN

# Define chain that allows SSH from particular source addresses only; the
# final DROP means no other source ever returns to INPUT for port 22
iptables -N 01-INPUT-INCOMING-SSH
iptables -A 01-INPUT-INCOMING-SSH -s 10.255.4.253 -j ACCEPT
iptables -A 01-INPUT-INCOMING-SSH -s 10.255.4.0/24 -j ACCEPT
iptables -A 01-INPUT-INCOMING-SSH -j DROP

# Define chain for internal services on eno1
# (DHCP 67/68, TFTP 69, DNS 53, NTP 123, syslog 514, RADIUS 1812/1813)
iptables -N 02-INPUT-INTERNAL-SERVICES
iptables -A 02-INPUT-INTERNAL-SERVICES -i eno1 -p udp -m udp --dport 67 -j ACCEPT
iptables -A 02-INPUT-INTERNAL-SERVICES -i eno1 -p udp -m udp --dport 68 -j ACCEPT
iptables -A 02-INPUT-INTERNAL-SERVICES -i eno1 -p udp -m udp --dport 69 -j ACCEPT
iptables -A 02-INPUT-INTERNAL-SERVICES -i eno1 -p udp -m udp --dport 53 -j ACCEPT
# Duplicate of the previous rule: it is rule 5 in the listings above and its
# packet counter stays at 0 because rule 4 always matches first
iptables -A 02-INPUT-INTERNAL-SERVICES -i eno1 -p udp -m udp --dport 53 -j ACCEPT
iptables -A 02-INPUT-INTERNAL-SERVICES -i eno1 -p udp -m udp --dport 123 -j ACCEPT
iptables -A 02-INPUT-INTERNAL-SERVICES -i eno1 -p udp -m udp --dport 514 -j ACCEPT
iptables -A 02-INPUT-INTERNAL-SERVICES -i eno1 -p udp -m udp --dport 1812 -j ACCEPT
iptables -A 02-INPUT-INTERNAL-SERVICES -i eno1 -p udp -m udp --dport 1813 -j ACCEPT
iptables -A 02-INPUT-INTERNAL-SERVICES -j RETURN

# Insert rules before the trailing RETURN (rule 10). Each insert pushes the
# RETURN down by one, which is why the positions are 10, 11 and 12. The third
# rule accepts all ICMP, so the two specific ones above it are redundant.
# -m state --state is the legacy spelling of -m conntrack --ctstate.
iptables -I 02-INPUT-INTERNAL-SERVICES 10 -i eno1 -p icmp --icmp-type fragmentation-needed -m state --state NEW -j ACCEPT
iptables -I 02-INPUT-INTERNAL-SERVICES 11 -i eno1 -p icmp --icmp-type source-quench -m state --state NEW -j ACCEPT
iptables -I 02-INPUT-INTERNAL-SERVICES 12 -i eno1 -p icmp -j ACCEPT

# Define output chain for loopback
iptables -N 00-OUTPUT-LO
iptables -A 00-OUTPUT-LO -o lo -j ACCEPT
iptables -A 00-OUTPUT-LO -j RETURN

# Define chain for outgoing services; the first rule already allows everything
# to 10.0.0.0/8, the remaining rules apply to all other destinations
iptables -N 01-OUTPUT-OUTGOING-SERVICES
iptables -A 01-OUTPUT-OUTGOING-SERVICES -d 10.0.0.0/8 -j ACCEPT
iptables -A 01-OUTPUT-OUTGOING-SERVICES -p tcp --dport 53 -j ACCEPT
iptables -A 01-OUTPUT-OUTGOING-SERVICES -p udp --dport 53 -j ACCEPT
iptables -A 01-OUTPUT-OUTGOING-SERVICES -p tcp --dport 80 -j ACCEPT
iptables -A 01-OUTPUT-OUTGOING-SERVICES -p udp --dport 123 -j ACCEPT
iptables -A 01-OUTPUT-OUTGOING-SERVICES -p tcp --dport 443 -j ACCEPT
iptables -A 01-OUTPUT-OUTGOING-SERVICES -j RETURN
# Insert at the top of the chain (position 1), not before the RETURN. The rule
# is already covered by the 10.0.0.0/8 rule above and only shows the -I 1 form.
iptables -I 01-OUTPUT-OUTGOING-SERVICES 1 -d 10.0.0.0/8 -p udp --dport 123 -j ACCEPT

# Drop packets conntrack cannot classify before anything else is evaluated
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

# Combine the chains into INPUT and OUTPUT. The jump conditions decide which
# traffic reaches a chain: only TCP/22 enters the SSH chain and only packets
# from 10.0.0.0/8 enter the internal-services chain.
iptables -A INPUT -j 00-INPUT-LO
iptables -A INPUT -j 00-CHAIN-STATES
iptables -A INPUT -p tcp --dport 22 -j 01-INPUT-INCOMING-SSH
iptables -A INPUT -s 10.0.0.0/8 -j 02-INPUT-INTERNAL-SERVICES
# ICMP is accepted from any source; the last rule accepts every ICMP type, so
# the two before it are redundant. On an exposed host restrict the types or
# rate-limit this instead of accepting all of it.
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp --icmp-type source-quench -m state --state NEW -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

# OUTPUT must jump to the OUTPUT loopback chain, not 00-INPUT-LO: that chain
# matches on -i lo, which never matches an outgoing packet, so new loopback
# connections would fall through to the DROP policy
iptables -A OUTPUT -j 00-OUTPUT-LO
iptables -A OUTPUT -j 00-CHAIN-STATES
iptables -A OUTPUT -j 01-OUTPUT-OUTGOING-SERVICES

## Drop everything else
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  DROP

Photo by Gabriel Heinzer on Unsplash
