How to open/block a Port in IPtables Firewall on a Linux server

How to open a Specific Port in IPtables Firewall on a Linux server

iptables is the command-line tool on Linux for configuring the kernel's netfilter packet-filtering framework, and it is the usual way to drop unwanted traffic to a server. It is installed by default on many distributions (newer releases may ship nftables instead; the commands below apply wherever the iptables tool is present).

With the iptables command you can add, insert and delete firewall filter rules. You need root access on the server to change the firewall.

IMPORTANT: Be careful when you run iptables commands on a remote server: a wrong rule (for example one that blocks the SSH port you are connected on) can lock you out. Double-check each command before running it and make sure you know exactly what the rule will change. Keep a second session open, and consider scheduling a restore of the current rule set a few minutes ahead so that a bad change undoes itself if you lose the connection.

 

How to Open an incoming port in IPtables

1. Log into your Linux Server as ‘root’ user

2. Run the below command to open incoming port

iptables -A INPUT -p tcp --dport portnumber -j ACCEPT

In the above command, replace "portnumber" with the incoming port number you wish to open.

INPUT is the chain for traffic arriving at the server from outside, so this is the chain to use when a server port must be reachable from other hosts. An example is given below

 

root@server [~]# iptables -A INPUT -p tcp --dport 2525 -j ACCEPT
root@server [~]#

 

Incoming TCP traffic to port 2525 will now be accepted on the above server, provided no earlier rule in the INPUT chain already drops or rejects it: -A appends the rule to the end of the chain, and rules are evaluated in order, so a new ACCEPT placed after a catch-all DROP or REJECT never fires.

3. Run the command "service iptables save" to save the firewall rules (this is the RHEL/CentOS way; Ubuntu is covered further down)

 

root@server1 [~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

 

You can also restrict the rule to one network interface, for example 'eth0', with the '-i' option. An example is given below:

iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

-A = Append the rule to the end of the chain (rules are evaluated top to bottom, so an appended rule only matters if no earlier rule matched first)

INPUT = The chain for incoming packets

-i = Input interface name (example: eth0, eth1, venet0); without it the rule applies to every interface

-p = Protocol (example: tcp, udp)

--dport = Destination port (a single port or a low:high range)

-j = Target, i.e. what to do with a matching packet

ACCEPT = Allow the packet
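The steps above apply a rule immediately on a live server, which is exactly where a typo locks you out. The script below is an added example, not part of the original article: it validates the port argument before touching the firewall, saves the current rule set, schedules an automatic restore, and only then applies the rule; you cancel the restore once you have confirmed you can still reach the server. It assumes a host with iptables, iptables-save and iptables-restore in PATH, run as root; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: apply an iptables rule with a
# timed rollback so that a wrong rule cannot lock you out of a remote server.
# Assumes iptables, iptables-save and iptables-restore are in PATH and that
# the script runs as root. Function and file names are this example's own.

# valid_port_spec SPEC: succeed if SPEC is a single port 1-65535 or a
# low:high range with low <= high, i.e. the forms --dport accepts.
valid_port_spec() {
    spec="$1"
    case "$spec" in
        *:*) low="${spec%%:*}"; high="${spec#*:}" ;;
        *)   low="$spec"; high="$spec" ;;
    esac
    for p in "$low" "$high"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;    # empty or not a plain number
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$low" -le "$high" ]
}

# apply_with_rollback SECONDS RULE...: save the current rule set, arrange for
# it to be restored after SECONDS, then apply RULE (the arguments you would
# give to iptables, e.g. -A INPUT -p tcp --dport 2525 -j ACCEPT). Run
# confirm_rules BACKUP before the timer fires, otherwise the old rules return.
apply_with_rollback() {
    secs="$1"; shift
    # Refuse a malformed port before touching the firewall at all.
    prev=""
    for arg in "$@"; do
        if [ "$prev" = "--dport" ] || [ "$prev" = "--destination-port" ]; then
            valid_port_spec "$arg" || { echo "bad port spec: $arg" >&2; return 2; }
        fi
        prev="$arg"
    done
    backup=$(mktemp /tmp/iptables-backup.XXXXXX) || return 1
    iptables-save > "$backup" || return 1
    # Background timer: if the backup file still exists when it fires, the
    # change was never confirmed, so put the saved rules back.
    (
        sleep "$secs"
        [ -f "$backup" ] && iptables-restore < "$backup" && rm -f "$backup" "$backup.pid"
    ) &
    echo "$!" > "$backup.pid"
    iptables "$@" || return 1
    echo "applied: iptables $*"
    echo "rollback in ${secs}s unless you run: confirm_rules $backup"
}

# confirm_rules BACKUP: cancel the pending rollback. Persisting the rules
# (service iptables save, or iptables-save > /etc/iptables/rules.v4) is still
# a separate step, as described in the article.
confirm_rules() {
    backup="$1"
    kill "$(cat "$backup.pid")" 2>/dev/null
    rm -f "$backup" "$backup.pid"
    echo "rollback cancelled; remember to save the rules"
}

# Usage: sh safe-iptables.sh 120 -A INPUT -p tcp --dport 2525 -j ACCEPT
[ $# -eq 0 ] || apply_with_rollback "$@"
```

Source the file in your root shell, run apply_with_rollback with a timer of a couple of minutes, then open a fresh SSH session; if it works, run confirm_rules with the backup path the script printed, then save the rules as in step 3. If the new session fails, simply wait: the timer restores the previous rule set and the existing session keeps working.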

 

How to Open an Outgoing Port in Iptables firewall

1. Log into your linux server via SSH as root

2. Run the below command to open outgoing port

iptables -A OUTPUT -p tcp --dport portnumber -j ACCEPT

Replace "portnumber" in the above command with the actual outgoing port number you wish to open.

OUTPUT is the chain for traffic the server itself sends out (from the server to the outside). In this chain --dport is the port on the remote host that the server connects to, not a port on the server.

An example is given below :

 

root@server [~]# iptables -A OUTPUT -p tcp --dport 3032 -j ACCEPT
root@server [~]#

 

The above command allows outgoing TCP connections from the server to remote port 3032. The default OUTPUT chain policy is ACCEPT, so this rule only has an effect on servers where outgoing traffic has been restricted.

3. Do not forget to save the iptables rules with "service iptables save"

Rules added with the iptables command take effect immediately but exist only in the running kernel: they are lost on reboot or when the iptables service is restarted unless you save them.

Command to save the firewall rules: "service iptables save"

 

root@server [~]# service iptables save

OR

root@server [~]# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

 

On the above server you can see that firewall rules are saved to file “/etc/sysconfig/iptables”. Open the file /etc/sysconfig/iptables using vi editor and you can see all the rules on the server, including the rules you have added.

On Ubuntu and Debian servers there is no "service iptables save". The "iptables-save" command only prints the current rules to standard output, so you must redirect it to a file that is loaded at boot. With the iptables-persistent package that file is /etc/iptables/rules.v4 (and /etc/iptables/rules.v6 for ip6tables); "netfilter-persistent save" writes both for you.

 

Ubuntu :

root@server [~]# iptables-save > /etc/iptables/rules.v4

 

You can type the command "iptables -nL" to list all iptables rules (-n skips DNS lookups). Add -v to see packet and byte counters and --line-numbers to see each rule's position in its chain, which you need for "iptables -I" and "iptables -D".

"iptables -nvL OUTPUT | grep 3032" will show the rule you added above. If its counters stay at zero while traffic is flowing, an earlier rule in the chain is matching the traffic first.

 

How to open range of ports in Iptables

The command below opens the incoming TCP port range 2000 to 3000 (written low:high; both ends are included)

 

iptables -A INPUT -p tcp --destination-port 2000:3000 -j ACCEPT

 

Use the command below to open the outgoing UDP port range 3000 to 4000 (remote destination ports, since this is the OUTPUT chain)

 

iptables -A OUTPUT -p udp --destination-port 3000:4000 -j ACCEPT

 

Save the iptables rules afterwards, as described above. A range rule opens every port in the range, so keep it as narrow as the application actually needs.

 

How to check whether the port is open on the server

Use the telnet command from another machine to check whether the port is open. The connection succeeds only if the firewall allows the port and a process is listening on it. If the firewall drops the packets, telnet hangs at "Trying ..." until it times out; if the rule is REJECT, or nothing is listening, it fails immediately with an error such as "Connection refused" or "No route to host". On the server itself, "ss -ltn" (or "netstat -ltn") shows which TCP ports have a listener.

Example : telnet 192.168.2.5 25

The above command connects to port 25 of the server "192.168.2.5":

Trying 192.168.2.5...
Connected to server.example.com
Escape character is '^]'.
220-server.example.com ESMTP Exim