What is the best way to block and restrict Linux user traffic to particular sites? Just leverage the iptables functionality built into the OS.


While there are multiple ways to restrict user access to certain websites, such as a network firewall or a proxy server, admins may want to stop the traffic on the host itself, before it even leaves the machine for the network. This is where the host's own firewall comes in handy.

On Linux-based operating systems, the kernel ships with a packet-filtering firewall that administrators configure with the iptables utility, and it provides an array of browsing control mechanisms. In particular, iptables lets admins restrict and block a particular type of access to a website, or to a destination IP address/hostname, on a specific network port.

Admins define “rules” that filter traffic at the packet level, before a packet leaves the host machine. In this sense, iptables is a local tool for setting up and configuring a firewall on the machine itself. Rules are grouped into ordered lists known as “chains”; these chains filter the incoming and outgoing packets and block access to banned websites or destinations.

iptables includes the following elements:

1. TABLES – A table groups the rules for one kind of packet processing; the built-in tables are FILTER, NAT (Network Address Translation) and MANGLE.

2. CHAINS – A chain is an ordered list of rules within a table. The built-in chains are attached to “hook points”, the places in the kernel's network stack where packets are handed to the firewall.

Each table is attached to the following hook points (chains) and handles packets as described below:

FILTER – INPUT, OUTPUT and FORWARD: packets addressed to the machine, leaving it, or routed through it. This is the table the blocking rules in this article use.

NAT – PREROUTING, POSTROUTING and OUTPUT: rewriting source or destination addresses and ports.

MANGLE – PREROUTING, POSTROUTING, INPUT, OUTPUT and FORWARD: altering other fields of the packet headers.

3. TARGETS 

The target tells the rule what to do with a packet that matches the match section of the rule.

When an IP packet matches a rule in the table, it is handed to that rule's target, which decides how the packet is treated: whether it is allowed, or denied/blocked before it leaves the host machine. In plain English, the match section (destination website or IP address, port, protocol) is what a packet is validated against, and the target is the action taken on a packet that passes that check.

The following built-in targets make the final decision for a packet that matches a rule:

ACCEPT – Allows the IP packet to leave the host machine via the network interface and reach the destination website/IP address.

DROP – Discards the matched IP packet on the spot, preventing it from leaving the host machine.

RETURN – Stops the packet from traversing the rest of the current chain and hands it back to the chain that called this one, where evaluation continues with the next rule there.

The following instructions provide some examples and use cases of setting up iptables on a Linux machine.

Commands for installing the iptables package

sudo apt-get update

sudo apt-get install iptables

sudo apt-get install iptables-persistent

Note – Most Linux distributions have iptables pre-installed by default; the above commands are required only if the distribution is missing iptables. 

Examples of commonly used firewall rules

1. To block multiple websites that the host machine should not be able to reach (this example uses the websites MakeMyTrip and Myntra):

sudo iptables -A OUTPUT -p tcp -d www.makemytrip.com,www.myntra.com --dport 443 -j DROP

2. To block access to a single website (this example uses the website Zomato):

sudo iptables -A OUTPUT -p tcp -d www.zomato.com --dport 443 -j DROP

3. To block all the packets of the loopback address, i.e. localhost [127.0.0.1]:

sudo iptables -A INPUT -i lo -j DROP

4. To disable a particular port; in this example, an admin wants to stop anyone from reaching the local system over SSH (secure shell), which means blocking incoming TCP port 22:

sudo iptables -A INPUT -t filter -p tcp --dport 22 -j DROP

5. An admin can also ACCEPT or DROP packets based on the other port number, the source port. For example, to block HTTP and HTTPS, drop incoming packets whose source port is 80 or 443:

sudo iptables -A INPUT -t filter -p tcp --sport 80 -j DROP

sudo iptables -A INPUT -t filter -p tcp --sport 443 -j DROP

6. To block an IP address; for example:

sudo iptables -A INPUT -s 192.168.2.61 -j DROP
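The rules above make more sense with the model from the TABLES/CHAINS/TARGETS section in mind: a packet walks a chain from top to bottom, the first rule whose match section fits decides its fate through its target (ACCEPT and DROP end the evaluation, RETURN hands the packet back to the chain that jumped in), and a packet that reaches the end of a built-in chain gets that chain's policy. One caveat applies to hostname-based rules such as examples 1 and 2: iptables resolves a `-d` hostname only once, when the rule is inserted, and stores the addresses returned at that moment, so when the site's DNS answer changes the rule quietly stops covering it. The Python below is an added example, not code from the article: it parses a constructed `iptables-save` dump in the format that `iptables-save > /etc/iptables/rules.v4` writes (mirroring the rules above, with 203.0.113.x documentation addresses standing in for the real sites and a made-up user-defined chain named SHOPPING, which goes beyond the article's single-chain examples to show how RETURN behaves), answers “what happens to this packet?” with the same first-match semantics, and reports which of a host's current addresses, supplied here as a constructed dict in place of a DNS lookup, the OUTPUT chain would still let through. It understands only the match options the article's rules use and refuses anything else rather than guess.

```python
import ipaddress
import shlex
from collections import namedtuple

# Constructed iptables-save dump mirroring the article's rules; 203.0.113.x stand in for
# whatever the blocked hostnames resolved to at insertion time, SHOPPING is a made-up chain.
SAMPLE_RULES_V4 = """\
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SHOPPING - [0:0]
-A INPUT -i lo -j DROP
-A INPUT -s 192.168.2.61/32 -j DROP
-A OUTPUT -p tcp -j SHOPPING
-A OUTPUT -d 203.0.113.30/32 -p tcp -m tcp --dport 443 -j DROP
-A SHOPPING -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j DROP
-A SHOPPING -d 203.0.113.20/32 -p tcp -m tcp --dport 443 -j DROP
-A SHOPPING -j RETURN
COMMIT
"""

Packet = namedtuple("Packet", "dst src proto dport sport in_iface",  # fields rules can match on
                    defaults=["192.0.2.1", "tcp", 443, 40000, ""])

def _in_net(spec):
    net = ipaddress.ip_network(spec, strict=False)
    return lambda addr: ipaddress.ip_address(addr) in net

def _equals(conv):
    return lambda spec: (lambda have: have == conv(spec))

MATCH_OPTS = {  # iptables match option -> (Packet field, factory: option value -> predicate)
    "-s": ("src", _in_net), "-d": ("dst", _in_net),
    "-p": ("proto", _equals(str)), "-i": ("in_iface", _equals(str)),
    "--dport": ("dport", _equals(int)), "--sport": ("sport", _equals(int)),
}

def parse_rules_v4(text):
    """Parse the *filter table of an IPv4 iptables-save dump into (policies, rules)."""
    policies, rules, in_filter = {}, {}, False  # chain -> policy, chain -> [(target, crit)]
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter:
            continue
        elif line.startswith(":"):  # ":OUTPUT ACCEPT [0:0]" or ":SHOPPING - [0:0]"
            name, policy = line[1:].split()[:2]
            policies[name], rules[name] = policy, []
        else:
            tokens = shlex.split(line)
            if tokens[0] != "-A":
                raise ValueError(f"unsupported directive: {line}")
            target, crit = "", {}
            for opt, val in zip(tokens[2::2], tokens[3::2]):
                if opt in MATCH_OPTS:
                    field, make_pred = MATCH_OPTS[opt]
                    crit[field] = make_pred(val)
                elif opt == "-j":
                    target = val
                elif opt != "-m":  # "-m tcp" only loads a match module; nothing to record
                    # refuse "!" negation, --state etc. rather than silently skip a criterion
                    raise ValueError(f"unsupported option {opt!r} in: {line}")
            rules.setdefault(tokens[1], []).append((target, crit))
    return policies, rules

def verdict(rules, chain, pkt):
    """First match wins; None means RETURN or end of chain (caller continues / policy)."""
    for target, crit in rules.get(chain, []):
        # every criterion must hold; "-A SHOPPING -j RETURN" has none, so it matches all
        if not all(pred(getattr(pkt, field)) for field, pred in crit.items()):
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        sub = verdict(rules, target, pkt)  # e.g. "-j SHOPPING": descend into a user chain
        if sub is not None:
            return sub
    return None

def decide(policies, rules, chain, pkt):
    """Final fate of `pkt` entering the built-in `chain` (INPUT, OUTPUT or FORWARD)."""
    return verdict(rules, chain, pkt) or policies[chain]

def uncovered_addresses(policies, rules, resolved, port=443):
    """Per host, the current addresses (host -> [ip]) that OUTPUT would NOT drop on `port`:
    a "-d hostname" rule only covers the addresses that resolved when it was inserted."""
    return {host: leak for host, addrs in resolved.items()
            if (leak := [a for a in addrs
                         if decide(policies, rules, "OUTPUT", Packet(a, dport=port)) != "DROP"])}

if __name__ == "__main__":
    policies, rules = parse_rules_v4(SAMPLE_RULES_V4)
    print(decide(policies, rules, "OUTPUT", Packet("203.0.113.10")))  # DROP, reached via SHOPPING
    # constructed "current DNS answers": www.myntra.com gained an address after its rule was added
    now = {"www.myntra.com": ["203.0.113.20", "203.0.113.21"], "www.zomato.com": ["203.0.113.30"]}
    print(uncovered_addresses(policies, rules, now))  # {'www.myntra.com': ['203.0.113.21']}
```

To check a live system, feed the parser the real file (`parse_rules_v4(open("/etc/iptables/rules.v4").read())`) or the output of `sudo iptables-save`, and replace the constructed dict with the addresses the blocked hosts resolve to now; a non-empty result means the blocking rule has to be re-added for the current addresses. The parser raising on an option it does not know is deliberate: a verdict computed from a rule with a silently ignored criterion would be wrong in exactly the cases that matter.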

Other useful iptables commands

1. sudo iptables-save: To print the current iptables configuration (redirect the output to a file to keep it)

2. sudo iptables --flush: To remove all filtering rules from the chains

3. sudo iptables-restore: To restore an iptables configuration saved with iptables-save

Common issues with iptables and the script for fixing them

Sometimes iptables fails to start automatically after rebooting a host machine. In this scenario, the script below comes in handy: it flushes all rules, resets the built-in chain policies to ACCEPT, saves that state and starts the persistence service. Note that once it has run the host accepts all traffic until the blocking rules are added again:

#!/bin/sh
iptables -F                              # flush every rule in the filter table
iptables -P INPUT ACCEPT                 # reset the built-in chain policies to ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables-save > /etc/iptables/rules.v4   # persist this (now empty) ruleset
service netfilter-persistent start       # start the service that reloads it at boot

Jay, August 30, 2021:

    Nice one!
