Blog

03/06/2019

Iptables insert rule at top of tables (PREPEND rule on Linux)



I want to insert an iptables rule at the top of a given chain, such as the INPUT chain of the filter table. How do I prepend iptables rules at the top of a filter table chain on a Linux operating system?

iptables is a Linux administration tool for IPv4 packet filtering and NAT. You can use iptables/ip6tables to set up, manage, and examine the tables of IPv4 and IPv6 packet filter rules in the Linux kernel. This page shows how to use iptables to insert a rule at the top of a chain in a table.

How to list iptables rules with line numbers

Just use the following syntax:
sudo iptables -t filter -L INPUT --line-numbers -n
sudo iptables -t filter -L OUTPUT --line-numbers -n
sudo iptables -t filter -L FORWARD --line-numbers -n
sudo iptables -t nat -L --line-numbers -n

Iptables insert rule at top of tables Linux syntax

iptables lets you APPEND (-A), INSERT (-I) or REPLACE (-R) firewall rules in a chain as follows.

Iptables append firewall rules to the end of the selected chain

The syntax is:
iptables -A chain firewall-rule
For example, when you use the -A or --append switch, you add the rule to the end of a chain such as INPUT or FORWARD:

## append rule to INPUT chain ##
sudo iptables -A INPUT -i eth0 -j ACCEPT
sudo iptables -A INPUT -i eth0 -d 192.168.1.254 -j ACCEPT
 
## append rule to FORWARD chain ## 
sudo iptables -A FORWARD -o virbr0 -d 192.168.122.42 -j ACCEPT
sudo iptables -A FORWARD -m state -s 192.168.2.0/24 -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT


Verify it with the following:
sudo iptables -t filter -L INPUT --line-numbers -n -v
sudo iptables -t filter -L FORWARD --line-numbers -n -v

Sample outputs:

Chain INPUT (policy ACCEPT 6 packets, 518 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* generated for LXD network lxdbr0 */
2      259 16615 ACCEPT     udp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* generated for LXD network lxdbr0 */
3     1517  498K ACCEPT     udp  --  lxdbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 /* generated for LXD network lxdbr0 */
4       36  2674 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
5        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
6        4  1312 ACCEPT     udp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
7        0     0 ACCEPT     tcp  --  virbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
8        0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0


Iptables prepend firewall rules to the top of the selected chain

You need to use the following syntax:
iptables -I chain [rule-number] firewall-rule
For example:
sudo iptables -I INPUT 1 -i eth0 -j ACCEPT
The above command inserts the rule into the INPUT chain at the given rule number; the rules that were already there shift down by one. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.

Example: Iptables insert rule at top of tables

I am going to INSERT the following rule at the top of the FORWARD chain of the filter table:
sudo iptables -I FORWARD 1 -m state -s 192.168.2.0/24 -d 192.168.122.0/24 --state NEW,RELATED,ESTABLISHED -j ACCEPT
Verify it:
sudo iptables -t filter -L FORWARD --line-numbers -n -v
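Because -I simply shifts the existing rules down, running the same insert command a second time (for example from a provisioning script) adds a second, identical copy at the top. The following shell helper, added here as an example and not part of the original article, probes with -C (check) before inserting and then reports where a rule sits in the chain by reading iptables -S output. The IPTABLES variable, the function names and the exit codes are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# Insert a rule at the head of a chain only if it is not already present, then
# find the position at which it landed. IPTABLES can be pointed at a wrapper or
# stub for testing; by default it is the real binary (which needs root).
IPTABLES="${IPTABLES:-iptables}"

# prepend_rule_once TABLE CHAIN RULE-SPEC...
# Exit status: 0 = inserted at position 1, 2 = already present (left alone),
# anything else = iptables itself failed.
prepend_rule_once() {
    table="$1"; chain="$2"; shift 2
    # -C returns success when an identical rule already exists in the chain.
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 2
    fi
    "$IPTABLES" -t "$table" -I "$chain" 1 "$@"
}

# rule_position TABLE CHAIN "RULE-SPEC"
# Prints the 1-based position of the first rule in CHAIN whose spec, exactly as
# "iptables -S" prints it, equals RULE-SPEC; prints nothing if it is absent.
# Note: -S prints rules in iptables' own canonical option order, which may
# differ from the order you typed, so pass the spec in the printed form.
rule_position() {
    table="$1"; chain="$2"; spec="$3"
    "$IPTABLES" -t "$table" -S "$chain" |
        awk -v want="-A $chain $spec" \
            '$1 == "-A" { n++; if ($0 == want) { print n; exit } }'
}

# Usage on a real system (as root), mirroring the FORWARD example above:
#   prepend_rule_once filter FORWARD -s 192.168.2.0/24 -d 192.168.122.0/24 \
#       -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
#   rule_position filter FORWARD "-s 192.168.2.0/24 -d 192.168.122.0/24 \
#       -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT"   # prints 1
```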

[Screenshot: Linux iptables insert rule at top of tables command]

Linux Iptables insert/prepend rule at top of tables command summary

You need to use the following syntax:
sudo iptables -I chain [rule-number] firewall-rule
To view rules:
sudo iptables -t filter -L chain --line-numbers -n -v
Where,

  1. -I : Insert rule at given rule number
  2. -t : Specifies the packet matching table such as nat, filter, security, mangle, and raw.
  3. -L : List info for specific chain (such as INPUT/FORWARD/OUTPUT) of given packet matching table
  4. --line-numbers : See firewall rules with line numbers
  5. -n : Do not resolve names using DNS, i.e. only show numeric output for IP addresses and port numbers.
  6. -v : Verbose output. This option makes the list command show the interface names, the rule options (if any), the TOS masks, and the packet and byte counters.

For more info, see the iptables man page or read it on your system by typing the following man command:
man iptables
man ip6tables


Posted by: SXI ADMIN

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.