The first step in using iptables is to start the iptables service. This can be done with the command:
service iptables start
Warning: The ip6tables service should be turned off before using the iptables service. Stop it and disable it at boot with the following commands:
service ip6tables stop
chkconfig ip6tables off
To make iptables start by default whenever the system is booted, you must enable the service for the runlevels in which it should run using chkconfig:
chkconfig --level 345 iptables on
The syntax of iptables is separated into tiers. The main tier is the chain. A chain is the point in a packet's path (arriving, being forwarded, or leaving) at which its rules are evaluated and the packet is accepted, dropped, or otherwise manipulated. The usage is as follows:
iptables -A chain -j target
The -A appends a rule at the end of an existing ruleset. The chain is the name of the chain for a rule. The three built-in chains of the default filter table (that is, the chains that every packet passing through the system is checked against) are INPUT (packets addressed to the local system), OUTPUT (packets generated by the local system), and FORWARD (packets routed through the system to another host). These chains are permanent and cannot be deleted.
Important: When creating an iptables ruleset, it is critical to remember that order is important. Rules in a chain are evaluated from top to bottom, and the first rule that matches a packet decides its fate. For example, if a rule specifies that any packets from the local 192.168.100.0/24 subnet be dropped, and then a rule is appended (-A) which allows packets from 192.168.100.13 (which is within the dropped subnet), the appended rule is never reached: the earlier DROP rule already matches every packet from that host. You must set a rule to allow 192.168.100.13 first, and then set a drop rule on the subnet.
To insert a rule at an arbitrary position in an existing chain, use -I, followed by the chain in which you want to insert the rule, and the rule number (1,2,3,...,n) at which you want the rule to reside. Rules are numbered from 1, so position 1 places the rule at the head of the chain. For example:
iptables -I INPUT 1 -i lo -p all -j ACCEPT
The rule is inserted as the first rule in the INPUT chain to allow local loopback device traffic.
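To make the first-match behaviour described above concrete, the following is an added simulation of how a chain is evaluated. It is illustrative code written for this page, not part of the Red Hat documentation and not iptables itself: the Chain class, its append and insert methods, and the two scenario functions are all assumptions chosen to mirror -A, -I and the 192.168.100.0/24 example, and only source-address matching is modelled.

```python
import ipaddress


class Chain:
    """Minimal model of an iptables chain for illustration only.

    Rules are evaluated top to bottom; the first rule whose match succeeds
    decides the packet's verdict. If nothing matches, the chain policy applies.
    Only source-address (-s) matching is modelled here (an assumption).
    """

    def __init__(self, name, policy="ACCEPT"):
        self.name = name
        self.policy = policy   # verdict when no rule matches (iptables -P)
        self.rules = []        # ordered list of (source_network, target)

    def append(self, source, target):
        # Mirrors: iptables -A <chain> -s <source> -j <target>
        self.rules.append((ipaddress.ip_network(source), target))

    def insert(self, position, source, target):
        # Mirrors: iptables -I <chain> <position> -s <source> -j <target>
        # iptables numbers rules from 1, so position 1 is the head of the chain.
        if position < 1 or position > len(self.rules) + 1:
            raise ValueError("rule position out of range")
        self.rules.insert(position - 1, (ipaddress.ip_network(source), target))

    def verdict(self, src_ip):
        """Return the target of the first matching rule, else the policy."""
        addr = ipaddress.ip_address(src_ip)
        for net, target in self.rules:
            if addr in net:
                return target
        return self.policy

    def listing(self):
        """Numbered listing in the order iptables would evaluate the rules."""
        return [(i + 1, str(net), target) for i, (net, target) in enumerate(self.rules)]


def wrong_order():
    # DROP the subnet first, then append an ACCEPT for one host inside it.
    # The ACCEPT rule sits below the DROP rule and is never reached.
    chain = Chain("INPUT")
    chain.append("192.168.100.0/24", "DROP")
    chain.append("192.168.100.13/32", "ACCEPT")
    return chain.verdict("192.168.100.13")   # "DROP"


def right_order():
    # Same DROP rule, but the host ACCEPT is inserted at position 1 (-I INPUT 1),
    # so it is evaluated before the subnet DROP and the host gets through.
    chain = Chain("INPUT")
    chain.append("192.168.100.0/24", "DROP")
    chain.insert(1, "192.168.100.13/32", "ACCEPT")
    return chain


if __name__ == "__main__":
    print("appended after DROP:", wrong_order())
    fixed = right_order()
    for number, source, target in fixed.listing():
        print(number, source, target)
    print("inserted at position 1:", fixed.verdict("192.168.100.13"))
    print("other host in subnet:", fixed.verdict("192.168.100.50"))
```

Running the script shows the same packet from 192.168.100.13 receiving DROP when the ACCEPT was appended after the subnet rule, and ACCEPT when it was inserted at position 1, while 192.168.100.50 is still dropped by the subnet rule in both cases. Real iptables has the same first-match semantics, which is why a DROP rule for a subnet must come after any exceptions for hosts within it.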