OSETC TECH

Linux/Iptables: Insert Rule at a Specific Position (Prepend Firewall Rule)

This post will guide you through inserting a firewall rule at a specific position on your Linux system: how to prepend rules at the top of a chain, how to append them at the end of a chain in the filter table, and how to insert a rule at a specific rule line in the firewall table.

On a Linux system you can use the iptables command to configure the firewall policy, including inserting, deleting, appending and prepending rules at a specific position.

List Firewall Rules with Line Numbers

You can use the iptables command with a few options to list the current firewall rules on your Linux system. Run one of the following commands.

To list all firewall rules in the filter table together with their line numbers, type:

# iptables -t filter -L --line-numbers -n

Outputs:

[root@osetc fioTests]# iptables -t filter -L --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
4 INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
4 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
7 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
9 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
num target prot opt source destination
1 FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
2 FWDI_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
num target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
num target prot opt source destination
1 FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
2 FWDO_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
num target prot opt source destination

Chain FORWARD_direct (1 references)
num target prot opt source destination

Chain FWDI_public (2 references)
num target prot opt source destination
1 FWDI_public_log all -- 0.0.0.0/0 0.0.0.0/0
2 FWDI_public_deny all -- 0.0.0.0/0 0.0.0.0/0
3 FWDI_public_allow all -- 0.0.0.0/0 0.0.0.0/0

Chain FWDI_public_allow (1 references)
num target prot opt source destination

Chain FWDI_public_deny (1 references)
num target prot opt source destination

Chain FWDI_public_log (1 references)
num target prot opt source destination

Chain FWDO_public (2 references)
num target prot opt source destination
1 FWDO_public_log all -- 0.0.0.0/0 0.0.0.0/0
2 FWDO_public_deny all -- 0.0.0.0/0 0.0.0.0/0
3 FWDO_public_allow all -- 0.0.0.0/0 0.0.0.0/0

Chain FWDO_public_allow (1 references)
num target prot opt source destination

Chain FWDO_public_deny (1 references)
num target prot opt source destination

Chain FWDO_public_log (1 references)
num target prot opt source destination

Chain INPUT_ZONES (1 references)
num target prot opt source destination
1 IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]
2 IN_public all -- 0.0.0.0/0 0.0.0.0/0 [goto]

Chain INPUT_ZONES_SOURCE (1 references)
num target prot opt source destination

Chain INPUT_direct (1 references)
num target prot opt source destination

Chain IN_public (2 references)
num target prot opt source destination
1 IN_public_log all -- 0.0.0.0/0 0.0.0.0/0
2 IN_public_deny all -- 0.0.0.0/0 0.0.0.0/0
3 IN_public_allow all -- 0.0.0.0/0 0.0.0.0/0

Chain IN_public_allow (1 references)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
num target prot opt source destination

Chain IN_public_log (1 references)
num target prot opt source destination

Chain OUTPUT_direct (1 references)
num target prot opt source destination

If you only want to list the rules of the INPUT chain, type the following command:

# iptables -t filter -L INPUT --line-numbers -n

Outputs:

[root@osetc fioTests]# iptables -t filter -L INPUT --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
4 INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

If you only want to list the rules of the OUTPUT chain, type the following command:

# iptables -t filter -L OUTPUT --line-numbers -n

Outputs:

[root@osetc fioTests]# iptables -t filter -L OUTPUT --line-numbers -n
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 OUTPUT_direct all -- 0.0.0.0/0 0.0.0.0/0

If you only want to list the rules of the FORWARD chain, type the following command:

# iptables -t filter -L FORWARD --line-numbers -n

Outputs:

[root@osetc fioTests]# iptables -t filter -L FORWARD --line-numbers -n
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 FORWARD_direct all -- 0.0.0.0/0 0.0.0.0/0
4 FORWARD_IN_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 FORWARD_IN_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 FORWARD_OUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
7 FORWARD_OUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
9 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Append Firewall Rule at the End of the Selected Chain

To append a rule at the end of the INPUT chain in the filter table, run the iptables command with the -A option. For example, to append the following rule to the INPUT chain, type:

# iptables -A INPUT -i eth0 -d 10.147.87.220 -j ACCEPT

Type the following command to check that the rule was appended. Note in the output that it lands at line 8, after the REJECT rule at line 7, so no packet ever reaches it; to place a rule ahead of such a terminal rule, use the -I option described in the next section.

[root@osetc fioTests]# iptables -t filter -L INPUT --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
4 INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
8 ACCEPT all -- 0.0.0.0/0 10.147.87.220

Insert Firewall Rule at a Specific Position of the Selected Chain

To insert a firewall rule at a specific position (rule line) of the selected chain, run the iptables command with the -I option followed by the rule number. For example, to insert a rule at the top of the INPUT chain, run:

# iptables -I INPUT 1 -i eth2 -d 10.147.88.2 -j ACCEPT

To check that the rule was inserted at the top of the chain, type:

[root@osetc fioTests]# iptables -t filter -L INPUT --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 10.147.88.2
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
4 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
5 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
6 INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
7 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
9 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
10 ACCEPT all -- 0.0.0.0/0 10.147.87.220
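The two listings above show why the position matters: the rule appended with -A became line 8, behind the REJECT rule at line 7, where no packet can reach it, while -I INPUT 1 placed its rule first. The following script is an added example and not part of the original post; it parses the text that "iptables -t filter -L <chain> --line-numbers -n" prints (the page's own INPUT listing is embedded as constructed sample input, so it runs without root or iptables), reports rules that sit behind the first REJECT/DROP, and prints the iptables -I command that would place a new rule just before that line, falling back to -A when the chain has no terminal rule.

```shell
#!/bin/sh
# Added example (not from the original post). It only reads and prints
# text; it never changes the firewall itself.

# Constructed sample: the INPUT chain listing from this page after "-A".
SAMPLE_INPUT='Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
3 INPUT_direct all -- 0.0.0.0/0 0.0.0.0/0
4 INPUT_ZONES_SOURCE all -- 0.0.0.0/0 0.0.0.0/0
5 INPUT_ZONES all -- 0.0.0.0/0 0.0.0.0/0
6 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
7 REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
8 ACCEPT all -- 0.0.0.0/0 10.147.87.220'

# first_terminal_rule: read a listing on stdin and print the line number of
# the first REJECT or DROP rule; prints nothing when the chain has none.
first_terminal_rule() {
    awk '$1 ~ /^[0-9]+$/ && ($2 == "REJECT" || $2 == "DROP") { print $1; exit }'
}

# dead_rules: print the numbers of rules placed after the first REJECT/DROP,
# one per line; those rules can never match a packet.
dead_rules() {
    awk '$1 ~ /^[0-9]+$/ {
             if (seen) print $1
             if ($2 == "REJECT" || $2 == "DROP") seen = 1
         }'
}

# safe_add_cmd CHAIN RULESPEC...: read the listing of CHAIN on stdin and
# print the iptables command that puts RULESPEC just before the first
# REJECT/DROP rule (-I CHAIN N), or appends it (-A) if there is none.
safe_add_cmd() {
    chain=$1
    shift
    pos=$(first_terminal_rule)
    if [ -n "$pos" ]; then
        printf 'iptables -I %s %s %s\n' "$chain" "$pos" "$*"
    else
        printf 'iptables -A %s %s\n' "$chain" "$*"
    fi
}

# Demo on the sample: reports rule 8 as dead and proposes "-I INPUT 7 ...".
printf '%s\n' "$SAMPLE_INPUT" | dead_rules
printf '%s\n' "$SAMPLE_INPUT" | safe_add_cmd INPUT -i eth2 -d 10.147.88.2 -j ACCEPT
```

On a live system, feed it the real listing instead of the sample, e.g. iptables -t filter -L INPUT --line-numbers -n | safe_add_cmd INPUT ... , and review the printed command before running it as root.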

More Info about Iptables

If you want more information about the iptables tool, run one of the following commands:

# iptables --help

Outputs:

[root@osetc fioTests]# iptables --help
iptables v1.4.21

Usage: iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)

Commands:
Either long or short options are allowed.
--append -A chain Append to chain
--check -C chain Check for the existence of a rule
--delete -D chain Delete matching rule from chain
--delete -D chain rulenum
Delete rule rulenum (1 = first) from chain
--insert -I chain [rulenum]
Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum
Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]
List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]
Print the rules in a chain or all chains
--flush -F [chain] Delete all rules in chain or all chains
--zero -Z [chain [rulenum]]
Zero counters in chain or all chains
--new -N chain Create a new user-defined chain
--delete-chain
-X [chain] Delete a user-defined chain
--policy -P chain target
Change policy on chain to target
--rename-chain
-E old-chain new-chain
Change chain name, (moving any references)
Options:
--ipv4 -4 Nothing (line is ignored by ip6tables-restore)
--ipv6 -6 Error (line is ignored by iptables-restore)
[!] --protocol -p proto protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]
source specification
[!] --destination -d address[/mask][...]
destination specification
[!] --in-interface -i input name[+]
network interface name ([+] for wildcard)
--jump -j target
target for rule (may load target extension)
--goto -g chain
jump to chain with no return
--match -m match
extended match (may load extension)
--numeric -n numeric output of addresses and ports
[!] --out-interface -o output name[+]
network interface name ([+] for wildcard)
--table -t table table to manipulate (default: `filter')
--verbose -v verbose mode
--wait -w [seconds] wait for the xtables lock
--line-numbers print line numbers when listing
--exact -x expand numbers (display exact values)
[!] --fragment -f match second or further fragments only
--modprobe=<command> try to insert modules using this command
--set-counters PKTS BYTES set the counter during insert/append
[!] --version -V print package version.

Or

# man iptables