Firewall Rule Specifications

The course is part of this learning path

Linux Security and Hardening
1h 7m

In this course, you'll learn some techniques and strategies to secure network services. You'll also learn how the local firewall works in Linux and how to configure it. We'll talk about information leakage and ways to prevent it. Next, you'll learn how to test for open ports and perform port scans. You'll also learn about xinetd, what it does, and how to secure it. We'll also cover how to secure SSH. This course includes some guided demonstrations so that you can see the concepts being used in real-world environments.

Learning Objectives

  • Learn how to secure SSH
  • Understand the fundamentals of Linux firewall security, including configuring a firewall from the command line and setting up firewall rules
  • Learn how to use TCP wrappers to secure your Linux system

Intended Audience

This course is intended for anyone who wants to understand how to secure their Linux systems.


To get the most out of this course, you should already have a good working knowledge of Linux. If you want to brush up on your Linux skills, consider taking our Learn Linux in 5 Days learning path first.


I'm going to go over some commonly used rule specification options. For a full list, see the iptables man page.

If you want to match a packet by source, use -s followed by the source. This will either be an IP address, a network specification, or a host name. If you're using a host name, it's very important to be aware that the host name is resolved once, when the rule is added, and the IP address of that host name at that moment is what's used. It's best to use an IP address or a network specification. You can use classless inter-domain routing notation, which is sometimes referred to as slash notation or CIDR. You can also specify the network address and a subnet mask if you wish. To specify a destination, use the -d option. Again, here you specify an IP, a network, or a name.

If you want to match a packet by protocol, use the -p option followed by the network protocol to match. For example, to only match TCP packets, use -p tcp.

The -m option is used to enable extended packet matching modules. You follow -m with the name of the extended module, which enables additional command line options provided by that module. From there, you can use those additional options on the command line. You can use multiple extended match modules in a rule if you want or need to. For a list of these modules and their options, view the iptables-extensions man page.

If you want to specify a destination port, first specify the protocol with -p, then enable the extended module by using -m followed by the protocol. Now you can use the --dport option followed by the port. For example, if you wanted to match all TCP packets that are destined to port 80, you would use -p tcp -m tcp --dport 80. There's a built-in shortcut for this, however: when you use the -p tcp option, all the options for the TCP module become available, so you don't have to explicitly use -m tcp. The shorthand version of the previous example would be -p tcp --dport 80. The same concept holds true for UDP. When you use UDP as the protocol, the UDP module options become available to you by default. You can also do the same thing for source ports; in this case, use the --sport option followed by the port.

If you want to match based on the ICMP protocol, use -p icmp. Just like TCP and UDP, when you specify the ICMP protocol, it enables the ICMP module and additional options become available to you. You can specify the ICMP type by using --icmp-type followed by the name or number of the type. To get a full list of types, run iptables -p icmp -h. To match pings, use echo-request, and to match pongs, use echo-reply.

The limit module can be used to match packets based on rate. For example, you could match all packets that do not exceed a given rate. You can use this module to control how often logs are written or to limit the effects of a denial of service attack. The --limit option is used to set an average rate, and the --limit-burst option is used to set an initial burst rate. With --limit 5/m --limit-burst 10, the first 10 consecutive packets will be matched, and from then on, only five packets per minute will be matched. The limit-burst count is reset every time the limit rate is not broken. If you don't specify a limit, it defaults to three per hour; if you don't specify a limit burst, it defaults to five. You can also use the exclamation mark to invert the match. For ! --limit 5/s, this means a match will occur after the limit of five packets per second is broken.

So that takes care of the matching section of a rule. The other section, the target section, is really pretty simple. You specify the target with -j followed by the target name. This could be a built-in target, like ACCEPT or DROP, or it could be the name of a custom chain that you created. You can think of these targets as jumps: when -j is encountered, the matching packet will jump to the specified target.
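The options covered above, put together into a small INPUT ruleset for a host that serves SSH and HTTP. This is an added example and not part of the course: the management network 10.0.0.0/24 and the web address 192.0.2.10 are placeholders I chose, and the conntrack module (-m conntrack --ctstate) is not covered in the lesson but is the standard way to let replies to the host's own connections through and to apply the rate limit only to new SSH connections. By default the script only prints each iptables command; it applies them only when DRY_RUN=0 is set and it runs as root with iptables installed, so the rules can be reviewed first.

```shell
#!/bin/sh
# Added example, not course material: the rule specifications from the
# lesson assembled into a small INPUT ruleset for a host that serves
# SSH and HTTP. The addresses used below are placeholders chosen for the demo.
#
# Safety: commands are only printed unless DRY_RUN=0 is set AND the script
# runs as root with iptables installed.

IPT=${IPT:-iptables}

# ipt: apply one iptables command, or print it in dry-run mode (the default).
ipt() {
    if [ "${DRY_RUN:-1}" = 0 ] && command -v "$IPT" >/dev/null 2>&1 \
        && [ "$(id -u)" -eq 0 ]; then
        "$IPT" "$@"
    else
        printf '%s %s\n' "$IPT" "$*"
    fi
}

# rate_limited_spec RATE BURST: the limit-module match, e.g. "5/m" and "10"
# gives "-m limit --limit 5/m --limit-burst 10" (the lesson's own example).
rate_limited_spec() {
    printf '%s' "-m limit --limit $1 --limit-burst $2"
}

# ssh_from_mgmt_spec NETWORK: SSH (tcp/22) only from NETWORK in CIDR notation;
# new connections are limited to 5/min after an initial burst of 10.
# conntrack (not covered in the lesson) restricts the limit to NEW connections
# so established sessions are not throttled.
ssh_from_mgmt_spec() {
    printf '%s' "-p tcp --dport 22 -s $1 -m conntrack --ctstate NEW $(rate_limited_spec 5/m 10) -j ACCEPT"
}

# apply_ruleset MGMT_NET WEB_ADDR: rules are evaluated top to bottom, so the
# accepts come first and the final DROP catches everything else.
apply_ruleset() {
    mgmt_net=$1
    web_addr=$2
    # Replies to connections this host opened.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH from the management network (word splitting of $(...) is intended).
    ipt -A INPUT $(ssh_from_mgmt_spec "$mgmt_net")
    # HTTP to the web address: -p tcp implies -m tcp, so --dport works directly.
    ipt -A INPUT -p tcp -d "$web_addr" --dport 80 -j ACCEPT
    # Answer pings, but no more than 1/s once a burst of 5 has been used.
    ipt -A INPUT -p icmp --icmp-type echo-request $(rate_limited_spec 1/s 5) -j ACCEPT
    # Log what is about to be dropped, at most 3/min so a flood cannot fill the log.
    ipt -A INPUT $(rate_limited_spec 3/m 5) -j LOG --log-prefix "IPT-DROP: "
    ipt -A INPUT -j DROP
}

# Usage: sh firewall.sh --apply            (prints the rules)
#        DRY_RUN=0 sh firewall.sh --apply  (applies them, as root)
if [ "${1:-}" = "--apply" ]; then
    apply_ruleset 10.0.0.0/24 192.0.2.10
fi
```

Two design points worth noticing: the LOG rule sits directly in front of the DROP and is itself rate-limited, which is the "control how often logs are written" use of the limit module from the lesson, and every accept is as narrow as the options allow (protocol, port, and source or destination address) so that the final DROP is the only broad rule in the chain.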

About the Author
Jason Cannon
Founder, Linux Training Academy

Jason is the founder of the Linux Training Academy as well as the author of "Linux for Beginners" and "Command Line Kung Fu." He has over 20 years of professional Linux experience, having worked for industry leaders such as Hewlett-Packard, Xerox, UPS, FireEye, and Nothing gives him more satisfaction than knowing he has helped thousands of IT professionals level up their careers through his many books and courses.