iptables allow just internet connection


How does your computer get its IP address? If it is via DHCP, then you need to allow UDP replies to port 68 (or from port 67, see later on):

sudo iptables -A INPUT -p udp --sport 67 --dport 68 -m state --state RELATED,ESTABLISHED -j ACCEPT

If your objective is to just allow website browsing, then the connection would always be initiated from your end so you only need to allow the related traffic back in (in this example the assumption is that eth0 is your NIC name):

sudo iptables -A INPUT -i eth0 -p tcp -m multiport --sport 80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT

Now, you may or may not need to allow the local interface (depends on what you are doing with your computer):

sudo iptables -A INPUT -i lo -j ACCEPT

In the end, you can combine some of these things and end up with:

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i eth0 -p udp -m multiport --sport 53,67 -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i eth0 -p tcp -m multiport --sport 53,80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT

I coded this on one of my test computers and it worked fine (the SSH port 22 stuff is for me, because I don't actually sit at that computer):

#!/bin/sh
# test extremely basic 2015.06.10 Ver:0.01
#     run as sudo
# (shebang added: /etc/network/interfaces runs this file directly via pre-up)
FWVER=0.01

echo "Loading test rule set version $FWVER..\n"

# The location of the iptables program
IPTABLES=/sbin/iptables     # assumed path; the original assignment did not survive

#Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
EXTIF="eth0"                # assumed: the answer uses eth0 as the NIC name

#Clearing any previous configuration
echo "  Clearing any existing rules and setting default policy to ACCEPT.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -t nat -F
# Delete user defined chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z

echo about to load rules.

# Assumed (not in the posted fragment): default INPUT policy DROP, otherwise the
# ACCEPT rules below change nothing; the logging variant later relies on it too.
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i $EXTIF -p udp -m multiport --sport 53,67 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --sport 53,80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT

echo Test rule set version $FWVER done.

I made it start automatically via my /etc/network/interfaces file:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback
pre-up /home/doug/test_iptables_06

# The primary network interface
auto eth0
iface eth0 inet dhcp

Note that more typically, users will merely allow whatever related traffic back in, with a more generic rule (using the variables names of my script above):

Sometimes to help understand / debug adding some logging can help. For example:

echo about to load rules.

$IPTABLES -A INPUT -i lo -j LOG --log-prefix "ILO:" --log-level info
$IPTABLES -A INPUT -i $EXTIF -p udp -m multiport --sport 53,67 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp -m multiport --sport 53,80,443,8080 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -j LOG --log-prefix "IDROP:" --log-level info

echo Test rule set version $FWVER done.

then observe /var/log/syslog for the entries. Be careful with logging, so that you don't flood the log file.
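To see what that final IDROP: rule is actually catching (a blocked DHCP reply from source port 67 shows up here immediately), here is an added helper that is not part of the answer above: it tallies the logged packets per interface, protocol and port pair. The log lines inside it are constructed to match the kernel's LOG format; on a real host point it at /var/log/syslog.

```shell
#!/bin/sh
# Added example (not from the answer): tally what the IDROP:/ILO: LOG rules
# are catching, per interface, protocol and port pair, most frequent first.

# Constructed sample of the kernel LOG lines as they land in /var/log/syslog.
make_sample_log() {
    cat <<'EOF'
Jun 10 08:00:01 host kernel: [12.1] IDROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 10 08:00:02 host kernel: [12.9] IDROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 10 08:00:03 host kernel: [14.0] IDROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=54321 WINDOW=0 RES=0x00 RST URGP=0
Jun 10 08:00:04 host kernel: [15.0] IDROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.1 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jun 10 08:00:05 host kernel: [16.0] ILO:IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
EOF
}

# summarize_drops PREFIX [FILE]: prints "<count> <iface> <proto> sport=<spt> dport=<dpt>"
# for each distinct combination logged with that prefix (default file: /var/log/syslog).
summarize_drops() {
    prefix="$1"
    file="${2:-/var/log/syslog}"
    grep -F "kernel: " "$file" | grep -F " ${prefix}IN=" |
    awk -v p="$prefix" '{
        # cut everything up to and including the prefix, then re-split into KEY=VALUE fields
        $0 = substr($0, index($0, p) + length(p))
        iface = "-"; proto = "?"; spt = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue                       # flags such as DF or RST carry no value
            if (kv[1] == "IN")    iface = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "SPT")   spt = kv[2]
            if (kv[1] == "DPT")   dpt = kv[2]
            if (kv[1] == "TYPE")  spt = "type" kv[2]  # ICMP logs type/code instead of ports
            if (kv[1] == "CODE")  dpt = "code" kv[2]
        }
        count[iface " " proto " sport=" spt " dport=" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Demo on the constructed sample; on a real host run: summarize_drops IDROP: /var/log/syslog
tmp=$(mktemp)
make_sample_log > "$tmp"
summarize_drops IDROP: "$tmp"     # first line: 2 eth0 UDP sport=67 dport=68
rm -f "$tmp"
```

A top line of UDP sport=67 dport=68 means the DHCP replies are being dropped, which is exactly the case the first rule in the answer is there for.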


Author by Hasan Kaya

Updated on September 18, 2022


  • Hasan Kaya (over 1 year)

    Let me explain what I did before:

    # Only INPUT policy DROP, others are ACCEPT
    sudo iptables -P INPUT DROP
    sudo iptables -A INPUT -p tcp --sport 80 -j ACCEPT

    I also tried this, and for these ports too, 443 and 8080:

    sudo iptables -A INPUT -p tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

    Then I realized that I should allow the DNS server too:

    sudo iptables -A INPUT -p udp --sport 53 -j ACCEPT
    sudo iptables -A INPUT -p tcp --sport 53 -j ACCEPT

    I applied these rules but I cannot connect to the internet.

    But when I allow all UDP ports I can connect.

    Did I forget something, or do something wrong?

  • Hasan Kaya (almost 9 years)
    Thank you so much, very good. I want to ask: why do we need to allow the lo interface? My rules work after allowing lo, and also adding --dport 80,443 to the INPUT chain. It does not make sense to me. Why do I have to add --dport 80,443 to browse the internet?
  • Doug Smythies (almost 9 years)
    Why lo? You might not need it. On my computer, after adding some logging, I see some DNS stuff during startup and some cups (port 631) stuff. I did not try it on my computer without the lo ACCEPT. Why --dport 80,443? I do not know, you should not need it, I don't have it. I'll need more information to be able to help further.