The Linux firewall is controlled by the user space utility iptables, which handles filtering for IPv4; ip6tables handles filtering for IPv6. This post lists the most common iptables examples, with little on concepts and terms. See the detailed introduction in Linux Brief Concepts and Configuration.

All examples below were tested on RHEL 6.6 and should also work on other Linux distributions.

Start and stop iptables

# service iptables start
# service iptables stop

Disable the firewall without stopping the iptables service

You can use the iptables command itself to stop the firewall and delete all rules:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT

Where,

-F : Delete (flush) all the rules in the chain, or in every chain of the table if no chain is given.
-X : Delete a user-defined chain (every user-defined chain if none is given).
-t table_name : Select the built-in table to operate on (nat or mangle here; filter is the default).
-P : Set the default policy of a built-in chain (ACCEPT or DROP).

Display the firewall rules

# iptables -v -n -L 
Chain INPUT (policy DROP 186 packets, 8957 bytes)
 pkts bytes target     prot opt in  out  source         destination         
    0     0 DROP       udp  --  *   *    0.0.0.0/0      0.0.0.0/0     udp dpt:67
    0     0 DROP       all  --  *   *    0.0.0.0/0      224.0.0.1     
  43M   90G ACCEPT     all  --  *   *    0.0.0.0/0      0.0.0.0/0     state RELATED,ESTABLISHED
1338K  136M ACCEPT     all  --  lo  *    0.0.0.0/0      0.0.0.0/0     
   80  4012 ACCEPT     icmp --  *   *    0.0.0.0/0      0.0.0.0/0           
  11M 1648M ACCEPT     all  --  *   *    10.12.1.0/24  0.0.0.0/0     
5775K  858M ACCEPT     all  --  *   *    10.0.0.0/16    0.0.0.0/0     
   21  1260 ACCEPT     tcp  --  *   *   10.90.96.0/19 0.0.0.0/0     state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *   *    10.90.90.0/24 0.0.0.0/0     state NEW tcp dpt:22
    0     0 ACCEPT     tcp  --  *   *    10.90.114.33  0.0.0.0/0     state NEW tcp dpt:2215
    4   240 ACCEPT     tcp  --  *   *    10.90.97.85   0.0.0.0/0     state NEW tcp dpt:2215
...

Where

-L : List rules.
-v : Display detailed information.
This option makes the list command show the interface name, the rule options,
and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M'
or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
-n : Display IP address and port in numeric format. Do not use DNS to resolve names.
This will speed up listing.

Note: If you don't see any rules, either your iptables service is not running, or no rule is configured.

To display only the INPUT or OUTPUT chain

# iptables -L INPUT -n -v
# iptables -L OUTPUT -n -v --line-numbers

Note: --line-numbers shows the

Delete Firewall Rules

To find the number of the rule you want to delete, use the --line-numbers option:

# iptables -L -n --line-numbers
Chain INPUT (policy DROP)
num  target     prot opt source           destination         
1    DROP       udp  --  0.0.0.0/0        0.0.0.0/0      udp dpt:67
2    DROP       all  --  0.0.0.0/0        224.0.0.1      
...
7    ACCEPT     all  --  10.0.0.0/16      0.0.0.0/0      
8    ACCEPT     tcp  --  10.90.96.0/16    0.0.0.0/0      state NEW tcp dpt:22
9    ACCEPT     tcp  --  10.90.90.0/24   0.0.0.0/0      state NEW tcp dpt:22

Suppose you want to delete rule No. 8; run

# iptables -D INPUT 8

Rule numbers shift after every deletion, so list the chain again before deleting another rule by number.

Or delete the rule by repeating its specification exactly as it was added. The match must be exact, so the protocol, state and port of rule 8 have to be given too, not just the source address:

# iptables -D INPUT -s 10.90.96.0/16 -p tcp -m state --state NEW --dport 22 -j ACCEPT

Where,

-D : Delete one or more rules from the selected chain

Insert Firewall Rules

Suppose you have rules like below:

Chain INPUT (policy DROP)
num  target     prot opt source         destination
1    DROP       all  --  20.54.1.1      0.0.0.0/0
2    ACCEPT     all  --  10.10.0.0/0    0.0.0.0/0       state NEW,ESTABLISHED

To insert a rule between rules 1 and 2 (the new rule becomes No. 2 and the old No. 2 moves to No. 3), enter:

# iptables -I INPUT 2 -s 202.54.1.2 -j DROP

Save Firewall Rules

To save the running rules to /etc/sysconfig/iptables (RHEL, SL, CentOS, Fedora), so that they are loaded again after a reboot:

# service iptables save

Restore Firewall Rules

To roll back unsaved changes to the last saved rule set on CentOS / RHEL / Fedora / SL Linux (a restart reloads /etc/sysconfig/iptables):

# service iptables restart

Set the Default Firewall Policies

Messed up the configuration and want a fresh start?
Remove all entries from /etc/sysconfig/iptables, then restart; the chains come back empty with the default ACCEPT policies:

# service iptables restart

Block Incoming Traffic

To drop all incoming and forwarded packets but allow outgoing traffic (if you do this from a remote session, add an ACCEPT rule for RELATED,ESTABLISHED first, or the session's return packets are dropped):

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT

Block Private Network Addresses on an Interface

# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

In the rule above, packets with a source in the private range 10.0.0.0/8 arriving on eth1 are dropped.

Block an IP Address or a Range of IPs from Accessing the Host

To block a single address such as 33.65.1.9, or a whole range:

# iptables -A INPUT -s 33.65.1.9 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP

Block Incoming Port Requests

To block all service requests on port 8080, enter:
# iptables -A INPUT -p tcp --dport 8080 -j DROP

You can combine the source IP (and interface) with the destination port to narrow the block:

# iptables -A INPUT -p tcp -s 33.65.1.9 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

Block Outgoing IP Address

Similar to blocking incoming traffic, you can also block outgoing traffic. Suppose you want to block outgoing traffic to one address or to a range of addresses:

# iptables -A OUTPUT -d 23.229.159.161 -j DROP
# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP

Block Some Sites by Domain

Suppose you want to block your employees from accessing youtube.com; use

# iptables -A OUTPUT -p tcp -d www.youtube.com -j DROP
# iptables -A OUTPUT -p tcp -d youtube.com -j DROP

Note: iptables resolves the hostname once, when the rule is added, and installs one rule per address returned; addresses that change later are not covered.

Log and Drop Packets

To log packets before dropping them (the LOG target does not terminate the chain, so a DROP rule must follow it):

# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

By default the packet messages are written by syslog to /var/log/messages.

# tail -f /var/log/messages
# grep --color 'IP_SPOOF' /var/log/messages

More info about iptables logging, see How to enable Linux iptables logging
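Once the LOG rule above is in place, the messages it produces are only useful if someone reads them. The following shell function is an added example, not part of the original post: it reduces the kernel log lines to a count of packets per source address and destination port. The SAMPLE_LOG lines are constructed here to mirror the LOG target's key=value format; on a real host pipe `grep 'IP_SPOOF' /var/log/messages` into the function instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what the
# "IP_SPOOF A: " LOG rule writes to /var/log/messages.
top_spoof_sources() {
    # Keep only lines carrying our prefix, pull SRC= and DPT= out of the
    # key=value fields, and count packets per (source, port) pair.
    grep 'IP_SPOOF' | awk '
        {
            src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample lines in the format the kernel LOG target produces;
# the last line is unrelated sshd noise and must be ignored.
SAMPLE_LOG='Mar  3 10:15:01 host kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.30.40 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 host kernel: IP_SPOOF A: IN=eth1 OUT= SRC=10.20.30.40 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40001 DPT=22 SYN URGP=0
Mar  3 10:15:03 host kernel: IP_SPOOF A: IN=eth1 OUT= SRC=10.99.1.7 DST=203.0.113.5 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  3 10:15:04 host sshd[123]: Accepted publickey for admin from 192.0.2.10'

# Prints "2 10.20.30.40 22" followed by "1 10.99.1.7 -"
printf '%s\n' "$SAMPLE_LOG" | top_spoof_sources
```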


Block or Allow ICMP Ping Request

To drop ping requests from everywhere, or only those arriving on eth1 (replace DROP with ACCEPT to allow them instead):

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

Open a Port or a Range of Ports

To open TCP ports 1094 to 1099 for new connections:

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 1094:1099 -j ACCEPT

Block or Open Common Ports 

Replace ACCEPT with DROP to block port:
## open port ssh tcp port 22 ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
 
## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
 
## allow time sync via NTP for lan users (open udp port 123) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
 
## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
 
## open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
 
## open http/https (Apache) server port to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
 
## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
 
## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
 
## open access to Samba file server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
 
## open access to proxy server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
 
## open access to mysql server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

Restrict the Number of Parallel Connections To a Server Per Client IP

To allow at most 3 SSH connections per client host (the fourth connection attempt is rejected):

# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

To limit HTTP connections to 20 per /24 source network:

# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

Where,

--connlimit-above 3 : Match if the number of existing connections from the client is above 3.
--connlimit-mask 24 : Group hosts by the given prefix length, so the limit applies to the whole network rather than to each address. For IPv4 this must be a number between 0 and 32 inclusive.
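The sections Block Incoming Traffic, Log and Drop Packets, Block or Open Common Ports and the connection limit above each show one piece; the order in which they are applied decides whether an administrator working over SSH keeps the session. The script below is an added example, not part of the original post, that puts the pieces together in a safe order. It assumes the LAN is 192.168.1.0/24, the external interface is eth1, and it prints the commands instead of running them unless IPT is set to the real binary (IPT=iptables sh baseline.sh).

```shell
#!/bin/sh
# Added example (not from the original post). Applies the baseline rules from
# this page in an order that keeps an existing SSH session alive. Assumptions:
# LAN is 192.168.1.0/24, the external interface is eth1, and IPT defaults to
# "echo iptables" (dry run); run as  IPT=iptables sh baseline.sh  to apply.
IPT="${IPT:-echo iptables}"
LAN="${LAN:-192.168.1.0/24}"

apply_baseline() {
    # 1. Empty the filter table but leave the policies at ACCEPT for now, so
    #    nothing is cut off before the allow rules exist.
    $IPT -F
    $IPT -X
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT

    # 2. Loopback and replies to connections this host already has. These must
    #    precede the DROP policy, otherwise a remote session loses its packets.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # 3. Log, then drop, packets arriving on the external interface with a
    #    private source address (the spoof rule pair from the page).
    $IPT -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
    $IPT -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

    # 4. Services: ssh from anywhere, at most 3 connections per client; web
    #    for all; Samba and MySQL for the LAN only.
    $IPT -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
    $IPT -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    $IPT -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
    for port in 137 138 139 445 3306; do
        $IPT -A INPUT -s "$LAN" -m state --state NEW -p tcp --dport "$port" -j ACCEPT
    done

    # 5. Only now close INPUT and FORWARD by default; OUTPUT stays open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
}

apply_baseline
```

After applying for real, run service iptables save so the rule set survives a restart.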