{"id":23600,"date":"2025-06-02T11:46:54","date_gmt":"2025-06-02T11:46:54","guid":{"rendered":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/?lw_help_doc=security\/firewall-management\/iptables-firewall"},"modified":"2026-06-30T16:37:39","modified_gmt":"2026-06-30T20:37:39","slug":"iptables-firewall","status":"publish","type":"lw_help_doc","link":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/hosting\/security\/firewall-management\/iptables-firewall\/","title":{"rendered":"Manage your server&#8217;s firewall with iptables"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\"><code>iptables<\/code> is a powerful, command-line firewall utility built into Linux operating systems, allowing you to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Understanding <code>iptables<\/code> improves your ability to secure your server and manage your network, enabling you to control access to services, block malicious traffic, and ensure your server communicates securely.<\/p>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\" id=\"h-basic-concepts-tables-and-chains\">Basic concepts: tables and chains<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><code>iptables<\/code> organizes its rules into <strong>tables<\/strong>, and within each table, there are <strong>chains<\/strong>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Tables:<\/strong> There are three main tables used for basic firewalling:\n<ul class=\"wp-block-list\">\n<li><strong><code>filter<\/code> (Default):<\/strong> This is the most common table and is used for general packet filtering (allowing or denying traffic). If you don&#8217;t specify a table, <code>iptables<\/code> uses the <code>filter<\/code> table by default.<\/li>\n\n\n\n<li><strong><code>nat<\/code> (Network Address Translation):<\/strong> Used for modifying packet addresses (e.g., port forwarding, masquerading).<\/li>\n\n\n\n<li><strong><code>mangle<\/code>:<\/strong> Used for modifying packet headers (e.g., changing Quality of Service bits).<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Chains:<\/strong> Within the <code>filter<\/code> table, there are three built-in chains that define where rules are applied:\n<ul class=\"wp-block-list\">\n<li><strong><code>INPUT<\/code>:<\/strong> Rules in this chain apply to packets <strong>entering<\/strong> the server, destined for a local process. This is the most frequently modified chain for server security.<\/li>\n\n\n\n<li><strong><code>OUTPUT<\/code>:<\/strong> Rules in this chain apply to packets <strong>originating from<\/strong> the server, going to an external destination.<\/li>\n\n\n\n<li><strong><code>FORWARD<\/code>:<\/strong> Rules in this chain apply to packets that are being <strong>routed through<\/strong> the server (i.e., not destined for the server itself, but passing through to another network). This is typically used on routers or gateways.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Policies:<\/strong> Each chain has a default policy (e.g., <code>ACCEPT<\/code>, <code>DROP<\/code>, <code>REJECT<\/code>).\n<ul class=\"wp-block-list\">\n<li><strong><code>ACCEPT<\/code>:<\/strong> Allows the packet to pass.<\/li>\n\n\n\n<li><strong><code>DROP<\/code>:<\/strong> Silently discards the packet. The sender receives no notification.<\/li>\n\n\n\n<li><strong><code>REJECT<\/code>:<\/strong> Discards the packet and sends an error message (e.g., ICMP port unreachable) back to the sender.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-rule-matching-directives\">Rule matching directives<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Use various directives when creating <code>iptables<\/code> rules to specify what kind of traffic the rule should match:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>[!] -p, --protocol protocol<\/code>:<\/strong> Specifies the protocol (e.g., <code>tcp<\/code>, <code>udp<\/code>, <code>icmp<\/code>, <code>all<\/code>). The <code>!<\/code> inverts the match.<\/li>\n\n\n\n<li><strong><code>[!] -s, --source address[\/mask]<\/code>:<\/strong> Specifies the source IP address or network from which the packet originates.<\/li>\n\n\n\n<li><strong><code>[!] -d, --destination address[\/mask]<\/code>:<\/strong> Specifies the destination IP address or network where the packet is headed.<\/li>\n\n\n\n<li><strong><code>-j, --jump target<\/code>:<\/strong> Specifies the action to take if the packet matches the rule. Common targets are <code>ACCEPT<\/code>, <code>DROP<\/code>, <code>REJECT<\/code>, or jumping to a user-defined chain.<\/li>\n\n\n\n<li><strong><code>[!] --dport port<\/code>:<\/strong> (Used with <code>-p tcp<\/code> or <code>-p udp<\/code>) Specifies the destination port number or service name (e.g., <code>80<\/code>, <code>ssh<\/code>).<\/li>\n\n\n\n<li><strong><code>[!] --sport port<\/code>:<\/strong> (Used with <code>-p tcp<\/code> or <code>-p udp<\/code>) Specifies the source port number or service name.<\/li>\n\n\n\n<li><strong><code>[!] -i, --in-interface name<\/code>:<\/strong> Matches packets received via a specific network interface (e.g., <code>eth0<\/code>).<\/li>\n\n\n\n<li><strong><code>[!] -o, --out-interface name<\/code>:<\/strong> Matches packets being sent via a specific network interface.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\" id=\"h-common-iptables-commands\">Common iptables commands<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Here are the most frequently used <code>iptables<\/code> commands for managing your firewall rules:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>-L<\/code> (List Rules):<\/strong> Lists all rules in a specified chain or all chains if none is specified.\n<ul class=\"wp-block-list\">\n<li><code>iptables -L INPUT<\/code>: Lists all rules in the <code>INPUT<\/code> chain.<\/li>\n\n\n\n<li><code>iptables -L -v -n<\/code>: Lists all rules in all chains with verbose (detailed) and numeric (IPs instead of hostnames) output. This is very useful for troubleshooting.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><code>-F<\/code> (Flush Rules):<\/strong> Deletes all rules from a specified chain. If no chain is specified, it flushes all rules from all chains.\n<ul class=\"wp-block-list\">\n<li><code>iptables -F INPUT<\/code>: Flushes all rules from the <code>INPUT<\/code> chain.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><code>-A<\/code> (Append Rule):<\/strong> Adds a new rule to the end of a specified chain.\n<ul class=\"wp-block-list\">\n<li><code>iptables -A INPUT -p tcp --dport 80 -j ACCEPT<\/code>: <br>Appends a rule to the <code>INPUT<\/code> chain to accept incoming TCP traffic on port 80.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><code>-D<\/code> (Delete Rule):<\/strong> Deletes a rule from a specified chain. You can specify the rule by its exact description or by its line number (obtained with <code>iptables -L --line-numbers<\/code>).\n<ul class=\"wp-block-list\">\n<li><code>iptables -D INPUT 5<\/code>: Deletes the rule at line number 5 from the <code>INPUT<\/code> chain.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><code>-I<\/code> (Insert Rule):<\/strong> Inserts a new rule at a specific line number in a chain. If no line number is given, it inserts the rule at the top (line 1).\n<ul class=\"wp-block-list\">\n<li><code>iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT<\/code>: Inserts a rule to accept SSH traffic at the very beginning of the <code>INPUT<\/code> chain.<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong><code>-P<\/code> (Set Policy):<\/strong> Sets the default policy for a chain.\n<ul class=\"wp-block-list\">\n<li><code>iptables -P INPUT DROP<\/code>: Sets the default policy for the <code>INPUT<\/code> chain to <code>DROP<\/code> (meaning all incoming traffic is blocked by default unless explicitly allowed by a rule).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\" id=\"h-connection-tracking-states\">Connection tracking states<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><code>iptables<\/code> can track the state of network connections, allowing for more intelligent rule sets. This is managed by the <code>conntrack<\/code> module.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong><code>NEW<\/code>:<\/strong> A packet that is starting a new connection.<\/li>\n\n\n\n<li><strong><code>ESTABLISHED<\/code>:<\/strong> A packet that belongs to an existing, established connection (traffic has been seen in both directions).<\/li>\n\n\n\n<li><strong><code>RELATED<\/code>:<\/strong> A packet that is starting a new connection but is related to an existing one (e.g., an FTP data transfer connection opening after a control connection).<\/li>\n\n\n\n<li><strong><code>INVALID<\/code>:<\/strong> A packet that does not belong to any known connection or is malformed. These are often dropped for security.<\/li>\n<\/ul>\n\n\n<div class=\"kb-row-layout-wrap kb-row-layout-id380633_00d985-0f alignnone wp-block-kadence-rowlayout\"><div class=\"kt-row-column-wrap kt-has-1-columns kt-row-layout-equal kt-tab-layout-inherit kt-mobile-layout-row kt-row-valign-top kb-theme-content-width\">\n\n<div class=\"wp-block-kadence-column kadence-column380633_7e03af-d1\"><div class=\"kt-inside-inner-col\"><\/div><\/div>\n\n<\/div><\/div>\n\n\n<h2 class=\"wp-block-heading has-large-font-size\" id=\"h-save-rules-to-make-them-persistent\">Save rules to make them persistent<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Rules you add with <code>iptables<\/code> commands are active immediately but are <strong>not persistent<\/strong> across server reboots. To make them permanent, you need to save them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-centos-rhel\"><strong>CentOS\/RHEL<\/strong><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Save the current rules to <code>\/etc\/sysconfig\/iptables<\/code>: <br><code><strong>service iptables save<\/strong><\/code><br><\/li>\n\n\n\n<li>Ensure <code>iptables<\/code> starts on boot:<br><code><strong>chkconfig iptables on<\/strong><\/code><\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading has-large-font-size\" id=\"h-backup-and-restore-rules\"><strong>Backup and Restore Rules<\/strong><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Back up your current <code>iptables<\/code> rules:<br><code><strong>iptables-save &gt; \/root\/my_iptables_rules.bak<\/strong><\/code><br><\/li>\n\n\n\n<li>Restore previously backed up rules:<br><code><strong>iptables-restore &lt; \/root\/my_iptables_rules.bak<\/strong><\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\" style=\"margin-top:0;margin-bottom:0\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<div class=\"wp-block-kadence-column kadence-column380633_685524-70\"><div class=\"kt-inside-inner-col\"><p class=\"wp-block-paragraph\"><strong>Practical iptables examples<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Here are common scenarios and how to implement them with <code>iptables<\/code>.<\/p>\n<details class=\"wp-block-details\"><summary><strong><strong>Drop all incoming traffic to a specific port<\/strong><\/strong><\/summary><div class=\"nx-details__body is-layout-flow wp-block-details-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Port <code>25<\/code> is used in the following example, but any port can be used. The service name can be used (ex. <code>smtp<\/code> instead of <code>25)<\/code> if the service name is in <code>\/etc\/services<\/code>.<\/p>\n\n<p class=\"wp-block-paragraph\"><code>iptables -A INPUT -p tcp --dport 25 -j DROP<\/code><\/p>\n<\/div><\/details><details class=\"wp-block-details\"><summary><strong><strong>Lock down <strong>SSH access<\/strong><\/strong> to s<strong>pecific IP addresses <\/strong><\/strong><\/summary><div class=\"nx-details__body is-layout-flow wp-block-details-is-layout-flow\">\n<p class=\"wp-block-paragraph\">This requires two rules: one to allow the trusted IP, and a second, broader rule to drop all other SSH attempts. The order of rules matters!<br><br>The IP address 192.168.1.3 is used in this example, but any IP that is trusted can be used: <br><strong><code>iptables -A INPUT -p tcp -s 192.168.1.3 --dport 22 -j ACCEPT <\/code><\/strong><br><strong><code>iptables -A INPUT -p tcp --dport 22 -j DROP<\/code><\/strong><\/p>\n<\/div><\/details><details class=\"wp-block-details\"><summary><strong><strong>Block a specific IP address<\/strong><\/strong><\/summary><div class=\"nx-details__body is-layout-flow wp-block-details-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Insert a rule at the top of the <code>INPUT<\/code> chain to immediately drop all traffic from a malicious IP.<br><br>The IP address 192.0.2.50 is used in this example, but any potentially malicious IP can be used: <br><code><strong>iptables -I INPUT -s 192.0.2.50 -j DROP<\/strong><\/code><\/p>\n<\/div><\/details><\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\" style=\"margin-top:0;margin-bottom:0\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<div class=\"wp-block-kadence-column kadence-column380633_ad155f-e7\"><div class=\"kt-inside-inner-col\"><p class=\"wp-block-paragraph\"><strong>Troubleshooting iptables<\/strong><\/p><details class=\"wp-block-details\"><summary><strong><strong><strong>Clearing Your Firewall (for Debugging)<\/strong><\/strong><\/strong><\/summary><div class=\"nx-details__body is-layout-flow wp-block-details-is-layout-flow\">\n<p class=\"wp-block-paragraph\">If you suspect your firewall rules are causing issues, you can temporarily clear them.<\/p>\n\n<div class=\"wp-block-kadence-infobox kt-info-box380633_1d6f8e-f2\"><span class=\"kt-blocks-info-box-link-wrap info-box-link kt-blocks-info-box-media-align-left kt-info-halign-left\"><div class=\"kt-blocks-info-box-media-container\"><div class=\"kt-blocks-info-box-media kt-info-media-animate-none\"><div class=\"kadence-info-box-icon-container kt-info-icon-animate-none\"><div class=\"kadence-info-box-icon-inner-container\"><span class=\"kb-svg-icon-wrap kb-svg-icon-fas_sticky-note kt-info-svg-icon\"><svg viewBox=\"0 0 448 512\"  fill=\"currentColor\" xmlns=\"https:\/\/round-lake.dustinice.workers.dev:443\/http\/www.w3.org\/2000\/svg\"  aria-hidden=\"true\"><path d=\"M312 320h136V56c0-13.3-10.7-24-24-24H24C10.7 32 0 42.7 0 56v400c0 13.3 10.7 24 24 24h264V344c0-13.2 10.8-24 24-24zm129 55l-98 98c-4.5 4.5-10.6 7-17 7h-6V352h128v6.1c0 6.3-2.5 12.4-7 16.9z\"\/><\/svg><\/span><\/div><\/div><\/div><\/div><div class=\"kt-infobox-textcontent\"><span class=\"kt-blocks-info-box-title\">Note<\/span><p class=\"kt-blocks-info-box-text\"><strong>Use with extreme caution on production servers, as this opens all ports!<\/strong> <strong>Be sure to take a backup.<\/strong><\/p><\/div><\/span><\/div>\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n<p class=\"wp-block-paragraph\">The following commands will reset your iptables firewall rule set:<\/p>\n\n<pre class=\"wp-block-code\"><code>iptables -P INPUT ACCEPT    # Set default policy to ACCEPT for incoming<br>iptables -P OUTPUT ACCEPT   # Set default policy to ACCEPT for outgoing<br>iptables -P FORWARD ACCEPT  # Set default policy to ACCEPT for forwarding<br>iptables -F                 # Flush all rules from all chains<br>iptables -X                 # Delete all user-defined chains<br>iptables -Z                 # Zero out all packet and byte counters<\/code><\/pre>\n<\/div><\/details><details class=\"wp-block-details\"><summary><strong><strong><strong>&#8220;Resource temporarily unavailable&#8221; Error<\/strong><\/strong><\/strong><\/summary><div class=\"nx-details__body is-layout-flow wp-block-details-is-layout-flow\">\n<p class=\"wp-block-paragraph\">If you see messages like <code>Starting APF:iptables: Resource temporarily unavailable<\/code> when restarting your firewall, it often means the server is low on available memory. Check your server&#8217;s memory usage. If it&#8217;s critically low, temporarily shut down non-essential services, restart the firewall, and then bring your services back online.<\/p>\n<\/div><\/details><details class=\"wp-block-details\"><summary><strong><strong><strong>Trouble with IP Addresses Ending in .255<\/strong><\/strong><\/strong><\/summary><div class=\"nx-details__body is-layout-flow wp-block-details-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Some firewall configurations (especially older ones or those with default rules) might implicitly drop traffic to IP addresses ending in <code>.255<\/code> (which are often used as broadcast addresses). If you have a legitimate server IP ending in <code>.255<\/code> and experience connectivity issues, you might need to remove these blocking rules.<\/p>\n\n<ol class=\"wp-block-list\">\n<li>Find the rule&#8217;s line number:<br><code>iptables -L INPUT --line-numbers | grep \".255\"<br><\/code>\n<ul class=\"wp-block-list\">\n<li>You might see output similar to this: <br><code>27 DROP icmp -- anywhere 0.0.0.255\/0.0.0.255<br>28 DROP all -- anywhere 0.0.0.255\/0.0.0.255<\/code><br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Delete the first rule by its line number. Then, delete the next rule, remembering that its line number will have shifted up by one.<br><code>iptables -D INPUT 27 # Deletes the first rule (e.g., original was on line 27)<br>iptables -D INPUT 27 # Deletes the new rule at line 27 (original was on line 28)<\/code><\/li>\n<\/ol>\n\n<p class=\"wp-block-paragraph\">This will allow traffic to the .255 IP to route properly.<\/p>\n<\/div><\/details><\/div><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><code>iptables<\/code> is a fundamental tool for securing and managing network traffic on your Linux server. By understanding its basic concepts, commands, and troubleshooting techniques, you can effectively control access, protect your services, and diagnose connectivity issues. Always exercise caution when modifying firewall rules, and remember to save your changes to ensure they persist across reboots. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>iptables can act as your server&#8217;s gatekeeper, deciding which network traffic is allowed in, out, or through your server.<\/p>\n","protected":false},"author":133,"featured_media":0,"parent":23088,"menu_order":0,"template":"","meta":{"footnotes":"","_nx_search_keywords":"","_nx_search_boost":0},"vertical":[256],"lw_resource_category":[3031,2750,2752,2764],"lw_resource_topic":[],"lw_resource_section":[3561],"class_list":["post-23600","lw_help_doc","type-lw_help_doc","status-publish","hentry","vertical-hosting","lw_resource_category-firewalls","lw_resource_category-security","lw_resource_category-troubleshooting","lw_resource_category-tutorials","lw_resource_section-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.9 (Yoast SEO v27.9) - https:\/\/round-lake.dustinice.workers.dev:443\/https\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Manage your server&#039;s firewall with iptables - Nexcess Documentation<\/title>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Manage your server&#039;s firewall with iptables\" \/>\n<meta property=\"og:description\" content=\"iptables can act as your server&#039;s gatekeeper, deciding which network traffic is allowed in, out, or through your server.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/hosting\/security\/firewall-management\/iptables-firewall\/\" \/>\n<meta property=\"og:site_name\" content=\"Nexcess Documentation\" \/>\n<meta property=\"article:modified_time\" content=\"2026-06-30T20:37:39+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/docs.nexcess.com\\\/hosting\\\/security\\\/firewall-management\\\/iptables-firewall\\\/\",\"url\":\"https:\\\/\\\/docs.nexcess.com\\\/hosting\\\/security\\\/firewall-management\\\/iptables-firewall\\\/\",\"name\":\"Manage your server's firewall with iptables - Nexcess Documentation\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/docs.nexcess.com\\\/#website\"},\"datePublished\":\"2025-06-02T11:46:54+00:00\",\"dateModified\":\"2026-06-30T20:37:39+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/docs.nexcess.com\\\/hosting\\\/security\\\/firewall-management\\\/iptables-firewall\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/docs.nexcess.com\\\/hosting\\\/security\\\/firewall-management\\\/iptables-firewall\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/docs.nexcess.com\\\/hosting\\\/security\\\/firewall-management\\\/iptables-firewall\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/docs.nexcess.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security Overview\",\"item\":\"https:\\\/\\\/docs.nexcess.com\\\/hosting\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Firewall Management\",\"item\":\"https:\\\/\\\/docs.nexcess.com\\\/hosting\\\/security\\\/firewall-management\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Manage your server&#8217;s firewall with iptables\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/docs.nexcess.com\\\/#website\",\"url\":\"https:\\\/\\\/docs.nexcess.com\\\/\",\"name\":\"Nexcess Documentation\",\"description\":\"Search the docs, or browse by product, category, and topic across Hosting and WordPress.\",\"publisher\":{\"@id\":\"https:\\\/\\\/docs.nexcess.com\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/docs.nexcess.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/docs.nexcess.com\\\/#organization\",\"name\":\"Nexcess Documentation\",\"url\":\"https:\\\/\\\/docs.nexcess.com\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/docs.nexcess.com\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/docs.nexcess.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/favicon-1.webp\",\"contentUrl\":\"https:\\\/\\\/docs.nexcess.com\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/favicon-1.webp\",\"width\":512,\"height\":512,\"caption\":\"Nexcess Documentation\"},\"image\":{\"@id\":\"https:\\\/\\\/docs.nexcess.com\\\/#\\\/schema\\\/logo\\\/image\\\/\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Manage your server's firewall with iptables - Nexcess Documentation","robots":{"index":"noindex","follow":"follow"},"og_locale":"en_US","og_type":"article","og_title":"Manage your server's firewall with iptables","og_description":"iptables can act as your server's gatekeeper, deciding which network traffic is allowed in, out, or through your server.","og_url":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/hosting\/security\/firewall-management\/iptables-firewall\/","og_site_name":"Nexcess Documentation","article_modified_time":"2026-06-30T20:37:39+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/hosting\/security\/firewall-management\/iptables-firewall\/","url":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/hosting\/security\/firewall-management\/iptables-firewall\/","name":"Manage your server's firewall with iptables - Nexcess Documentation","isPartOf":{"@id":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/#website"},"datePublished":"2025-06-02T11:46:54+00:00","dateModified":"2026-06-30T20:37:39+00:00","breadcrumb":{"@id":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/hosting\/security\/firewall-management\/iptables-firewall\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/hosting\/security\/firewall-management\/iptables-firewall\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/hosting\/security\/firewall-management\/iptables-firewall\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/"},{"@type":"ListItem","position":2,"name":"Security Overview","item":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/hosting\/security\/"},{"@type":"ListItem","position":3,"name":"Firewall Management","item":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/hosting\/security\/firewall-management\/"},{"@type":"ListItem","position":4,"name":"Manage your server&#8217;s firewall with iptables"}]},{"@type":"WebSite","@id":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/#website","url":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/","name":"Nexcess Documentation","description":"Search the docs, or browse by product, category, and topic across Hosting and WordPress.","publisher":{"@id":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/#organization","name":"Nexcess Documentation","url":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/#\/schema\/logo\/image\/","url":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-content\/uploads\/2026\/07\/favicon-1.webp","contentUrl":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-content\/uploads\/2026\/07\/favicon-1.webp","width":512,"height":512,"caption":"Nexcess Documentation"},"image":{"@id":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/lw_help_doc\/23600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/lw_help_doc"}],"about":[{"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/types\/lw_help_doc"}],"author":[{"embeddable":true,"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/users\/133"}],"version-history":[{"count":1,"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/lw_help_doc\/23600\/revisions"}],"predecessor-version":[{"id":47324,"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/lw_help_doc\/23600\/revisions\/47324"}],"up":[{"embeddable":true,"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/lw_help_doc\/23088"}],"wp:attachment":[{"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/media?parent=23600"}],"wp:term":[{"taxonomy":"vertical","embeddable":true,"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/vertical?post=23600"},{"taxonomy":"lw_resource_category","embeddable":true,"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/lw_resource_category?post=23600"},{"taxonomy":"lw_resource_topic","embeddable":true,"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/lw_resource_topic?post=23600"},{"taxonomy":"lw_resource_section","embeddable":true,"href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/docs.nexcess.com\/wp-json\/wp\/v2\/lw_resource_section?post=23600"}],"curies":[{"name":"wp","href":"https:\/\/round-lake.dustinice.workers.dev:443\/https\/api.w.org\/{rel}","templated":true}]}}