How do I configure iptables or nftables to allow traffic to my Amazon EC2 Linux instance?
I want to configure iptables or nftables to allow traffic to my application or instance that's running on an Amazon Elastic Compute Cloud (Amazon EC2) Linux instance.
Short description
Use iptables and nftables to manage network traffic on Linux systems, including Amazon EC2 Linux instances. Choose nftables for new deployments and use iptables in legacy environments. For more information about iptables, see IptablesHowTo on the Ubuntu website.
Resolution
Configure iptables
To install and activate the iptables service, run the following commands:
sudo yum install iptables-services -y
sudo systemctl enable iptables
sudo systemctl start iptables
Note: If you installed iptables with preconfigured rules, then clear these rules and configure the new rules. To list rules, run the following command:
sudo iptables -L
To flush all the rules, run the following command:
sudo iptables -F
To open a specific port, run the following command:
sudo iptables -A INPUT -p tcp --dport example_port -j ACCEPT
Note: Replace example_port with your port number.
To allow inbound traffic on a specific port to a specific IP address or subnet, run the following command:
sudo iptables -A INPUT -p tcp -s your_server_ip --dport example_port -j ACCEPT
Note: Replace your_server_ip with your IP address or subnet and example_port with your port.
Change the ports and protocols based on your use case. The following are commonly used ports and protocols:
- TCP port 80 -- HTTP server
- TCP port 443 -- HTTPS server
- TCP port 25 -- Mail server
- TCP port 22 -- OpenSSH (remote) secure shell server
- TCP port 110 -- POP3 (Post Office Protocol v3) server
- TCP port 143 -- Internet Message Access Protocol (IMAP), management of email messages
- TCP/UDP port 53 -- Domain Name System (DNS)
To list iptables rules, run the following command:
sudo iptables -L
To delete an iptables rule by chain and number, complete the following steps:
- To list rules with line numbers, run the following command:
sudo iptables -L --line-numbers
- To delete a rule, run the following command:
sudo iptables -D example_chain example_number
Note: Replace example_chain and example_number with the name of your chain and the rule number.
To save the iptables rules, run the following command:
sudo service iptables save
The set of rules is automatically saved to /etc/sysconfig/iptables and restored on every boot.
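The commands above add one ACCEPT rule at a time with -A, which appends to the end of the INPUT chain. If the chain already ends in a catch-all REJECT or DROP rule (as a preconfigured ruleset typically does), an appended ACCEPT never matches, which is why the article tells you to flush preconfigured rules first. The following added example, which is not part of the AWS article, takes the other approach a practitioner usually wants: it generates the complete /etc/sysconfig/iptables file in iptables-restore format, with a default-deny INPUT policy, loopback and established-connection rules, SSH restricted to an administrative subnet, and the listed TCP ports open to everyone. The admin subnet 203.0.113.0/24 and the port list are constructed sample values; the iptables-services package and file path are the ones from the article.

```shell
#!/bin/sh
# Added example, not part of the AWS article: build the complete
# /etc/sysconfig/iptables file that "service iptables save" would otherwise
# produce, with a default-deny INPUT chain. Constructed assumptions: SSH is
# reachable only from the admin subnet 203.0.113.0/24 (a documentation
# range), and the instance serves the listed TCP ports to everyone.

# port_ok PORT -> succeeds if PORT is an integer in 1..65535.
port_ok() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_iptables_rules ADMIN_SUBNET PORT... -> prints an iptables-restore file.
# Rule order matters: iptables -A appends, so an ACCEPT added after the
# final REJECT would never match. Generating the whole file keeps every
# ACCEPT above the catch-all REJECT.
gen_iptables_rules() {
  admin_subnet=$1; shift
  [ -n "$admin_subnet" ] || { echo "gen_iptables_rules: missing admin subnet" >&2; return 1; }
  for p in "$@"; do
    port_ok "$p" || { echo "gen_iptables_rules: bad port '$p'" >&2; return 1; }
  done
  printf '%s\n' \
    '*filter' \
    ':INPUT DROP [0:0]' \
    ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
    '-A INPUT -p icmp -j ACCEPT' \
    "-A INPUT -p tcp -s $admin_subnet --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  for p in "$@"; do
    printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
  done
  printf '%s\n' \
    '-A INPUT -j REJECT --reject-with icmp-host-prohibited' \
    'COMMIT'
}

# apply_iptables_rules ADMIN_SUBNET PORT... -> syntax-checks the ruleset with
# "iptables-restore --test", then writes it to /etc/sysconfig/iptables and
# loads it. Requires root and the iptables-services package from the article.
apply_iptables_rules() {
  rules=$(gen_iptables_rules "$@") || return 1
  printf '%s\n' "$rules" | iptables-restore --test || return 1
  printf '%s\n' "$rules" > /etc/sysconfig/iptables
  iptables-restore < /etc/sysconfig/iptables
}

# "sh script.sh" prints the sample ruleset; "sh script.sh apply SUBNET PORT..."
# installs it (root only).
case ${1:-print} in
  print) gen_iptables_rules 203.0.113.0/24 80 443 ;;
  apply) shift; apply_iptables_rules "$@" ;;
esac
```

Review the generated file before applying it: with the INPUT policy set to DROP, a typo in the admin subnet locks you out of SSH, so keep a second session open or rely on the EC2 security group as the outer layer while you test.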
Configure nftables
The nft command doesn't automatically create tables and chains. You must manually create tables and chains. For more information about nftables, see Getting started with nftables on the Red Hat Enterprise Linux (RHEL) website.
To install and activate nftables, run the following commands:
sudo yum install nftables -y
sudo systemctl enable nftables
sudo systemctl start nftables
Use nft commands to manage tables, chains, or rules
Prerequisite: To perform the following tasks, you must have sudo permissions or be a root user.
You must assign an address family to each table. The address family defines the packet types that the table processes.
The following are address families and the packets that they match:
- ip: Matches only IPv4 packets. Note: If you don't specify an address family, then ip is the default.
- ip6: Matches only IPv6 packets.
- inet: Matches IPv4 and IPv6 packets.
- arp: Matches IPv4 address resolution protocol (ARP) packets.
- bridge: Matches packets that pass through a bridge device.
- netdev: Matches packets from ingress.
To create a table that's named test_rules with the inet address family, so that the table can process both IPv4 and IPv6 packets, run the following command:
sudo nft add table inet test_rules
To add a base chain that's named INPUT that processes incoming network traffic, run the following command:
sudo nft add chain inet test_rules INPUT '{ type filter hook input priority 0 ; policy accept ; }'
To add rules to the INPUT chain that allow TCP ports 443, 22, and 80, run the following commands in the order that you want nft to add the rules:
sudo nft add rule inet test_rules INPUT tcp dport 443 accept
sudo nft add rule inet test_rules INPUT tcp dport 22 accept
sudo nft add rule inet test_rules INPUT tcp dport 80 accept
Note: Replace TCP ports 443, 22, and 80 with your port numbers.
To display the current rules, run the following command:
sudo nft -a list table inet test_rules
To insert a rule before the existing rule with handle 2, run the following command:
sudo nft insert rule inet test_rules INPUT position 2 tcp dport 8080 accept
Note: Replace 2 with the handle of the existing rule and 8080 with your port number.
To append a rule after the existing rule with handle 2, run the following command:
sudo nft add rule inet test_rules INPUT position 2 tcp dport 621 accept
Note: Replace 2 with the handle of the existing rule and 621 with your port number.
To remove a rule with handle 3, run the following command:
sudo nft delete rule inet test_rules INPUT handle 3
Note: Replace 3 with the handle of the rule that you want to remove.
To remove all the rules, run the following command:
sudo nft flush chain inet test_rules INPUT
To save your ruleset, run the following command:
sudo bash -c "nft list ruleset > /etc/sysconfig/nftables.conf"
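The test_rules chain above uses policy accept, so the accept rules only matter once something stricter is added, and deleting rules requires you to read the handle out of the nft -a listing by hand. The following added example, which is not part of the AWS article, does both jobs: it generates a complete nft script for /etc/sysconfig/nftables.conf with an input chain whose policy is drop (only listed traffic gets in), and it extracts a rule's handle from a constructed sample of nft -a list table output so the delete command targets the right rule. The admin subnet 203.0.113.0/24, the table name filter, and the sample listing are constructed assumptions; the nft -c syntax check and the nftables.conf path are the tool's own.

```shell
#!/bin/sh
# Added example, not part of the AWS article: generate a complete nftables
# ruleset for /etc/sysconfig/nftables.conf with a default-deny input chain,
# and look up rule handles from "nft -a list" output before deleting.
# Constructed assumptions: admin subnet 203.0.113.0/24 (a documentation
# range) for SSH; table name "filter"; the sample listing below is made up.

# port_ok PORT -> succeeds if PORT is an integer in 1..65535.
port_ok() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_nft_ruleset ADMIN_SUBNET PORT... -> prints an nft script (nft -f syntax).
# "policy drop" on the input chain means only listed traffic gets in, so the
# order of the accept rules no longer matters.
gen_nft_ruleset() {
  admin_subnet=$1; shift
  [ -n "$admin_subnet" ] || { echo "gen_nft_ruleset: missing admin subnet" >&2; return 1; }
  set_list=""
  for p in "$@"; do
    port_ok "$p" || { echo "gen_nft_ruleset: bad port '$p'" >&2; return 1; }
    set_list="${set_list:+$set_list, }$p"
  done
  ports_rule=""
  if [ -n "$set_list" ]; then
    ports_rule="    tcp dport { $set_list } accept"
  fi
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    ip saddr $admin_subnet tcp dport 22 accept
$ports_rule
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Constructed sample of "nft -a list table inet test_rules" output, matching
# the three rules the article adds to its INPUT chain.
SAMPLE_LISTING='table inet test_rules { # handle 1
    chain INPUT { # handle 1
        type filter hook input priority 0; policy accept;
        tcp dport 443 accept # handle 2
        tcp dport 22 accept # handle 3
        tcp dport 80 accept # handle 4
    }
}'

# find_handle LISTING MATCH -> prints the handle of the first rule line that
# contains MATCH followed by a space (e.g. "tcp dport 22"), or nothing.
find_handle() {
  printf '%s\n' "$1" | awk -v want="$2" '
    index($0, want " ") && match($0, /# handle [0-9]+$/) {
      print substr($0, RSTART + 9); exit
    }'
}

# delete_cmd FAMILY TABLE CHAIN LISTING MATCH -> prints the nft command that
# removes the matching rule by handle; pipe it to sh (as root) to apply.
delete_cmd() {
  h=$(find_handle "$4" "$5")
  [ -n "$h" ] || { echo "delete_cmd: no rule matches '$5'" >&2; return 1; }
  printf 'nft delete rule %s %s %s handle %s\n' "$1" "$2" "$3" "$h"
}

# "sh script.sh" prints the sample ruleset and a delete command;
# "sh script.sh apply SUBNET PORT..." validates, saves and loads it (root only).
case ${1:-print} in
  print)
    gen_nft_ruleset 203.0.113.0/24 80 443
    delete_cmd inet test_rules INPUT "$SAMPLE_LISTING" 'tcp dport 80'
    ;;
  apply)
    shift
    gen_nft_ruleset "$@" > /tmp/nftables.conf.new || exit 1
    nft -c -f /tmp/nftables.conf.new || exit 1
    mv /tmp/nftables.conf.new /etc/sysconfig/nftables.conf
    nft -f /etc/sysconfig/nftables.conf
    ;;
esac
```

On a live instance, replace SAMPLE_LISTING with the real output of sudo nft -a list table inet test_rules; handles are assigned by the kernel and change whenever rules are added or removed, so look them up immediately before each delete rather than reusing a number from an earlier listing.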
Related information
Comparison of common iptables and nftables commands on the RHEL website
Troubleshoot issues connecting to your Amazon EC2 Linux instance