This article was tested using iptables v1.3.5 running on CentOS.
Displaying Currently Active Rules
iptables -L -v -n
The -v flag turns on verbose mode (packet and byte counters, interfaces), and -n prints addresses and ports numerically instead of resolving them to hostnames, so the listing shows IPs.
Adding A New Rule
iptables -A INPUT -j ACCEPT -s 18.104.22.168 -m comment --comment 'Reverse proxy'
The rule above is appended to the end of the INPUT chain; when it matches (a packet coming from IP 22.214.171.124), the packet is accepted.
Rejecting Packets Created From Inbound Connections
In the following example, packets belonging to new inbound connections are rejected, while packets belonging to connections the server itself opened (outbound) are still let back in. The only new inbound packets allowed are those from 126.96.36.199 and 188.8.131.52/22.
Chain INPUT (policy ACCEPT 704K packets, 218M bytes)
 pkts bytes target prot opt in  out source             destination
  36M 4776M ACCEPT all  --  *   *   184.108.40.206     0.0.0.0/0   /* Allow incoming from Reverse Proxy */
4439K  577M ACCEPT all  --  *   *   220.127.116.11/22  0.0.0.0/0   /* Allow incoming from Reverse Proxy */
  10M 2897M ACCEPT all  --  *   *   0.0.0.0/0          0.0.0.0/0   state RELATED,ESTABLISHED /* Accept incoming packets from already established conn */
14586  878K REJECT all  --  *   *   0.0.0.0/0          0.0.0.0/0   /* Reject everything else */ reject-with icmp-port-unreachable
This is achieved by checking connection state. If an incoming packet belongs to a connection that the kernel's connection tracking already knows about (state ESTABLISHED) or is related to one (state RELATED, e.g. an ICMP error for an existing connection), it is accepted; everything that reaches the final rule is rejected.
These two rules can be added using
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment 'Accept incoming packets from already established conn' -j ACCEPT
iptables -A INPUT -m comment --comment 'Reject everything else' -j REJECT --reject-with icmp-port-unreachable
Because -A appends to the end of the chain, the REJECT rule must be added after all the ACCEPT rules, including the state rule; if it lands before them, replies to the server's own outbound connections are rejected too.
Use /sbin/service iptables save to persist changes for the next time the server is rebooted.
Looking up Commands for Currently Configured Rules
Once you have saved your iptables settings, the commands used to reconstruct the rules can be looked up in the /etc/sysconfig/iptables file.
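The following script is an added example, not part of the original article. It builds the INPUT chain from the "Rejecting Packets" section in the order that matters (specific allows, then the stateful allow, then the catch-all REJECT) and refuses to apply the rules if that order is wrong. The same ordering check can be run against the -A INPUT lines of a saved /etc/sysconfig/iptables file. IPTABLES defaults to echo, so the script is a dry run until you set IPTABLES=/sbin/iptables as root; the proxy addresses are placeholders from the documentation ranges, not the article's hosts.

```shell
#!/bin/sh
# Added example (not the article's code). Builds the INPUT chain described above,
# checks rule order, then applies via $IPTABLES (default "echo" = dry run).
PROXY_HOST="${PROXY_HOST:-192.0.2.10}"       # placeholder (TEST-NET-1), not a real proxy
PROXY_NET="${PROXY_NET:-198.51.100.0/24}"    # placeholder (TEST-NET-2), not a real proxy
IPTABLES="${IPTABLES:-echo}"

# Print the rules as iptables argument lists, one per line, in append order:
# specific ACCEPTs first, stateful ACCEPT next, catch-all REJECT last.
input_rules() {
    printf '%s\n' \
      "-A INPUT -s $PROXY_HOST -m comment --comment 'Allow incoming from Reverse Proxy' -j ACCEPT" \
      "-A INPUT -s $PROXY_NET -m comment --comment 'Allow incoming from Reverse Proxy' -j ACCEPT" \
      "-A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment 'Accept incoming packets from already established conn' -j ACCEPT" \
      "-A INPUT -m comment --comment 'Reject everything else' -j REJECT --reject-with icmp-port-unreachable"
}

# Read rule lines from stdin (either input_rules output or the -A INPUT lines of a
# saved /etc/sysconfig/iptables). Succeeds only if the catch-all REJECT is the last
# rule and the RELATED,ESTABLISHED ACCEPT comes before it; any other order would
# cut off replies to the server's own outbound connections.
check_order() {
    rules=$(cat)
    total=$(printf '%s\n' "$rules" | grep -c .)
    reject_line=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | head -n 1 | cut -d: -f1)
    state_line=$(printf '%s\n' "$rules" \
        | grep -n -E -- '--state (RELATED,ESTABLISHED|ESTABLISHED,RELATED)' | head -n 1 | cut -d: -f1)
    [ -n "$reject_line" ] && [ -n "$state_line" ] \
        && [ "$reject_line" -eq "$total" ] && [ "$state_line" -lt "$reject_line" ]
}

# Apply the rules one by one with $IPTABLES, but only after the order check passes.
apply_rules() {
    if ! input_rules | check_order; then
        echo "rule order is wrong, refusing to apply" >&2
        return 1
    fi
    input_rules | while IFS= read -r line; do
        eval "$IPTABLES $line"
    done
}

# Dry run by default: prints the four iptables argument lists that would be applied.
apply_rules
```

To audit an existing saved rule set instead of the generated one, feed it the chain's rules: grep '^-A INPUT' /etc/sysconfig/iptables | check_order. After applying for real, confirm with iptables -L -v -n and persist with /sbin/service iptables save as the article describes.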