Difference between revisions of "Iptables"
Jump to navigation
Jump to search
↑ http://jensd.be/343/linux/forward-a-tcp-port-to-another-ip-or-port-using-nat-with-iptables
↑ https://serverfault.com/a/200658
↑ https://serverfault.com/a/608976
Tags: Mobile web edit, Mobile edit |
|||
(38 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
− | <code>[[wikipedia:iptables|iptables]]</code> [[Linux Commands|command line]] utility allows to modify [[Linux]] kernel [[firewall]] rules. | + | <code>[[wikipedia:iptables|iptables]]</code> ([[1998]]) [[Linux Commands|command line]] utility allows to modify [[Linux]] kernel [[firewall]] rules. |
+ | * Man page: https://ipset.netfilter.org/iptables.man.html | ||
+ | Tables: <code>[[filter]], [[nat]], [[mangle]], [[raw]] and [[security]]</code> | ||
== Basic commands == | == Basic commands == | ||
* <code>[[iptables -L]]</code> | * <code>[[iptables -L]]</code> | ||
+ | * [[iptables -S]] | ||
* [[NAT]]: <code>[[iptables -t nat -L]]</code> | * [[NAT]]: <code>[[iptables -t nat -L]]</code> | ||
− | |||
* <code> apt-get install iptables-persistent</code> | * <code> apt-get install iptables-persistent</code> | ||
+ | ** <code>iptables-save</code> and <code>[[iptables-restore]]</code> | ||
+ | === Options === | ||
* Add: <code>iptables -A</code> | * Add: <code>iptables -A</code> | ||
* Delete: <code>iptables -D</code> | * Delete: <code>iptables -D</code> | ||
+ | * Insert: <code>iptables -I</code> | ||
== Examples == | == Examples == | ||
[[KVM]] [[VNC]] remote viewer | [[KVM]] [[VNC]] remote viewer | ||
[[iptables]] -t nat -A PREROUTING -i eno1 -p tcp --dport 5900 -j DNAT --to 127.0.0.1:5900 | [[iptables]] -t nat -A PREROUTING -i eno1 -p tcp --dport 5900 -j DNAT --to 127.0.0.1:5900 | ||
− | [[sysctl]] | + | [[sysctl -w]] [[net.ipv4.ip_forward]]=1 |
− | sysctl -p /etc/sysctl.conf | + | sysctl -p [[/etc/sysctl.conf]] |
− | + | ===Port forwarding=== | |
+ | <ref>http://jensd.be/343/linux/forward-a-tcp-port-to-another-ip-or-port-using-nat-with-iptables</ref> | ||
+ | *<code>iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination IP_DESTINATION</code> | ||
+ | *<code>iptables -t nat -A POSTROUTING -p tcp -d IP_DESTINATION --dport 2222 -j MASQUERADE</code> | ||
+ | *<code>echo 1 > [[/proc/]]sys/net/ipv4/ip_forward</code> | ||
+ | |||
* Block all output traffic: <code>iptables -A OUTPUT -o ethXXX -j DROP</code> | * Block all output traffic: <code>iptables -A OUTPUT -o ethXXX -j DROP</code> | ||
* Open a port: <code>iptables -I INPUT -p tcp --dport XXX -j ACCEPT</code> | * Open a port: <code>iptables -I INPUT -p tcp --dport XXX -j ACCEPT</code> | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | * Block all but one IP | + | ===Block all but a range=== |
− | + | *<code>iptables -I OUTPUT -m iprange --dst-range <remote_ip> -j ACCEPT</code> | |
− | + | *<code>iptables -I INPUT -m iprange --src-range <remote_ip> -j ACCEPT</code> | |
− | + | *<code>iptables -P INPUT DROP</code> | |
− | + | *<code>iptables -P OUTPUT DROP</code> | |
− | + | *<code>[[netfilter-persistent]] save</code> | |
− | + | ||
+ | ===Block all but one IP=== | ||
+ | *<code>iptables -I OUTPUT -d <remote_ip> -j ACCEPT</code> | ||
+ | *<code>iptables -I INPUT -s <remote_ip> -j ACCEPT</code> | ||
+ | *<code>iptables -I OUTPUT -d <remote_ip> -j ACCEPT</code> | ||
+ | *<code>iptables -I INPUT -s <remote_ip> -j ACCEPT</code> | ||
+ | *<code>iptables -P INPUT DROP</code> | ||
+ | *<code>iptables -P OUTPUT DROP</code> | ||
+ | |||
+ | ===Allow [[ssh]] connections only from specific IPs=== | ||
+ | *<code>iptables -A INPUT -p tcp --dport [[22]] -s YourIP -j ACCEPT</code> | ||
+ | *<code>iptables -A INPUT -p tcp --dport 22 -j DROP</code> | ||
+ | *<code>[[netfilter-persistent]] save</code> | ||
+ | |||
+ | ===Clear iptables rules=== | ||
+ | <ref>https://serverfault.com/a/200658</ref> | ||
+ | *<code>iptables -P INPUT ACCEPT</code> | ||
+ | *<code>iptables -P FORWARD ACCEPT</code> | ||
+ | *<code>iptables -P OUTPUT ACCEPT</code> | ||
+ | *<code>iptables -t nat -F</code> | ||
+ | *<code>iptables -t mangle -F</code> | ||
+ | *<code>iptables -F</code> | ||
+ | *<code>iptables -X</code> | ||
+ | |||
+ | |||
+ | ===Flush=== | ||
+ | ** <code>iptables -F</code> | ||
+ | ::: (no output) | ||
+ | ** <code>iptables -t nat -F</code> | ||
− | * | + | ** <code>iptables -t YOUR_TABLE_NAME -F</code> |
− | |||
− | |||
− | |||
== Activities == | == Activities == | ||
Line 49: | Line 78: | ||
# Read Stackoverflow iptables questions: https://stackoverflow.com/questions/tagged/iptables?tab=Votes | # Read Stackoverflow iptables questions: https://stackoverflow.com/questions/tagged/iptables?tab=Votes | ||
# Review your current iptables configuration | # Review your current iptables configuration | ||
− | # <code>[[iptables-save]]</code> | + | # <code>[[iptables-save]]</code>, <code>[[iptables-restore]]</code> |
== Related terms == | == Related terms == | ||
− | * [[fail2ban]] | + | * <code>[[fail2ban]]</code> |
* [[Shorewall]] | * [[Shorewall]] | ||
+ | * <code>[[arptables]]</code> | ||
+ | * <code>[[resolvconf]]</code> | ||
+ | * <code>[[table]]</code>, <code>[[chain]]</code> | ||
+ | * [[IP forwarding]] | ||
+ | * [[eBPF]] | ||
== See also == | == See also == | ||
+ | * {{iptables}} | ||
* {{Firewall commands}} | * {{Firewall commands}} | ||
* <code>[[nftables]]</code> | * <code>[[nftables]]</code> |
Latest revision as of 08:15, 26 February 2024
iptables
(1998) command line utility allows to modify Linux kernel firewall rules.
Tables: filter, nat, mangle, raw and security
Contents
Basic commands[edit]
apt-get install iptables-persistent
iptables-save
andiptables-restore
Options[edit]
- Add:
iptables -A
- Delete:
iptables -D
- Insert:
iptables -I
Examples[edit]
KVM VNC remote viewer iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 5900 -j DNAT --to 127.0.0.1:5900 sysctl -w net.ipv4.ip_forward=1 sysctl -p /etc/sysctl.conf
Port forwarding[edit]
iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination IP_DESTINATION
iptables -t nat -A POSTROUTING -p tcp -d IP_DESTINATION --dport 2222 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
- Block all output traffic:
iptables -A OUTPUT -o ethXXX -j DROP
- Open a port:
iptables -I INPUT -p tcp --dport XXX -j ACCEPT
Block all but a range[edit]
iptables -I OUTPUT -m iprange --dst-range <remote_ip> -j ACCEPT
iptables -I INPUT -m iprange --src-range <remote_ip> -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
netfilter-persistent save
Block all but one IP[edit]
iptables -I OUTPUT -d <remote_ip> -j ACCEPT
iptables -I INPUT -s <remote_ip> -j ACCEPT
iptables -I OUTPUT -d <remote_ip> -j ACCEPT
iptables -I INPUT -s <remote_ip> -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
Allow ssh connections only from specific IPs[edit]
iptables -A INPUT -p tcp --dport 22 -s YourIP -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
netfilter-persistent save
Clear iptables rules[edit]
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
Flush[edit]
iptables -F
- (no output)
iptables -t nat -F
iptables -t YOUR_TABLE_NAME -F
Activities[edit]
- Read
iptables
Ubuntu howto: https://help.ubuntu.com/community/IptablesHowTo - Read archlinux documentation: https://wiki.archlinux.org/index.php/iptables
- Read Stackoverflow iptables questions: https://stackoverflow.com/questions/tagged/iptables?tab=Votes
- Review your current iptables configuration
iptables-save
,iptables-restore
Related terms[edit]
See also[edit]
iptables
,ufw
, firewalld, nftables firewall-cmd,netfilter-persistent, iptables -L
,iptables-save
,iptables-restore
, Netfilteriptables
ufw
firewalld
nftables
firewall-cmd
ipfw (FreeBSD)
PF (OpenBSD)
, netsh advfirewallnftables
- Palo Alto firewalls: PAN-OS
- Port knocking,
fail2ban
[3]fwknop
, DenyHosts
Advertising: