Difference between revisions of "Iptables"

From wikieduonline
Revision as of 14:50, 4 October 2021

iptables (first released in 1998) is the command-line utility for inspecting and modifying the Linux kernel's packet-filtering (netfilter) rules. Rules in a chain are evaluated top-down: the first matching rule with a terminating target (ACCEPT, DROP, DNAT, ...) decides the packet, and the chain's policy (-P) applies only when no rule matched.

Tables: filter, nat, mangle, raw and security. filter is the default when -t is omitted. The nat table is consulted only for the first packet of a connection, so DNAT/MASQUERADE rules are applied per connection and the rest of the flow is translated by connection tracking.

Basic commands



Options

  • Add (append at the end of a chain): iptables -A
  • Delete (by rule specification, or by rule number): iptables -D
  • Insert (at the top of a chain, or at position N with iptables -I CHAIN N): iptables -I
Because matching is top-down, -I puts an exception ahead of the existing rules while -A puts it after them; check the resulting order with iptables -S.

Examples

KVM VNC remote viewer
iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 5900 -j DNAT --to 127.0.0.1:5900
sysctl -w net.ipv4.ip_forward=1
sysctl -p /etc/sysctl.conf

This makes the VNC console that QEMU/libvirt binds to 127.0.0.1 reachable on eno1 port 5900. Two caveats. First, the DNAT target is a local address, so the packets are delivered through INPUT rather than FORWARD and ip_forward is not what makes this work; since Linux 3.6 the kernel drops packets addressed to 127.0.0.0/8 that arrive on a physical interface unless net.ipv4.conf.eno1.route_localnet=1 is set. Second, the VNC listener was bound to loopback precisely because it usually has no authentication of its own, so add a source match (-s <admin_ip>) to the rule, or tunnel the port over SSH instead of exposing it. sysctl -w changes the running kernel only; sysctl -p re-reads /etc/sysctl.conf, so the setting survives a reboot only if it is also written there (or to a file under /etc/sysctl.d/).


Port forwarding

[1]

  • iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination IP_DESTINATION (rewrite the destination of new connections to port 2222; add an -i or -s match so only traffic from where you expect it is forwarded)
  • iptables -t nat -A POSTROUTING -p tcp -d IP_DESTINATION --dport 2222 -j MASQUERADE (source-NAT the forwarded packets so IP_DESTINATION answers through this host even when its default route points elsewhere; IP_DESTINATION then sees this host's address, not the real client's)
  • echo 1 > /proc/sys/net/ipv4/ip_forward (enable routing between interfaces; runtime only, persist it via sysctl.conf)

The forwarded packets traverse the FORWARD chain, not INPUT, so if the FORWARD policy is DROP they also need an ACCEPT rule there or the forward fails silently.

Other single-rule examples:

  • Block all output traffic on an interface: iptables -A OUTPUT -o ethXXX -j DROP
  • Open a port: iptables -I INPUT -p tcp --dport XXX -j ACCEPT (-I so the ACCEPT lands ahead of any existing DROP rule)
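The three port-forwarding commands above, plus the FORWARD-chain rule and the source restriction they leave out, as one re-runnable script. This is an added example, not code from the wiki page or from the cited answer; the address 10.0.0.5, port 22 and the 203.0.113.0/24 client network are hypothetical, and the DRY_RUN switch and the ipt/ensure_rule helpers are this example's own constructs.

```shell
#!/bin/sh
# Added example (not from the original page): port forwarding with DNAT,
# made idempotent and with the FORWARD-chain rule the page's list omits.
# Run as root to apply; with DRY_RUN=1 the commands are printed instead.
# The addresses in the usage line at the bottom are hypothetical.

set -eu

# ipt: wrapper around iptables so the whole procedure can be reviewed before
# it touches the kernel. In dry-run mode a "-C" (check) is reported as
# "rule absent" (exit 1) so that the matching "-A" is printed as well.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables %s\n' "$*"
        case " $* " in *" -C "*) return 1 ;; esac
        return 0
    fi
    iptables "$@"
}

# ensure_rule TABLE CHAIN RULE...: append RULE only if it is not already
# present, so re-running the script never stacks duplicate rules.
ensure_rule() {
    table=$1; chain=$2; shift 2
    ipt -t "$table" -C "$chain" "$@" 2>/dev/null \
        || ipt -t "$table" -A "$chain" "$@"
}

# enable_forwarding: runtime switch only; persist it in /etc/sysctl.d/ as well.
enable_forwarding() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

# forward_port LISTEN_PORT DEST_IP DEST_PORT [CLIENT_CIDR]
# Connections to LISTEN_PORT on this host from CLIENT_CIDR (default: anywhere)
# are delivered to DEST_IP:DEST_PORT.
forward_port() {
    lport=$1; dest=$2; dport=$3; src=${4:-0.0.0.0/0}

    # 1. nat/PREROUTING: rewrite the destination of the first packet of each
    #    new connection; conntrack then translates the rest of the flow.
    ensure_rule nat PREROUTING -p tcp -s "$src" --dport "$lport" \
        -j DNAT --to-destination "$dest:$dport"

    # 2. filter/FORWARD: the translated packets are routed, not delivered
    #    locally, so a DROP policy here silently kills the forward. Allow this
    #    flow and its replies only, not all forwarding.
    ensure_rule filter FORWARD -p tcp -s "$src" -d "$dest" --dport "$dport" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    ensure_rule filter FORWARD -p tcp -s "$dest" --sport "$dport" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. nat/POSTROUTING: source-NAT so DEST_IP replies through this host even
    #    when its default route points elsewhere. DEST_IP then logs this host's
    #    address instead of the client's; omit this rule if DEST_IP already
    #    routes back via this host and you want the real client address kept.
    ensure_rule nat POSTROUTING -p tcp -d "$dest" --dport "$dport" -j MASQUERADE
}

# Usage (hypothetical addresses):
#   DRY_RUN=1 sh forward.sh 2222 10.0.0.5 22 203.0.113.0/24   # preview
#   sh forward.sh 2222 10.0.0.5 22 203.0.113.0/24             # apply, as root
if [ "$#" -eq 3 ] || [ "$#" -eq 4 ]; then
    enable_forwarding
    forward_port "$@"
fi
```

With DRY_RUN=1 the script prints one -C/-A pair per rule; run it without the variable once the output looks right, and rerun it at any time, since the -C check makes every -A conditional.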

Block all but a range

  • iptables -I OUTPUT -m iprange --dst-range <first_ip>-<last_ip> -j ACCEPT
  • iptables -I INPUT -m iprange --src-range <first_ip>-<last_ip> -j ACCEPT
  • iptables -P INPUT DROP
  • iptables -P OUTPUT DROP
  • netfilter-persistent save

The iprange match takes an inclusive range written as two addresses joined by "-". Insert the ACCEPT rules before switching the policies to DROP, as listed, or the session you are typing in is cut off in between. Note that the DROP policies also block loopback traffic (interface lo), which many local services depend on, and any DNS or package-update traffic outside the range; allow those explicitly if the host needs them.

Block all but one IP

  • iptables -I OUTPUT -d <remote_ip> -j ACCEPT
  • iptables -I INPUT -s <remote_ip> -j ACCEPT
  • iptables -P INPUT DROP
  • iptables -P OUTPUT DROP

Same caveats as the range variant above: the ACCEPT rules go in first, loopback is blocked unless allowed separately, and the rules are lost at reboot unless saved (netfilter-persistent save).

Allow ssh connections only from specific IPs

  • iptables -A INPUT -p tcp --dport 22 -s YourIP -j ACCEPT
  • iptables -A INPUT -p tcp --dport 22 -j DROP
  • netfilter-persistent save

YourIP may be a single address or a CIDR block (for example 203.0.113.0/24); repeat the ACCEPT line for each permitted source, and run the set only once, since -A appends a fresh copy every time. Because both rules are appended, an earlier rule that already accepts port 22 (a generic "allow SSH" rule, say) takes precedence and the DROP never matches; check with iptables -S INPUT and remove or reorder such a rule. Keep the current session open and test from a second one before saving, in case the address was mistyped.
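The two allowlists above (block all but one IP, and SSH only from specific IPs) share one failure mode: a mistyped address locks you out, and both rule sets also forget loopback traffic. The following added example, which is not code from the wiki page, builds the policy as a single iptables-restore file so the whole filter table is replaced atomically, allows lo and established connections first, and applies it with a timed rollback. The 203.0.113.7/32 address, the 60-second timer and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): an allowlist firewall built as
# an iptables-restore file and applied with automatic rollback.
# Requires root to apply; build_ruleset itself only prints text.

set -eu

# build_ruleset ALLOWED_CIDR [SSH_PORT]
# Print a complete filter table in iptables-save format. Rule order matters:
# loopback and already-established flows first, then the allowed peer, and
# only then do the DROP policies (the ":CHAIN DROP" lines) apply to the rest.
build_ruleset() {
    allowed=$1; sshport=${2:-22}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: local services (resolvers, databases, monitoring) need it
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections this host already has, in both directions
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the one permitted peer: SSH in, anything out
-A INPUT -p tcp -s $allowed --dport $sshport -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -d $allowed -j ACCEPT
# record what is about to hit the DROP policy, rate-limited so the log
# cannot be flooded from outside
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# apply_with_rollback RULESET_FILE [SECONDS]
# Snapshot the live rules, load the new table atomically, and arm a timer
# that restores the snapshot unless confirm_rules is called first. Prints
# the snapshot path, which confirm_rules needs.
apply_with_rollback() {
    file=$1; secs=${2:-60}
    snapshot=$(mktemp /tmp/iptables-rollback.XXXXXX)
    iptables-save > "$snapshot"
    iptables-restore < "$file"
    # the snapshot file doubles as the "not yet confirmed" marker
    ( sleep "$secs"; [ -e "$snapshot" ] && iptables-restore < "$snapshot" ) &
    echo "$snapshot"
}

# confirm_rules SNAPSHOT: run from a *new* session opened through the new
# rules; removing the marker disarms the rollback.
confirm_rules() {
    rm -f "$1"
}

# Usage (hypothetical values), as root:
#   sh allowlist.sh build 203.0.113.7/32 22 > rules.v4
#   iptables-restore --test < rules.v4      # parse only, no changes
#   sh allowlist.sh apply rules.v4 60       # prints the snapshot path
#   ... open a fresh SSH session from 203.0.113.7 ...
#   sh allowlist.sh confirm /tmp/iptables-rollback.XXXXXX
case "${1:-}" in
    build)   shift; build_ruleset "$@" ;;
    apply)   shift; apply_with_rollback "$@" ;;
    confirm) shift; confirm_rules "$@" ;;
esac
```

Replacing the table with iptables-restore instead of issuing the rules one by one means there is no window in which the policy is DROP but the ACCEPT rules are not yet in place, and iptables-restore --test rejects a malformed file before anything changes. The generated file is also exactly what netfilter-persistent expects in /etc/iptables/rules.v4.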

Clear iptables rules

[2]

  • iptables -P INPUT ACCEPT
  • iptables -P FORWARD ACCEPT
  • iptables -P OUTPUT ACCEPT
  • iptables -t nat -F
  • iptables -t mangle -F
  • iptables -F
  • iptables -X

The order matters: set the policies to ACCEPT before flushing, otherwise a DROP policy with no ACCEPT rules left cuts off your own connection. -F flushes the rules of every chain in a table (the filter table when -t is omitted; it prints nothing on success), and -X then deletes the now-empty user-defined chains. The raw and security tables are not touched by this list and need their own flush:

  • Flush a single table: iptables -t YOUR_TABLE_NAME -F

The result is a host with no firewall at all, so save the current rules with iptables-save first if you may want them back.

Activities

  1. Read iptables Ubuntu howto: https://help.ubuntu.com/community/IptablesHowTo
  2. Read archlinux documentation: https://wiki.archlinux.org/index.php/iptables
  3. Read Stackoverflow iptables questions: https://stackoverflow.com/questions/tagged/iptables?tab=Votes
  4. Review your current iptables configuration
  5. Save the current ruleset with iptables-save and load it again with iptables-restore; compare the saved file with the configuration you expected.

Related terms

See also

  • http://jensd.be/343/linux/forward-a-tcp-port-to-another-ip-or-port-using-nat-with-iptables
  • https://serverfault.com/a/200658
  • https://serverfault.com/a/608976