Difference between revisions of "Iptables"

From wikieduonline
Latest revision as of 08:15, 26 February 2024

The iptables (1998) command line utility lets you modify Linux kernel firewall rules.

Man page: https://ipset.netfilter.org/iptables.man.html

Tables: filter, nat, mangle, raw and security

Basic commands[edit]

  • List the rules of the filter table: iptables -L
  • Print the rules as iptables-save style commands: iptables -S
  • NAT: iptables -t nat -L
  • iptables-save and iptables-restore
  • apt-get install iptables-persistent
    ◦ iptables-save and iptables-restore (rules saved this way are loaded again at boot)


Options[edit]

  • Add (append to the end of a chain): iptables -A
  • Delete: iptables -D
  • Insert (at the top of a chain, or at a given rule number): iptables -I

Examples[edit]

KVM VNC remote viewer
iptables -t nat -A PREROUTING -i eno1 -p tcp --dport 5900 -j DNAT --to 127.0.0.1:5900
sysctl -w net.ipv4.ip_forward=1
sysctl -p /etc/sysctl.conf


Port forwarding[edit]

[1]

  • iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination IP_DESTINATION
  • iptables -t nat -A POSTROUTING -p tcp -d IP_DESTINATION --dport 2222 -j MASQUERADE
  • echo 1 > /proc/sys/net/ipv4/ip_forward

Other single rules:

  • Block all output traffic on an interface: iptables -A OUTPUT -o ethXXX -j DROP
  • Open a port: iptables -I INPUT -p tcp --dport XXX -j ACCEPT
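The KVM VNC example and the port forwarding list above, combined into one re-runnable script (an added example, not from the wiki page; the interface, port and address values and the forward_port, add_rule and DRY_RUN names are assumptions). It adds the FORWARD rules and the source restriction that the bare DNAT/MASQUERADE pair leaves out, and with DRY_RUN=1 it prints the commands instead of running them:

```shell
#!/bin/sh
# Added example (not from the wiki): idempotent DNAT port forwarding with a
# dry-run mode.  Interface, ports and addresses are placeholders passed as
# arguments; DRY_RUN=1 prints the commands instead of running them.
set -eu

DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# add_rule <table> <chain> <rule...>: append only if no identical rule exists,
# so re-running the script does not stack duplicate rules (-C = check).
add_rule() {
    table=$1; chain=$2; shift 2
    if [ "$DRY_RUN" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    ipt -t "$table" -A "$chain" "$@"
}

# forward_port <in_iface> <public_port> <dest_ip> <dest_port> [allowed_src]
# allowed_src limits who can reach the forwarded service (default: anyone),
# which matters for services such as VNC that have weak or no authentication.
forward_port() {
    in_if=$1; pub_port=$2; dst_ip=$3; dst_port=$4; src="${5:-0.0.0.0/0}"
    # Rewrite the destination of new connections arriving on the public interface.
    add_rule nat PREROUTING -i "$in_if" -s "$src" -p tcp --dport "$pub_port" \
        -j DNAT --to-destination "$dst_ip:$dst_port"
    # Source-NAT the forwarded flow so the target answers back through this host.
    add_rule nat POSTROUTING -p tcp -d "$dst_ip" --dport "$dst_port" -j MASQUERADE
    # The filter table still sees the rewritten packet: FORWARD must allow it
    # (and the replies), or a FORWARD DROP policy silently eats the connection.
    add_rule filter FORWARD -i "$in_if" -p tcp -d "$dst_ip" --dport "$dst_port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    add_rule filter FORWARD -p tcp -s "$dst_ip" --sport "$dst_port" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Nothing is forwarded until the kernel is told to route between interfaces.
    # (Forwarding to 127.0.0.1, as in the VNC example, additionally needs
    #  net.ipv4.conf.<in_iface>.route_localnet=1.)
    if [ "$DRY_RUN" = 1 ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}
```

Run `DRY_RUN=1 forward_port eth0 2222 10.0.0.5 22 203.0.113.0/24` to review the generated rules before applying them as root.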

Block all but a range[edit]

  • iptables -I OUTPUT -m iprange --dst-range <first_ip>-<last_ip> -j ACCEPT
  • iptables -I INPUT -m iprange --src-range <first_ip>-<last_ip> -j ACCEPT
  • iptables -P INPUT DROP
  • iptables -P OUTPUT DROP
  • netfilter-persistent save

Block all but one IP[edit]

  • iptables -I OUTPUT -d <remote_ip> -j ACCEPT
  • iptables -I INPUT -s <remote_ip> -j ACCEPT
  • iptables -P INPUT DROP
  • iptables -P OUTPUT DROP

Allow ssh connections only from specific IPs[edit]

  • iptables -A INPUT -p tcp --dport 22 -s YourIP -j ACCEPT
  • iptables -A INPUT -p tcp --dport 22 -j DROP
  • netfilter-persistent save
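The three lockdown lists above (block all but a range, block all but one IP, SSH only from specific IPs) share one ordering pitfall: the DROP policies must be set after the ACCEPT rules, and loopback and reply traffic need rules of their own or local services and existing sessions break. This added example (not from the wiki; the lockdown and DRY_RUN names and the management addresses are assumptions, and it assumes empty chains, as after the clearing steps below) handles both a single IP or CIDR and an iprange:

```shell
#!/bin/sh
# Added example (not from the wiki): default-deny lockdown that keeps a
# management host reachable.  MGMT is a single IP/CIDR (10.0.0.7) or an
# iprange (10.0.0.10-10.0.0.20); the matching rule type is chosen accordingly.
# Assumes the INPUT/OUTPUT chains are empty.  DRY_RUN=1 prints the commands.
set -eu

DRY_RUN="${DRY_RUN:-0}"

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# lockdown <mgmt> [ssh_port]
lockdown() {
    mgmt=$1; ssh_port="${2:-22}"
    case $mgmt in
        *-*) src="-m iprange --src-range $mgmt"; dst="-m iprange --dst-range $mgmt" ;;
        *)   src="-s $mgmt";                     dst="-d $mgmt" ;;
    esac
    # 1. Loopback first: local services (DNS stubs, databases) talk over lo.
    ipt -A INPUT  -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # 2. Replies to connections this host already has (or opens itself).
    ipt -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. Management host: new SSH sessions in, anything back out to it.
    # $src/$dst are split into several arguments on purpose.
    ipt -A INPUT  $src -p tcp --dport "$ssh_port" -m conntrack --ctstate NEW -j ACCEPT
    ipt -A OUTPUT $dst -j ACCEPT
    # 4. Only now flip the policies: set DROP first and step 3 could not be
    #    typed over a remote session.
    ipt -P INPUT   DROP
    ipt -P OUTPUT  DROP
    ipt -P FORWARD DROP
}
```

After applying for real, save the result with `netfilter-persistent save` as the page shows, and keep a second session open until you have confirmed a fresh SSH login still works.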

Clear iptables rules[edit]

[2]

  • iptables -P INPUT ACCEPT
  • iptables -P FORWARD ACCEPT
  • iptables -P OUTPUT ACCEPT
  • iptables -t nat -F
  • iptables -t mangle -F
  • iptables -F
  • iptables -X


Flush[edit]

  • iptables -F
    (no output)
  • iptables -t nat -F
  • iptables -t YOUR_TABLE_NAME -F

Activities[edit]

  1. Read the Ubuntu iptables howto: https://help.ubuntu.com/community/IptablesHowTo
  2. Read the Arch Linux documentation: https://wiki.archlinux.org/index.php/iptables
  3. Read Stack Overflow iptables questions: https://stackoverflow.com/questions/tagged/iptables?tab=Votes
  4. Review your current iptables configuration
  5. Save and restore it with iptables-save and iptables-restore

Related terms[edit]

  • fail2ban
  • Shorewall
  • arptables
  • resolvconf
  • table, chain
  • IP forwarding
  • eBPF

See also[edit]

  • Firewall commands
  • nftables

  1. http://jensd.be/343/linux/forward-a-tcp-port-to-another-ip-or-port-using-nat-with-iptables
  2. https://serverfault.com/a/200658
  3. https://serverfault.com/a/608976