IPTables is the command-line utility that is the standard interface for managing the Linux netfilter firewall for IPv4 (ip6tables is the IPv6 counterpart; nftables is the successor of both).
Options for working with chains:
-A – append a rule to the end of a chain.
-I – insert a rule at a given position (position 1, the top, if none is given).
-D – delete a rule, either by its exact specification or by its line number.
-R – replace the rule at a given line number.
-F – flush (delete) all rules of a chain, or of every chain in the table when no chain is named.
-P – set the default policy of a built-in chain (what happens to packets no rule matched).
-L – list the rules.
Built-in chains of the filter table:
INPUT – traffic addressed to this host.
OUTPUT – traffic generated by this host.
FORWARD – forwarded (transit) traffic routed through this host.
Match options:
-p – protocol: all, icmp, tcp, udp (or any name from /etc/protocols).
-s – source IP address or network.
-d – destination IP address or network.
-i – interface the packet arrived on (INPUT, FORWARD, PREROUTING).
-o – interface the packet leaves through (OUTPUT, FORWARD, POSTROUTING).
--sport – source port (requires -p tcp or -p udp).
--dport – destination port (requires -p tcp or -p udp).
Actions (targets, selected with -j):
ACCEPT – let the packet through.
REJECT – discard the packet and tell the sender (ICMP port unreachable by default, or a TCP reset with --reject-with tcp-reset).
DROP – discard the packet silently; the sender only sees a timeout. It costs less CPU than REJECT under floods and is the usual choice for the Internet-facing side, while REJECT gives clients on your own network a fast failure instead of a hang.
RETURN – stop traversing the current chain and continue in the chain that called it, right after the jump; in a built-in chain the chain policy applies.
MARK and CONNMARK – set a mark on the packet or on its connection (mangle table).
LOG – log the packet headers through the kernel log (syslog or dmesg). Non-terminating: the packet continues with the next rule.
Examples of viewing the rules (-n skips DNS lookups, -v shows counters and interfaces, --line-numbers shows the numbers used with -D, -I and -R):
iptables -nvL
iptables -nvL | grep 192.168.0
iptables -n -L -v --line-numbers
iptables -L INPUT -n -v
iptables -L OUTPUT -n -v --line-numbers
iptables -L OUTPUT -n --line-numbers | less
iptables -L OUTPUT -n --line-numbers | grep 192.168.2.14
iptables -L INPUT --line-numbers
ip6tables -nvL
ip6tables -t filter -nvL
iptables -S
iptables -t raw -S
iptables -t mangle -S
iptables -L -t nat
iptables -L -t mangle
Examples of deleting rules:
iptables -D INPUT 3
iptables -D INPUT -s 192.168.2.14 -j DROP
An example of inserting a rule at position 1 (the top) of the INPUT chain; list with line numbers first to see what it will precede:
iptables -nL --line-numbers
iptables -I INPUT 1 -s 1.2.3.4/32 -m comment --comment "ixnfo.com" -j ACCEPT
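Deleting by specification only succeeds when the spec matches the stored rule exactly, and deleting several rules by line number shifts the numbers of the rules below each deletion. A way around both, as an added example that is not part of the original article: generate the delete commands from iptables-save output, which already holds every rule in its exact stored form and tells you which table it lives in. The ruleset inside the script is constructed for the demonstration; on a live host feed real iptables-save output instead.

```shell
#!/bin/sh
# Added example (not from the original article): turn iptables-save output into the
# exact "iptables -D" commands that remove every rule mentioning a pattern.
# The *table lines of the dump decide whether "-t nat" / "-t mangle" is needed.

# Usage: gen_delete_cmds PATTERN < iptables-save-output
gen_delete_cmds() {
    awk -v pat="$1" '
        /^\*/  { table = substr($0, 2); next }        # "*nat" line: remember the table
        /^-A / && index($0, pat) {                     # plain substring match, not a regex
            cmd = "iptables"
            if (table != "filter") cmd = cmd " -t " table
            sub(/^-A /, "")                            # "-A CHAIN ..." -> "CHAIN ..."
            print cmd " -D " $0
        }
    '
}

# Constructed sample dump standing in for `iptables-save` on a real host.
SAMPLE_RULES='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 10.50.50.2/32 -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.0.18:81
-A POSTROUTING -s 192.168.0.18/32 -o eth0 -j SNAT --to-source 10.50.50.2
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.168.2.14/32 -m comment --comment "blocked host" -j DROP
-A INPUT -s 192.168.2.14/32 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT'

# Delete commands for the sample dump (on a live host: iptables-save | gen_delete_cmds "$1").
delete_cmds_for() {
    printf '%s\n' "$SAMPLE_RULES" | gen_delete_cmds "$1"
}

# Number of rules the pattern would remove.
count_delete_cmds() {
    delete_cmds_for "$1" | grep -c ''
}

# Dry run: show what would be deleted for the blocked host and for the forwarded host.
delete_cmds_for 192.168.2.14
delete_cmds_for 192.168.0.18
```

Review the output before piping it to sh (`iptables-save | gen_delete_cmds 192.168.2.14 | sh`); the match is a substring match, so 192.168.2.1 would also hit 192.168.2.14.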
A simple source-NAT rule (10.0.0.0/24 is the local network, 10.50.50.1 the address facing the Internet; --persistent keeps the same mapping for each client):
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 10.50.50.1 --persistent
An example of removing and adding NAT rules that translate to a range of addresses (the -D specification must match the stored rule exactly):
iptables -t nat -D POSTROUTING -s 172.16.2.0/16 -o eth1 -j SNAT --to-source 192.168.1.251-192.168.1.254 --persistent
iptables -t nat -A POSTROUTING -s 172.16.2.0/17 -o eth1 -j SNAT --to-source 192.168.1.218-192.168.1.222 --persistent
If NAT is configured and you need to forward a port to a local IP (192.168.0.18 is the local host, 10.50.50.2 the address on eth0 facing the Internet). DNAT only rewrites the destination: the packet then passes through the FORWARD chain, so with a DROP policy there a FORWARD rule accepting tcp/81 to 192.168.0.18 is also required, and net.ipv4.ip_forward must be enabled:
iptables -t nat -A PREROUTING -d 10.50.50.2/32 -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.0.18:81
Suppose NAT for the network 192.168.0.0/24 goes through 10.50.50.1, and 192.168.0.18 alone must go out through 10.50.50.2. POSTROUTING rules are matched in order and the first match wins, so the more specific /32 rule has to be inserted ahead of the existing /24 rule (-I rather than -A, which would append it after the /24 rule where it never matches):
iptables -t nat -I POSTROUTING -s 192.168.0.18/32 -o eth0 -j SNAT --to-source 10.50.50.2
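A DNAT rule on its own does not make the forward work. As an added example (not the article's own configuration), here is the whole set in iptables-restore form, which is applied atomically: the DNAT rule, the SNAT for the LAN, the FORWARD rules that a DROP policy requires, and the ip_forward sysctl. The addresses are the ones the article uses; eth0 as the Internet interface and eth1 as the LAN interface are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: everything a DNAT port forward needs,
# assembled as one iptables-restore ruleset (nat + filter tables, replaced atomically).
# Assumed: eth0 faces the Internet with 10.50.50.2, eth1 is the LAN side,
# 192.168.0.0/24 is the LAN, 192.168.0.18:81 is the forwarded service.

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.0.0/24
WAN_IP=10.50.50.2
FWD_HOST=192.168.0.18
FWD_PORT=81

nat_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# port forward: ${WAN_IP}:${FWD_PORT} -> ${FWD_HOST}:${FWD_PORT} (destination rewritten before routing)
-A PREROUTING -d ${WAN_IP}/32 -i ${WAN_IF} -p tcp -m tcp --dport ${FWD_PORT} -j DNAT --to-destination ${FWD_HOST}:${FWD_PORT}
# source NAT for the whole LAN behind the WAN address (replies are un-NATed by conntrack)
-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j SNAT --to-source ${WAN_IP}
COMMIT
*filter
# INPUT is left at ACCEPT here so applying this example cannot lock you out;
# harden the host's own INPUT chain separately.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to anything already forwarded, in both directions
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN -> Internet
-A FORWARD -i ${LAN_IF} -o ${WAN_IF} -s ${LAN_NET} -j ACCEPT
# Internet -> forwarded host; FORWARD sees the packet after DNAT, so match the internal address
-A FORWARD -i ${WAN_IF} -o ${LAN_IF} -d ${FWD_HOST} -p tcp --dport ${FWD_PORT} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules the generated ruleset carries for a chain (self-check helper).
rules_in_chain() {
    nat_ruleset | grep -c "^-A $1 "
}

case "${1:-}" in
    --apply)
        sysctl -w net.ipv4.ip_forward=1      # routing between interfaces is off by default
        nat_ruleset | iptables-restore       # replaces the nat and filter tables in one step
        ;;
    *)
        nat_ruleset                          # dry run: print the ruleset for review
        ;;
esac
```

Run it without arguments to review the generated rules, with --apply to load them; iptables-restore replaces the listed tables wholesale, so any other nat or FORWARD rules on the host must be merged in first.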
Full reset of the rules (careful: -F flushes only the filter table and does not touch chain policies, so with a DROP policy on INPUT you lose remote access the moment the rules are gone; set the policies to ACCEPT first, and flush the nat and mangle tables with -t if needed):
iptables -F
Service management (the iptables service comes with the iptables-services package on RHEL/CentOS; Debian/Ubuntu use netfilter-persistent or iptables-persistent instead):
service iptables stop/start/restart/save
Example of rules allowing pop3 and pop3s:
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT
Example for imap, imaps:
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
Setting the default INPUT and FORWARD policies to DROP (careful: do this only after the rules that keep your own management session alive, at minimum an ESTABLISHED,RELATED rule and your SSH port, are in place, otherwise the policy cuts off remote access):
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
To allow ping (this accepts every ICMP type, not only echo; use --icmp-type echo-request if only ping should pass):
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT
Examples of blocking and unblocking an IP address or network:
iptables -A INPUT -s xx.xx.xx.xx -j DROP
iptables -A INPUT -s xx.xx.xx.xx/24 -j DROP
iptables -A INPUT -s xx.xx.xx.xx/24 -j REJECT --reject-with icmp-port-unreachable
iptables -D INPUT -s xx.xx.xx.xx -j DROP
When adding a rule, it is advisable to add a comment, for example:
iptables -A INPUT -s xx.xx.xx.xx -m comment --comment "text" -j DROP
Limiting the number of simultaneous connections from one source address to 200 on a specific port, for example 443 and 80 (--connlimit-mask 32 counts per single address, --connlimit-mask 24 would count per /24; connlimit walks the connection table and can load the CPU heavily under very high traffic):
iptables -A INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 200 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 80 -m connlimit --connlimit-above 200 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 80 -j ACCEPT
Opening port 80 with a packet rate limit (limit counts packets, not connections: up to 50 per second plus a burst of 5 by default are accepted, anything above that falls through to the following rules and the chain policy; add --syn to count only connection attempts):
iptables -A INPUT -p tcp --dport 80 -m limit --limit 50/second -j ACCEPT
If several ports must be specified in one rule, use the multiport match (up to 15 ports or port ranges per rule), for example:
-m multiport --dports 80,8080
An example of marking packets (mangle table; the mark exists only inside the kernel and can be used by later rules or by policy routing with ip rule fwmark):
iptables -t mangle -A PREROUTING -s 192.168.5.0/24 -j MARK --set-mark 38
An option for trapping port scans: a source that sends a TCP packet to any port other than the allowed ones (here 80 and 443) is recorded in the recent table STOPSCAN and all of its packets are dropped for 300 seconds. Rule order matters: the ESTABLISHED,RELATED rule must come before the trap, otherwise replies to this host's own outgoing connections, which arrive on ephemeral ports, mark the remote side as a scanner. Note also that the third rule accepts everything arriving on eth0, so the trap only applies to other interfaces; that blanket accept belongs on a trusted interface (loopback or LAN), not on the Internet-facing one:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p all -i eth0 -j ACCEPT
iptables -A OUTPUT -p all -o eth0 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m recent --rcheck --seconds 300 --name STOPSCAN -j DROP
iptables -A INPUT -p tcp -m multiport ! --dports 80,443 -m recent --set --name STOPSCAN -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
iptables -A OUTPUT -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
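The INPUT recipes above (default DROP policy, ping, the mail ports, connlimit, multiport, the recent scan trap) combined into one ruleset in iptables-restore format, as an added example that is not the article's own; it shows the ordering that keeps the host reachable: loopback and ESTABLISHED,RELATED first, then the management port, then the scan trap, then the published services. The admin address 203.0.113.10 and port 22 for management are assumptions; the service ports and the 300-second trap come from the article. It uses -m conntrack --ctstate, the current form of -m state --state.

```shell
#!/bin/sh
# Added example, not from the original article: a stateful INPUT ruleset that combines
# the article's recipes with the ordering that keeps the host reachable.
# Assumed: 203.0.113.10 is the admin address (constructed placeholder) and SSH is on 22.

ADMIN_NET=203.0.113.10/32
WEB_PORTS=80,443
MAIL_PORTS=110,995,143,993

filter_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback and replies to the host's own connections come first; placed below the
#    scan trap, return packets to ephemeral ports would tag the peer as a scanner
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 2. management access before any rule that can drop the admin's address
-A INPUT -s ${ADMIN_NET} -p tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "admin ssh" -j ACCEPT
# 3. ping: echo requests only, rate-limited; ICMP errors for our connections are RELATED and already pass
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# 4. scan trap: a source seen on a port we do not publish is dropped for 300 s
-A INPUT -m recent --name STOPSCAN --rcheck --seconds 300 -j DROP
-A INPUT -p tcp -m multiport ! --dports ${WEB_PORTS},${MAIL_PORTS} -m recent --name STOPSCAN --set -j DROP
# 5. published services: per-source connection cap, then accept new connections
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -m connlimit --connlimit-above 200 --connlimit-mask 32 -j DROP
-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports ${MAIL_PORTS} -m conntrack --ctstate NEW -j ACCEPT
# 6. log what falls through (rate-limited) before the DROP policy applies
-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Position (1-based, among the -A INPUT rules) of the first rule containing a string;
# prints 0 when no rule matches. Used to check the ordering the comments rely on.
rule_position() {
    pos=$(filter_ruleset | grep '^-A INPUT ' | grep -n -- "$1" | head -n1 | cut -d: -f1)
    echo "${pos:-0}"
}

case "${1:-}" in
    --apply) filter_ruleset | iptables-restore ;;          # atomic replace of the filter table
    --check) filter_ruleset | iptables-restore --test ;;   # parse only, change nothing
    *)       filter_ruleset ;;                              # dry run: print for review
esac
```

Run it without arguments to print the ruleset, with --check to have iptables-restore parse it without applying, and with --apply to replace the filter table; keep a second session open the first time, since a mistake in the admin rule locks you out.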
You can back up the rules to a file and restore them from it with these commands (the saved text is exactly the format iptables-restore reads):
iptables-save > iptables.dump
iptables-restore < iptables.dump
ip6tables-save > ip6tables.dump
ip6tables-restore < ip6tables.dump
You can search the rules for a string like this:
iptables-save|grep 172.16.2.0/24
Since RPC services (rpcbind/portmapper, registered on port 111) have a history of vulnerabilities, it is better to close port 111 from outside (and better still to open only the necessary ports and set the default INPUT policy to DROP). rpcinfo shows which RPC programs are registered:
rpcinfo -p localhost
/sbin/iptables -A INPUT -p tcp --dport 111 -j DROP
/sbin/iptables -A INPUT -p udp --dport 111 -j DROP
See also my articles:
IPTables rules for: Accel-ppp, BGP, DHCP, DNS, FreeRADIUS, WEB, Asterisk, TFTP, SSH, Samba, FTP, NTP and SNTP, SNMP, MySQL, ntopng, nprobe, Zabbix
- How to save IPTables rules
- Installing and using ipset
- Blocking by MAC address
- Setting up nftables
- Others tagged with iptables
- Logging activity using IPTables
- The solution to the error “Another app is currently holding the xtables lock”
Look for iptables rules for other services in my articles on installing those services.