How to configure IPTables

IPTables is the command-line utility that is the standard interface for managing the Linux (netfilter) firewall.

Options for working with chains:
-A – append a new rule to the end of a chain.
-I – insert a rule at the beginning of a chain (or at a given position).
-D – delete a rule.
-F – flush (remove) all rules.
-R – replace a rule.
-P – set the default policy of a chain.
-L – list all rules.

INPUT – incoming traffic.
OUTPUT – outgoing traffic.
FORWARD – forwarded (transit) traffic.

Options:
-p – protocol: all, icmp, tcp or udp.
-s – source IP address / host.
-d – destination IP address / host.
-i – interface on which the packet arrived.
-o – interface through which the packet leaves.
--sport – source port (requires -p tcp or -p udp).
--dport – destination port (requires -p tcp or -p udp).

Actions (targets):
ACCEPT – allow the packet.
REJECT – block the packet and send an error reply to the sender.
DROP – silently discard the packet (less CPU load under mass requests, so it is usually preferred over REJECT).

Examples of viewing the rules:

iptables -nvL
iptables -n -L -v --line-numbers
iptables -L INPUT -n -v
iptables -L OUTPUT -n -v --line-numbers
iptables -L OUTPUT -n --line-numbers | less
iptables -L OUTPUT -n --line-numbers | grep 192.168.2.14
iptables -L INPUT --line-numbers

ip6tables -nvL
ip6tables -t filter -nvL

View NAT and mangle rules:

iptables -L -t nat
iptables -L -t mangle

Examples of deleting rules:

iptables -D INPUT 3
iptables -D INPUT -s 192.168.2.14 -j DROP

I will give an example of a simple NAT rule (where 10.0.0.0/24 is the local network and 10.50.50.1 is the Internet-facing address):

iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 10.50.50.1 --persistent

An example of removing and adding NAT rules:

iptables -t nat -D POSTROUTING -s 172.16.2.0/16 -o eth1 -j SNAT --to-source 192.168.1.251-192.168.1.254 --persistent
iptables -t nat -A POSTROUTING -s 172.16.2.0/17 -o eth1 -j SNAT --to-source 192.168.1.218-192.168.1.222 --persistent

If NAT is configured and you need to forward a port to a local IP (where 192.168.0.18 is the local IP and 10.50.50.2 is the Internet-facing address on eth0):

iptables -t nat -A PREROUTING -d 10.50.50.2/32 -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.0.18:81

Suppose NAT for the network 192.168.0.0/24 is configured through 10.50.50.1, but 192.168.0.18 must go out through 10.50.50.2 instead:

iptables -t nat -A POSTROUTING -s 192.168.0.18/32 -o eth0 -j SNAT --to-source 10.50.50.2
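The SNAT and DNAT rules above only cover the nat table; when the FORWARD policy is DROP (as set later in this article), the forwarded port also needs matching FORWARD rules, because the translated packet still traverses FORWARD with its new destination. The script below is an added example, not code from the original article: it generates both parts as an iptables-restore fragment. The addresses, interface name and port are placeholders chosen for the example, and applying the result requires root, net.ipv4.ip_forward=1 and the iptables tools (generating it does not).

```shell
#!/bin/sh
# Added example (not from the original article): nat-table rules for SNAT plus a
# DNAT port forward, together with the FORWARD rules the forward needs when the
# FORWARD policy is DROP. All values below are placeholders for the example.
LAN_NET="10.0.0.0/24"      # internal network behind the router
WAN_IF="eth0"              # Internet-facing interface
PUBLIC_IP="10.50.50.2"     # public address on WAN_IF
INSIDE_HOST="10.0.0.18"    # internal server that receives the forwarded port
FWD_PORT="81"              # TCP port published on PUBLIC_IP

# nat table: masquerade outbound LAN traffic to PUBLIC_IP, and rewrite the
# destination of inbound connections to PUBLIC_IP:FWD_PORT.
nat_rules() {
    printf '%s\n' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        "-A PREROUTING -d ${PUBLIC_IP}/32 -i ${WAN_IF} -p tcp --dport ${FWD_PORT} -j DNAT --to-destination ${INSIDE_HOST}:${FWD_PORT}" \
        "-A POSTROUTING -s ${LAN_NET} -o ${WAN_IF} -j SNAT --to-source ${PUBLIC_IP}" \
        'COMMIT'
}

# filter table, FORWARD chain only: replies ride on conntrack state, new inbound
# connections are allowed only to the published host and port, and the LAN may
# initiate anything outbound. (A full restore flushes the listed tables, so merge
# this with the host's other filter rules rather than loading it alone.)
forward_rules() {
    printf '%s\n' \
        '*filter' \
        ':FORWARD DROP [0:0]' \
        '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A FORWARD -i ${WAN_IF} -d ${INSIDE_HOST} -p tcp --dport ${FWD_PORT} -m conntrack --ctstate NEW -j ACCEPT" \
        "-A FORWARD -s ${LAN_NET} -o ${WAN_IF} -j ACCEPT" \
        'COMMIT'
}

# Complete restore text (apply with: build_nat_ruleset | iptables-restore).
build_nat_ruleset() {
    nat_rules
    forward_rules
}

# Number of rule lines (-A ...) in the generated text; used as a sanity check.
count_rules() {
    build_nat_ruleset | grep -c '^-A '
}

build_nat_ruleset
```

The DNAT rule on its own is what the article shows; the two NEW/ESTABLISHED FORWARD rules are what make it work once FORWARD defaults to DROP.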

Flush all rules in the filter table (be careful with this command):

iptables -F

Service management:

service iptables stop/start/restart/save

Example of allow rules for pop3 and pop3s:

iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT

Example for imap and imaps:

iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT

Setting the default INPUT and FORWARD policies to DROP (be careful with these rules; allow rules for your own access must be in place first):

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

To allow ping:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

Examples of blocking and unblocking an IP address or network:

iptables -A INPUT -s xx.xx.xx.xx -j DROP
iptables -A INPUT -s xx.xx.xx.xx/24 -j DROP
iptables -A INPUT -s xx.xx.xx.xx/24 -j REJECT --reject-with icmp-port-unreachable
iptables -D INPUT -s xx.xx.xx.xx -j DROP

Limit the number of simultaneous connections from one source address to 200 on a given port, for example 443 and 80:

iptables -A INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 200 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 80 -m connlimit --connlimit-above 200 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 80 -j ACCEPT

Opening port 80 with a rate limit (at most 50 matching packets per second are accepted; the rest fall through to the following rules):

iptables -A INPUT -p tcp --dport 80 -m limit --limit 50/second -j ACCEPT

If you need to specify several ports in one rule, add the multiport match, for example:

-m multiport --dports 80,8080
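The rules in the sections above (default DROP policies, ICMP, the mail ports, connlimit, multiport) are given one command at a time; the script below is an added example, not code from the original article, that puts them together into one stateful INPUT ruleset in iptables-restore format and applies it only after a dry run with iptables-restore --test. It uses the conntrack match, the modern equivalent of the -m state match used in this article, and adds a rate-limited LOG rule so that what the default DROP discards is visible in the kernel log. The interface name, port lists and limits are placeholders chosen for the example; generating the text runs anywhere, applying it needs root and the iptables tools.

```shell
#!/bin/sh
# Added example (not from the original article): build a stateful INPUT ruleset
# with a DROP default policy in iptables-restore format, then apply it only after
# a dry run. The values below are placeholders for the example.
WAN_IF="eth0"
SSH_PORT="22"
WEB_PORTS="80,443"              # comma-separated, handed to -m multiport
MAIL_PORTS="110,995,143,993"    # pop3, pop3s, imap, imaps
PER_IP_CONN_LIMIT="200"         # connlimit threshold per source /32

# Print the ruleset. Order matters: loopback and already-tracked traffic first,
# then the per-source connection cap on the web ports, then the NEW connections
# we accept, and finally a rate-limited LOG before the default DROP takes over.
build_filter_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp -m icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT' \
        "-A INPUT -i ${WAN_IF} -p tcp -m multiport --dports ${WEB_PORTS} -m connlimit --connlimit-above ${PER_IP_CONN_LIMIT} --connlimit-mask 32 -j DROP" \
        "-A INPUT -p tcp -m multiport --dports ${WEB_PORTS},${MAIL_PORTS} -m conntrack --ctstate NEW -j ACCEPT" \
        "-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT" \
        '-A INPUT -m limit --limit 2/minute -j LOG --log-prefix "input-drop: "' \
        'COMMIT'
}

# Number of ACCEPT rules in INPUT; used to sanity-check the generated text.
count_input_accepts() {
    build_filter_ruleset | grep -c '^-A INPUT .* -j ACCEPT$'
}

# Dry run with iptables-restore --test (parse and build the ruleset without
# committing it), and only then commit. Needs root and the iptables tools.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    build_filter_ruleset > "$tmp"
    iptables-restore --test "$tmp" && iptables-restore "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

build_filter_ruleset
```

Because ESTABLISHED,RELATED is accepted before the connlimit rule, connlimit only ever sees connection attempts, which is what the 200-connection cap is meant to count; the SSH rule is deliberately kept separate from the multiport list so it can be restricted to a management network later.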

An example of marking packets (mangle table):

iptables -t mangle -A PREROUTING -s 192.168.5.0/24 -j MARK --set-mark 38

An option for blocking port scans (a source IP that sends TCP packets to ports other than the allowed ones is blocked for 300 seconds). Note that the two "-p all" rules for eth0 accept everything on that interface before the recent-module rules are reached, so the scan trap only affects traffic arriving on other interfaces:

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p all -i eth0 -j ACCEPT
iptables -A OUTPUT -p all -o eth0 -j ACCEPT
iptables -A INPUT -m recent --rcheck --seconds 300 --name STOPSCAN -j DROP
iptables -A INPUT -p tcp -m multiport ! --dports 80,443 -m recent --set --name STOPSCAN -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

You can back up the rules to a file and restore them from it with these commands:

iptables-save > iptables.dump
iptables-restore < iptables.dump

ip6tables-save > ip6tables.dump
ip6tables-restore < ip6tables.dump

You can search the rules for a string as follows:

iptables-save|grep 172.16.2.0/24
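Searching an iptables-save dump with grep finds a string, but it does not tell you whether a rule can ever match. The script below is an added example, not code from the original article: it reads iptables-save output and reports rules that sit after an interface-wide ACCEPT or DROP in the same chain (a rule with only -i or -o and the verdict), since those rules are unreachable for packets on that interface. It is run here over a constructed dump of the port-scan ruleset above, in the form iptables-save would print it (the rule text and counters are made up for the example), and the same function can be fed a live dump with iptables-save | find_shadowed. The check is a heuristic on iptables-save syntax, not a full rule-semantics analysis.

```shell
#!/bin/sh
# Added example (not from the original article): find rules in an iptables-save
# dump that are shadowed by an earlier interface-wide verdict in the same chain.

# Constructed sample dump: the article's port-scan ruleset as iptables-save would
# render it (iptables-save omits "-p all"; counters and order are illustrative).
sample_dump() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample for this example)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -j ACCEPT
-A INPUT -m recent --rcheck --seconds 300 --name STOPSCAN --rsource -j DROP
-A INPUT -p tcp -m multiport ! --dports 80,443 -m recent --set --name STOPSCAN --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save dump on stdin and print one line per shadowed rule.
# A "catch-all" is a rule whose only match is -i IFACE or -o IFACE (optionally
# with -p all) and whose target is ACCEPT or DROP. Every later rule in that chain
# with no interface match, or the same interface, can never see a packet from
# that interface. Heuristic: it keys on the textual form iptables-save prints.
find_shadowed() {
    awk '
    /^\*/     { table = substr($0, 2); split("", catchall); next }
    /^COMMIT/ { split("", catchall); next }
    /^-A / {
        chain = $2
        # interface this rule is restricted to ("" if it has none)
        own = ""
        if (match($0, /-[io] [^ ]+/)) own = substr($0, RSTART + 3, RLENGTH - 3)
        if ((chain in catchall) && (own == "" || own == catchall[chain]))
            printf "%s/%s: %s  [unreachable for packets on %s]\n", table, chain, $0, catchall[chain]
        # remember the first interface-wide verdict seen in this chain
        if (!(chain in catchall) && $0 ~ /^-A [^ ]+ (-p all )?-[io] [^ ]+ (-p all )?-j (ACCEPT|DROP)$/)
            catchall[chain] = own
    }'
}

# Number of shadowed rules in the constructed sample (used as a sanity check).
shadowed_count() {
    sample_dump | find_shadowed | grep -c ''
}

sample_dump | find_shadowed
```

On the sample every rule after "-A INPUT -i eth0 -j ACCEPT", including both STOPSCAN rules, is reported for eth0, and the OUTPUT state rule is reported for the same reason; moving the interface-wide ACCEPT below the recent-module rules, or restricting it to a trusted interface that is not the one being scanned, makes the trap effective.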

Since RPC services have had vulnerabilities, it is better to close port 111 (and better still, open only the necessary ports and set the default INPUT policy to DROP). rpcinfo shows which RPC services are registered:

rpcinfo -p localhost
/sbin/iptables -A INPUT -p tcp --dport 111 -j DROP
/sbin/iptables -A INPUT -p udp --dport 111 -j DROP

See also my articles:
IPTables rules for: Accel-ppp, DHCP, DNS, FreeRADIUS, WEB, Asterisk, TFTP, SSH, Samba, FTP, NTP and SNTP, MySQL, ntopng, nprobe, Zabbix
Installing and using ipset
Logging activity using IPTables
The solution to the error “Another app is currently holding the xtables lock”

Iptables rules for other services can be found in my articles on installing those services.
