How to configure IPTables

IPTables is a command line utility that is the standard interface for managing the firewall.

Keys for working with chains:
-A – add a new rule.
-D – delete the rule.
-F – remove all rules.
-R – replace the rule.
-L – list all rules.

INPUT – incoming traffic.
OUTPUT – outgoing traffic.
FORWARD – forwarded (transit) traffic.

Options:
-p – protocol, can be all, icmp, tcp, udp.
-s – source ip address / host.
-d – destination ip address / host.
-i – interface to which the packet came.
-o – the interface from which the packet leaves.
–sport – source port.
–dport – destination port.

Actions:
ACCEPT – allow packets.
REJECT – block packets with a failure message.
DROP – block packets (less CPU load for mass requests, a higher priority option than REJECT).
RETURN – stop checking the current chain and continue with the parent.
MARK and CONNMARK – labeling packets.
LOG – packet logging in syslog.

Examples of viewing the rules:

iptables -nvL
iptables -nvL | grep 192.168.0
iptables -n -L -v --line-numbers
iptables -L INPUT -n -v
iptables -L OUTPUT -n -v --line-numbers
iptables -L OUTPUT -n --line-numbers | less
iptables -L OUTPUT -n --line-numbers | grep 192.168.2.14
iptables -L INPUT --line-numbers

ip6tables -nvL
ip6tables -t filter -nvL

View NAT and mangle rules:

iptables -L -t nat
iptables -L -t mangle

Examples of deleting rules:

iptables -D INPUT 3
iptables -D INPUT -s 192.168.2.14 -j DROP

I will give an example of a simple NAT rule (where 10.0.0.0/24 is a local area network, and 10.50.50.1 looks on the Internet):

iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 10.50.50.1 --persistent

An example of removing and adding NAT rules:

iptables -t nat -D POSTROUTING -s 172.16.2.0/16 -o eth1 -j SNAT --to-source 192.168.1.251-192.168.1.254 --persistent
iptables -t nat -A POSTROUTING -s 172.16.2.0/17 -o eth1 -j SNAT --to-source 192.168.1.218-192.168.1.222 --persistent

If NAT is configured and you need to forward the port to the local IP (where 192.168.0.18 is the local IP, and 10.50.50.2 looks at eth0 on the Internet):

iptables -t nat -A PREROUTING -d 10.50.50.2/32 -i eth0 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.0.18:81

Suppose NAT for the network 192.168.0.0/24 is configured through 10.50.50.1, and 192.168.0.18 must be started through 10.50.50.2:

iptables -t nat -A POSTROUTING -s 192.168.0.18/32 -o eth0 -j SNAT --to-source 10.50.50.2

Full reset rules (carefully with this rule):

iptables -F

Service Management:

service iptables stop/start/restart/save

Example of allowing rules for pop3, pop3s:

iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -j ACCEPT

Example for imap, imaps:

iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT

Setting the default INPUT and FORWARD policies to drop (careful with these rules):

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

To allow ping:

iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

Examples of blocking and unblocking an IP address or network:

iptables -A INPUT -s xx.xx.xx.xx -j DROP
iptables -A INPUT -s xx.xx.xx.xx/24 -j DROP
iptables -A INPUT -s xx.xx.xx.xx/24 -j REJECT --reject-with icmp-port-unreachable
iptables -D INPUT -s xx.xx.xx.xx -j DROP

When adding a rule, it is advisable to add a comment, for example:

iptables -A INPUT -s xx.xx.xx.xx -m comment --comment "text" -j DROP

Limit the number of connections to 200 per specific port, for example, 443 and 80 (note that connlimit with very high traffic can heavily load the processor):

iptables -A INPUT -p tcp -m tcp --dport 443 -m connlimit --connlimit-above 200 --connlimit-mask 32 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT

iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 80 -m connlimit --connlimit-above 200 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -p tcp --dport 80 -j ACCEPT

Opening port 80 with connection limits:

iptables -A INPUT -p tcp --dport 80 -m limit --limit 50/second -j ACCEPT

If you need to specify several ports in the rule, then you need to add multiport, for example:

-m multiport --dports 80,8080

An example of labeling packages:

iptables -t mangle -A PREROUTING -s 192.168.5.0/24 -j MARK --set-mark 38

Option to prohibit port scanning (IP is blocked for 300 seconds, from which packets come in addition to the allowed ports):

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p all -i eth0 -j ACCEPT
iptables -A OUTPUT -p all -o eth0 -j ACCEPT
iptables -A INPUT -m recent --rcheck --seconds 300 --name STOPSCAN -j DROP
iptables -A INPUT -p tcp -m multiport ! --dports 80,443 -m recent --set --name STOPSCAN -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT
iptables -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

You can backup the rules to a file, and also restore them from it with the commands:

iptables-save > iptables.dump
iptables-restore < iptables.dump

ip6tables-save > ip6tables.dump
ip6tables-restore < ip6tables.dump

You can search the text according to the rules as follows:

iptables-save|grep 172.16.2.0/24

Since there may be vulnerabilities through RPC, it is better to close port 111 (and even better to open only the necessary ports and make the default INPUT DROP):

rpcinfo -p localhost
/sbin/iptables -A INPUT -p tcp --dport 111 -j DROP
/sbin/iptables -A INPUT -p udp --dport 111 -j DROP

See also my articles:
IPTables rules for: Accel-ppp, BGP, DHCP, DNS, FreeRADIUS, WEB, Asterisk, TFTP, SSH, Samba, FTP, NTP and SNTP, SNMP, MySQL, ntopng, nprobe, Zabbix

Iptables rules for other services are looking for in my articles on installing these services.

Leave a comment

Leave a Reply