Iptables

quick 'n dirty guide to iptables as a firewall

list rules: iptables --list

save rules: (they will not stay when your interface goes down) iptables-save > /etc/iptalbes.conf

restore rules: iptables-restore < /etc/iptables.conf

auto appy rules: echo "iptables-restore < /etc/iptables" > /etc/network/if-up.d/iptables chmod +x /etc/network/if-up.d/iptables

after you make changes do not forget to save them with iptables-save > /etc/iptalbes.conf

set default policy: iptables -P INPUT DROP iptables -P OUTPUT ACCEPT

accept established connections: (let what goes out come back in) iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

-A adds a rule to the end of a chain replace with a -I to add a rule at the begenning of a chain

allow communication through loopback or localhost: iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT

the interface will not show in iptables --list so this will look broken. iptables -S will tell the true story

allow ssh in: iptables -A INPUT -p tcp --dport 22 -j ACCEPT

allow ssh from a specific network: iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 22 -j ACCEPT

allow ping from outside to inside: iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

allow ping from inside to outside: iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

find more filters: man iptables many options starting with a -- require a module to be called ahead of it ex: iptables -I OUTPUT --uid-owner 1000 -j ACCEPT will fail with an unknown option "--uid-owner" if you load the correct moudle first, iptables -I OUTPUT -m owner --uid-owner 1000 -j ACCEPT it will work.

log dropped packets: iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUTPUT_DROP: " --log-level 7 --log-ip-options

the order of rules matters rules are processed from top down when an ACCEPT or DROP is hit processing of a packet will stop

misc blocks for common attacks: iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -I INPUT -f -j DROP iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP

block DoS attacks: iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

other cool stuff:

load balance web traffic: iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443 iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443 iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

allow a specific user access through a port: iptables -I OUTPUT -p tcp --dport 80 -m owner --uid-owner 1000 -j ACCEPT

allow a specific process access through a port: iptables -I OUTPUT -p tcp --dport 23 -m owner --pid-owner 23945 -j ACCEPT

allow a specific command access through a port: iptables -I OUTPUT -p tcp --dport 110 -m owner --cmd-owner claws-mail -j ACCEPT

sources: http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html http://www.thegeekstuff.com/2011/06/iptables-rules-examples/ Linux iptables Pocke Reference - O'Reilly

Iptables

quick 'n dirty guide to iptables as a firewall

Navigation menu

Search