Iptables: Difference between revisions

From KlavoWiki
Revision as of 00:15, 16 January 2015

Chains

The filter table (the default when no -t is given) has three built-in chains, and every packet traverses exactly one of them:

INPUT    packets addressed to this host
OUTPUT   packets generated by this host
FORWARD  packets routed through this host (neither from nor to it)

The nat and mangle tables add PREROUTING and POSTROUTING, used in the nat section below.

Default Behaviour

-P sets a chain's policy: what happens to a packet that matches none of the chain's rules. Policies can only be set on the built-in chains.

Drop

Drop all packets by default

iptables -P INPUT DROP

Do this only after the ACCEPT rules you depend on (loopback, RELATED,ESTABLISHED, SSH) are already in the chain. Setting a DROP policy on an empty INPUT chain over SSH ends the session that issued the command, and the chain's policy is not undone by a later flush.

Accept

Accept all packets by default

iptables -P INPUT ACCEPT

Drop

Drop from Source

iptables -I INPUT -s 23.253.232.189 -j DROP
-I Insert at the top of the chain (position 1 unless a rule number is given)
-A Append to the end of the chain

-s Source
-d Destination

Rules are evaluated in order and the first match decides. A DROP inserted with -I sits ahead of everything else, so it takes effect even for connections that an earlier ACCEPT (for example a RELATED,ESTABLISHED rule) would otherwise let through; the same rule appended with -A lands behind those ACCEPTs and only affects packets they do not already match.
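The two points above, a DROP policy that is only set after the needed ACCEPTs exist and a block rule inserted with -I ahead of the ESTABLISHED accept, as an added example script that is not part of the wiki page. It prints the iptables commands unless APPLY=1, so the plan can be read before it is run; the SSH port (22) and the blocked address are taken from this page, the script name is hypothetical, and -m conntrack --ctstate is used in place of the older -m state --state.

```shell
#!/bin/sh
# Added example (not from the wiki): a lockout-safe default-deny INPUT chain
# plus a source block inserted ahead of the ESTABLISHED accept.
# Each iptables command is printed unless APPLY=1, so the plan can be reviewed:
#   sh default-deny.sh                 # print the commands (hypothetical name)
#   sudo APPLY=1 sh default-deny.sh    # run them
# Assumptions: SSH listens on tcp/22 and 23.253.232.189 is the address to block
# (both taken from this page).
set -eu

SSH_PORT="${SSH_PORT:-22}"

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Order matters: every ACCEPT the admin relies on goes in before the policy
# flips to DROP, otherwise the SSH session running this script is cut off.
default_deny() {
    run iptables -P INPUT ACCEPT        # permissive while the chain is rebuilt
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    run iptables -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -P INPUT DROP          # safe only now that the ACCEPTs exist
}

# -I puts the rule at position 1, ahead of the ESTABLISHED accept, so the
# source's already-open connections are cut as well. -A would append it
# after that accept and leave existing sessions untouched.
block_source() {
    run iptables -I INPUT -s "$1" -j DROP
}

default_deny
block_source 23.253.232.189
```

These rules cover IPv4 only; ip6tables keeps a separate ruleset, and a host with a DROP policy on iptables but nothing on ip6tables is still fully open over IPv6.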


List

Current tables

iptables -L -vn

or

iptables -vnL
-L List (the filter table unless -t names another)
-v verbose: packet and byte counters plus in/out interfaces
-n numeric: no reverse DNS lookup of addresses and no service-name lookup of ports, so listing is fast and does not hang on unresolvable addresses

with Line Numbers

iptables -L -n --line-numbers

List Chain

iptables -L INPUT -n --line-numbers

Delete

by Rule Number

iptables -D INPUT 3

Numbers come from --line-numbers and shift down after every delete, so when removing several rules delete the highest number first (or re-list between deletes).

by Rule Specification

iptables -D INPUT -s 23.253.232.189 -j DROP

The specification must match the rule exactly as it was added. Only the first matching rule is deleted, so repeat the command if the rule was added more than once.

Delete All

Delete all rules and user-defined chains. --flush and -F are the same option; -X removes (empty) user-defined chains; each table has to be flushed separately.

iptables --flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

-F does not touch chain policies. If INPUT's policy is DROP, flushing leaves a chain with no ACCEPT rules at all and cuts every connection, including the one running the command; set the policies back to ACCEPT first if that is not what you want.
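Both delete pitfalls above, rule numbers that shift after each -D and a flush that leaves a DROP policy in force, handled in one added example script that is not part of the wiki page. The listing it parses is a constructed sample of `iptables -L INPUT -n --line-numbers` output so the logic can be exercised without root; with APPLY=1 it runs the real command and the real deletes.

```shell
#!/bin/sh
# Added example (not from the wiki): delete every INPUT rule for a given source
# using line numbers, and reset the firewall without locking yourself out.
# iptables commands are printed unless APPLY=1. SAMPLE_LISTING is a constructed
# sample of `iptables -L INPUT -n --line-numbers` output (not captured from a
# host); with APPLY=1 the real listing is used instead.
set -eu

SAMPLE_LISTING='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  23.253.232.189       0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3    DROP       all  --  23.253.232.189       0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

list_input() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables -L INPUT -n --line-numbers
    else
        printf '%s\n' "$SAMPLE_LISTING"
    fi
}

# Numbers of the rules whose source column equals $1, highest first.
# Rule numbers shift down after each -D, so deleting 1 then 3 would remove
# the original rules 1 and 4; deleting 3 then 1 removes exactly the two DROPs.
rule_numbers_for_source() {
    list_input | awk -v src="$1" '$1 ~ /^[0-9]+$/ && $5 == src { print $1 }' | sort -rn
}

delete_by_source() {
    for n in $(rule_numbers_for_source "$1"); do
        run iptables -D INPUT "$n"
    done
}

# -F leaves chain policies alone: with INPUT at DROP, flushing would cut every
# connection including the one running this. Open the policies first, then
# flush and remove user-defined chains in every table.
reset_firewall() {
    for chain in INPUT FORWARD OUTPUT; do
        run iptables -P "$chain" ACCEPT
    done
    for table in filter nat mangle raw; do
        run iptables -t "$table" -F
        run iptables -t "$table" -X
    done
}

delete_by_source 23.253.232.189
reset_firewall
```

The source is matched on the fifth column of the -n listing, which is the numeric source address; run the listing on your own iptables version first, since the column layout differs between releases.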

Rules

Saving

iptables-save > /opt/firewall.conf

Restoring

iptables-restore < /opt/firewall.conf

Automatic Load on Restart

Based on Debian, once your tables are operating as required, save them:

iptables-save > /etc/iptables.up.rules

then create /etc/network/if-pre-up.d/iptables containing

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

and make it executable:

chmod +x /etc/network/if-pre-up.d/iptables

Scripts in if-pre-up.d run before an interface comes up, so the rules are in place before it can receive a packet; if-up.d also works but runs after the interface is already up. Either directory runs the script once per interface, which is harmless because iptables-restore replaces each table's contents rather than appending to it. Keep the saved file readable by root only, and remember that ip6tables has its own save/restore pair and is not covered by this file. The iptables-persistent package provides the same mechanism as a service.
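The save, restore and boot-time load steps above, as an added example script that is not part of the wiki page. It adds what a plain `iptables-restore < file` at boot lacks: the file is written atomically with mode 0600, checked for structural completeness (every `*table` block closed by `COMMIT`) before being trusted, and parsed with `iptables-restore --test` before anything is committed. The install path /usr/local/sbin/firewall-rules is hypothetical; the rules path is the one used on this page; the `/etc/network` hook script then only needs to run `firewall-rules restore`. Run with no argument it exercises the check on a constructed ruleset and needs no root.

```shell
#!/bin/sh
# Added example (not from the wiki): save and restore the ruleset with a sanity
# check, so a truncated or half-written rules file is never loaded at boot.
# Hypothetical install path /usr/local/sbin/firewall-rules:
#   firewall-rules save      # iptables-save to $RULES atomically, mode 0600
#   firewall-rules restore   # validate, parse with --test, then commit
# With no argument it runs a demo on a constructed ruleset and needs no root.
# Assumed rules path: /etc/iptables.up.rules, as on this page.
set -eu

RULES="${RULES:-/etc/iptables.up.rules}"

# iptables-save output is one or more "*table ... COMMIT" blocks. Reject a file
# with an unterminated block (an interrupted or disk-full save) or none at all.
check_ruleset() {
    awk '
        /^\*[a-z]+$/ { if (open) bad = 1; open = 1 }
        /^COMMIT$/   { if (!open) bad = 1; open = 0; blocks++ }
        END          { if (bad || open || blocks == 0) exit 1 }
    ' "$1"
}

save_rules() {
    tmp=$(mktemp "$RULES.XXXXXX")
    chmod 600 "$tmp"                 # the ruleset documents the host's exposure; root only
    iptables-save > "$tmp"
    if ! check_ruleset "$tmp"; then
        rm -f "$tmp"
        echo "iptables-save output malformed, $RULES left unchanged" >&2
        return 1
    fi
    mv "$tmp" "$RULES"               # rename is atomic: old or new file, never a partial one
}

restore_rules() {
    if ! check_ruleset "$RULES"; then
        echo "$RULES is malformed, keeping the current rules" >&2
        return 1
    fi
    iptables-restore --test < "$RULES"   # parse and build only, commits nothing
    iptables-restore < "$RULES"          # replaces each table's contents, does not append
}

# Helper for the demo and tests: run check_ruleset on a ruleset given as text.
check_ruleset_text() {
    f=$(mktemp)
    printf '%s\n' "$1" > "$f"
    if check_ruleset "$f"; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

# Constructed sample ruleset in iptables-save format (not captured from a host).
GOOD_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

case "${1:-}" in
    save)    save_rules ;;
    restore) restore_rules ;;
    *)
        if check_ruleset_text "$GOOD_RULESET"; then
            echo "complete ruleset: accepted"
        else
            echo "complete ruleset: rejected (bug)"; exit 1
        fi
        # Same file cut off before the first COMMIT, as a crashed save would leave it.
        if check_ruleset_text "$(printf '%s\n' "$GOOD_RULESET" | head -n 6)"; then
            echo "truncated ruleset: accepted (bug)"; exit 1
        else
            echo "truncated ruleset: rejected"
        fi
        ;;
esac
```

The structural check is deliberately simple; it catches the truncation case, and `iptables-restore --test` catches everything else the parser would reject. When the check fails at boot the script leaves the current (empty, policy ACCEPT) ruleset in place and reports the error, rather than committing half a firewall.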

dscp class

Set Class EF

Mark outbound VoIP signalling with DSCP class EF (Expedited Forwarding, value 46) so that upstream queuing can prioritise it:

iptables -A OUTPUT -t mangle -p udp --dport 5060 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4569 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4520 -j DSCP --set-dscp-class EF
  • 5060 SIP
  • 4569 IAX2
  • 4520 DUNDi

These rules are in the mangle table's OUTPUT chain, so they mark only traffic generated on this host; traffic merely routed through it goes via FORWARD/POSTROUTING instead. They cover the signalling ports only, not the RTP media streams, which use separate ports. Confirm the rules are matching with the counters shown by iptables -t mangle -nvL OUTPUT.

nat

Share eth0's uplink with the hosts on wlan0. MASQUERADE rewrites the source address of packets leaving eth0 to eth0's current address (and reverses it on the replies), so upstream sees all wlan0 traffic as originating from eth0. The two FORWARD rules let wlan0 -> eth0 through unconditionally and eth0 -> wlan0 only for packets belonging to a connection already tracked (RELATED,ESTABLISHED).

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Two things these rules depend on but do not set: the kernel forwards nothing until net.ipv4.ip_forward is 1 (sysctl -w net.ipv4.ip_forward=1, and the same line in /etc/sysctl.conf to survive a reboot), and "not allowed unless related or established" only holds when the FORWARD chain's policy is DROP. With the default ACCEPT policy the RELATED,ESTABLISHED rule is redundant and eth0 -> wlan0 traffic is forwarded unconditionally too. -m state --state is the older spelling of -m conntrack --ctstate; both are accepted.
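The same gateway with the two missing pieces supplied, as an added example script that is not part of the wiki page: IP forwarding is turned on in the kernel, FORWARD's policy is set to DROP so the "replies only" direction is actually enforced, and masquerading is limited to the LAN subnet so a spoofed source on wlan0 is not rewritten to the uplink address. The subnet 192.168.1.0/24 is a hypothetical default (set LAN_NET); interface names are the ones on this page. Commands are printed unless APPLY=1.

```shell
#!/bin/sh
# Added example (not from the wiki): the wlan0 -> eth0 NAT gateway with what
# the three rules rely on but do not provide: IP forwarding enabled, and a DROP
# policy on FORWARD so "not allowed unless related or established" is enforced.
# Commands are printed unless APPLY=1. Assumptions: LAN subnet 192.168.1.0/24
# (hypothetical, set LAN_NET to match); interface names as on this page.
set -eu

LAN_IF="${LAN_IF:-wlan0}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Without ip_forward=1 the kernel discards transit packets before netfilter's
# FORWARD chain sees them, and the NAT rules match nothing.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)" = 1 ]
}

nat_gateway() {
    run sysctl -w net.ipv4.ip_forward=1        # add to /etc/sysctl.conf to persist
    run iptables -P FORWARD DROP               # default: forward nothing
    run iptables -F FORWARD
    run iptables -t nat -F POSTROUTING
    # Masquerade only the LAN subnet, so a spoofed source on wlan0 is not
    # rewritten to our uplink address.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # LAN -> WAN: new connections allowed, but only from the LAN subnet.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # WAN -> LAN: replies only; anything WAN-initiated falls to the DROP policy.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

nat_gateway
if forwarding_enabled; then
    echo "ip_forward is already 1"
else
    echo "ip_forward is 0: the FORWARD rules see no traffic until sysctl has run"
fi
```

After applying, the counters from iptables -t nat -nvL POSTROUTING and iptables -nvL FORWARD show whether the LAN traffic is actually hitting the rules; zero counters on both with a working LAN usually means ip_forward is still 0.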

View Defined Classes

iptables -L without -t shows only the filter table, so the DSCP and NAT rules above must be listed with their table named explicitly:

mangle

iptables -t mangle -nvL

nat

iptables -t nat -nvL