Iptables: Difference between revisions

From KlavoWiki
Jump to navigationJump to search
No edit summary
Line 17: Line 17:
<pre>
<pre>
iptables -P INPUT ACCEPT
iptables -P INPUT ACCEPT
</pre>
= Accept =
Accept from Source
<pre>
iptables -A INPUT -s 172.16.28.0/22 -j ACCEPT
</pre>
Accept from Source on specific interface
<pre>
iptables -A INPUT -i eth0 -s 23.253.232.189 -j ACCEPT
</pre>
Accept all TCP 22 packets
<pre>
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
</pre>
</pre>



Revision as of 00:31, 14 April 2015

Chains

INPUT
OUTPUT
FORWARD

Default Behaviour

Drop

Drop all packets by default

iptables -P INPUT DROP

Accept

Accepts all packets by default

iptables -P INPUT ACCEPT


Accept

Accept from Source

iptables -A INPUT -s 172.16.28.0/22 -j ACCEPT


Accept from Source on specific interface

iptables -A INPUT -i eth0 -s 23.253.232.189 -j ACCEPT

Accept all TCP 22 packets

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Drop

Drop from Source

iptables -A INPUT -s 23.253.232.189 -j DROP


Drop from Source on specific interface

iptables -A INPUT -i eth0 -s 23.253.232.189 -j DROP

Drop all TCP 22 packets

iptables -A INPUT -p tcp --dport 22 -j DROP
-I Insert
-A Append

-s Source
-d Destination

-p protocol
--dport destination port number
-j target

List

Current tables

iptables -L -vn

or

iptables -vnL
-L List
-v verbose
-n no reverse lookup

with Line Numbers

iptables -L -n --line-numbers

List Chain

iptables -L INPUT -n --line-numbers

Delete

by Rule Number

iptables -D INPUT 3

by Rule Name

iptables -D INPUT -s 23.253.232.189 -j DROP

Delete All

Delete all rules

iptables --flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

Rules

Saving

iptables-save > /opt/firewall.conf

Restoring

iptables-restore < /opt/firewall.conf

Automatic Load on Restart

Based on Debian, once your tables are operating as required

iptables-save > /etc/iptables.up.rules
vi /etc/network/if-up.d/iptables

add the following lines

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
chmod +x /etc/network/if-up.d/iptables

dscp class

Set Class EF

iptables -A OUTPUT -t mangle -p udp --dport 5060 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4569 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4520 -j DSCP --set-dscp-class EF
  • 5060 SIP
  • 4569 IAX
  • 4520 DUNDI

nat

This accepts all traffic from wlan0 and passes it to eth0 as if the traffic originated from eth0. Traffic to wlan0 is not allowed unless related or established from wlan0.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

View Defined Classes

mangle

iptables -t mangle -nvL

nat

iptables -t nat -nvL