Iptables

From KlavoWiki
Revision as of 06:04, 14 July 2015 by David

Chains

INPUT
OUTPUT
FORWARD

Parameters

-I Insert
-A Append

-s Source
-d Destination

-p protocol
--dport destination port number
-j target

Default Behaviour

Drop

Drop all packets by default

iptables -P INPUT DROP

Accept

Accept all packets by default

iptables -P INPUT ACCEPT


Accept

Accept from Source

iptables -A INPUT -s 172.16.28.0/22 -j ACCEPT


Accept from Source on specific interface

iptables -A INPUT -i eth0 -s 23.253.232.189 -j ACCEPT

Accept all TCP 22 packets
Insert at position 2 of the INPUT chain (the chain name comes before the rule number)

iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT

Drop

Drop from Source

iptables -A INPUT -s 23.253.232.189 -j DROP


Drop from Source on specific interface

iptables -A INPUT -i eth0 -s 23.253.232.189 -j DROP

Drop all TCP 22 packets
Insert rule at position 3 of the INPUT chain (the chain name comes before the rule number)

iptables -I INPUT 3 -p tcp --dport 22 -j DROP
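The Accept and Drop commands above are each correct on their own, but the order in which they are issued decides whether an administrator keeps their SSH session. The following is an added example, not from the wiki page: a small shell script that builds the INPUT chain with the accept rules first and the DROP policy last, and that uses the wiki's "-I INPUT n" form to add further services above the logging rule. The "ipt" wrapper is a hypothetical helper; setting IPT=echo turns every call into a dry run that prints the iptables command instead of executing it.

```shell
#!/bin/sh
# Added example, not from the wiki page: build the INPUT chain in an order
# that cannot lock out the administrator. "ipt" is a hypothetical wrapper:
# IPT=echo prints the iptables commands instead of running them (dry run).
ipt() { ${IPT:-iptables} "$@"; }

# harden_input MGMT_NET [SSH_PORT]
# Accept rules are appended first and the DROP policy is set last, so an
# SSH session from MGMT_NET survives every intermediate state of the chain.
harden_input() {
  mgmt_net="$1"
  ssh_port="${2:-22}"
  ipt -P INPUT ACCEPT                    # stay permissive while rebuilding
  ipt -F INPUT                           # remove the old INPUT rules
  ipt -A INPUT -i lo -j ACCEPT                                      # rule 1
  ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT       # rule 2
  ipt -A INPUT -m state --state INVALID -j DROP                     # rule 3
  ipt -A INPUT -p tcp --dport "$ssh_port" -s "$mgmt_net" -j ACCEPT  # rule 4
  # rate-limited log of what is about to be dropped by the policy    # rule 5
  ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
  ipt -P INPUT DROP                      # only now drop everything else
}

# allow_tcp PORT [SOURCE]
# Insert a new accept at position 4: after loopback/conntrack/INVALID and
# before the LOG rule. Appending (-A) would also work, because the policy
# does the dropping, but every accepted packet would then be logged first.
allow_tcp() {
  if [ -n "${2:-}" ]; then
    ipt -I INPUT 4 -p tcp --dport "$1" -s "$2" -j ACCEPT
  else
    ipt -I INPUT 4 -p tcp --dport "$1" -j ACCEPT
  fi
}

# Usage on a real host (as root):
#   harden_input 172.16.28.0/22 22 && allow_tcp 443
```

Rule positions shift as rules are added, so check the live chain with "iptables -L INPUT -n --line-numbers" before relying on a hard-coded position such as 4.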


List

Current tables

iptables -L -vn

or

iptables -vnL
-L List
-v verbose
-n numeric output (no reverse DNS lookup of addresses and ports)

with Line Numbers

iptables -L -n --line-numbers

List Chain

iptables -L INPUT -n --line-numbers

Delete

by Rule Number

iptables -D INPUT 3

by Rule Specification (the rule must be given exactly as it was added)

iptables -D INPUT -s 23.253.232.189 -j DROP

Delete All

Delete all rules

iptables --flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
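Flushing with "iptables -F" removes the rules but not the built-in chain policies, so on a host whose INPUT policy is DROP the flush above removes the accept rules and leaves the DROP policy in force, cutting off remote access. The following is an added example, not from the wiki page, that resets the policies to ACCEPT before flushing and clearing the three tables the wiki lists. The "ipt" wrapper is a hypothetical helper; IPT=echo makes it a dry run.

```shell
#!/bin/sh
# Added example, not from the wiki page: flush every table without locking
# yourself out. "ipt" is a hypothetical wrapper; IPT=echo prints the
# commands instead of running them.
ipt() { ${IPT:-iptables} "$@"; }

reset_firewall() {
  # Built-in chain policies are not touched by -F or -X, so make them
  # permissive first; otherwise a DROP policy remains after the flush.
  for chain in INPUT FORWARD OUTPUT; do
    ipt -P "$chain" ACCEPT
  done
  # Then remove all rules (-F) and all user-defined chains (-X) in each
  # table the wiki mentions. -X only succeeds on chains that are empty and
  # unreferenced, which the preceding -F guarantees.
  for table in filter nat mangle; do
    ipt -t "$table" -F
    ipt -t "$table" -X
  done
}

# Usage on a real host (as root):  reset_firewall
```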

Rules

Saving

iptables-save > /opt/firewall.conf

Restoring

iptables-restore < /opt/firewall.conf
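A plain "iptables-restore < file" applies whatever is in the file; if the file is truncated or hand-edited, the restore can fail part way through. The following is an added example, not from the wiki page, that writes the save atomically and checks a ruleset with iptables-restore's --test option (parse and build the ruleset without committing it) before applying it. The function names are hypothetical; IPT_SAVE and IPT_RESTORE let the binaries be swapped for stubs in a dry run.

```shell
#!/bin/sh
# Added example, not from the wiki page: save and restore with a syntax
# check and an atomic write, so a bad file never replaces a good one and
# never leaves a half-applied firewall. IPT_SAVE / IPT_RESTORE override
# the binaries (hypothetical variables, used for dry runs).

# save_rules DEST: dump the live ruleset to DEST via a temporary file.
save_rules() {
  dest="$1"
  tmp="$dest.tmp.$$"
  if ${IPT_SAVE:-iptables-save} > "$tmp"; then
    mv "$tmp" "$dest"            # only replace DEST once the dump is complete
  else
    rm -f "$tmp"
    echo "save: iptables-save failed, $dest left untouched" >&2
    return 1
  fi
}

# restore_rules FILE: sanity-check FILE, then apply it.
restore_rules() {
  f="$1"
  [ -r "$f" ] || { echo "restore: $f is not readable" >&2; return 1; }
  # Every iptables-save dump ends each table with a COMMIT line.
  grep -q '^COMMIT$' "$f" || {
    echo "restore: $f has no COMMIT line, not an iptables-save dump" >&2
    return 1
  }
  # --test parses and constructs the ruleset without committing it.
  ${IPT_RESTORE:-iptables-restore} --test < "$f" || {
    echo "restore: $f failed the syntax check, nothing applied" >&2
    return 1
  }
  ${IPT_RESTORE:-iptables-restore} < "$f"
}

# Usage on a real host (as root):
#   save_rules /opt/firewall.conf
#   restore_rules /opt/firewall.conf
```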

Automatic Load on Restart

Debian

On Debian, once your rules are operating as required, save them and create a hook that restores them whenever an interface comes up

iptables-save > /etc/iptables.up.rules
vi /etc/network/if-up.d/iptables

add the following lines

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

then make the hook executable

chmod +x /etc/network/if-up.d/iptables

CentOS 7.x

Rules are saved when the service is stopped or the host reboots. The systemd unit is provided by the iptables-services package.

yum -y install iptables-services
systemctl start iptables
systemctl enable iptables

dscp class

Set Class EF

iptables -A OUTPUT -t mangle -p udp --dport 5060 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4569 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4520 -j DSCP --set-dscp-class EF
  • 5060 SIP
  • 4569 IAX
  • 4520 DUNDI

nat

This forwards all traffic from wlan0 to eth0 and masquerades it, so it leaves eth0 with eth0's address as its source. Traffic from eth0 to wlan0 is forwarded only when it belongs to a connection that was initiated from wlan0 (RELATED or ESTABLISHED).

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
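The three rules above only behave as described when two conditions outside them hold: IP forwarding must be enabled in the kernel, otherwise the FORWARD chain is never consulted, and the FORWARD policy must be DROP, otherwise the RELATED,ESTABLISHED rule changes nothing because unmatched eth0-to-wlan0 packets are forwarded by the policy anyway. The following is an added example, not from the wiki page, that applies the same rules together with those two settings. The "ipt" wrapper and the SYSCTL variable are hypothetical; IPT=echo SYSCTL=echo gives a dry run.

```shell
#!/bin/sh
# Added example, not from the wiki page: the wiki's wlan0 -> eth0 masquerade
# plus the two settings the three rules depend on. "ipt" is a hypothetical
# wrapper; IPT=echo and SYSCTL=echo print the commands instead of running them.
ipt() { ${IPT:-iptables} "$@"; }

# enable_nat LAN_IF WAN_IF
enable_nat() {
  lan="$1"
  wan="$2"
  # 1. Allow the kernel to route between interfaces at all. Without this
  #    no packet ever reaches the FORWARD chain. This setting is runtime only;
  #    persist it in /etc/sysctl.conf (or /etc/sysctl.d/) to survive a reboot.
  ${SYSCTL:-sysctl} -w net.ipv4.ip_forward=1
  # 2. With a FORWARD policy of ACCEPT, unsolicited WAN -> LAN packets would be
  #    forwarded regardless of the RELATED,ESTABLISHED rule below.
  ipt -P FORWARD DROP
  # The wiki's three rules, parameterised on the interface names.
  ipt -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
  ipt -A FORWARD -i "$wan" -o "$lan" -m state --state RELATED,ESTABLISHED -j ACCEPT
  ipt -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
}

# Usage on a real host (as root):  enable_nat wlan0 eth0
```

After applying, "iptables -t nat -nvL POSTROUTING" and "iptables -nvL FORWARD" show the packet counters climbing on the MASQUERADE and FORWARD rules as clients on wlan0 use the link; counters that stay at zero on the FORWARD rules usually mean ip_forward is still 0.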

View Defined Classes

mangle

iptables -t mangle -nvL

nat

iptables -t nat -nvL