Changes

1,955 bytes added , 11:57, 12 April 2021

m

→‎Save to file

Line 1: Line 1: −

== List current rules ==

+

==List current rules==

−

iptables -l List firewall rules

+

iptables -L List firewall rules

−

== Delete current rules ==

+

==Delete current rules==

iptables -F

iptables --flush

−

== Save to file ==

+

==Save to file==

iptables-save > output_iptables_conf_file

−

== Collection of basic Linux Firewall iptables rules ==

+

== Persistent ==

−

=== Reject all outgoing network connections ===

+

+

sudo apt install iptables-persistent

+

sudo iptables-save | sudo tee /etc/iptables/rules.v4

+

</syntaxhighlight>

+

==Collection of basic Linux Firewall iptables rules==

+

===Redirect connections to service===

+

+

#!/bin/bash

+

# SERVER

+

sysctl net.ipv4.ip_forward=1

+

service networking restart

+

# iptables -t nat -A PREROUTING -p tcp --dport <puerto receptor> -j DNAT --to-destination <ip final>:<puerto de ip final>

+

# Binance ETH Pool ethash.poolbinance.com

+

iptables -t nat -A PREROUTING -p tcp --dport 1081 -j DNAT --to-destination 18.193.226.201:1800

+

# MineXMR Pool pool.minexmr.com

+

iptables -t nat -A PREROUTING -p tcp --dport 1082 -j DNAT --to-destination 51.68.21.186:4444

+

iptables -t nat -A PREROUTING -p udp --dport 1082 -j DNAT --to-destination 51.68.21.186:4444

+

# Masquerade real ip

+

iptables -t nat -A POSTROUTING -j MASQUERADE

+

# EJ: iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to-destination 10.10.0.2:110

+

# iptables -L -n -t nat

+

# sudo iptables -L -t nat --line-numbers

+

sudo iptables -t nat -v -L PREROUTING -n --line-number

+

# Delete rule

+

# sudo iptables -t nat -D PREROUTING {rule-number-here}

+

</syntaxhighlight>

+

===Block IP===

+

iptables -A INPUT -s IP-ADDRESS -j DROP

+

===Reject all outgoing network connections===

iptables -F OUTPUT

iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -j REJECT

−

=== iptables to reject all incoming network connections ===

+

===iptables to reject all incoming network connections===

iptables -F INPUT

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -j REJECT

−

=== iptables to reject all network connections ===

+

===iptables to reject all network connections===

iptables -F

iptables -A INPUT -j REJECT

Line 24: Line 64:

iptables -A FORWARD -j REJECT

−

=== iptables to drop incoming ping requests ===

+

===iptables to drop incoming ping requests===

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

−

=== iptables to drop outgoing telnet connections ===

+

===NATing Port redirection===

+

iptables -t nat -A PREROUTING -p udp --destination-port 514 -j REDIRECT --to-ports 1670

+

Redirectws udp trafic on port 514 to port 1670

+

===iptables to drop outgoing telnet connections===

iptables -A OUTPUT -p tcp --dport telnet -j REJECT

−

=== iptables to reject incoming telnet connections ===

+

===iptables to reject incoming telnet connections===

iptables -A INPUT -p tcp --dport telnet -j REJECT

−

=== iptables to reject outgoing ssh connections ===

+

===iptables to reject outgoing ssh connections===

iptables -A OUTPUT -p tcp --dport ssh -j REJECT

−

=== iptables to reject incoming ssh connections ===

+

===iptables to reject incoming ssh connections===

iptables -A INPUT -p tcp --dport ssh -j REJECT

−

=== iptables to reject all incoming traffic except ssh and local connections ===

+

===iptables to reject all incoming traffic except ssh and local connections===

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -p tcp --dport ssh -j ACCEPT

iptables -A INPUT -j REJECT

−

=== iptables to accept incoming ssh connections from specific IP address ===

+

===iptables to accept incoming ssh connections from specific IP address===

iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT

iptables -A INPUT -p tcp --dport ssh -j REJECT

−

=== iptables to accept incoming ssh connections from specific MAC address ===

+

===iptables to accept incoming ssh connections from specific MAC address===

iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT

iptables -A INPUT -p tcp --dport ssh -j REJECT

−

=== iptables to reject incoming connections on a specific TCP port ===

+

===iptables to reject incoming connections on a specific TCP port===

iptables -A INPUT -p tcp --dport 3333 -j REJECT

−

=== iptables to drop all incoming connections on a specific network interface ===

+

===iptables to drop all incoming connections on a specific network interface===

iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP

−

=== iptables to create a simple IP Masquerading ===

+

===iptables to create a simple IP Masquerading===

The following rule will create a simple IP Masquerading gateway to allow all host on the same subnet to access the Internet. <br />The below specified eth0 is a external interface connected to the Internet.

echo "1" > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE

−

=== Reject all incoming telnet traffic except specified IP address ===

+

===Reject all incoming telnet traffic except specified IP address===

iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT

−

=== Reject all incoming ssh traffic except specified IP address range ===

+

===Reject all incoming ssh traffic except specified IP address range===

iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100 -p tcp --dport 22 -j REJECT

Removing negator "!" from the below rule reject all ssh traffic originating from IP address range 10.1.1.90 - 10.1.1.100.

−

=== iptables to reject all outgoing traffic to a specific remote host ===

+

===iptables to reject all outgoing traffic to a specific remote host===

iptables -A OUTPUT -d 222.111.111.222 -j REJECT

−

=== iptables to block an access to a specific website ===

+

===iptables to block an access to a specific website===

iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP

−

=== Prevent DoS Attack ===

+

===Prevent DoS Attack===

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

−

=== More rules ===

+

===Mongo===

+

====Allow connections from anywhere====

+

iptables -A INPUT -p tcp --dport 27017 -j ACCEPT

+

====Allow some sources only====

+

iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT

+

iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

+

iptables -A INPUT -s 192.168.161.200 -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT

+

iptables -A OUTPUT -d 192.168.161.200 -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

+

===More rules===

http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

+

http://gr8idea.info/os/tutorials/security/iptables8.html

Rafahsolis

Bureaucrats, Administrators

2,306

edits

Changes

Linux command: iptables (view source)

Revision as of 11:57, 12 April 2021

Navigation menu

Search