Difference between revisions of "Linux command: iptables"
Jump to navigation
Jump to search
Rafahsolis (talk | contribs) m (Protected "Linux command: iptables" ([Edit=Allow only administrators] (indefinite) [Move=Allow only administrators] (indefinite))) |
Rafahsolis (talk | contribs) |
||
| Line 1: | Line 1: | ||
| + | == List current rules == | ||
iptables -l List firewall rules | iptables -l List firewall rules | ||
| + | |||
| + | == Collection of basic Linux Firewall iptables rules == | ||
| + | === Reject all outgoing network connections === | ||
| + | iptables -F OUTPUT | ||
| + | iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT | ||
| + | iptables -A OUTPUT -j REJECT | ||
| + | |||
| + | === iptables to reject all incoming network connections === | ||
| + | iptables -F INPUT | ||
| + | iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT | ||
| + | iptables -A INPUT -j REJECT | ||
| + | |||
| + | === iptables to reject all network connections === | ||
| + | iptables -F | ||
| + | iptables -A INPUT -j REJECT | ||
| + | iptables -A OUTPUT -j REJECT | ||
| + | iptables -A FORWARD -j REJECT | ||
| + | |||
| + | === iptables to drop incoming ping requests === | ||
| + | iptables -A INPUT -p icmp --icmp-type echo-request -j DROP | ||
| + | |||
| + | === iptables to drop outgoing telnet connections === | ||
| + | iptables -A OUTPUT -p tcp --dport telnet -j REJECT | ||
| + | |||
| + | === iptables to reject incoming telnet connections === | ||
| + | iptables -A INPUT -p tcp --dport telnet -j REJECT | ||
| + | |||
| + | === iptables to reject outgoing ssh connections === | ||
| + | iptables -A OUTPUT -p tcp --dport ssh -j REJECT | ||
| + | |||
| + | === iptables to reject incoming ssh connections === | ||
| + | iptables -A INPUT -p tcp --dport ssh -j REJECT | ||
| + | |||
| + | === iptables to reject all incoming traffic except ssh and local connections === | ||
| + | iptables -A INPUT -i lo -j ACCEPT | ||
| + | iptables -A INPUT -p tcp --dport ssh -j ACCEPT | ||
| + | iptables -A INPUT -j REJECT | ||
| + | |||
| + | === iptables to accept incoming ssh connections from specific IP address === | ||
| + | iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT | ||
| + | iptables -A INPUT -p tcp --dport ssh -j REJECT | ||
| + | |||
| + | === iptables to accept incoming ssh connections from specific MAC address === | ||
| + | iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT | ||
| + | iptables -A INPUT -p tcp --dport ssh -j REJECT | ||
| + | |||
| + | === iptables to reject incoming connections on a specific TCP port === | ||
| + | iptables -A INPUT -p tcp --dport 3333 -j REJECT | ||
| + | |||
| + | === iptables to drop all incoming connections on a specific network interface === | ||
| + | iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP | ||
| + | |||
| + | === iptables to create a simple IP Masquerading === | ||
| + | The following rule will create a simple IP Masquerading gateway to allow all host on the same subnet to access the Internet. <br />The below specified eth0 is a external interface connected to the Internet. | ||
| + | echo "1" > /proc/sys/net/ipv4/ip_forward | ||
| + | iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE | ||
| + | |||
| + | === Reject all incoming telnet traffic except specified IP address === | ||
| + | iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT | ||
| + | |||
| + | === Reject all incoming ssh traffic except specified IP address range === | ||
| + | iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100 -p tcp --dport 22 -j REJECT | ||
| + | Removing negator "!" from the below rule reject all ssh traffic originating from IP address range 10.1.1.90 - 10.1.1.100. | ||
| + | |||
| + | === iptables to reject all outgoing traffic to a specific remote host === | ||
| + | iptables -A OUTPUT -d 222.111.111.222 -j REJECT | ||
| + | |||
| + | === iptables to block an access to a specific website === | ||
| + | iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP | ||
Revision as of 07:47, 3 March 2016
List current rules
iptables -l List firewall rules
Collection of basic Linux Firewall iptables rules
Reject all outgoing network connections
iptables -F OUTPUT iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT iptables -A OUTPUT -j REJECT
iptables to reject all incoming network connections
iptables -F INPUT iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -j REJECT
iptables to reject all network connections
iptables -F iptables -A INPUT -j REJECT iptables -A OUTPUT -j REJECT iptables -A FORWARD -j REJECT
iptables to drop incoming ping requests
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables to drop outgoing telnet connections
iptables -A OUTPUT -p tcp --dport telnet -j REJECT
iptables to reject incoming telnet connections
iptables -A INPUT -p tcp --dport telnet -j REJECT
iptables to reject outgoing ssh connections
iptables -A OUTPUT -p tcp --dport ssh -j REJECT
iptables to reject incoming ssh connections
iptables -A INPUT -p tcp --dport ssh -j REJECT
iptables to reject all incoming traffic except ssh and local connections
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j ACCEPT iptables -A INPUT -j REJECT
iptables to accept incoming ssh connections from specific IP address
iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j REJECT
iptables to accept incoming ssh connections from specific MAC address
iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT iptables -A INPUT -p tcp --dport ssh -j REJECT
iptables to reject incoming connections on a specific TCP port
iptables -A INPUT -p tcp --dport 3333 -j REJECT
iptables to drop all incoming connections on a specific network interface
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables to create a simple IP Masquerading
The following rule will create a simple IP Masquerading gateway to allow all host on the same subnet to access the Internet.
The below specified eth0 is a external interface connected to the Internet.
echo "1" > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE
Reject all incoming telnet traffic except specified IP address
iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT
Reject all incoming ssh traffic except specified IP address range
iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100 -p tcp --dport 22 -j REJECT
Removing negator "!" from the below rule reject all ssh traffic originating from IP address range 10.1.1.90 - 10.1.1.100.
iptables to reject all outgoing traffic to a specific remote host
iptables -A OUTPUT -d 222.111.111.222 -j REJECT
iptables to block an access to a specific website
iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP