Difference between revisions of "Linux command: iptables"
Rafahsolis (talk | contribs)
Revision as of 07:42, 4 March 2016
List current rules
iptables -L        # list firewall rules
Delete current rules
iptables -F
iptables --flush   # same as -F
Save to file
iptables-save > output_iptables_conf_file
Collection of basic Linux Firewall iptables rules
Reject all outgoing network connections
iptables -F OUTPUT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT
iptables to reject all incoming network connections
iptables -F INPUT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT
iptables to reject all network connections
iptables -F
iptables -A INPUT -j REJECT
iptables -A OUTPUT -j REJECT
iptables -A FORWARD -j REJECT
iptables to drop incoming ping requests
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables to reject outgoing telnet connections
iptables -A OUTPUT -p tcp --dport telnet -j REJECT
iptables to reject incoming telnet connections
iptables -A INPUT -p tcp --dport telnet -j REJECT
iptables to reject outgoing ssh connections
iptables -A OUTPUT -p tcp --dport ssh -j REJECT
iptables to reject incoming ssh connections
iptables -A INPUT -p tcp --dport ssh -j REJECT
iptables to reject all incoming traffic except ssh and local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j REJECT
Note that this chain has no rule for ESTABLISHED connections, so replies to connections the host itself opens are rejected as well; insert the ESTABLISHED accept rule shown above before the final REJECT if the host needs to make outgoing connections.
iptables to accept incoming ssh connections from specific IP address
iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j REJECT
iptables to accept incoming ssh connections from specific MAC address
iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j REJECT
iptables to reject incoming connections on a specific TCP port
iptables -A INPUT -p tcp --dport 3333 -j REJECT
iptables to drop all incoming connections from a specific source network on a specific network interface
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables to create a simple IP Masquerading
The following rules create a simple IP Masquerading gateway that allows all hosts on the same subnet to access the Internet.
$EXT_IFACE is the external interface connected to the Internet (eth0 in the original description); set it before running the rule.
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE
Reject all incoming telnet traffic except specified IP address
iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT
Reject all incoming ssh traffic except specified IP address range
iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100 -p tcp --dport 22 -j REJECT
Removing the negator "!" from the rule above instead rejects all ssh traffic originating from the IP address range 10.1.1.90 - 10.1.1.100.
iptables to reject all outgoing traffic to a specific remote host
iptables -A OUTPUT -d 222.111.111.222 -j REJECT
iptables to block access to a specific website
iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP
The hostname is resolved to a list of addresses only once, when the rule is added, so the rule covers just the addresses returned at that moment; a site served from many or changing addresses will not be blocked reliably.
Prevent DoS Attack
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
Packets above the limit are not dropped by this rule; they simply fall through to the rules that follow, so the throttle only takes effect if a later rule (or the chain policy) drops or rejects port 80 traffic.
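Several of the rules above only behave as intended when ordered correctly (the ESTABLISHED accept before the final REJECT, a DROP after the rate-limited ACCEPT). As an added example that is not part of this wiki page, the script below composes the page's loopback, ping, ssh-from-one-address and rate-limit rules into a single file in the iptables-save format, ready for iptables-restore, and checks the ordering; the admin address 77.66.55.44 is the page's sample value and the default policies are an assumption.

```shell
#!/bin/sh
# Added example (not from the wiki page): build an ordered INPUT ruleset
# in iptables-save format. Generating the text does not touch the kernel;
# a root user would apply it with:  gen_rules | iptables-restore

ADMIN_IP="77.66.55.44"   # sample management address from the page

# Print the complete filter table. Comments (#) are ignored by iptables-restore.
gen_rules() {
    cat <<EOF
*filter
# Default policies (assumed): drop unmatched input, allow output.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Loopback and replies to our own connections come first; otherwise
#    the final REJECT also kills return traffic.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. Silently drop incoming pings.
-A INPUT -p icmp --icmp-type echo-request -j DROP
# 3. New ssh sessions only from the admin address; any other ssh is rejected.
-A INPUT -p tcp -s ${ADMIN_IP} --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -j REJECT
# 4. Rate-limited HTTP. The ACCEPT alone throttles nothing: packets over
#    the limit fall through, so an explicit DROP must follow it.
-A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j DROP
# 5. Everything else is rejected with an ICMP error.
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Sanity check: the ESTABLISHED accept must precede the first REJECT,
# or the ruleset breaks return traffic for outgoing connections.
check_order() {
    est=$(gen_rules | grep -n 'state ESTABLISHED' | head -1 | cut -d: -f1)
    rej=$(gen_rules | grep -n -- '-j REJECT' | head -1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$rej" ] && [ "$est" -lt "$rej" ]
}

gen_rules
check_order && echo "# rule order OK" >&2
```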
More rules
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
http://gr8idea.info/os/tutorials/security/iptables8.html