Difference between revisions of "Linux command: iptables"

From RHS Wiki
 
(13 intermediate revisions by the same user not shown)

Latest revision as of 11:57, 12 April 2021

List current rules

iptables -L	List firewall rules

Delete current rules

iptables -F
iptables --flush

Save to file

iptables-save > output_iptables_conf_file

Persistent

sudo apt install iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4

Collection of basic Linux Firewall iptables rules

Redirect connections to service

#!/bin/bash
# SERVER
sysctl net.ipv4.ip_forward=1
service networking restart

# iptables -t nat -A PREROUTING -p tcp --dport <receiving port> -j DNAT --to-destination <destination ip>:<destination port>

# Binance ETH Pool ethash.poolbinance.com
iptables -t nat -A PREROUTING -p tcp --dport 1081 -j DNAT --to-destination 18.193.226.201:1800

# MineXMR Pool pool.minexmr.com
iptables -t nat -A PREROUTING -p tcp --dport 1082 -j DNAT --to-destination 51.68.21.186:4444
iptables -t nat -A PREROUTING -p udp --dport 1082 -j DNAT --to-destination 51.68.21.186:4444

# Masquerade real ip
iptables -t nat -A POSTROUTING -j MASQUERADE

# e.g.: iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to-destination 10.10.0.2:110

# iptables -L -n -t nat 
# sudo iptables -L -t nat --line-numbers
sudo iptables -t nat -v -L PREROUTING -n --line-number

# Delete rule
# sudo iptables -t nat -D PREROUTING {rule-number-here}
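The script above relies on the FORWARD chain accepting everything and masquerades every packet leaving the box. The helper below is an added example (not the wiki's own script) that prints the complete set of rules for one forwarded port: the DNAT, the two FORWARD rules the flow needs in both directions, and a MASQUERADE scoped to the forwarded destination only. Input is validated first, since a bad port or address silently produces a rule that matches nothing. The function name, the interface eth0 and the destination 192.0.2.10 are placeholders; the listening port 1081 is the page's own example. Nothing is applied: review the output and pipe it to sh as root.

```bash
#!/bin/sh
# dnat_rules EXT_IF PROTO LISTEN_PORT DEST_IP DEST_PORT
# Prints (does not apply) the rules that forward EXT_IF:LISTEN_PORT to DEST_IP:DEST_PORT.
# Added example; hypothetical helper, not part of the wiki page.

# A port is an integer between 1 and 65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# A dotted quad whose four octets are all in 0..255.
valid_ipv4() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
}

dnat_rules() {
  ext=$1; proto=$2; lport=$3; dip=$4; dport=$5
  [ -n "$ext" ] || { echo "external interface required" >&2; return 2; }
  case "$proto" in tcp|udp) ;; *) echo "proto must be tcp or udp" >&2; return 2;; esac
  valid_port "$lport" && valid_port "$dport" || { echo "bad port" >&2; return 2; }
  valid_ipv4 "$dip" || { echo "bad destination ip" >&2; return 2; }
  cat <<EOF
iptables -t nat -A PREROUTING -i $ext -p $proto --dport $lport -j DNAT --to-destination $dip:$dport
iptables -A FORWARD -i $ext -p $proto -d $dip --dport $dport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -o $ext -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -p $proto -d $dip --dport $dport -j MASQUERADE
EOF
}

# Demonstration with placeholder values (192.0.2.10 is a documentation address).
dnat_rules eth0 tcp 1081 192.0.2.10 1800
```

The FORWARD rules matter on any host whose FORWARD policy is DROP, which is what a gateway should run; the `-d $dip --dport $dport` on the MASQUERADE means only the forwarded flows are source-translated, and the rest of the gateway's routed traffic keeps its real addresses.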

Block IP

iptables -A INPUT -s IP-ADDRESS -j DROP

Reject all outgoing network connections

iptables -F OUTPUT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT

iptables to reject all incoming network connections

iptables -F INPUT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT

iptables to reject all network connections

iptables -F
iptables -A INPUT -j REJECT
iptables -A OUTPUT -j REJECT
iptables -A FORWARD -j REJECT

iptables to drop incoming ping requests

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

NATing Port redirection

iptables -t nat -A PREROUTING -p udp --destination-port 514 -j REDIRECT --to-ports 1670

Redirects UDP traffic on port 514 to port 1670.

iptables to drop outgoing telnet connections

iptables -A OUTPUT -p tcp --dport telnet -j REJECT

iptables to reject incoming telnet connections

iptables -A INPUT -p tcp --dport telnet -j REJECT

iptables to reject outgoing ssh connections

iptables -A OUTPUT -p tcp --dport ssh -j REJECT

iptables to reject incoming ssh connections

iptables -A INPUT -p tcp --dport ssh -j REJECT

iptables to reject all incoming traffic except ssh and local connections

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j REJECT

iptables to accept incoming ssh connections from specific IP address

iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j REJECT

iptables to accept incoming ssh connections from specific MAC address

iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j REJECT

iptables to reject incoming connections on a specific TCP port

iptables -A INPUT -p tcp --dport 3333 -j REJECT

iptables to drop all incoming connections on a specific network interface

iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP

iptables to create a simple IP Masquerading

The following rules create a simple IP masquerading gateway that lets all hosts on the same subnet reach the Internet.
The external interface connected to the Internet is eth0 here; the rule below refers to it as $EXT_IFACE.

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE

Reject all incoming telnet traffic except specified IP address

iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT

Reject all incoming ssh traffic except specified IP address range

iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100  -p tcp --dport 22 -j REJECT

Removing the negator "!" from the rule above makes it reject all ssh traffic originating from the IP address range 10.1.1.90 - 10.1.1.100.

iptables to reject all outgoing traffic to a specific remote host

iptables -A OUTPUT -d 222.111.111.222 -j REJECT

iptables to block an access to a specific website

iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP

Prevent DoS Attack

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
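The limit rule above only accepts the first 25 new connections per minute; on its own it changes nothing, because everything over the limit falls through to whatever rule comes next. It needs a DROP for the same port immediately after it. The script below is an added example, not the wiki's, that generates a complete INPUT policy in iptables-restore format combining several of the sections on this page (local and established traffic first, ssh only from the page's 10.1.1.90-10.1.1.100 range, the rate-limited web port with its DROP, the ping drop, a final REJECT) and installs it into the /etc/iptables/rules.v4 file that the Persistent section uses, after a syntax check with `iptables-restore --test`. Function names and the ADMIN_SSH_RANGE / WEB_PORT / RULES_FILE variables are hypothetical; the example uses `-m conntrack` where the page uses the older `-m state`.

```bash
#!/bin/sh
# Generate and install an ordered INPUT policy. Added example, not from the wiki page.
# Run without arguments to print the ruleset; run with "apply" as root to install it.
ADMIN_SSH_RANGE="${ADMIN_SSH_RANGE:-10.1.1.90-10.1.1.100}"   # placeholder admin range
WEB_PORT="${WEB_PORT:-80}"
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"           # read by iptables-persistent at boot

# Emit the ruleset in iptables-restore format. Order is the policy:
# iptables stops at the first matching rule, so the permissive rules go first
# and the catch-all REJECT goes last.
build_rules_v4() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-tracked flows first, so the REJECT at the end never hits them
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ssh only from the admin range
-A INPUT -p tcp --dport 22 -m iprange --src-range ${ADMIN_SSH_RANGE} -m conntrack --ctstate NEW -j ACCEPT
# web, rate limited: the ACCEPT only limits anything because of the DROP right after it
-A INPUT -p tcp --dport ${WEB_PORT} -m conntrack --ctstate NEW -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -p tcp --dport ${WEB_PORT} -m conntrack --ctstate NEW -j DROP
# no answer to ping, as in the section above
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Write the file iptables-persistent loads at boot, after a syntax check, and load it now.
# Needs root and the iptables tools; refuses to do anything otherwise.
install_rules() {
  command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
  build_rules_v4 > "${RULES_FILE}.new" || return 1
  iptables-restore --test "${RULES_FILE}.new" || { echo "ruleset rejected, not installed" >&2; return 1; }
  mv "${RULES_FILE}.new" "$RULES_FILE" && iptables-restore "$RULES_FILE"
}

# Self-checks on the generated text, usable without root.
count_input_rules() { build_rules_v4 | grep -c '^-A INPUT'; }

# Succeeds only when the rule right after the rate-limited ACCEPT drops the same port.
drop_follows_limit() {
  build_rules_v4 | grep -A1 -- '-m limit' | tail -n 1 | grep -q -- "--dport ${WEB_PORT} .*-j DROP"
}

if [ "${1:-print}" = "apply" ]; then install_rules; else build_rules_v4; fi
```

Writing the file through iptables-restore rather than appending rules one by one has a second benefit: the whole table is replaced atomically, so a half-applied policy never leaves the host open between two commands.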

Mongo

Allow connections from anywhere

iptables -A INPUT -p tcp --dport 27017 -j ACCEPT

Allow some sources only

iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.161.200 -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 192.168.161.200 -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
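Several of the rules collected on this page are easy to get wrong by position or scope: a rate-limit ACCEPT with no DROP behind it, a MASQUERADE with no `-o` or `-d`, a database port such as 27017 accepted from anywhere, or a rule appended after the chain's catch-all REJECT, where it can never match. The script below is an added example (not from the wiki) that audits `iptables-save` output for exactly those four patterns. The constructed sample dump inside it contains one of each, so it can run without iptables; on a real host, pipe `iptables-save` into `audit_ruleset`. The function names and the AUDIT_PRIVATE_PORTS default (MongoDB, MySQL, PostgreSQL, Redis) are this example's own choices.

```bash
#!/bin/sh
# Audit an iptables-save dump for scoping and ordering mistakes.
# Added example, not from the wiki page. One finding per output line.

# Service ports that should never be accepted without a -s or -i restriction.
AUDIT_PRIVATE_PORTS="${AUDIT_PRIVATE_PORTS:-27017 3306 5432 6379}"

audit_ruleset() {
  awk -v private="$AUDIT_PRIVATE_PORTS" '
  function finding(msg) { print table "/" $2 ": " msg ": " $0 }
  function limit_unguarded() {
    print table "/" pchain ": rate-limited ACCEPT for dport " pport " is not followed by a DROP/REJECT for that port"
  }
  # a rate-limited ACCEPT only limits anything if the very next rule drops the same port
  function check_pending() {
    if (!pending) return
    pending = 0
    if ($2 == pchain && $0 ~ /-j (DROP|REJECT)/ && $0 ~ ("--dport " pport "( |$)")) return
    limit_unguarded()
  }
  BEGIN { n = split(private, p, " "); for (i = 1; i <= n; i++) priv[p[i]] = 1; table = "?"; pending = 0 }
  /^\*/ { table = substr($0, 2); split("", dead); next }
  /^COMMIT/ { if (pending) { pending = 0; limit_unguarded() }; next }
  /^-A / {
    check_pending()
    # anything after an unconditional DROP/REJECT in the same chain is dead
    if (dead[$2]) finding("unreachable, placed after an unconditional DROP/REJECT")
    if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) dead[$2] = 1
    if ($0 ~ /-j MASQUERADE/ && $0 !~ / -o / && $0 !~ / -d /) finding("MASQUERADE not scoped by -o or -d")
    port = ""
    if (match($0, /--dport [0-9]+/)) port = substr($0, RSTART + 8, RLENGTH - 8)
    if (port != "" && $0 ~ /-m limit/ && $0 ~ /-j ACCEPT/) { pending = 1; pchain = $2; pport = port }
    if (port != "" && (port in priv) && $0 ~ /-j ACCEPT/ && $0 !~ / -s / && $0 !~ / -i /)
      finding("service port " port " accepted from any source")
  }'
}

# Constructed iptables-save dump with one instance of each mistake (192.0.2.10 is a documentation address).
sample_ruleset() {
  cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 1081 -j DNAT --to-destination 192.0.2.10:1800
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m limit --limit 25/min --limit-burst 100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Usage on a live host (root):  iptables-save | audit_ruleset
sample_ruleset | audit_ruleset
```

The sample produces four findings: the unscoped MASQUERADE, the port-80 limit with nothing behind it, the MongoDB port open to every source, and the ssh ACCEPT that sits behind the catch-all REJECT. The check reads saved text only, so it can also run in CI against the rules.v4 file from the Persistent section before the file reaches a host.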

More rules

http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
http://gr8idea.info/os/tutorials/security/iptables8.html