Changes

Jump to navigation Jump to search

Linux command: iptables (view source)

Revision as of 07:47, 3 March 2016

3,001 bytes added ,  07:47, 3 March 2016
no edit summary
Line 1: Line 1:  +
== List current rules ==
 
iptables -l List firewall rules
 
iptables -l List firewall rules
 +
 +
== Collection of basic Linux Firewall iptables rules ==
 +
=== Reject all outgoing network connections ===
 +
iptables -F OUTPUT
 +
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
 +
iptables -A OUTPUT -j REJECT
 +
 +
=== iptables to reject all incoming network connections ===
 +
iptables -F INPUT
 +
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
 +
iptables -A INPUT -j REJECT
 +
 +
=== iptables to reject all network connections ===
 +
iptables -F
 +
iptables -A INPUT -j REJECT
 +
iptables -A OUTPUT -j REJECT
 +
iptables -A FORWARD -j REJECT
 +
 +
=== iptables to drop incoming ping requests ===
 +
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
 +
 +
=== iptables to drop outgoing telnet connections ===
 +
iptables -A OUTPUT -p tcp --dport telnet -j REJECT
 +
 +
=== iptables to reject incoming telnet connections ===
 +
iptables -A INPUT -p tcp --dport telnet -j REJECT
 +
 +
=== iptables to reject outgoing ssh connections ===
 +
iptables -A OUTPUT -p tcp --dport ssh -j REJECT
 +
 +
=== iptables to reject incoming ssh connections ===
 +
iptables -A INPUT -p tcp --dport ssh -j REJECT
 +
 +
=== iptables to reject all incoming traffic except ssh and local connections ===
 +
iptables -A INPUT -i lo -j ACCEPT
 +
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
 +
iptables -A INPUT -j REJECT
 +
 +
=== iptables to accept incoming ssh connections from specific IP address ===
 +
iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT
 +
iptables -A INPUT -p tcp --dport ssh -j REJECT
 +
 +
===  iptables to accept incoming ssh connections from specific MAC address ===
 +
iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT
 +
iptables -A INPUT -p tcp --dport ssh -j REJECT
 +
 +
===  iptables to reject incoming connections on a specific TCP port ===
 +
iptables -A INPUT -p tcp --dport 3333 -j REJECT
 +
 +
=== iptables to drop all incoming connections on a specific network interface ===
 +
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
 +
 +
===  iptables to create a simple IP Masquerading ===
 +
The following rule will create a simple IP Masquerading gateway to allow all host on the same subnet to access the Internet. <br />The below specified eth0 is a external interface connected to the Internet.
 +
echo "1" > /proc/sys/net/ipv4/ip_forward
 +
iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE
 +
 +
=== Reject all incoming telnet traffic except specified IP address ===
 +
iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT
 +
 +
=== Reject all incoming ssh traffic except specified IP address range ===
 +
iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100  -p tcp --dport 22 -j REJECT
 +
Removing negator "!" from the below rule reject all ssh traffic originating from IP address range 10.1.1.90 - 10.1.1.100.
 +
 +
=== iptables to reject all outgoing traffic to a specific remote host ===
 +
iptables -A OUTPUT -d 222.111.111.222 -j REJECT
 +
 +
===  iptables to block an access to a specific website ===
 +
iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP
Retrieved from "https://wiki.herrerosolis.com/index.php/Special:MobileDiff/722"

Navigation menu