IPtables frequently used rules

1. Delete existing rules

$ iptables -F

-F flushes the chains of the filter table only; the nat table (used in steps 8, 11 and 14) has to be flushed separately with the -t nat option.

 

2. Set default chain policies

$ iptables -P INPUT DROP
$ iptables -P FORWARD DROP
$ iptables -P OUTPUT DROP

With all three policies set to DROP, only traffic matched by an explicit ACCEPT rule passes, in both directions; on a remote host add the SSH rules from step 4 before setting the policies, or the session you are working from is cut off.

 

3. Block a specific IP

$ iptables -A INPUT -s IP_ADDRESS -j DROP

Replace IP_ADDRESS with a single address or a CIDR range. Rules are matched in order, so a rule appended with -A only takes effect if no earlier ACCEPT rule matches first; insert it with -I to put it at the top of the chain.

 

4. Allow incoming SSH connections

$ iptables -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

 

5. Allow incoming SSH, HTTP & HTTPS using multiport

$ iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

 

6. Allow outgoing SSH, HTTP & HTTPS using multiport

$ iptables -A OUTPUT -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
$ iptables -A INPUT -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

 

7. Allow forwarding from the internal network (eth0) to the external network (eth1)

$ iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

With the FORWARD policy set to DROP (step 2), replies coming back from eth1 to eth0 need a second FORWARD rule for established and related connections, and forwarding must be enabled in the kernel (net.ipv4.ip_forward).

 

8. Load balance incoming traffic (for example on port 443)

$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 10.10.1.2:443
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 10.10.1.3:443
$ iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -j DNAT --to-destination 10.10.1.4:443

DNAT lives in the nat table, so -t nat is required. The statistic match keeps a separate counter per rule, so the rules are arranged as "every 3rd", then "every 2nd of the rest", then "everything left", which gives each backend one third of the new connections (the older nth match from patch-o-matic used one shared --counter, which is why it could use --packet 0, 1 and 2 on three otherwise identical rules). Replies from the backends are rewritten by conntrack, so the backends must route their return traffic through this host.
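Why the rule order matters with per-rule counters is easy to get wrong, so here is an added example (not from the original page) that simulates the statistic match's nth mode: every rule keeps its own evaluation counter and the first matching DNAT rule takes the packet, so later rules never see it. Rules are given as EVERY:PACKET, and "any" stands for a catch-all rule without -m statistic; the function prints one match count per rule followed by the number of connections that reached no backend at all.

```shell
#!/bin/sh
# Added example, not part of the original page: simulate how "-m statistic
# --mode nth" distributes new connections over a chain of DNAT rules.
# Each rule keeps its own counter (as the kernel does) and the first rule
# that matches takes the packet, so later rules are not evaluated for it.
#
# Usage: simulate_nth NPACKETS RULE...   where RULE is EVERY:PACKET or "any"
# Prints: "<hits per rule in order> <packets matching no rule>"

simulate_nth() {
    npackets=$1
    shift
    rules="$*"
    counters=""
    hits=""
    for r in $rules; do
        counters="$counters 0"   # per-rule evaluation counter
        hits="$hits 0"           # per-rule match count
    done
    unmatched=0
    p=0
    while [ "$p" -lt "$npackets" ]; do
        p=$((p + 1))
        matched=0
        i=0
        newc=""
        newh=""
        for r in $rules; do
            i=$((i + 1))
            c=$(echo $counters | cut -d' ' -f$i)
            h=$(echo $hits | cut -d' ' -f$i)
            if [ "$matched" -eq 0 ]; then
                # this rule only sees packets no earlier rule has taken
                if [ "$r" = any ]; then
                    hit=1
                else
                    every=${r%%:*}
                    packet=${r##*:}
                    if [ $((c % every)) -eq "$packet" ]; then hit=1; else hit=0; fi
                    c=$((c + 1))
                fi
                if [ "$hit" -eq 1 ]; then
                    h=$((h + 1))
                    matched=1
                fi
            fi
            newc="$newc $c"
            newh="$newh $h"
        done
        counters=$newc
        hits=$newh
        if [ "$matched" -eq 0 ]; then unmatched=$((unmatched + 1)); fi
    done
    echo "${hits# } $unmatched"
}

# Naive translation of the page's three rules ("--packet 0, 1, 2" with
# --every 3 on each): uneven, and a third of the connections hit no backend.
simulate_nth 12 3:0 3:1 3:2     # prints "4 3 1 4"
# The every-3 / every-2 / catch-all arrangement: an even split, nothing lost.
simulate_nth 12 3:0 2:0 any     # prints "4 4 4 0"
```

Connections that match no DNAT rule are not dropped; they simply reach the gateway's own port 443 (or its DROP policy), which is the failure mode the rule order above avoids.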

 

9. Rate-limit new connections (DoS mitigation)

The following rule limits the rate at which new connections to the web server are accepted, which blunts simple connection floods (it does not stop a bandwidth-level DoS).

$ iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

--syn – match only the first packet of a new TCP connection, so the limit counts connections rather than every packet of established sessions (without it, busy but legitimate sessions are throttled as well)
-m limit – uses the "limit" iptables extension, which is a token bucket
--limit 25/minute – once the burst is used up, at most 25 new connections per minute are accepted
--limit-burst 100 – the bucket starts full with 100 tokens and refills at the --limit rate, so the per-minute limit is only enforced after a burst of 100 connections has been seen

Connections over the limit are not dropped by this rule; they fall through to the rules after it and finally to the chain policy (DROP in step 2). The bucket is shared by all sources, so one flooding host also throttles everyone else; the hashlimit match provides per-source buckets if that matters.
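To make the interaction of --limit and --limit-burst concrete, here is an added example (not from the original page) that simulates the token bucket behind the limit match with the page's values: 25 tokens per minute, bucket size 100, one token per accepted connection. Timestamps are whole seconds, constructed here; the helper burst_at and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: simulate the token bucket
# that "-m limit --limit RATE/minute --limit-burst BURST" implements.
# Tokens are kept in sixtieths so a per-minute rate refills with integer
# arithmetic: the bucket starts full (BURST tokens), every accepted packet
# spends one token, and it refills at RATE tokens per minute up to BURST.
#
# Usage: simulate_limit RATE BURST TIMESTAMP...   (seconds, in order)
# Prints: "<accepted> <fell through to the next rule>"

simulate_limit() {
    rate=$1      # --limit N/minute
    burst=$2     # --limit-burst N, also the bucket capacity
    shift 2
    capacity=$((burst * 60))
    tokens=$capacity
    last=0
    accepted=0
    over=0
    for t in "$@"; do
        # refill for the time elapsed since the previous packet, capped
        tokens=$((tokens + (t - last) * rate))
        if [ "$tokens" -gt "$capacity" ]; then tokens=$capacity; fi
        last=$t
        if [ "$tokens" -ge 60 ]; then
            tokens=$((tokens - 60))
            accepted=$((accepted + 1))
        else
            # the limit match just fails: the packet continues down the chain
            over=$((over + 1))
        fi
    done
    echo "$accepted $over"
}

# Constructed input: N packets all arriving in second T
burst_at() {
    n=$1; t=$2; out=""
    while [ "$n" -gt 0 ]; do out="$out $t"; n=$((n - 1)); done
    echo "$out"
}

# 150 SYNs in one second: 100 use up the burst, 50 fall through.
# 20 more a minute later: the bucket has refilled 25 tokens, so all pass.
simulate_limit 25 100 $(burst_at 150 0) $(burst_at 20 60)   # prints "120 50"
```

Reading the result: the limit-burst decides how big a spike is absorbed, and the limit decides how quickly that capacity comes back; with the chain policy from step 2, the 50 that fell through are dropped.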

 

10. Log incoming & outgoing connections

$ iptables -I INPUT -m state --state NEW -j LOG --log-prefix "New Connection: "
$ iptables -I OUTPUT -m state --state NEW -j LOG --log-prefix "New Connection: "

-I inserts the rule at the head of the chain, so it sees every new connection before any ACCEPT or DROP rule. LOG is a non-terminating target: the packet continues down the chain after being logged. On a busy host, combine it with the limit match from step 9 so that a flood cannot fill the kernel log.
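The LOG target writes one kernel-log line per new connection in a fixed KEY=value format, which is easy to summarise. Here is an added example (not from the original page) that counts new connections per source address and destination port from such lines. The log lines are constructed samples in the LOG target's format (documentation-range addresses); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: summarise the lines the
# LOG rules above produce, counting new connections per source and port.
# SAMPLE_LOG is a constructed sample in the LOG target's KEY=value format.

SAMPLE_LOG='Mar  1 10:00:01 gw kernel: New Connection: IN=eth0 OUT= SRC=203.0.113.5 DST=10.10.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:00:02 gw kernel: New Connection: IN=eth0 OUT= SRC=203.0.113.5 DST=10.10.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31338 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:00:03 gw kernel: New Connection: IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1024 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:04 gw kernel: New Connection: IN= OUT=eth0 SRC=10.10.0.1 DST=203.0.113.53 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=40000 DPT=53 LEN=44
Mar  1 10:00:05 gw kernel: New Connection: IN=eth0 OUT= SRC=203.0.113.5 DST=10.10.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31339 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  1 10:00:06 gw kernel: eth0: link is up
Mar  1 10:00:07 gw kernel: New Connection: IN=eth0 OUT= SRC=203.0.113.7 DST=10.10.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1025 DF PROTO=TCP SPT=40002 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "SRC DPT count", most frequent first.
# Only lines carrying the LOG prefix from the rules above are considered.
new_connections_by_source() {
    grep 'New Connection:' | awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "") count[src " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort -k3,3nr -k1,1
}

# Read log lines on stdin; print "SRC total" for the busiest source only.
top_talker() {
    new_connections_by_source \
        | awk '{ sum[$1] += $3 } END { for (s in sum) print s, sum[s] }' \
        | sort -k2,2nr -k1,1 | head -n 1
}

printf '%s\n' "$SAMPLE_LOG" | new_connections_by_source
printf '%s\n' "$SAMPLE_LOG" | top_talker      # prints "203.0.113.5 3"
```

The same two functions work on a real /var/log/kern.log (or journalctl -k output) as long as the --log-prefix matches the grep pattern; a source that suddenly dominates the top of the list is the signal the step 9 limit is meant to contain.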

 

11. Forward SSH (port 22) arriving at the DMZ address to an internal server (port 22)

$ iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp -d 10.10.0.1 --dport 22 -j DNAT --to-destination 10.10.0.2:22

$ iptables -t nat -A POSTROUTING -p tcp -m tcp -d 10.10.0.2 --dport 22 -j SNAT --to-source 10.10.0.1

The SNAT rule makes the internal server see every forwarded session as coming from 10.10.0.1, so the real client address disappears from its logs; it is only needed when 10.10.0.2 would otherwise send its replies past this gateway. With the FORWARD policy from step 2, the translated packets also need a FORWARD rule that accepts traffic to 10.10.0.2 port 22.

 
12. Delete a rule

By position in the chain (see step 16 for the numbers):

$ iptables -D INPUT 3

or by repeating the rule specification exactly:

$ iptables -D INPUT -s 202.54.1.1 -j DROP

 

13. Block traffic by MAC address

$ iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

The mac match is only available in the INPUT, FORWARD and PREROUTING chains, and the source MAC it sees is that of the last hop, so it only identifies hosts on the same Ethernet segment. A MAC address is trivially changed, so treat this as a convenience filter rather than an authentication control.

 

14. Set up IP forwarding and masquerading

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

$ iptables -A FORWARD -i eth1 -j ACCEPT

eth0 is the Internet-facing interface, eth1 the local network. Forwarding also has to be enabled in the kernel (net.ipv4.ip_forward = 1), and with the DROP policy from step 2 the return direction towards eth1 needs an established/related rule as in step 7.

 

15. Save & load rules

$ iptables-save > /etc/iptables.rules

$ iptables-restore < /etc/iptables.rules

Rules live in the kernel and are lost on reboot; for a more convenient way to restore them at boot use the iptables-persistent package (on Debian/Ubuntu it loads /etc/iptables/rules.v4).

 

16. Show all rules with line numbers

$ iptables -n -L -v --line-numbers

Without -t this lists the filter table only; repeat it with -t nat to see the rules from steps 8, 11 and 14.

iptables example for stand-alone web server

On Ubuntu, Gufw provides a graphical front end for the firewall.
