IPTables
Multiple Ports
https://serverfault.com/questions/353130/iptables-and-multiple-ports
# one rule for several ports; the multiport match takes up to 15 ports (a port range counts as two)
iptables -A INPUT -p tcp -m multiport --dports 110,143,993,995 -j ACCEPT
Adding a Rule
# -A appends to the end of the chain: allow SSH, but only from the 192.168.0.0/24 network
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
Specific Position
# -I inserts at a position (1 = top), so this is evaluated before everything already in the chain
iptables -I INPUT 1 -i eth2 -d 10.147.88.2 -j ACCEPT
Comments
# -m comment stores a note with the rule; it shows up in iptables -L and iptables-save output.
# A rule without a -j target only matches and counts packets, so the target is still needed.
iptables -A INPUT -p tcp --dport 22 -m comment --comment "allow ssh" -j ACCEPT
# inbound DNS queries: only needed if this host runs a resolver
iptables -A INPUT -p udp --dport 53 -m comment --comment "dns server" -j ACCEPT
# outbound DNS queries from this host: only matters once the OUTPUT policy is no longer ACCEPT
iptables -A OUTPUT -p udp --dport 53 -m comment --comment "dns client" -j ACCEPT
Allowing Incoming Traffic after Changing Default Policy
https://serverfault.com/questions/356282/cannot-ping-outside-network-with-these-ip-rules
https://www.linuxquestions.org/questions/linux-newbie-8/iptables-dns-resolve-issue-4175493915/
# Once the INPUT policy is DROP, the replies to connections this host opened (DNS answers,
# ping replies, the handshake of an outbound TCP connection) are dropped as well. Insert this
# at the top so conntrack admits return traffic for flows this host started.
# -m state --state ESTABLISHED,RELATED is the older spelling of the same match and still works.
iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Deleting a Rule
https://stackoverflow.com/questions/10197405/how-can-i-remove-specific-rules-from-iptables
# repeat the rule specification exactly as it was added, with -A replaced by -D; if the spec
# does not match an existing rule verbatim, iptables answers "Bad rule (does a matching rule exist in that chain?)"
iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
# becomes
iptables -D INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
# alternatively delete by position: list with --line-numbers (see Listing Rules), then give -D the
# chain and the number; numbers shift after every deletion, so work from the highest number down
DNS Resolve Issues
https://www.linuxquestions.org/questions/linux-newbie-8/iptables-dns-resolve-issue-4175493915/
# Symptom: after setting INPUT to DROP, name resolution stops, because the UDP answers coming
# back from port 53 are dropped. Accepting on source port is the quick fix, but any sender can
# set its source port to 53, so this lets arbitrary spoofed UDP through INPUT. Prefer the
# ESTABLISHED,RELATED conntrack rule above, which only admits answers to queries this host sent.
iptables -A INPUT -p udp --sport 53 -j ACCEPT
# only needed when this host is itself a DNS server
iptables -A INPUT -p udp --dport 53 -j ACCEPT
Port Forwarding
# the kernel must route between interfaces; this per-interface knob enables it for eth0 only,
# net.ipv4.ip_forward enables it for all. Both are runtime only: persist in /etc/sysctl.d/ or
# the setting is gone after a reboot.
echo '1' | sudo tee /proc/sys/net/ipv4/conf/eth0/forwarding
# rewrite the destination of packets arriving for port 3333 before the routing decision
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 3333 -j DNAT --to-destination 10.0.0.4:3333
# FORWARD sees the packet after DNAT, so match the backend as the destination, not as the source
iptables -A FORWARD -p tcp -d 10.0.0.4 --dport 3333 -j ACCEPT
# masquerade so the backend's replies come back through this host even when its default route
# does not; the backend then sees this host's address instead of the real client's
iptables -t nat -A POSTROUTING -o eth0 -p tcp -m tcp --dport 3333 -j MASQUERADE
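The three rules above are usually typed once and then duplicated the next time the script runs. The following script is an added example, not part of the original page or its linked answers: it wraps the same steps in a function that checks with `iptables -C` before appending (so re-running it does not stack duplicate rules), matches the FORWARD rule on the post-DNAT destination, and makes the MASQUERADE step opt-in because it hides the client address from the backend. `eth0`, port `3333` and backend `10.0.0.4` are the page's values; the `DRY_RUN` and `MASQ` switches and the function names are my own choices. With `DRY_RUN=1` it prints the commands instead of executing them, so the result can be reviewed without root.

```shell
#!/bin/sh
# Idempotent TCP port forward (DNAT) to a backend host.
# Added example, not from the original page. DRY_RUN, MASQ and the function
# names are assumptions; eth0 / 3333 / 10.0.0.4 come from the page's rules.
#   DRY_RUN=1  print the iptables commands instead of executing them
#   MASQ=1     also add the POSTROUTING MASQUERADE rule

# Run iptables, or print the command line when DRY_RUN=1.
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'iptables %s\n' "$*"
  else
    iptables "$@"
  fi
}

# add_rule [-t TABLE] CHAIN RULE-SPEC...
# Append only when -C (check) reports the rule is absent, so running the
# script twice does not leave two copies of every rule in the chain.
add_rule() {
  table=""
  if [ "$1" = "-t" ]; then
    table=$2
    shift 2
  fi
  chain=$1
  shift
  if [ "${DRY_RUN:-0}" = 1 ]; then
    ipt ${table:+-t "$table"} -A "$chain" "$@"
    return 0
  fi
  iptables ${table:+-t "$table"} -C "$chain" "$@" 2>/dev/null ||
    iptables ${table:+-t "$table"} -A "$chain" "$@"
}

# Accept only a decimal TCP port number in 1..65535.
valid_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_port EXT_IF PORT BACKEND_IP [BACKEND_PORT]
# Connections arriving on EXT_IF:PORT are forwarded to BACKEND_IP:BACKEND_PORT.
forward_port() {
  ext_if=$1
  port=$2
  backend=$3
  bport=${4:-$2}
  valid_port "$port" || { echo "forward_port: bad port '$port'" >&2; return 1; }
  valid_port "$bport" || { echo "forward_port: bad backend port '$bport'" >&2; return 1; }

  # 1. The kernel must route between interfaces. Runtime only: persist it
  #    in /etc/sysctl.d/ or it is gone after a reboot.
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "sysctl -w net.ipv4.ip_forward=1"
  else
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
  fi

  # 2. Rewrite the destination of new connections before routing. Matching
  #    on -i EXT_IF keeps the rule from catching traffic on other interfaces.
  add_rule -t nat PREROUTING -i "$ext_if" -p tcp --dport "$port" \
    -j DNAT --to-destination "$backend:$bport"

  # 3. FORWARD sees the packet after DNAT, so match the backend as the
  #    destination (not as the source). Return traffic rides on conntrack.
  add_rule FORWARD -i "$ext_if" -d "$backend" -p tcp --dport "$bport" \
    -m conntrack --ctstate NEW -j ACCEPT
  add_rule FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # 4. Only if the backend cannot route replies back through this host:
  #    SNAT them so they return here. The backend then logs this host as
  #    the client, so leave it off when its default route is already this box.
  if [ "${MASQ:-0}" = 1 ]; then
    add_rule -t nat POSTROUTING -d "$backend" -p tcp --dport "$bport" -j MASQUERADE
  fi
}

# usage (as root):  forward_port eth0 3333 10.0.0.4
# review first:     DRY_RUN=1 forward_port eth0 3333 10.0.0.4
```

The `-C` check compares the full rule specification, so a rule added with different match options (for example `-m tcp` spelled out) counts as a different rule; keep the script as the single place these rules are defined.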
Persistent Rules
https://upcloud.com/community/tutorials/configure-iptables-ubuntu/
https://www.cyberciti.biz/faq/how-to-save-iptables-firewall-rules-permanently-on-linux/
# rules live in kernel memory only and are gone after a reboot. On Debian/Ubuntu install
# iptables-persistent, which restores /etc/iptables/rules.v4 (and rules.v6) at boot.
sudo apt install iptables-persistent
# write the running ruleset to the file the package loads; read it through before trusting it
iptables-save > /etc/iptables/rules.v4
# or let the package's helper save the running rules and reload them from the files
netfilter-persistent save
netfilter-persistent reload
Listing Rules
# -v shows interfaces and packet/byte counters, -n skips reverse DNS lookups (slow on a
# locked-down host), --line-numbers gives the positions used by -I and -D; add -t nat for the NAT table
iptables -L -v -n --line-numbers
Allow Only Certain IP Ranges
https://www.linode.com/community/questions/17544/how-do-i-allow-only-certain-ips-with-iptables
# Order matters: the rules are appended top to bottom and the DROP policy is set last, so an
# existing SSH session from an allowed range stays up. Make sure your own source address is in
# the allow list before running the -P lines, or you lock yourself out of a remote host.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m comment --comment "Allow loopback connections" -j ACCEPT
iptables -A INPUT -p icmp -m comment --comment "Allow Ping to work as expected" -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# a bare address is a /32, i.e. exactly one host
iptables -A INPUT -s 198.51.100.0 -j ACCEPT
# everything not matched above is silently dropped (no REJECT, so scanners get no answer)
iptables -P INPUT DROP
iptables -P FORWARD DROP
Logging
# These are iptables-save format lines (no leading "iptables"), as written in /etc/iptables/rules.v4.
# Place them as the last rule of the chain so only packets about to hit the DROP policy are logged,
# and rate-limit them: an unthrottled LOG rule lets a port scan or flood fill the disk. Entries go
# to the kernel log (dmesg, journalctl -k) with the prefix in front of the packet details.
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Dropped INPUT Packet: "
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Dropped FORWARD Packet: "
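The "Allow Only Certain IP Ranges" and "Logging" sections build the same thing by hand, one command at a time: a default-DROP INPUT chain with an allow list and a LOG rule for whatever is about to be dropped. The script below is an added example (not from the original page or its linked answers) that emits that ruleset in iptables-save format, so the rules always land in the order the explanation relies on, validates the addresses before they reach the firewall, and loads the file in one `iptables-restore` transaction after a syntax check, which removes the window where a half-built chain sits behind a DROP policy. The addresses in the usage lines are the page's; the `INVALID` drop, the `-m limit` values, the backup path and the function names are my own choices.

```shell
#!/bin/sh
# Build the allowlist firewall from "Allow Only Certain IP Ranges" plus the
# rate-limited LOG rule from "Logging" as one iptables-restore file and load
# it atomically. Added example, not from the original page. The INVALID drop,
# the limit values, the backup path and the function names are my additions.

# valid_cidr ADDR : accept a.b.c.d or a.b.c.d/NN with in-range octets and prefix.
valid_cidr() {
  oct='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
  printf '%s\n' "$1" | grep -Eq "^($oct\\.){3}$oct(/([0-9]|[12][0-9]|3[0-2]))?\$"
}

# build_ruleset CIDR... : print a complete filter-table ruleset on stdout.
# The order is fixed here: conntrack first, allow list in the middle, LOG last,
# whatever order the CIDRs are given in. Lines starting with # are ignored by iptables-restore.
build_ruleset() {
  [ $# -gt 0 ] || { echo "build_ruleset: need at least one source address or CIDR" >&2; return 1; }
  for src in "$@"; do
    valid_cidr "$src" || { echo "build_ruleset: bad address or CIDR: $src" >&2; return 1; }
  done
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to connections this host opened (DNS answers, package updates, outbound SSH)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot tie to any flow (bad TCP flag combinations, stray RSTs)
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -m comment --comment "Allow loopback connections" -j ACCEPT
-A INPUT -p icmp -m comment --comment "Allow Ping to work as expected" -j ACCEPT
EOF
  for src in "$@"; do
    printf -- '-A INPUT -s %s -j ACCEPT\n' "$src"
  done
  cat <<'EOF'
# last rule: log what is about to hit the DROP policy, throttled so a scan cannot fill the disk
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Dropped INPUT Packet: "
COMMIT
EOF
}

# apply_ruleset FILE : back up the live rules, syntax-check the new file, then
# load it as one transaction. iptables-restore replaces the whole table at once,
# so there is never a half-built chain sitting behind a DROP policy.
apply_ruleset() {
  backup="/root/iptables.backup.$(date +%s)"
  iptables-save > "$backup" || return 1
  if ! iptables-restore --test < "$1"; then
    echo "apply_ruleset: $1 did not parse; live rules untouched" >&2
    return 1
  fi
  iptables-restore < "$1" || { iptables-restore < "$backup"; return 1; }
  echo "loaded $1; previous rules saved in $backup" >&2
}

# usage (as root):
#   build_ruleset 192.168.1.0/24 198.51.100.0 > /etc/iptables/rules.v4
#   apply_ruleset /etc/iptables/rules.v4
```

If the allowed ranges only need management access, narrow the generated allow lines to `-p tcp --dport 22` rather than accepting every protocol from them; the generator keeps the page's broader form so the output matches the rules above.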
Docker
# Docker rewrites the FORWARD chain itself and re-creates its own chains on restart; DOCKER-USER is
# the chain it leaves alone and evaluates before its own rules, so local policy for container
# traffic belongs here. Docker carves its default bridge networks out of 172.16.0.0/12 (check with
# docker network inspect); 172.0.0.0/8 is too wide, since 172.0.0.0-172.15.255.255 and everything
# from 172.32.0.0 up are public Internet ranges that would also be let through.
-A DOCKER-USER -s 172.16.0.0/12 -m comment --comment "Allow docker to talk to itself" -j ACCEPT
-A DOCKER-USER -s 34.107.59.86/32 -m comment --comment "whitelist a specific IP Address" -j ACCEPT
-A DOCKER-USER -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# published container ports are reachable by nobody else; note that packets here have already been
# DNATed, so rules that need the original port must use -m conntrack --ctorigdstport instead of --dport
-A DOCKER-USER -j DROP