Examples of iptable rules


1 iptables.org

See the file iptables.org for details. These are just examples.

2 Default Policy rules

  • iptables -P INPUT ACCEPT # temporarily allows everything in # danger!!
  • iptables -P FORWARD DROP
  • iptables -P OUTPUT ACCEPT

3 Matching Rules examples

-i lo
-i ens33

-m state --state ESTABLISHED,RELATED
-m mac --mac-source 00:0c:be:ef:fe:ed

-p tcp --dport 22
-p tcp --dport 22 -m state --state NEW
-p tcp --dport 20:21
-p tcp --dport 53

-p tcp --sport 21 ?

-p tcp
-p udp
-p icmp
-p all

-s 192.168.128.0/255.255.255.0
-s 192.168.128.20

-d 192.168.111.0/255.255.255.0

-p icmp -s 192.168.0.0/255.255.0.0 -d 192.168.0.0/255.255.0.0
-p tcp --dport 22 -s 192.168.128.0/255.255.255.0

4 Actions

-j ACCEPT
-j DROP
-j LOG
-j LOG --log-prefix "rule description"
-j LOG --log-prefix "RULE4:" --log-level 7

The last one is the action part of a command that inserts a rule at position #4 in the FORWARD chain and logs packet information:

sudo iptables -I FORWARD 4 -j LOG --log-prefix "RULE4:" --log-level 7

5 Combining match and action into complete commands:

sudo iptables -P INPUT DROP

sudo iptables -I INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "Allow dport ssh on INPUT"

To take that out again, repeat the rule exactly (the comment match included) with -D instead of -I:

sudo iptables -D INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT -m comment --comment "Allow dport ssh on INPUT"

(Easier: list the chain with sudo iptables -L INPUT --line-numbers -n and delete by index, e.g. sudo iptables -D INPUT 7 for the seventh rule.)

sudo iptables -I INPUT 1 -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT

sudo iptables -I INPUT 2 -p tcp --dport 22 -j REJECT

iptables -A INPUT -p tcp --dport 6901 -j ACCEPT

iptables -A INPUT -p tcp --dport 6901:6999 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -s 192.168.128.0/255.255.255.0 -j ACCEPT

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

sudo iptables -A FORWARD -i virbr0 -o ens33 -j ACCEPT

sudo iptables -A INPUT -s 80.248.0.0/255.255.0.0 -j DROP

sudo iptables -A INPUT -i eth0 -s 80.248.11.55 -j DROP

sudo iptables -A INPUT -p tcp -s 192.168.111.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established rsync connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

To allow all incoming HTTP (port 80) connections run these commands:

sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established HTTP connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

MySQL listens for client connections on port 3306. If your MySQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.

Allow MySQL from a specific IP address or subnet

To allow incoming MySQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 192.168.111.0/24 subnet, run these commands:

sudo iptables -A INPUT -p tcp -s 192.168.111.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established MySQL connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

sudo iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established MySQL connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT

sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established SMTP connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT

-A OUTPUT -o eth0 -p udp --dport 123 --sport 123 -j ACCEPT

-A OUTPUT -o eth0 -p icmp -j ACCEPT

-A OUTPUT -o eth0 -p udp -m udp --dport 54 -j ACCEPT

6 Targets (actions) ACCEPT, REJECT, DROP and LOG

The decisions result in actions, called targets. Targets (actions) can be DROP, ACCEPT or REJECT.

-j: the "j" comes from "jump", as in jump to this action.

  1. Terminating targets

    -j DROP
    -j ACCEPT
    -j QUEUE
    -j REJECT
    -j RETURN
    -j USER-DEFINED

  2. Non-terminating targets

    -j LOG

    Conntrack supersedes state, but in modern kernels there is no difference between the two. State is currently aliased and translated to conntrack in iptables if the kernel has it, so the syntax -m state --state is actually translated into -m conntrack --ctstate and handled by the same module.

7 Inserting rules in a CHAIN

The first obvious advanced technique is to refer to rules by number, so that you can insert a rule at a specific position in the order and not have to rewrite them all. These numbers are called indices.

By default, the rules are read in the order they are listed on each chain.

You can list the rules with indices (and numeric addresses and ports) using the command:

sudo iptables -L --line-numbers -n

To insert a rule ABOVE a given indexed rule, simply insert using that rule's index.

For example, to look at the OUTPUT chain only:

sudo iptables -L OUTPUT -n --line-numbers

A numbered listing of a chain looks like this:

sudo iptables -L -n --line-numbers
1
2  2nd rule
3  3rd rule
4

sudo iptables -I INPUT 2 newrule

1
2  newrule
3  2nd rule
4  3rd rule
5

To remove a specific rule, based on an index, use:

sudo iptables -D INPUT 3

which results in:

1
2  newrule
3  3rd rule
4
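Putting sections 5 and 7 together: the order in which the rules above are added matters, and a DROP policy set before the allowances are in place cuts off the session doing the work. The script below is an added example (not part of the original notes) that builds a stateful default-deny INPUT chain in a safe order; IPT and ADMIN_NET are assumed names, and with the default IPT the plan is only printed.

```shell
#!/bin/sh
# Added example, not from the original notes: build a stateful default-deny
# INPUT chain in an order that cannot lock out the session doing the work.
# Allowances go in first, the DROP policy goes in last. IPT defaults to
# "echo iptables" so the plan is only printed; IPT="sudo iptables" applies it.
IPT="${IPT:-echo iptables}"
ADMIN_NET="${ADMIN_NET:-192.168.128.0/24}"   # assumed management subnet

build_rules() {
    $IPT -P INPUT ACCEPT    # open while rebuilding, so the flush below is safe
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to our own traffic (tcp, udp and icmp alike: no -p restriction)
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
    # new ssh only from the management subnet
    $IPT -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 3306 -s "$ADMIN_NET" -m conntrack --ctstate NEW -j ACCEPT
    # rate-limited log of what is about to hit the policy, tagged for grep
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP:" --log-level 6
    $IPT -P INPUT DROP      # only now, with every allowance already in place
}

# number of -A INPUT rules in the plan; always a dry run (subshell forces echo)
count_rules() { ( IPT="echo iptables"; build_rules ) | grep -c -e '-A INPUT'; }

build_rules   # with the default IPT this prints the plan instead of applying it
```

Run it as IPT="sudo iptables" sh fw.sh to apply, ideally from a console or with a fallback such as a scheduled iptables -P INPUT ACCEPT in case the ssh rule is wrong.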

8 Display your changes

  • iptables -L -v -n # with statistics
  • iptables -L --line-numbers -n # with rule ordering
  • iptables -L INPUT -v -n # with statistics
  • iptables -L FORWARD --line-numbers -n # with rule ordering

9 Output of iptables-save >

# Generated by xtables-save v1.8.2 on Mon Feb 10 01:10:03 2020

*filter
:INPUT DROP [105:15709]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1623:260525]
-A INPUT -s 192.168.128.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.111.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.111.0/24 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 192.168.111.1/32 -p udp -m udp --sport 53 -m comment --comment "Allow DNS sport from C8host" -j ACCEPT
-A INPUT -j LOG --log-prefix "zpzpzp debugging vm1 INPUT" --log-level 6
COMMIT
# Completed on Mon Feb 10 01:10:03 2020
# Generated by xtables-save v1.8.2 on Mon Feb 10 01:10:03 2020

*security
:INPUT ACCEPT [2513:207688]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1623:260525]
COMMIT
# Completed on Mon Feb 10 01:10:03 2020
# Generated by xtables-save v1.8.2 on Mon Feb 10 01:10:03 2020

*raw
:PREROUTING ACCEPT [2592:214348]
:OUTPUT ACCEPT [1623:260525]
COMMIT
# Completed on Mon Feb 10 01:10:03 2020
# Generated by xtables-save v1.8.2 on Mon Feb 10 01:10:03 2020

*mangle
:PREROUTING ACCEPT [2592:214348]
:INPUT ACCEPT [2585:214032]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1623:260525]
:POSTROUTING ACCEPT [1626:260672]
COMMIT
# Completed on Mon Feb 10 01:10:03 2020
# Generated by xtables-save v1.8.2 on Mon Feb 10 01:10:03 2020

*nat
:PREROUTING ACCEPT [16:847]
:INPUT ACCEPT [6:384]
:POSTROUTING ACCEPT [114:6862]
:OUTPUT ACCEPT [114:6862]
COMMIT
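A saved ruleset like the one above is easy to review mechanically. The audit below is an added example (not part of the original notes) that reads an iptables-save dump on stdin and flags three things worth a second look in the filter table: a non-DROP INPUT or FORWARD policy, an ESTABLISHED rule limited to tcp (UDP and ICMP replies then fall through to later rules or the policy, which is why the dump above needs its separate DNS sport 53 rule), a port ACCEPTed without a -s restriction, and a LOG rule without -m limit. The sample dump is a constructed cut-down copy of the filter table shown above.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit an iptables-save dump.
# audit_filter reads the dump on stdin, looks only at the *filter table and
# prints one finding per line; finding_count returns how many there are.
audit_filter() {
    awk '
    /^\*/              { table = substr($0, 2) }
    table != "filter"  { next }
    /^:INPUT/   && $2 != "DROP" { print "INPUT policy is " $2 ", not DROP" }
    /^:FORWARD/ && $2 != "DROP" { print "FORWARD policy is " $2 ", not DROP" }
    /^-A INPUT/ {
        # a stateful allow limited to tcp leaves udp/icmp replies to fall through
        if ($0 ~ /ESTABLISHED/ && $0 ~ /-p tcp/) print "ESTABLISHED rule limited to tcp: " $0
        # a service opened with no -s is reachable from any source
        if ($0 ~ /--dport/ && $0 ~ /-j ACCEPT/ && $0 !~ / -s /) print "port open to any source: " $0
        # a LOG rule without -m limit can flood the kernel log
        if ($0 ~ /-j LOG/ && $0 !~ /-m limit/) print "unrated LOG rule: " $0
    }'
}

# constructed sample, modelled on the filter table saved above
sample_dump() {
    cat <<'EOF'
*filter
:INPUT DROP [105:15709]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1623:260525]
-A INPUT -s 192.168.128.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j LOG --log-prefix "debugging vm1 INPUT" --log-level 6
COMMIT
*nat
:INPUT ACCEPT [6:384]
COMMIT
EOF
}

finding_count() { sample_dump | audit_filter | wc -l | tr -d ' '; }

sample_dump | audit_filter
```

On a live host, run sudo iptables-save | sh -c '. ./audit.sh; audit_filter' (or pipe the saved file in) to check the current ruleset instead of the sample.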
