Iptables tutorial and examples

Delete existing rules:

iptables -F        (equivalent long form: iptables --flush)

Set default chain policies (everything not explicitly accepted by a later rule is dropped):

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Block an IP address (chain names are case-sensitive, so the chain is INPUT, not input):

iptables -A INPUT -s a.b.c.d -j DROP
iptables -A INPUT -i eth0 -p tcp -s <ip_addr> -j DROP

Allow access to SSH (TCP port 22):

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow inbound connections to a given port from a specific network:

iptables -A INPUT -i eth0 -p tcp -s <ip_address/24> --dport <port> -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -d <ip_address/24> --sport <port> -m state --state ESTABLISHED -j ACCEPT

Redirecting requests to a different IP address:

First enable IP forwarding in the kernel (the sysctl key is net.ipv4.ip_forward):

vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
sysctl -p

Then add the NAT rules:

iptables -t nat -A PREROUTING -p tcp --dport <port> -j DNAT --to-destination <ip>:<port>
iptables -t nat -A POSTROUTING -j MASQUERADE

Access to multiple ports (the OUTPUT rule matches the reply traffic, so it uses --sports rather than --dports):

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 20,21,22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 20,21,22 -m state --state ESTABLISHED -j ACCEPT

Load balance incoming traffic (DNAT lives in the nat table, so -t nat is required):

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.1:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.2:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.3:80

Note that the nth match is a patch-o-matic extension and is not part of stock iptables; mainline iptables offers the same round-robin selection through the statistic match in nth mode.

Allow ping from outside:

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Forward internal network to external:

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Allow NIS connections:

NIS does not use fixed ports, so first grep the rpcinfo listing to find the ports ypbind has registered:

rpcinfo -p | grep ypbind

Then allow those ports (protocol and port are the third and fourth columns of the output).
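The "grep rpcinfo, then allow the ports" step above, turned into a small script. This is an added example, not part of the original tutorial; the interface eth0, the client subnet 192.168.1.0/24 and the rpcinfo output are constructed assumptions.

```shell
#!/bin/sh
# Added example: derive iptables ACCEPT rules for NIS from 'rpcinfo -p'
# output instead of reading the ports off by hand.
# Assumptions (made up for the example): interface eth0, clients on 192.168.1.0/24.

# Constructed sample of 'rpcinfo -p' output; versions and ports are illustrative.
RPCINFO_SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100007    2   udp    824  ypbind
    100007    1   udp    824  ypbind
    100007    2   tcp    827  ypbind
    100007    1   tcp    827  ypbind'

# rpc_ports SERVICE  (reads rpcinfo output on stdin)
# Prints unique "proto port" pairs registered for SERVICE: the grep step from
# the tutorial, plus deduplication across RPC versions of the same service.
rpc_ports() {
    awk -v svc="$1" '$5 == svc { print $3, $4 }' | sort -u
}

# nis_rules SERVICE IFACE SOURCE_NET  (reads rpcinfo output on stdin)
# Emits one stateful INPUT/OUTPUT rule pair per proto/port, in the same style
# as the rest of the tutorial. It prints the commands rather than running
# them, so the result can be reviewed (and tested) without root.
nis_rules() {
    svc=$1; iface=$2; net=$3
    rpc_ports "$svc" | while read -r proto port; do
        echo "iptables -A INPUT -i $iface -p $proto -s $net --dport $port -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A OUTPUT -o $iface -p $proto -d $net --sport $port -m state --state ESTABLISHED -j ACCEPT"
    done
}

# On a real host: rpcinfo -p | nis_rules ypbind eth0 192.168.1.0/24
# Here the constructed sample stands in for rpcinfo.
printf '%s\n' "$RPCINFO_SAMPLE" | nis_rules ypbind eth0 192.168.1.0/24
```

Pipe the output into sh once it has been checked; ypbind registers both TCP and UDP, and the portmapper port 111 needs its own rule if clients must be able to look the service up.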

Prevent DoS attacks (rate limiting):

iptables -A INPUT -p tcp --dport 80 -m limit --limit 20/minute --limit-burst 150 -j ACCEPT

-m limit: use the iptables limit extension. --limit 20/minute: maximum 20 connections per minute. --limit-burst 150: the limit is enforced only after the total number of connections has reached the burst level. Packets beyond the limit are not matched by this rule and fall through to the rest of the INPUT chain, so with the default DROP policy set above they are dropped.

Port forwarding:

iptables -t nat -A PREROUTING -p tcp -d 192.168.100.5 --dport 80 -j DNAT --to 192.168.100.100:8080

Logging Dropped Packets:

a. Create a chain:

iptables -N LOGGING

b. Force all inbound connections to jump to the logging chain:

iptables -A INPUT -j LOGGING

c. Log the packets with a prefix (rate limited to 2 per minute so the log cannot be flooded; log level 7 is debug):

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "Dropped Packet" --log-level 7

d. Drop the packets:

iptables -A LOGGING -j DROP