25 Common examples of iptables

Source: Internet
Author: User

This article presents 25 common iptables rules as basic templates that you can modify to meet your own needs.

Format

iptables [-t table name] option [chain name] [match conditions] [-j target]

Parameters

-P Set the default policy of a chain, for example: iptables -P INPUT (DROP|ACCEPT)

-F Flush (empty) a rule chain

-L List the rules of a chain

-A Append a new rule at the end of a chain

-I num Insert a new rule at position num of a chain (at the head of the chain if num is omitted)

-D num Delete rule number num from a chain

-s Match the source address as IP/mask; a preceding exclamation mark "!" negates the match (every address except this one)

-d Match the destination address

-i NIC name Match packets coming in through this network interface

-o NIC name Match packets going out through this network interface

-p Match the protocol, such as tcp, udp or icmp

--dport num Match the destination port number

--sport num Match the source port number

Examples

1. Delete existing rules

Before you start creating iptables rules, you may need to delete the existing ones. The command is:

iptables -F (or) iptables --flush

Note: Without -t this flushes only the filter table; use iptables -t nat -F for the nat table. Flushing removes the rules but does not change the default policies of the chains.

2. Set the default policy for the chains

By default the policy of each chain is ACCEPT. To set the INPUT, FORWARD and OUTPUT chains to DROP (deny), run:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

When both the INPUT and OUTPUT chains are set to DROP, every firewall rule has to be defined twice: once for the incoming packets and once for the outgoing ones. In all the examples below we therefore write two rules for each case, because DROP is the default policy of both the INPUT and OUTPUT chains. If you trust your internal users you can omit the last line above, so that outgoing packets are not dropped by default; in that case each requirement needs only one rule, the one for the incoming packets. If you administer the machine over SSH, add the rule that allows your own session (example 4) before switching the INPUT policy to DROP, otherwise the session is cut off.

3. Block a specified IP address

Example: Drop all packets from IP address x.x.x.x

BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

Note: When you find suspicious records from an IP address in the logs, you can use this command to block the address temporarily while you analyse it in more depth.

Example: Block packets, and TCP packets in particular, from IP address x.x.x.x arriving on eth0

iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP

4. Allow all SSH connection requests

Example: Allow all incoming SSH connection requests, that is, packets arriving on interface eth0 with destination port 22

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

5. Allow only SSH connection requests from the specified network

Example: Allow SSH connection requests only from users on the network 192.168.100.0/24

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

6. Allow HTTP and HTTPS connection requests

Example: Allow all incoming HTTP connection requests

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

Example: Allow all incoming HTTPS connection requests

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

7. Use Multiport to combine multiple rules

Instead of writing a separate rule for each port that should be reachable from outside, we can use the multiport match to combine them into a single rule, as shown below.

Example: Allow all SSH, HTTP and HTTPS traffic

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

8. Allow locally initiated SSH requests

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Note that this is slightly different from the rule that allows incoming SSH connections (example 4). Here we allow the NEW and ESTABLISHED states on the OUTPUT chain and only the ESTABLISHED state on the INPUT chain; the incoming SSH rule does the opposite.

9. Allow only SSH requests originating locally to a specified network domain

Example: Allow outgoing SSH connections only to the network 192.168.100.0/24

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

10. Allow HTTPS connection requests originating from the local

The following rules allow outgoing secure web traffic. This is necessary if you want to let users access the Internet; on a server, these rules let you use wget to download files from outside.

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Note: To allow outgoing HTTP web traffic, change the port in the above commands from 443 to 80.

11. Load Balancing incoming network traffic

With iptables you can load balance incoming web traffic across several back-end servers using firewall rules alone.

Example: Use the nth match to load balance HTTPS traffic across three different IP addresses. The nth match comes from the patch-o-matic extensions; on a current kernel the equivalent is -m statistic --mode nth --every 3 --packet N. DNAT is only available in the nat table, so the rules need -t nat.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

12. Allow external hosts to ping internal hosts

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

13. Allow internal hosts to ping external hosts

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

14. Allow loopback access

Example: Allow 127.0.0.1 loopback access on the server.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

15. Allow communication from the internal network to the external network

On the firewall server one network card is connected to the outside and the other to the internal network; the following rule lets the internal network communicate with the external one. In this example eth1 is connected to the external network (the Internet) and eth0 to the internal network (for example 192.168.1.x).

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Note: With the FORWARD policy set to DROP (example 2), the replies coming back in through eth1 also need a FORWARD rule from eth1 to eth0 that matches the ESTABLISHED,RELATED states, otherwise the internal hosts never receive an answer.

16. Allow Outbound DNS connections

iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

17. Allow NIS connections

If you use NIS to manage user accounts, you need to allow NIS connections. If the ypbind connection requests of NIS are not allowed, users will be unable to log in even when the SSH connection requests are allowed. The ports NIS uses are dynamic; run rpcinfo -p to find the current port numbers, in this case ports 853 and 850.

rpcinfo -p | grep ypbind

Example: Allow connection requests to port 111 and to the ports ypbind uses

iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT

Note: When you restart ypbind, the ports will be different and the above commands will no longer be valid. There are two kinds of solution:

1) Use a static IP for your NIS

2) Write a shell script that automatically obtains the dynamic port numbers through the "rpcinfo -p" command and uses them in the iptables rules above.
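The script that solution 2) describes, written here as an added example that is not part of the original article: it reads the output of rpcinfo -p, picks the ports ypbind is currently registered on, and emits the matching ACCEPT rules together with the fixed portmapper rules for port 111. The rpcinfo sample is constructed, and the DRY_RUN variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): generate the NIS rules of
# example 17 from the ports ypbind currently uses, as solution 2) suggests.

# Constructed sample of "rpcinfo -p" output (columns: program, version,
# protocol, port, service). On a real host pipe the command itself in.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100007    2   udp    853  ypbind
    100007    1   udp    853  ypbind
    100007    2   tcp    850  ypbind
    100007    1   tcp    850  ypbind'

# run: print the command when DRY_RUN=1 (the default here), execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# ypbind_ports: read rpcinfo output on stdin and print the unique
# "proto port" pairs registered for the ypbind service.
ypbind_ports() {
    awk '$5 == "ypbind" { print $3, $4 }' | sort -u
}

# nis_rules: emit ACCEPT rules for the portmapper (111, tcp and udp) and for
# every protocol/port pair ypbind is using. Input is rpcinfo output on stdin.
nis_rules() {
    for proto in tcp udp; do
        run iptables -A INPUT -p "$proto" --dport 111 -j ACCEPT
    done
    ypbind_ports | while read -r proto port; do
        run iptables -A INPUT -p "$proto" --dport "$port" -j ACCEPT
    done
}

# Typical use on the NIS client, applying the rules instead of printing them:
#   rpcinfo -p | DRY_RUN=0 nis_rules
# Dry run against the constructed sample:
#   printf '%s\n' "$SAMPLE_RPCINFO" | nis_rules
```

Run it again after every ypbind restart (for example from the ypbind start script) so the rules follow the new ports.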

18. Allow rsync connection requests from a specified network

Example: Allow rsync connection requests from the network 192.168.101.0/24

iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

19. Allow MySQL connection requests from a specified network

In many cases the MySQL database runs on the same server as the web service. Sometimes we want only DBAs and developers to log into the database directly from the internal network (192.168.100.0/24); in that case use the following commands:

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

20. Allow SendMail, postfix mail Service

Both Sendmail and Postfix use port 25, so we only need to allow connection requests to port 25.

iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

21. Allow IMAP and IMAPS

Example: Allow IMAP/IMAP2 traffic, port 143

iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

Example: Allow IMAPS traffic, port 993

iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

22. Allow POP3 and POP3S

Example: Allow POP3 access, port 110

iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

Example: Allow POP3S access, port 995

iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

23. Preventing DoS attacks

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

In the example above: -m limit: enable the limit extension. --limit 25/minute: allow at most 25 connections per minute (change as required). --limit-burst 100: the per-minute limit takes effect only once the number of connections reaches the burst level (100 in this example). Note that the rule only accepts packets within the limit; packets above it fall through to the following rules and, with the DROP policy of example 2, are discarded. Because the rule matches every packet to port 80 and not only new connections, established sessions are throttled too; add --syn (or -m state --state NEW) to limit connection attempts only.

24. Port forwarding

Example: Forward all traffic from port 422 to port 22.

This means that we can SSH in through both port 422 and port 22. Enable DNAT forwarding:

iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22

In addition, you need to allow connection requests to port 422:

iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

Note: Because the DNAT happens in PREROUTING, the INPUT chain sees the rewritten destination port 22, so the rule that allows port 22 (example 4) must also be present for the forwarded connections to get through.

25. Log dropped packets

Step one: Create a new chain named LOGGING

iptables -N LOGGING

Step two: Send all packets that reach the end of the INPUT chain to the LOGGING chain. This must be the last rule in INPUT, after all the ACCEPT rules, otherwise allowed traffic is logged and dropped as well.

iptables -A INPUT -j LOGGING

Step three: Log these packets with the prefix "iptables Packet Dropped:", rate limited to two entries per minute

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables Packet Dropped:" --log-level 7

Step four: Drop these packets

iptables -A LOGGING -j DROP
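To make use of the entries that step three writes, here is an added example (not from the original article) that summarises the kernel log lines by source address and destination port, so the addresses and ports being dropped most often stand out. The log lines are constructed and assume the default LOG output format (SRC=, DST=, PROTO=, DPT= fields) with the prefix set above; the function name is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the original article): summarise what example 25
# logs. Assumes the default LOG output format and the prefix
# "iptables Packet Dropped:" set in step three.

# Constructed sample kernel log lines (not captured from a real host).
SAMPLE_LOG='Mar  3 10:00:01 fw kernel: iptables Packet Dropped:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: iptables Packet Dropped:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:00:03 fw kernel: iptables Packet Dropped:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=3 PROTO=UDP SPT=53 DPT=1900 LEN=20
Mar  3 10:00:04 fw kernel: some unrelated kernel message'

# dropped_summary: read log lines on stdin and print "count source dport",
# most frequent first. Lines without the prefix are ignored, as are entries
# with no DPT= field (for example ICMP), which carry no destination port.
dropped_summary() {
    grep 'iptables Packet Dropped:' |
    awk '{
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
            if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
        }
        if (src != "" && dpt != "") count[src " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# Typical use on the firewall itself (kernel messages via journalctl -k or
# /var/log/kern.log); the constructed sample gives "2 203.0.113.9 23" first:
#   journalctl -k --no-pager | dropped_summary | head
#   printf '%s\n' "$SAMPLE_LOG" | dropped_summary
```

Because step three rate limits the LOG target to two entries per minute, the counts are a lower bound on the packets actually dropped, not an exact figure.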
