This article describes 25 common iptables usages. If you are new to iptables, first read the earlier detailed iptables tutorial (basics, architecture, flushing rules, appending rules, application examples); after that, the commands and the basic terminology used here should be clear.
First, iptables: getting started
Delete all existing rules
iptables -F (or) iptables --flush
Note that -F only empties the chains of the filter table and leaves the chain policies as they are. For a clean slate, flush the other tables explicitly (iptables -t nat -F, iptables -t mangle -F) and remove user-defined chains with iptables -X.
Set the default chain policy
The iptables filter table has three built-in chains: INPUT, FORWARD and OUTPUT. Their default policy is ACCEPT; you can set it to DROP:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
Be aware that this blocks every packet entering or leaving the host unless a rule explicitly accepts it. Never run these over a remote SSH session before the rules that allow your own session (and established traffic) are in place, or you will lock yourself out.
Block a specified IP address
The following rule blocks the address held in BLOCK_THIS_IP from reaching the local host:
BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
(or block only TCP packets from that address)
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
Rules are evaluated in order, so a block like this must come before any ACCEPT rule that would otherwise match the same traffic; iptables -I INPUT 1 ... inserts it at the top of an existing chain instead of appending it.
Allow incoming ping (other hosts may ping this host)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow outgoing ping (this host may ping other hosts)
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow loopback access
Many local services (the resolver, databases, monitoring agents) talk to each other over lo, so this pair belongs near the top of any default-deny ruleset:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
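The pieces of this first section (DROP policies, loopback, ping) are normally combined with connection tracking into one ruleset that is loaded atomically with iptables-restore, rather than applied one iptables -A at a time with a DROP policy already in force. The script below is an added example written for this article, not code from the original page. It only generates the ruleset text; the interface name, the admin network allowed to open SSH, and the SSH port are assumed parameters, and nothing here touches the live firewall.

```sh
#!/bin/sh
# Added example, not code from the original article. It turns the
# section-one building blocks (default-deny policies, loopback, ping) plus
# connection tracking into one ruleset in iptables-restore format, so the
# whole policy is loaded atomically rather than one iptables -A at a time
# (which, with a DROP policy, leaves a window where you are locked out).
# Assumed inputs: external interface, admin network allowed to open SSH,
# and the SSH port. Nothing here changes the live firewall.

gen_base_rules() {
    iface="$1"       # e.g. eth0 (assumption)
    admin_net="$2"   # e.g. 192.168.100.0/24 (assumption)
    ssh_port="$3"    # e.g. 22

    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback must stay open or local services (resolver, databases) break
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# packets belonging to connections we already accepted, in both directions
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# drop malformed/out-of-state packets before the service rules see them
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ping: incoming echo-request (rate limited); the reply is ESTABLISHED above
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# new SSH sessions only from the admin network
-A INPUT -i $iface -p tcp -s $admin_net --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# the host itself may resolve names and open outbound SSH/HTTPS
-A OUTPUT -o $iface -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $iface -p tcp -m multiport --dports 22,53,443 -m conntrack --ctstate NEW -j ACCEPT
# anything else is logged (rate limited) and then hits the DROP policy
-A INPUT -m limit --limit 2/minute -j LOG --log-prefix "iptables dropped: " --log-level 4
COMMIT
EOF
}

# Number of rules (-A lines) in a generated ruleset; handy for sanity checks.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A'
}

# Loading it: test-parse first, and if you are on SSH schedule a rollback
# (e.g. "sleep 120 && iptables -P INPUT ACCEPT" in a detached shell) before
# applying, so a mistake in the admin network does not lock you out.
# apply_base_rules() {
#     gen_base_rules eth0 192.168.100.0/24 22 > /tmp/base.rules
#     iptables-restore --test /tmp/base.rules && iptables-restore /tmp/base.rules
# }
```

The ESTABLISHED,RELATED rules replace the per-service --sport reply rules used throughout the rest of this article: one conntrack rule covers the replies of every accepted connection, and each service then needs only a single NEW rule in INPUT.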
Second, iptables: protocol and port settings
Allow all incoming SSH connections
This pair accepts SSH connection requests from outside, that is, packets arriving on eth0 with destination port 22, together with the replies sent back from port 22:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
(-m state is the older spelling of the conntrack match; -m conntrack --ctstate NEW,ESTABLISHED is the equivalent on current systems.)
Allow SSH connections originating from the local host
This is the mirror image of the rules above: it lets this computer initiate SSH connections to other hosts, whereas the rules above let other hosts connect to this one.
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow SSH connection requests only from a specified network
The following rules accept SSH only from the 192.168.100.0/24 network:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
In the example above you can also write the network as -s 192.168.100.0/255.255.255.0; the CIDR form is simply easier to read.
Allow locally initiated SSH connections only to a specified network
The following rules allow SSH connections from the local host only to the 192.168.100.0/24 network:
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow HTTP/HTTPS connection requests
# 1. Allow HTTP connections: port 80
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# 2. Allow HTTPS connections: port 443
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
Allow HTTPS connections initiated locally
This pair lets users on the local host open HTTPS connections to the Internet:
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
Outbound HTTP (port 80) is allowed the same way.
-m multiport: specify multiple ports
With the -m multiport match you can allow SSH, HTTP and HTTPS in a single rule:
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
Allow outbound DNS connections
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
DNS also uses TCP port 53 for responses that do not fit in a UDP datagram, so a matching TCP pair is usually needed as well. Note that the second rule has no state match: it accepts any UDP packet whose source port is 53, whether or not you asked for it, so on a hardened host prefer a state/conntrack ESTABLISHED rule for the replies.
Allow NIS connections
If you manage user accounts with NIS, you must also allow NIS traffic: even with SSH permitted, users cannot log in unless the ypbind-related connections get through. NIS ports are dynamic; ypbind is assigned its ports when it starts. So first find out which ports are in use, in this case 853 and 850:
rpcinfo -p | grep ypbind
Then allow connections to the portmapper (port 111) and to the ports ypbind is using:
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT
The rules above stop working after a reboot, because ypbind is assigned different ports. Two workarounds:
1. Pin NIS to fixed port numbers (for example ypbind's -p option, where your ypbind supports it) and open only those.
2. Run a script at boot that queries rpcinfo for the NIS ports and adds the corresponding filter rules.
Allow rsync connection requests from a specified network
You may run an rsync daemon but not want it exposed to everyone; the following rules allow access only from the internal network (192.168.101.0/24):
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
Allow MySQL connection requests from a specified network
You may run MySQL but want only DBAs and developers on the internal network (192.168.100.0/24) to connect directly to the database:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
Allow the Sendmail or Postfix mail service
The mail service listens on port 25, so we only need to allow connections to port 25 (add port 587 if the server also accepts mail submission):
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
Allow IMAP and IMAPS
# IMAP: 143
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
# IMAPS: 993
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
Allow POP3 and POP3S
# POP3: 110
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
# POP3S: 995
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
Mitigate DoS attacks
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-m limit: enable the limit match, which is a token bucket
--limit 25/minute: the bucket is refilled at 25 tokens per minute, so on average at most 25 matching packets per minute are accepted
--limit-burst 100: the bucket starts full with 100 tokens, so up to 100 packets can be accepted at once before the 25/minute rate takes effect
On its own this rule only accepts; packets above the limit fall through to the rules after it, so it must be followed by a DROP for the same traffic (or the chain policy must be DROP) to have any effect. It also counts every packet to port 80, including those of already established sessions, which throttles legitimate clients; in practice match only connection attempts, with --syn or -m state --state NEW.
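The following script is an added example for this article (not code from the original page). It writes out the limit rule with the DROP it needs behind it, restricted to SYN packets, and a per-source variant using the hashlimit match so that a single client cannot consume the whole budget; it also contains a small token-bucket model of the --limit/--limit-burst semantics so the numbers can be checked. Port 80 and the 25/minute, burst 100 figures come from the article; the rule order, the hashlimit table name http-syn and the arrival pattern fed to the model are assumptions, and the model is a simplification of the kernel's credit accounting.

```sh
#!/bin/sh
# Added example, not code from the original article. The article's -m limit
# rule only ACCEPTs the packets under the limit; the excess is not dropped
# unless a later rule or the chain policy drops it, and it counts every
# packet to port 80, not just new connections. These variants match only
# SYNs, add the missing DROP, and optionally limit per source address.

# Print the two-rule pair for the given mode.
#   global     - one bucket for everyone (what the article intends)
#   per-source - one bucket per client address via hashlimit
gen_http_ratelimit() {
    mode="$1"
    rate="${2:-25/minute}"   # article's figure
    burst="${3:-100}"        # article's figure
    case "$mode" in
    global)
        printf '%s\n' \
          "-A INPUT -p tcp --dport 80 --syn -m limit --limit $rate --limit-burst $burst -j ACCEPT" \
          "-A INPUT -p tcp --dport 80 --syn -j DROP"
        ;;
    per-source)
        # http-syn is an assumed table name; srcip keys the bucket on the client address
        printf '%s\n' \
          "-A INPUT -p tcp --dport 80 --syn -m hashlimit --hashlimit-name http-syn --hashlimit-mode srcip --hashlimit-upto $rate --hashlimit-burst $burst -j ACCEPT" \
          "-A INPUT -p tcp --dport 80 --syn -j DROP"
        ;;
    *)
        printf 'unknown mode: %s\n' "$mode" >&2
        return 1
        ;;
    esac
}

# Token-bucket model of --limit <rate>/minute --limit-burst <burst>.
# Tokens are kept in sixtieths of a packet so integer arithmetic suffices:
# <rate> packets/minute is <rate> sixtieths per second, one packet costs 60.
# Usage: bucket_sim <burst> <rate_per_minute> t1:count1 t2:count2 ...
# (constructed arrival events, seconds:packets, in time order)
# Prints how many of the packets the ACCEPT rule would let through.
bucket_sim() {
    burst="$1"; rate="$2"; shift 2
    cap=$((burst * 60)); tokens=$cap; last=0; accepted=0
    for ev in "$@"; do
        t="${ev%%:*}"; cnt="${ev#*:}"
        tokens=$(( tokens + rate * (t - last) ))
        if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
        last=$t
        while [ "$cnt" -gt 0 ]; do
            if [ "$tokens" -ge 60 ]; then
                tokens=$((tokens - 60)); accepted=$((accepted + 1))
            fi
            cnt=$((cnt - 1))
        done
    done
    echo "$accepted"
}
```

With the article's numbers, a burst of 150 SYNs at once yields 100 accepted and 50 dropped, and 30 more SYNs a minute later yield 25 accepted, since only 25 tokens have been refilled in that minute; with the global rule one noisy client uses up that budget for everyone, which is why the per-source form is preferable on a public service.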
Third, forwarding and NAT
Allow routing between interfaces
If the host has two network cards, one on the internal network (eth0) and one on the external network (eth1), the following rule lets traffic entering on eth0 be forwarded out of eth1:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
Forwarding also requires net.ipv4.ip_forward=1 in the kernel, and with a FORWARD policy of DROP the replies coming back from eth1 towards eth0 need their own rule (typically one matching -m state --state ESTABLISHED,RELATED).
DNAT and port forwarding
The following rules forward traffic arriving on port 422 to port 22, so an SSH connection to port 422 is handled exactly like one to port 22.
# 1. Enable DNAT
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22
# 2. Allow the connection in the filter table
The PREROUTING rewrite happens before the filter INPUT chain sees the packet, so INPUT has to accept destination port 22 (which the SSH rule earlier already does); a rule for port 422 in INPUT would never match. Likewise the replies leave the OUTPUT chain with source port 22 and only get their port translated back to 422 afterwards:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Suppose the external gateway address is xxx.xxx.xxx.xxx and we want to forward incoming HTTP requests to one of the internal machines:
iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT
When a packet for xxx.xxx.xxx.xxx:8888 arrives it has to be passed on to port 80 of 192.168.0.2. What NAT actually does is rewrite the packet's destination address and port; ordinary routing then delivers it to that host, and connection tracking rewrites the replies back the other way.
But will iptables let such a packet be routed at all? That is decided by the FORWARD chain. With the second command we tell iptables that packets destined for 192.168.0.2:80 may be forwarded (note that FORWARD sees the address and port after translation). Compare the 422-to-22 example above: there the translated destination is still the local host, so the packet goes through INPUT rather than FORWARD and no FORWARD rule is needed.
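To show both cases side by side, the following added example (written for this article, not code from the original page) generates the nat and filter rules for forwarding a public port to an internal host, and the rules for a local port redirect such as 422 to 22. It uses the in-tree REDIRECT target for the local case instead of the article's DNAT-to-self, which is a substitution of ours; the public address 203.0.113.10, interface eth0 and the internal server 192.168.0.2:80 are assumed values, and the ip_forward check reads a file path so it can be tested without root.

```sh
#!/bin/sh
# Added example, not code from the original article. Generates nat and
# filter rules in iptables-restore format for (a) forwarding a public port
# to an internal host and (b) redirecting a local port to another local
# port. Nothing here is applied to the running firewall.

# (a) Public port -> internal host. The filter FORWARD chain runs after the
# nat PREROUTING rewrite, so it must match the internal address and port.
# Usage: gen_port_forward <ext_if> <public_ip> <public_port> <int_ip> <int_port>
gen_port_forward() {
    ext_if="$1"; pub_ip="$2"; pub_port="$3"; int_ip="$4"; int_port="$5"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# rewrite the destination on the way in; conntrack un-NATs the replies
-A PREROUTING -i $ext_if -p tcp -d $pub_ip --dport $pub_port -j DNAT --to-destination $int_ip:$int_port
COMMIT
*filter
:FORWARD DROP [0:0]
# FORWARD sees the translated packet: match the internal address/port
-A FORWARD -i $ext_if -p tcp -d $int_ip --dport $int_port -m conntrack --ctstate NEW -j ACCEPT
# replies from the internal host back out must also pass FORWARD
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# (b) Local redirect (the 422 -> 22 case). The packet stays on this host,
# so it goes through INPUT, not FORWARD, and INPUT must allow the port it
# has *after* translation.
# Usage: gen_local_redirect <ext_if> <from_port> <to_port>
gen_local_redirect() {
    ext_if="$1"; from_port="$2"; to_port="$3"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i $ext_if -p tcp --dport $from_port -j REDIRECT --to-ports $to_port
COMMIT
*filter
-A INPUT -i $ext_if -p tcp --dport $to_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Forwarding only works when the kernel routes between interfaces.
# Returns 0 if ip_forward is enabled. Takes an optional path so the check
# can be exercised against a constructed file instead of /proc.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}
```

The ESTABLISHED,RELATED rule in FORWARD is the one most often forgotten: with a DROP policy on FORWARD the DNAT rule alone lets the SYN through but the internal server's SYN-ACK is dropped on its way back out.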
SNAT and MASQUERADE
The following command source-NATs all packets from the 10.8.0.0/24 network to the address 192.168.5.3 before they leave eth0:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.5.3
SNAT always needs an explicitly specified address (or range) to translate to, however many addresses you have. If the machine reaches the Internet over ADSL dial-up and its external address is dynamic, use MASQUERADE instead: it always uses the outgoing interface's current address, and forgets the tracked connections when that interface goes down.
iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE
Load balancing
The iptables nth match and its parameters (--counter 0 --every 3 --packet x) can be combined with DNAT (-t nat -A PREROUTING -j DNAT --to-destination) to spread new connections evenly over three servers:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
These rules belong in the nat table (-t nat), since the DNAT target is only valid there. Two caveats: the nth match came from the patch-o-matic extensions and is not part of mainline iptables, and the three rules above share counter 0, which is why --packet 0, 1 and 2 divide the traffic evenly. The in-tree replacement is -m statistic --mode nth, whose counter is kept per rule, so the same --every 3 with --packet 0, 1, 2 does not give an even split there.
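The following added example (written for this article, not code from the original page) shows the mainline equivalent with -m statistic --mode nth and, because the per-rule counter is easy to get wrong, a small model of how packets fall through the chain: each rule matches the packet-th of every "every" packets that reach it, and a packet that hits a DNAT target leaves PREROUTING. The backend addresses 192.168.1.101-103 and port 443 are the article's; eth0 and the use of -m conntrack instead of -m state are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original article. The nth match used in
# the text is from patch-o-matic; mainline iptables has -m statistic
# --mode nth with a per-rule counter, so an even three-way split is
# every 3 -> every 2 -> catch-all, not every 3 with packet 0/1/2.

gen_nth_balancer() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
-A PREROUTING -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.102:443
-A PREROUTING -i eth0 -p tcp --dport 443 -m conntrack --ctstate NEW -j DNAT --to-destination 192.168.1.103:443
COMMIT
EOF
}

# Model of the ruleset above with per-rule counters. Rule A takes every
# third packet it sees, rule B every second of what is left, rule C the
# rest. Usage: simulate_nth_chain <packets>  -> prints "A=n B=n C=n"
simulate_nth_chain() {
    n="$1"; i=0; ca=0; cb=0; a=0; b=0; c=0
    while [ "$i" -lt "$n" ]; do
        if [ "$ca" -eq 0 ]; then
            a=$((a + 1)); ca=$(( (ca + 1) % 3 ))
        else
            ca=$(( (ca + 1) % 3 ))
            if [ "$cb" -eq 0 ]; then
                b=$((b + 1)); cb=$(( (cb + 1) % 2 ))
            else
                cb=$(( (cb + 1) % 2 )); c=$((c + 1))
            fi
        fi
        i=$((i + 1))
    done
    printf 'A=%d B=%d C=%d\n' "$a" "$b" "$c"
}

# The same counting applied to the article's arrangement (all three rules
# --every 3 with --packet 0, 1, 2) under per-rule counters: rule B only
# sees the packets A skipped, so its "packet 1" is no longer every third
# packet overall, and some packets match no rule at all.
# Usage: simulate_naive_chain <packets> -> "A=n B=n C=n unmatched=n"
simulate_naive_chain() {
    n="$1"; i=0; ca=0; cb=0; cc=0; a=0; b=0; c=0; d=0
    while [ "$i" -lt "$n" ]; do
        if [ "$ca" -eq 0 ]; then
            a=$((a + 1)); ca=$(( (ca + 1) % 3 ))
        else
            ca=$(( (ca + 1) % 3 ))
            if [ "$cb" -eq 1 ]; then
                b=$((b + 1)); cb=$(( (cb + 1) % 3 ))
            else
                cb=$(( (cb + 1) % 3 ))
                if [ "$cc" -eq 2 ]; then
                    c=$((c + 1)); cc=$(( (cc + 1) % 3 ))
                else
                    cc=$(( (cc + 1) % 3 )); d=$((d + 1))
                fi
            fi
        fi
        i=$((i + 1))
    done
    printf 'A=%d B=%d C=%d unmatched=%d\n' "$a" "$b" "$c" "$d"
}
```

Because the rules match only NEW connections, later packets of a session follow the conntrack entry created by the first one and are not re-balanced; unmatched packets in the naive model would simply reach the gateway's own port 443, which is usually not what was intended.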
Fourth, custom chains
Log dropped packets
# 1. Create a new chain named LOGGING
iptables -N LOGGING
# 2. Send every packet that reaches the end of the INPUT chain to the LOGGING chain (append this after the ACCEPT rules, since a packet that jumps here is dropped and never returns)
iptables -A INPUT -j LOGGING
# 3. Log at most 2 entries per minute, with the custom prefix "iptables Packet Dropped:"
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables Packet Dropped: " --log-level 7
# 4. Drop the packet
iptables -A LOGGING -j DROP
--log-level 7 is the debug priority; the entries go to the kernel log (dmesg, or /var/log/kern.log or /var/log/messages depending on the syslog configuration). The limit keeps a flood from filling the log, at the cost of not recording every dropped packet.