25 classic iptables usages


This article describes 25 common iptables usages. If you are new to iptables, read the earlier detailed iptables tutorial first (basics, architecture, flushing rules, appending rules, application examples); it explains the terminology used here.

First, iptables: getting started

Delete the existing rules

iptables -F (or) iptables --flush

This removes every rule from every chain of the filter table. It does not reset the chain policies and does not touch other tables (use iptables -t nat -F for the nat table, and iptables -X to delete empty user-defined chains). If the policies are already DROP, flushing removes the ACCEPT rules and cuts off any remote session, so on a machine you administer over SSH set the policies back to ACCEPT before flushing.

Set the default chain policy

The filter table has three built-in chains: INPUT, FORWARD and OUTPUT. Their default policy is ACCEPT; for a default-deny firewall set it to DROP:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

Be aware that this drops every packet entering, leaving or passing through the host unless a rule explicitly accepts it. On a remote machine, add the ACCEPT rules for the traffic you need (at least loopback, already-established connections and your own SSH session) before switching the policies to DROP.

Block a specified IP address

The following rule blocks the address held in BLOCK_THIS_IP from reaching the local host:

BLOCK_THIS_IP="x.x.x.x"

iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP

(or block only TCP packets from that address)

iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP

Rules are evaluated in order and the first match wins, so a block rule must sit above any ACCEPT rule that would otherwise match the same traffic; use -I INPUT instead of -A INPUT to put it at the top of the chain.

Allow ping from outside (the host answers pings)

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow pinging external hosts from the local machine

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow loopback access

Many local services talk to each other over lo (127.0.0.0/8), so this pair belongs in every ruleset:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Second, iptables: protocol and port settings

Allow all SSH connection requests

These rules accept SSH connections from outside: packets arriving on eth0 for destination port 22, and the replies leaving eth0 from source port 22. The state match restricts the reply rule to connections the kernel has already seen (current iptables treats -m state as an alias of -m conntrack --ctstate).

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow SSH connections originating from the local host

This is the mirror image of the rules above: it lets this machine open SSH connections to other hosts, rather than accept them.

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow SSH connection requests only from a specified network

The following rules accept SSH only from 192.168.100.0/24:

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

In the example above you could also write the network as -s 192.168.100.0/255.255.255.0; the CIDR form is easier to read.

Allow SSH connections from the local host only to a specified network

The following rules only allow this host to open SSH connections into 192.168.100.0/24:

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow HTTP/HTTPS connection requests

# 1. Allow HTTP connections: port 80

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# 2. Allow HTTPS connections: port 443

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Allow HTTPS connections initiated locally

These rules let users on the local host open HTTPS connections to the Internet.

iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

The same pattern with port 80 allows outbound HTTP.

-m multiport: specify several ports in one rule

With the multiport match, SSH, HTTP and HTTPS can be allowed by a single pair of rules:

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

Allow outbound DNS connections

iptables -A OUTPUT -o eth0 -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --sport 53 -j ACCEPT

DNS falls back to TCP for large answers and zone transfers, so a matching pair for -p tcp --dport 53 is usually needed as well. The INPUT rule above is stateless: any packet with UDP source port 53 is accepted, whoever sent it. Admitting replies with a conntrack ESTABLISHED rule instead closes that hole.

Allow NIS connections

If you manage user accounts with NIS, you need to allow NIS traffic. Even with SSH allowed, users cannot log in until the ypbind-related connections are allowed as well. The NIS ports are dynamic: ypbind registers with the portmapper on whatever ports it is given when it starts. So first find the ports; in this case they are 853 and 850:

rpcinfo -p | grep ypbind

Then allow the portmapper on port 111 and the ports ypbind is using:

iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT

These rules stop working after a reboot, because ypbind is assigned new ports. There are two workarounds:

1. Run ypbind on a fixed port so that the rules above can stay static.

2. On every boot, have a start-up script query rpcinfo for the ports ypbind was given and add the rules above accordingly.

In either case, restrict the rules with -s to the NIS subnet rather than opening the portmapper and NIS to everyone.
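The second workaround as a script, added here as an example (it is not code from the original article): it parses the output of rpcinfo -p, collects the unique (protocol, port) pairs registered for the portmapper and for ypbind, and emits one INPUT rule per pair. The NIS subnet 192.168.100.0/24 and the embedded rpcinfo sample are assumptions constructed for illustration; the script applies rules only when FW_APPLY=1 and otherwise prints them with IPT set to "echo iptables".

```shell
#!/bin/sh
# Added example (not part of the original article): open the portmapper and the
# ports ypbind was given on this boot, read from `rpcinfo -p`, for the NIS subnet only.
# NIS_NET and SAMPLE_RPCINFO are assumptions constructed for illustration.
set -eu

IPT="${IPT:-iptables}"
NIS_NET="${NIS_NET:-192.168.100.0/24}"

# Constructed sample of `rpcinfo -p` output (same column layout as the real tool).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   udp    111  portmapper
    100007    2   udp    853  ypbind
    100007    1   udp    853  ypbind
    100007    2   tcp    850  ypbind
    100007    1   tcp    850  ypbind'

# rpc_ports SERVICE: read rpcinfo -p on stdin, print unique "proto port" pairs for
# that service. Only tcp/udp rows are kept (newer rpcinfo also lists tcp6/udp6).
rpc_ports() {
  awk -v svc="$1" 'NR > 1 && $5 == svc && $3 ~ /^(tcp|udp)$/ { print $3, $4 }' | sort -u
}

# nis_rules: rpcinfo -p on stdin -> one INPUT rule per (proto, port) for the
# portmapper (always 111) and for whatever ports ypbind currently holds.
nis_rules() {
  rpcinfo_out=$(cat)
  for svc in portmapper ypbind; do
    printf '%s\n' "$rpcinfo_out" | rpc_ports "$svc" | while read -r proto port; do
      $IPT -A INPUT -s "$NIS_NET" -p "$proto" --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
    done
  done
}

if [ "${FW_APPLY:-0}" = 1 ]; then
  rpcinfo -p | nis_rules                       # at boot, after rpcbind and ypbind are up
else
  IPT="echo iptables"
  printf '%s\n' "$SAMPLE_RPCINFO" | nis_rules  # dry run on the constructed sample
fi
```

Run it from a boot script after ypbind has started (FW_APPLY=1 as root); the replies are covered by the usual ESTABLISHED rule, so only the NEW direction is opened here.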

Allow rsync connection requests from a specified network

You may run an rsync daemon but not want it exposed beyond your internal network (192.168.101.0/24):

iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

Allow MySQL connection requests from a specified network

You may run MySQL but want only the DBAs and developers on the internal network (192.168.100.0/24) to connect to the database directly:

iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Allow the Sendmail or Postfix mail service

SMTP listens on port 25, so only new connections to port 25 need to be accepted; the replies are covered by the ESTABLISHED rule.

iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

Allow IMAP and IMAPS

# IMAP: 143

iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

# IMAPS: 993

iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

Allow POP3 and POP3S

# POP3: 110

iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

# POP3S: 995

iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

Mitigate DoS attacks

iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 --syn -j DROP

-m limit: enable the limit match, a token bucket that is refilled at the --limit rate
--limit 25/minute: once the burst is used up, accept at most 25 new connections per minute
--limit-burst 100: the bucket starts with 100 tokens, so the first 100 connections pass at full speed before the 25/minute rate applies

The limit match counts matching packets, not connections, which is why the rule is restricted to --syn (the first packet of a TCP handshake); without that, every data packet of an already accepted connection would eat into the budget. The DROP rule that follows is what actually enforces the limit: on its own, the ACCEPT rule only admits the in-budget packets, and anything beyond the budget falls through to later rules or the chain policy. Note that this is one global budget for port 80, so a single flooding source can exhaust it and lock out legitimate clients; per-source limits need the hashlimit or connlimit matches, which this article does not cover.
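The rules of this part and the previous one, assembled into one script, as an added example that is not code from the original article. It loads the rules in an order that does not lock out the administrator (allow rules first, policies switched to DROP last), replaces the per-service "--sport N --state ESTABLISHED" reply rules with one conntrack rule per direction, and ends the INPUT chain with a rate-limited LOG followed by DROP. The interface eth0, the admin subnet 192.168.100.0/24, and the choice of services (SSH from the admin subnet, HTTP/HTTPS from anywhere, DNS and HTTP(S) outbound) are assumptions; IPT defaults to the real iptables binary and the script only applies the rules when FW_APPLY=1, otherwise it prints them.

```shell
#!/bin/sh
# Added example (not part of the original article): the rules from this page
# assembled into one stateful host firewall with a safe loading order.
# Assumptions: eth0 faces the network, SSH is restricted to 192.168.100.0/24,
# the host serves HTTP/HTTPS and only needs DNS and HTTP(S) outbound.
set -eu

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
SSH_NET="${SSH_NET:-192.168.100.0/24}"

build_firewall() {
  # 1. Clean slate, but keep the policies at ACCEPT until the allow rules are
  #    loaded; flipping to DROP first would cut the SSH session doing the work.
  $IPT -P INPUT ACCEPT
  $IPT -P FORWARD ACCEPT
  $IPT -P OUTPUT ACCEPT
  $IPT -F
  $IPT -X

  # 2. Loopback, plus one conntrack rule per direction in place of the
  #    per-service "--sport N --state ESTABLISHED" reply rules.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A OUTPUT -o lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

  # 3. Inbound services: SSH only from the admin subnet, web from anywhere.
  $IPT -A INPUT -i "$WAN_IF" -p tcp -s "$SSH_NET" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

  # 4. Answer pings, but rate-limit the requests; the echo replies are ESTABLISHED.
  $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT

  # 5. Traffic the host itself initiates: DNS (UDP and TCP), HTTP(S), outbound ping.
  $IPT -A OUTPUT -o "$WAN_IF" -p udp --dport 53 -j ACCEPT
  $IPT -A OUTPUT -o "$WAN_IF" -p tcp --dport 53 -j ACCEPT
  $IPT -A OUTPUT -o "$WAN_IF" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
  $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

  # 6. Everything else reaching the end of INPUT: log (rate-limited) and drop.
  $IPT -N LOGGING
  $IPT -A INPUT -j LOGGING
  $IPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables dropped: " --log-level 4
  $IPT -A LOGGING -j DROP

  # 7. Only now switch to default-deny.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT DROP
}

if [ "${FW_APPLY:-0}" = 1 ]; then
  build_firewall                       # FW_APPLY=1 ./firewall.sh (as root) applies the rules
else
  IPT="echo iptables"; build_firewall  # default: print the rules instead of applying them
fi
```

Even in this order there is a short window between the flush and the first ACCEPT rules; loading the whole set atomically with iptables-restore closes it, and is also the right way to persist the rules across reboots.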

Third, forwarding and NAT

Allow routing

If the host has two network cards, one on the internal network (eth0) and one on the external network (eth1), the following rule lets packets arriving on eth0 be forwarded out through eth1:

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

Two more things are needed for this to work: IP forwarding must be enabled in the kernel (sysctl -w net.ipv4.ip_forward=1), and the replies coming back in on eth1 need their own FORWARD rule (typically -m state --state ESTABLISHED,RELATED -j ACCEPT), because the FORWARD chain sees both directions of a connection.

DNAT and port forwarding

The following rules make SSH reachable on port 422 as well as on port 22: a connection to port 422 is rewritten to port 22 before it reaches the SSH daemon.

# 1. Enable DNAT

iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22

# 2. Allow the rewritten packets in

DNAT happens in the PREROUTING chain of the nat table, before the filter table sees the packet, so the INPUT chain sees destination port 22, not 422. The filter rules therefore have to match port 22 (the same pair as in the SSH section; a rule for --dport 422 in INPUT would never match):

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Assuming the external gateway address is xxx.xxx.xxx.xxx, how do we forward HTTP requests to one of the internal machines?

iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 8888 -j DNAT --to 192.168.0.2:80
iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT

When a packet for xxx.xxx.xxx.xxx:8888 arrives, it has to be delivered to port 80 of 192.168.0.2. That is exactly what DNAT does: it rewrites the destination address and destination port, after which the packet is routed to that host.

But will iptables let such a routed packet through? That is decided by the FORWARD chain. The second command tells iptables that packets whose (already rewritten) destination is 192.168.0.2:80 may be forwarded. Compare the port 422 to port 22 example above: there the destination is the host itself, so after DNAT the packet goes to the INPUT chain and no FORWARD rule is involved.

SNAT and MASQUERADE

The following command rewrites the source address of all packets from the 10.8.0.0/24 segment to 192.168.5.3 before they leave through eth0:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.5.3

SNAT always needs an explicitly specified address to translate to. If the machine reaches the Internet over ADSL dial-up (or any other link with a dynamic address), use MASQUERADE instead, which picks up the current address of the outgoing interface automatically:

iptables -t nat -A POSTROUTING -s 10.8.0.0/255.255.255.0 -o eth0 -j MASQUERADE

Conntrack undoes the translation on the replies, so no rule is needed for the return direction.
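The routing, DNAT and SNAT/MASQUERADE steps above combined into one gateway script, added here as an example (not code from the original article). It enables forwarding, hides the LAN behind the outside address (SNAT when SNAT_IP is given, MASQUERADE otherwise), and publishes an internal web server on an outside port, with the FORWARD rule written against the post-DNAT destination. Interface names (eth0 inside, eth1 outside), 192.168.0.0/24, the server 192.168.0.2, port 8888 and the RFC 5737 documentation address 203.0.113.10 are assumptions; like the other examples it prints the rules unless FW_APPLY=1.

```shell
#!/bin/sh
# Added example (not part of the original article): a two-NIC gateway that
# hides the LAN behind its outside address and publishes an internal web
# server on an outside port. Interface names, addresses and ports are
# assumptions; 203.0.113.10 is an RFC 5737 documentation address.
set -eu

IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
LAN_IF="${LAN_IF:-eth0}"            # inside
WAN_IF="${WAN_IF:-eth1}"            # outside
LAN_NET="${LAN_NET:-192.168.0.0/24}"
WAN_IP="${WAN_IP:-203.0.113.10}"
WEB_SRV="${WEB_SRV:-192.168.0.2}"
PUBLIC_PORT="${PUBLIC_PORT:-8888}"

gateway_rules() {
  # 1. Without forwarding enabled in the kernel nothing ever reaches FORWARD.
  $SYSCTL -w net.ipv4.ip_forward=1

  $IPT -t nat -F
  $IPT -F FORWARD
  $IPT -P FORWARD DROP

  # 2. Return traffic of anything already allowed, in either direction.
  $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # 3. LAN -> Internet. SNAT when the outside address is fixed (SNAT_IP set),
  #    MASQUERADE when it is dynamic (PPPoE/DHCP).
  $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  if [ -n "${SNAT_IP:-}" ]; then
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$SNAT_IP"
  else
    $IPT -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
  fi

  # 4. Publish the web server. DNAT rewrites the destination in nat/PREROUTING,
  #    so the filter FORWARD rule matches the rewritten WEB_SRV:80, not PUBLIC_PORT.
  $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" --dport "$PUBLIC_PORT" \
       -j DNAT --to-destination "$WEB_SRV:80"
  $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$WEB_SRV" --dport 80 \
       -m conntrack --ctstate NEW -j ACCEPT
}

if [ "${FW_APPLY:-0}" = 1 ]; then
  gateway_rules                                              # FW_APPLY=1 ./gateway.sh as root
else
  IPT="echo iptables"; SYSCTL="echo sysctl"; gateway_rules   # dry run: print the rules
fi
```

The DNAT rule is bound to the outside interface, so LAN clients that connect to the public address and port are not covered; reaching a published service from inside the LAN needs a separate hairpin NAT rule, which this article does not cover.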

Load balancing

Using the nth match and its parameters (--counter 0 --every 3 --packet x) on DNAT rules (-A PREROUTING -j DNAT --to-destination), new connections can be spread evenly over three servers. DNAT is only valid in the nat table, so the rules need -t nat:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

The nth match comes from the old patch-o-matic extensions and is not part of mainline iptables; current kernels provide round-robin through -m statistic --mode nth. Unlike nth's shared --counter, the statistic match keeps a separate counter per rule, so the equivalent is a cascade: --every 3 --packet 0 on the first rule, --every 2 --packet 0 on the second (it only sees the two thirds the first rule let through), and an unconditional DNAT on the third. Only the first packet of a connection consults the nat table, so all later packets of that connection keep following the server chosen for it.

Fourth, custom chains

Log dropped packets

# 1. Create a new chain named LOGGING

iptables -N LOGGING

# 2. Send every packet that reaches the end of the INPUT chain into LOGGING

iptables -A INPUT -j LOGGING

# 3. Log with the custom prefix "iptables Packet Dropped:", at most 2 entries per minute

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables Packet Dropped: " --log-level 7

# 4. Drop the packet

iptables -A LOGGING -j DROP

Because the jump is appended at the end of INPUT, only packets that no earlier rule accepted end up in LOGGING, which is what makes the prefix accurate; the limit keeps an attacker from filling the log. Log level 7 is debug, which many syslog configurations discard: if the entries do not show up, check that kernel messages at that level are kept, or use a higher priority such as --log-level 4 (warning). The trailing space in the prefix keeps it separate from the packet fields that follow it in the log line.
