iptables examples

Display status

iptables -L -n -v
iptables -n -L -v --line-numbers   # inspect the firewall with rule numbers
# -L shows the filter table only; add -t nat or -t mangle to inspect the other tables

Display specific INPUT or OUTPUT chain rules

iptables -L INPUT -n -v
iptables -L OUTPUT -n -v

Stop/Start/Restart iptables

# SysV style (RHEL/CentOS 6, or the iptables-services package on newer RHEL).
# "stop" flushes the rules and sets the chain policies to ACCEPT, i.e. it leaves the host open.
service iptables stop
service iptables start
service iptables restart

Delete specific rule

# find the line number of the rule
iptables -L INPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers
iptables -L OUTPUT -n --line-numbers | less
iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1
# delete the rule by line number (the rules below it move up by one, so when
# deleting several by number, go from the highest number to the lowest)
iptables -D INPUT 4
# delete by rule specification: this removes the first rule that matches the
# specification exactly as it was added
iptables -D INPUT -s 202.54.1.1 -j DROP
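Deleting several rules by number is where this goes wrong in practice: every -D renumbers the rules below it. The helper below is an added example, not code from the original page. It parses the output of iptables -L CHAIN -n --line-numbers, picks the rules whose source column equals a given address and deletes them highest number first. The listing embedded in it is constructed for offline testing; the IPT variable, the chain name and the sample addresses are assumptions.

```sh
#!/bin/sh
# Added example: delete every rule in a chain whose source column matches an
# address, working from the numbered listing shown above.
# Assumption: IPT names the iptables binary (override it for dry runs).
IPT=${IPT:-iptables}

# Constructed sample of "iptables -L INPUT -n --line-numbers" output, used only
# to exercise the parser without root.
SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       all  --  202.54.1.1           0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       tcp  --  202.54.1.1           0.0.0.0/0            tcp dpt:80
5    ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
EOF
)

# Read a listing on stdin and print the numbers of the rules whose source
# column equals $1, highest number first. Header lines have no numeric first
# field and are skipped; with -n a single host is printed without /32.
matching_rule_numbers() {
    awk -v src="$1" '$1 ~ /^[0-9]+$/ && $5 == src { print $1 }' | sort -rn
}

# Delete all rules in chain $1 with source $2. Deleting rule 2 first would
# turn rule 4 into rule 3 and the second delete would hit the wrong rule,
# hence the descending order.
delete_rules_for_source() {
    chain=$1
    src=$2
    for n in $($IPT -L "$chain" -n --line-numbers | matching_rule_numbers "$src"); do
        echo "removing $chain rule $n" >&2
        $IPT -D "$chain" "$n"
    done
}

# Usage (as root): delete_rules_for_source INPUT 202.54.1.1
# Offline check of the parser against the constructed listing (prints 4, then 2):
printf '%s\n' "$SAMPLE_LISTING" | matching_rule_numbers 202.54.1.1
```

When the exact rule specification is known, iptables -D CHAIN <spec> avoids the numbering problem altogether; the helper is for the case where only the listing is at hand.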

Save current firewall rules

service iptables save   # RHEL/CentOS: writes /etc/sysconfig/iptables
# distribution-independent: iptables-save > /etc/iptables.rules, restored with iptables-restore

Delete ALL Existing Rules

# -F removes the rules of the filter table only; chain policies and the nat/mangle
# tables are untouched. With a DROP policy an empty chain blocks everything, so on a
# remote host set the policies to ACCEPT before flushing.
iptables --flush

Setup Default Policies

A flush does not change the chain policies; a fresh table defaults to ACCEPT. Set all three policies to DROP first, so that anything not matched by an explicit ACCEPT rule is dropped.

Do this from the console, or add the loopback, ESTABLISHED,RELATED and SSH rules before changing the policies: with no ACCEPT rules in place, -P INPUT DROP ends the SSH session that issued it, and -P OUTPUT DROP also stops the host's own DNS lookups, package updates and outgoing mail.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -L -v -n

ONLY block incoming traffic

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# accept only replies to connections this host opened. NEW must not appear here:
# accepting NEW on INPUT admits every incoming connection and defeats the DROP policy
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -L -v -n
### *** now ping and wget should work *** ###
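The two sections above set policies and the stateful rule one command at a time, which is exactly when a remote session gets cut off. The script below is an added example, not code from the original page: it builds the same kind of host firewall in one ordered pass, with the lockout-safe sequence (open policies, flush, loopback and tracked traffic first, then the NEW connections, then close the policies) and a rollback timer for remote use. It uses -m conntrack --ctstate, the current spelling of the -m state match used on this page. The management network, the public ports, eth0 as the only interface and the IPT variable (IPT=echo prints the rules instead of installing them) are assumptions.

```sh
#!/bin/sh
# Added example: one ordered pass that builds a stateful host firewall.
# Assumptions (not from the page): a management network for SSH, eth0 as the
# only interface, and IPT overridable so that IPT=echo gives a dry run.
IPT=${IPT:-iptables}
MGMT_NET=${MGMT_NET:-192.168.1.0/24}
PUBLIC_TCP_PORTS=${PUBLIC_TCP_PORTS:-80,443}

firewall_apply() {
    # 1. Open the policies before flushing: a flush while the policies are
    #    DROP leaves nothing that accepts the SSH session running this script.
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -X

    # 2. First match wins, so loopback and already-tracked traffic go first:
    #    they match almost every packet. RELATED covers ICMP errors and
    #    helper-tracked data connections (FTP). INVALID drops stray segments
    #    that belong to no tracked connection.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 3. The connections accepted as NEW: SSH from the management network
    #    only, the public TCP ports from anywhere, and ping.
    $IPT -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp -m multiport --dports "$PUBLIC_TCP_PORTS" -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # 4. Log a rate-limited sample of what is about to be dropped, then close
    #    the policies. Outbound stays open, as in "ONLY block incoming traffic".
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Lockout guard for remote use: save the old rules, arm a rollback, apply,
# and cancel the rollback only from a session that still works.
firewall_apply_guarded() {
    iptables-save > /tmp/fw.rollback
    ( sleep 120 && iptables-restore < /tmp/fw.rollback ) &
    guard=$!
    firewall_apply
    echo "new rules active; run 'kill $guard' within 120 s to keep them"
}

case "${1:-}" in
    apply)   firewall_apply_guarded ;;
    dry-run) IPT=echo; firewall_apply ;;
esac
```

Run it as ./fw.sh dry-run to review the rule order, then ./fw.sh apply as root; if the session survives, kill the rollback job it names, otherwise the old rules come back by themselves after two minutes.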

Block Remote IP/sub-network

iptables -A INPUT -s "192.168.1.100" -j DROP
iptables -A INPUT -i eth0 -s "192.168.1.100" -j DROP
iptables -A INPUT -i eth0 -p tcp -s "192.168.1.100" -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
# rules are matched in order: a DROP appended after an ACCEPT that already matches the
# traffic never fires, so insert blocks at the top (iptables -I INPUT 1 ...) when needed

Block Incoming Port

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
# block the port for a specific source IP or network only
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

Block Outgoing IP/sub-network

iptables -A OUTPUT -d 75.126.153.206 -j DROP
# for a whole sub-network
iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

Block Facebook.com

host -t a www.facebook.com
# www.facebook.com has address 69.171.228.40   (example value; the site's addresses change)
# find the CIDR block the address belongs to
whois 69.171.228.40 | grep CIDR
# CIDR: 69.171.224.0/19
iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
# a host name also works, but it is resolved once, when the rule is added: iptables
# installs one rule per address returned and never updates them, so a name-based rule
# misses any address the site uses later. -p tcp also leaves UDP traffic untouched.
iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
iptables -A OUTPUT -p tcp -d facebook.com -j DROP

DROP/ACCEPT traffic by MAC address

iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
# accept TCP port 22 only from MAC 00:50:56:3b:af:3d ("only" holds when the chain
# policy, or a later rule, drops the rest)
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:50:56:3b:af:3d -j ACCEPT
# the mac match sees the source address of the last layer-2 hop: it works on the local
# segment only (routed traffic carries the router's MAC) and MAC addresses are trivially
# spoofed, so treat it as a convenience filter, not as authentication

Allow All Incoming/Outgoing SSH

# this host as SSH server
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# this host as SSH client
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

ONLY Allow Incoming/Outgoing SSH from a Specific Network

# incoming SSH only from 192.168.1.0/24
iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# outgoing SSH only to 192.168.1.0/24
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.1.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow Incoming/Outgoing HTTP/HTTPS

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Allow All Incoming SSH/HTTP/HTTPS

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

Block Incoming Ping

# rules are matched in order, so the exceptions must come before the DROP
iptables -A INPUT -s 192.168.1.123 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# or drop ping on one interface only
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

Allow Incoming Ping

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Outgoing Ping

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Loopback Access

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Allow Intranet to Internet

eth0: intranet
eth1: internet

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT   # replies back to the intranet
# the gateway also needs net.ipv4.ip_forward=1 and, for RFC 1918 intranet addresses, MASQUERADE in the nat POSTROUTING chain on eth1

Allow outgoing DNS access

iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --dport 53 -j ACCEPT   # large answers fall back to TCP
# ESTABLISHED ties the replies to queries this host sent; a bare --sport 53 rule would
# admit any packet an attacker chooses to send from source port 53
iptables -A INPUT -p udp -i eth0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --sport 53 -m state --state ESTABLISHED -j ACCEPT

Allow rsync from a Specific Network

iptables -A INPUT -i eth0 -p tcp -s 192.168.2.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

Allow MySQL connection from a Specific Network

iptables -A INPUT -i eth0 -p tcp -s 192.168.3.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Allow SMTP traffic

iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

Allow POP3 traffic

iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
# POP3 over TLS (POP3S, port 995); plain POP3 on 110 is unencrypted unless STARTTLS is used
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

Open a range of ports

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

Open a range of IP addresses

iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

Rate-limit incoming connections (DoS mitigation)

iptables -A INPUT -p tcp --syn --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 80 -j DROP
  • -m limit: uses the limit match, a token bucket. Every matching packet costs one token; the bucket refills at the configured rate and never holds more than the burst.
  • --limit 25/minute: the refill rate. Once the burst is used up, at most 25 packets per minute match the rule. The match counts packets, not connections; --syn restricts it to connection-opening SYN segments, so the rate applies to new connections rather than to every segment of an established one.
  • --limit-burst 100: the size of the bucket, i.e. how many packets can match back to back before the rate takes over (the default is 5).
  • The limit match only decides which packets match; it does nothing to the rest. Packets over the limit fall through to the next rule, so a DROP for the same traffic must follow (the second line), or the chain policy must be DROP.
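The interplay of --limit and --limit-burst is easier to see on a stream of packets than in prose. The script below is an added example, not code from the original page: it simulates the token bucket the limit match implements, fed with constructed arrival times, so a pair of values can be checked before the rule goes live. The traffic pattern and the function names are assumptions.

```sh
#!/bin/sh
# Added example: a simulation of the token bucket behind
# "-m limit --limit RATE/minute --limit-burst BURST". Every matching packet
# costs one token; the bucket starts full (BURST tokens), refills at RATE per
# minute and never holds more than BURST. A packet that finds the bucket empty
# does not match the rule and falls through to whatever follows it.
# Input: one packet arrival time in seconds per line, ascending.

limit_simulate() {
    rate_per_min=$1
    burst=$2
    awk -v rate="$rate_per_min" -v burst="$burst" '
        BEGIN { tokens = burst; last = 0; matched = 0; unmatched = 0 }
        {
            t = $1 + 0
            tokens += (t - last) * rate / 60   # refill for the elapsed time
            if (tokens > burst) tokens = burst # the bucket cannot overflow
            last = t
            if (tokens >= 1) { tokens -= 1; matched++ } else { unmatched++ }
        }
        END { printf "matched=%d unmatched=%d\n", matched, unmatched }'
}

# Constructed traffic: a flood of 130 SYNs within the same second, then one
# connection attempt a minute later.
flood_then_one() {
    i=0
    while [ "$i" -lt 130 ]; do
        echo 0
        i=$((i + 1))
    done
    echo 60
}

# With --limit 25/minute --limit-burst 100: the first 100 SYNs of the flood
# match (the burst), the next 30 do not, and a minute of quiet refills 25
# tokens, so the later connection matches again.
flood_then_one | limit_simulate 25 100
```

The unmatched count is what the following DROP rule (or the chain policy) receives; without that rule those packets would simply continue down the chain.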

Port Forwarding

ex: incoming SSH connections are accepted on both port 22 and port 422.

# the nat PREROUTING chain runs before the filter INPUT chain, so a packet sent to
# port 422 already has destination port 22 when INPUT sees it: the INPUT rule for
# --dport 22 (see the SSH section) is what admits it, and the port-422 INPUT rule
# below only matches port-422 traffic that the DNAT rule does not rewrite
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
# forward port 422 to port 22 (192.168.1.10 is this host's own address)
iptables -t nat -A PREROUTING -p tcp -d 192.168.1.10 --dport 422 -j DNAT --to 192.168.1.10:22

Drop private network addresses on public interface

# packets with these source ranges cannot legitimately arrive from the internet
# (spoofed or misrouted); eth1 is the public interface here
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP          # RFC 1918
iptables -A INPUT -i eth1 -s 172.16.0.0/12 -j DROP       # RFC 1918
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP      # RFC 1918 (the whole /16)
iptables -A INPUT -i eth1 -s 169.254.0.0/16 -j DROP      # link-local
iptables -A INPUT -i eth1 -s 224.0.0.0/4 -j DROP         # multicast
iptables -A INPUT -i eth1 -s 240.0.0.0/4 -j DROP         # reserved (class E)
iptables -A INPUT -i eth1 -s 127.0.0.0/8 -j DROP         # loopback

Common allowed ports

## these rules accept NEW connections only: the chain must already accept
## ESTABLISHED,RELATED traffic (see above) for the replies to get through ##

## open ssh tcp port 22 (pick one: for all, or for the LAN only) ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

## allow time sync via NTP for lan users (open udp port 123) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

## open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

## open http/https (Apache) server port to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

## open access to Samba file server for lan users only ##
## (NetBIOS name and datagram services on 137/138 are UDP; session service 139 and SMB 445 are TCP) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT

## open access to proxy server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT

## open access to mysql server for lan users only ##
## (-s restricts it to the LAN; without it the rule opens the database to everyone) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT

Restrict the Number of Parallel Connections To a Server Per Client IP

# allow at most 3 concurrent ssh connections per client IP
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# allow at most 20 concurrent connections on port 80 per client /24
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
  • --connlimit-above 3: match if the number of existing connections from the client is above 3.
  • --connlimit-mask 24: group clients by prefix length, so all hosts in the same /24 share one counter. For IPv4 this must be a number between 0 and 32 (inclusive); the default, 32, counts each IP separately.
  • These rules must sit before the ACCEPT rule for the same port; appended after it, the ACCEPT matches first and the limit never applies.