Notes
| Command | Purpose |
| --- | --- |
| iptables-save -c > <file> | Dump all rules (with packet/byte counters) to stdout; here redirected into <file> |
| iptables-restore <file> | Restore rules from <file>, replacing the whole ruleset atomically (add -c to restore counters too) |
| iptables -L -v --line-numbers | List all rules with packet/byte counters and rule line numbers |
| iptables -F | Flush all rules in the filter table (default policies are left unchanged) |
| iptables -P <INPUT/FORWARD/OUTPUT> <ACCEPT/DROP> | Set the default policy applied to packets that match no rule in the chain (REJECT is a target, not a valid chain policy) |
| iptables -A INPUT -i <interface> -m state --state RELATED,ESTABLISHED -j ACCEPT | Allow inbound packets belonging to already established connections on <interface> |
| iptables -D INPUT 7 | Delete the 7th INPUT rule (numbering as shown by --line-numbers) |
| iptables -t raw -L -n | List the raw table, where NOTRACK rules that exempt traffic from connection tracking (to raise throughput) are placed |
| iptables -P INPUT DROP | Set the INPUT default policy to DROP: every inbound packet not matched by a rule is dropped |
Allow SSH on port 22 Outbound
> iptables -A OUTPUT -o <iface> -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i <iface> -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Allow ICMP Outbound
> iptables -A OUTPUT -o <iface> -p icmp --icmp-type echo-request -j ACCEPT
> iptables -A INPUT -i <iface> -p icmp --icmp-type echo-reply -j ACCEPT
Port Forward
> echo "1" > /proc/sys/net/ipv4/ip_forward
# OR -> sysctl -w net.ipv4.ip_forward=1
> iptables -t nat -A PREROUTING -p tcp -i eth0 -j DNAT -d <pivotip> --dport 443 --to-destination <attk_ip>:443
> iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT -s <target subnet cidr> -d <attackip> --dport 443 --to-source <pivotip>
> iptables -t filter -I FORWARD 1 -j ACCEPT
Allow only 1.1.1.0/24, ports 80, 443 and log drops to /var/log/messages
> iptables -A INPUT -s 1.1.1.0/24 -m state --state RELATED,ESTABLISHED,NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -P INPUT DROP
> iptables -A OUTPUT -o eth0 -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -N LOGGING
> iptables -A INPUT -j LOGGING
> iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
> iptables -A LOGGING -j DROP
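The same allow-list-plus-logging policy, written as an added example (not part of the original notes) that emits the ruleset in iptables-restore format so it can be reviewed first and then loaded atomically with `iptables-restore`, instead of being built rule by rule on a live host. The function name, its parameters (allowed CIDR, interface, port list) and the FORWARD DROP policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate the "allow only <subnet> on the listed ports, log and
# drop everything else" policy as an iptables-restore file.
# Assumed parameters: $1 = allowed CIDR, $2 = external interface, $3 = comma-separated TCP ports.
gen_allowlist_ruleset() {
    subnet="$1"; iface="$2"; ports="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGGING - [0:0]
# FORWARD DROP is an assumption: this host is not expected to route traffic.
# Loopback must be allowed explicitly once the INPUT policy is DROP.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this host initiated.
-A INPUT -i $iface -m state --state RELATED,ESTABLISHED -j ACCEPT
# Only the trusted subnet may open new connections to the listed ports.
-A INPUT -s $subnet -p tcp -m multiport --dports $ports -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $iface -j ACCEPT
# Everything else: rate-limited log line (4/min) in the kernel log, then drop.
# The jump to LOGGING is appended last so it only sees packets no ACCEPT rule took.
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
-A LOGGING -j DROP
COMMIT
EOF
}

# Sanity check that needs no root: how many -A rules the generated file would load.
count_rules() {
    gen_allowlist_ruleset "$@" | grep -c '^-A'
}
```

Review with `gen_allowlist_ruleset 1.1.1.0/24 eth0 80,443 > rules.v4`, then load with `iptables-restore < rules.v4`; a bad line makes iptables-restore reject the whole file, so the running ruleset is never left half-applied.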