|
DISPLAYING RULES
## List out all active iptables rules verbosely
|
iptables -n -L -v |
|
## List out all active iptables rules verbosely and with line numbers
|
iptables -n -L -v --line-numbers |
|
## List out rules for a specific chain e.g. INPUT chain
|
[root@rh6 ~]# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
|
|
## List out rules for a specific chain e.g. INPUT chain but with numeric output (numeric source/destination addresses & port numbers)
|
[root@rh6 ~]# iptables -L INPUT -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:67
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:67
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited |
|
## Print out rules for a specific chain as rule specifications (the same form used on the iptables command line)
|
[root@rh6 ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited |
|
SAVING RULES
## Saving iptables rules (rules added with iptables live only in the running kernel and are lost on reboot unless saved)
|
## For Red Hat based systems :-
[root@rh6 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
|
|
BACKUP/RESTORE TO/FROM A FILE
## Backup to a file (the dump holds the complete ruleset; keep it in a root-only location rather than a world-writable directory such as /var/tmp)
|
[root@rh6 ~]# iptables-save > /var/tmp/iptables-backup.txt |
|
## Restore from a backup file (iptables-restore replaces the current ruleset with the file's contents, so only restore from a file you control and have checked)
|
[root@rh6 ~]# iptables-restore < /var/tmp/iptables-backup.txt |
DELETE/INSERT RULES
## Delete a rule from a chain by its line number
|
## First note the line number of the rule to be deleted by listing with line numbers
[root@rh6 ~]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
5 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
6 ACCEPT icmp -- anywhere anywhere
7 ACCEPT all -- anywhere anywhere
8 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
9 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
## Delete by line number
[root@rh6 ~]# iptables -D INPUT 6
## Verify
[root@rh6 ~]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
5 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
6 ACCEPT all -- anywhere anywhere
7 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
8 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
|
|
## Insert a rule at a specific line number
|
## Insert at line 6 (the new rule takes position 6; the existing rule 6 and those below it move down one)
[root@rh6 ~]# iptables -I INPUT 6 -p icmp -j ACCEPT
## Verify by listing with line numbers
[root@rh6 ~]# iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
5 ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
6 ACCEPT icmp -- anywhere anywhere
7 ACCEPT all -- anywhere anywhere
8 ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
9 REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
## Verify by listing with rule specifications
[root@rh6 ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
|
## Delete a rule by the specification
|
## Print the rule specifications for the chain and note the specification of the rule to be deleted, here `-A INPUT -p icmp -j ACCEPT`
[root@rh6 ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
## Delete by replacing -A with -D
[root@rh6 ~]# iptables -D INPUT -p icmp -j ACCEPT
## Verify
[root@rh6 ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited |
REPLACING (MODIFYING) existing rule
## For example, to replace a rule and restrict its source IP range
|
## Identify the line number of the rule to be replaced; in this case it is rule 6 (count the -A lines from 1, the -P policy line is not a rule)
[root@rh6 ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
## Replace it
[root@rh6 ~]# iptables -R INPUT 6 -s 192.168.0.0/24 -p icmp -j ACCEPT
## Verify
[root@rh6 ~]# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
|
ALLOW (ACCEPT) rules
## e.g. Allow loopback connections in the INPUT and OUTPUT chains
|
[root@rh6 ~]# iptables -A INPUT -i lo -j ACCEPT
[root@rh6 ~]# iptables -A OUTPUT -o lo -j ACCEPT |
|
## e.g. Allow Established and Related Incoming Connections
|
[root@rh6 ~]# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
|
|
## e.g. Allow Established Outgoing Connections
|
[root@rh6 ~]# iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT |
|
## Allow Incoming packets to a specific port
|
## assuming the OUTPUT chain has a default ACCEPT policy:-
[root@rh6 ~]#
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
## if the OUTPUT chain has a default DROP policy, replies must be allowed out explicitly:-
[root@rh6 ~]# iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
[root@rh6 ~]#
iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT |
|
## Allow incoming packets to multiple ports in one rule
|
## assuming the OUTPUT chain has a default ACCEPT policy:-
[root@rh6 ~]# iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
## if the OUTPUT chain has a default DROP policy, replies must be allowed out explicitly:-
[root@rh6 ~]# iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
[root@rh6 ~]# iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
|
|
DENY (DROP/REJECT) RULES
## Block a specific IP address
|
[root@rh6 ~]# iptables -A INPUT -s 192.168.1.10 -j DROP
## DROP - drops the packet and does NOT send any response back to the source
|
|
## Block a specific IP address at a specific network interface
|
[root@rh6 ~]# iptables -A INPUT -i eth0 -s 192.168.1.10 -j DROP |
|
## Block and Reject a specific IP address
|
[root@rh6 ~]# iptables -A INPUT -s 192.168.1.10 -j REJECT
## REJECT - drops the packet and sends an ICMP destination-unreachable message (port-unreachable unless --reject-with says otherwise) back to the source, so the sender learns the host is filtering
|
## Flush all rules (flushing removes rules but leaves the chain default policies untouched: with a DROP policy on INPUT this cuts off all remote access including SSH, with ACCEPT it leaves the host unfiltered — run it from a console or set the policies deliberately first)
# flush all chains of the filter table (the default when no -t is given); nat and mangle are flushed below, the raw and security tables would need their own -F
iptables -F
iptables -t nat -F
iptables -t mangle -F
# delete all user-defined chains in the filter table (builtin chains cannot be deleted; a chain must be empty, hence run after -F)
iptables -X
|
|
|
|
|
References:
- https://www.andreafortuna.org/2019/05/08/iptables-a-simple-cheatsheet/
- https://www.crybit.com/how-to-save-current-iptables-rules/
- http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
- https://www.thegeekstuff.com/2011/06/iptables-rules-examples/
|
|