Iptables by example

Insert rule at a specific position (prepend)

To start, list the chain with rule numbers and decide which position the new rule should take; with -I, the rule currently at that position and everything after it move down by one.

#insert at position 9

Add comments to iptables

Example:
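The two steps above (find the slot, then insert at it) together with a tagged rule, as an added shell example that is not part of the original page. The wrapper prints the commands unless IPT_APPLY=1 is set, so the script can be previewed without root; the address 203.0.113.10 and the comment text are assumptions standing in for a real management host.

```shell
#!/bin/sh
# Added example (not from the original page): insert a rule at a chosen
# position in a chain and tag it with a comment. Commands are printed
# unless IPT_APPLY=1 is set, so the script can be checked without root.

ipt() {
    if [ "${IPT_APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo iptables "$@"
    fi
}

# List a chain with rule numbers to pick the slot. -n skips reverse-DNS
# lookups, which are slow and send every address in your ruleset to a resolver.
show_numbered() {
    ipt -L "$1" -n --line-numbers
}

# Insert at position N. Rules at N and after shift down by one; N may be at
# most (current rule count + 1) or iptables fails with "Index of insertion
# too big". Omitting N is the same as 1, i.e. prepend.
insert_at() {
    chain=$1
    pos=$2
    shift 2
    ipt -I "$chain" "$pos" "$@"
}

# Same, with an -m comment tag so the rule explains itself in iptables -L and
# iptables-save output (the comment is limited to 256 characters).
insert_at_commented() {
    chain=$1
    pos=$2
    note=$3
    shift 3
    ipt -I "$chain" "$pos" -m comment --comment "$note" "$@"
}

show_numbered INPUT
# 203.0.113.10 (TEST-NET-3) is an assumed address standing in for a bastion host.
insert_at_commented INPUT 9 "mgmt-ssh-from-bastion" \
    -p tcp -s 203.0.113.10 --dport 22 -j ACCEPT
```

Run once to preview, then `IPT_APPLY=1 sh insert.sh` to apply. Re-list with `--line-numbers` after every insert: the numbers you saw before are no longer valid once a rule has been added.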

Block Access

To Outgoing IP Address

The following rule blocks any outgoing connection to the IP address 192.160.123.88 (destination match in the OUTPUT chain):

To an Outgoing TCP / UDP Port Number

Block all DNS access (UDP and TCP port 53):

To block TCP port 22 for the IP address 192.160.123.88 only, enter:

To block TCP port 5050 for the IP address 192.168.1.2 only, enter:
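The four blocks above as one added shell example (not code from the original page). The addresses are the page's own; the choice of DROP versus REJECT and the dry-run wrapper are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): block outgoing traffic by
# destination address and by destination port. Commands are printed unless
# IPT_APPLY=1 is set.

ipt() {
    if [ "${IPT_APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo iptables "$@"
    fi
}

# OUTPUT only sees packets generated on this host. Traffic routed through
# the box on behalf of other machines is matched in FORWARD instead.
block_dst_ip() {
    ipt -A OUTPUT -d "$1" -j DROP
}

# Block one destination port for every destination, for one protocol.
block_dst_port() {
    proto=$1
    port=$2
    ipt -A OUTPUT -p "$proto" --dport "$port" -j DROP
}

# Block one destination port for a single host only. REJECT gives local
# programs an immediate error; DROP makes them wait for a timeout.
block_dst_port_for_host() {
    proto=$1
    port=$2
    host=$3
    ipt -A OUTPUT -p "$proto" -d "$host" --dport "$port" -j REJECT
}

# DNS uses UDP 53 normally and TCP 53 for large answers and zone transfers,
# so both must be blocked. This does nothing against DNS over HTTPS (443)
# or DNS over TLS (853), which need their own rules.
block_dns() {
    block_dst_port udp 53
    block_dst_port tcp 53
}

block_dst_ip 192.160.123.88
block_dns
block_dst_port_for_host tcp 22 192.160.123.88
block_dst_port_for_host tcp 5050 192.168.1.2
```

These rules use -A and therefore land at the end of OUTPUT. If an earlier rule already ACCEPTs the traffic (a common "allow established" or "allow all out" rule), the block never fires; in that case insert it with -I at a position before the accept.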

List Rules as Tables

To output all of the active iptables rules in a table, run the iptables command with the -L option:

If you want to limit the output to a specific chain (INPUT, OUTPUT, FORWARD, or a user-defined chain such as TCP), specify the chain name directly after the -L option.

Let’s take a look at an example INPUT chain:

Show Packet Counts and Aggregate Size

Use the -L and -v options together; add -n to avoid slow reverse-DNS lookups and -x to print exact byte counts instead of rounded ones.

Reset Packet Counts and Aggregate Size

To clear the counters for all

To clear the counters for all rules in a specific chain, use the -Z option and specify the chain.

If you want to clear the counters for a specific rule, specify the chain name and the rule number after -Z.

Delete

Rule by Specification

Delete Rule by Chain and Number

a) List

b)  Delete
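The listing, counter-reset and delete operations from the sections above as one added shell example (not code from the original page); the chain, rule numbers and rule specification used in the calls at the bottom are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): inspect a chain, reset its
# counters, and delete a rule by specification or by number. Commands are
# printed unless IPT_APPLY=1 is set.

ipt() {
    if [ "${IPT_APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo iptables "$@"
    fi
}

# Verbose listing: packet and byte counters, interfaces, numeric addresses,
# exact byte counts (-x) and rule numbers for use with -D, -Z and -I.
list_chain() {
    ipt -L "$1" -v -n -x --line-numbers
}

# -S prints each rule as the options that created it, which is exactly the
# text -D by specification expects.
dump_chain() {
    ipt -S "$1"
}

# No argument: zero every chain in the table. Chain only: zero that chain.
# Chain and rule number: zero one rule.
zero_counters() {
    ipt -Z "$@"
}

# Delete by specification. The spec must match the rule exactly (protocol,
# addresses, match modules, target); only the first identical rule is removed
# per call, so run it again if the rule was added twice.
delete_by_spec() {
    chain=$1
    shift
    ipt -D "$chain" "$@"
}

# Delete by number. Numbers shift after each deletion, so when removing
# several rules delete the highest number first or re-list in between.
delete_by_num() {
    ipt -D "$1" "$2"
}

list_chain INPUT
zero_counters
zero_counters INPUT
zero_counters INPUT 3
dump_chain INPUT
delete_by_spec INPUT -p tcp --dport 5050 -j DROP
delete_by_num INPUT 3
```

When a spec delete fails with "Bad rule (does a matching rule exist in that chain?)", compare against `iptables -S CHAIN` rather than the -L table: -L hides details such as match modules that the spec has to include.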

NAT

Source NAT

Source NAT changes the source address of connections to something different. This is done in the POSTROUTING chain, just before the packet is finally sent out; this is an important detail, since it means that everything else on the Linux box itself (routing, packet filtering) sees the packet unchanged. It also means that the -o (outgoing interface) option can be used.

Source NAT is specified using -j SNAT, and the --to-source option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only, so the rule must also carry -p tcp or -p udp).

## Change source addresses to 1.2.3.4.

## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6

## Change source addresses to 1.2.3.4, ports 1-1023

Masquerading

There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as PPP or DHCP links (for static IP addresses, use SNAT above).

You don't need to put in the source address explicitly with masquerading: it will use the address of the interface the packet is going out from. More importantly, if the link goes down, the connections (which are lost anyway) are forgotten, meaning fewer glitches when the link comes back up with a new IP address.

## Masquerade everything out ppp0.
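The three SNAT variants and the masquerade rule from the sections above, as an added shell example that is not part of the original page. It also adds what the page leaves implicit: forwarding must be enabled and the FORWARD chain must pass the traffic, because the nat table only rewrites addresses. The addresses 1.2.3.4 to 1.2.3.6 and ppp0 are the page's; 192.168.1.0/24, eth0 and eth1 are assumed names.

```shell
#!/bin/sh
# Added example (not from the original page): source NAT for a LAN behind a
# Linux router. Commands are printed unless IPT_APPLY=1 is set.

ipt() {
    if [ "${IPT_APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo iptables "$@"
    fi
}

# NAT rewrites addresses; it does not forward anything by itself. Routing
# must be switched on (and persisted in /etc/sysctl.d to survive a reboot).
enable_forwarding() {
    if [ "${IPT_APPLY:-0}" = 1 ]; then
        sysctl -w net.ipv4.ip_forward=1
    else
        echo sysctl -w net.ipv4.ip_forward=1
    fi
}

# The filter table still sees the original addresses. Allow LAN -> WAN and
# replies only, so nothing new can be started from the outside.
forward_policy() {
    lan_if=$1
    wan_if=$2
    ipt -P FORWARD DROP
    ipt -A FORWARD -i "$lan_if" -o "$wan_if" -j ACCEPT
    ipt -A FORWARD -i "$wan_if" -o "$lan_if" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Static public address(es): SNAT in POSTROUTING. Matching -s as well as -o
# keeps the box from NATing for anyone who manages to route through it.
# Extra arguments (e.g. -p tcp) are placed before the target.
snat() {
    lan_net=$1
    wan_if=$2
    to=$3
    shift 3
    ipt -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" "$@" -j SNAT --to-source "$to"
}

# Dynamic address (PPP, DHCP): MASQUERADE uses the interface's current
# address and forgets its connections when the link goes down.
masquerade() {
    lan_net=$1
    wan_if=$2
    ipt -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE
}

enable_forwarding
forward_policy eth1 eth0
snat 192.168.1.0/24 eth0 1.2.3.4                   # one address
snat 192.168.1.0/24 eth0 1.2.3.4-1.2.3.6           # pool of addresses
snat 192.168.1.0/24 eth0 1.2.3.4:1-1023 -p tcp     # ports too: TCP/UDP only
masquerade 192.168.1.0/24 ppp0
```

Only one of the POSTROUTING rules would normally be active on a given interface; they are listed together here to show the three --to-source forms side by side.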

Destination NAT

This is done in the PREROUTING chain, just as the packet comes in; this means that everything else on the Linux box itself (routing, packet filtering) sees the packet going to its 'real' destination. It also means that the -i (incoming interface) option can be used.

Destination NAT is specified using -j DNAT, and the --to-destination option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only, so the rule must also carry -p tcp or -p udp).

## Change destination addresses to 5.6.7.8

## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.

## Change destination addresses of web traffic to 5.6.7.8, port 8080.

Redirection

There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.

## Send incoming port-80 web traffic to our squid (transparent) proxy

Note that squid needs to be configured to know it is a transparent proxy, and that REDIRECT only works when the proxy runs on this box: it rewrites the destination to the incoming interface's own address.
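The DNAT variants and the REDIRECT rule from the sections above, as an added shell example that is not part of the original page. The addresses 5.6.7.8 to 5.6.7.10 and port 8080 are the page's; eth0 as the outside interface, eth1 as the LAN interface and squid's port 3128 are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): destination NAT (port
# forwarding) and REDIRECT to a local transparent proxy. Commands are printed
# unless IPT_APPLY=1 is set.

ipt() {
    if [ "${IPT_APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        echo iptables "$@"
    fi
}

# DNAT runs in PREROUTING, so routing and the FORWARD chain see the rewritten
# (internal) destination. Extra arguments (-i, -p, --dport) narrow the match
# and go before the target.
dnat_to() {
    to=$1
    shift
    ipt -t nat -A PREROUTING "$@" -j DNAT --to-destination "$to"
}

# The rewritten packet still has to pass FORWARD. With a DROP policy it needs
# an explicit accept for the internal address and port it was mapped to.
allow_forward_to() {
    proto=$1
    host=$2
    port=$3
    ipt -A FORWARD -p "$proto" -d "$host" --dport "$port" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# REDIRECT is DNAT to the primary address of the incoming interface. Limit it
# to the LAN interface: applied to every interface it would also pull port-80
# traffic arriving from the Internet into the proxy. Packets generated on the
# box itself (including squid's own fetches) do not pass PREROUTING, so they
# are not looped back into the proxy.
redirect_to_proxy() {
    lan_if=$1
    proxy_port=$2
    ipt -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 80 -j REDIRECT --to-ports "$proxy_port"
}

dnat_to 5.6.7.8 -i eth0                          # everything arriving on eth0
dnat_to 5.6.7.8-5.6.7.10 -i eth0                 # spread over three addresses
dnat_to 5.6.7.8:8080 -i eth0 -p tcp --dport 80   # web traffic to port 8080
allow_forward_to tcp 5.6.7.8 8080
redirect_to_proxy eth1 3128
```

As with the SNAT example, the three dnat_to calls are alternatives shown side by side, not a ruleset to load as one unit: with all three present, the first matching rule wins and the later ones never fire.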