Insert rule at a specific position (-I without a number prepends at position 1)
To start, figure out which rule number the new rule should take:
iptables -L -n --line-numbers
# insert at position 9; the existing rule 9 and everything after it shift down by one
iptables -I INPUT 9 -p tcp --dport 5222 -j ACCEPT
Add comments to iptables
The comment match is added to an otherwise normal rule:
iptables -m comment --comment "comment here"
Example:
iptables -A OUTPUT -d 192.160.123.88 -m comment --comment "Block the access to CRM server" -j DROP
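The two steps above (list with --line-numbers, then -I at the right position) are easy to get wrong by hand when the rule set changes. The following is an added example, not code from the page: it locates a rule in a chain by pattern in the output of iptables -L CHAIN -n --line-numbers and builds the matching -I command so the new rule (carrying a comment) lands in front of it. The function names are hypothetical and SAMPLE_LISTING is constructed output in that format.

```shell
#!/bin/sh
# Added example (not from the page): find a rule by pattern and build the "iptables -I CHAIN N ..."
# command that inserts a new rule in front of it. Function names are hypothetical;
# SAMPLE_LISTING is constructed output in the format of "iptables -L INPUT -n --line-numbers".

SAMPLE_LISTING=$(cat <<'EOF'
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4    DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
5    DROP       all  --  0.0.0.0/0            0.0.0.0/0            /* catch-all */
EOF
)

# rule_position CHAIN PATTERN   (listing on stdin)
# Prints the number of the first rule in CHAIN whose line matches PATTERN (an awk regular
# expression); prints nothing when no rule matches. The "Chain ..." header is skipped, so a
# pattern such as DROP does not match the chain policy line by accident.
rule_position() {
    awk -v chain="$1" -v pat="$2" '
        /^Chain / { cur = $2; next }          # "Chain INPUT (policy DROP)" opens a chain block
        /^num /   { next }                    # column header
        cur == chain && $0 ~ pat { print $1; exit }
    '
}

# build_insert CHAIN PATTERN RULE...   (listing on stdin)
# Prints the iptables command that inserts RULE at the position of the first rule matching
# PATTERN (that rule and everything after it shift down by one). Falls back to -A when nothing
# matches, so the rule is never silently skipped.
build_insert() {
    chain=$1; pattern=$2; shift 2
    pos=$(rule_position "$chain" "$pattern")
    if [ -n "$pos" ]; then
        printf 'iptables -I %s %s %s\n' "$chain" "$pos" "$*"
    else
        printf 'iptables -A %s %s\n' "$chain" "$*"
    fi
}

# insert_live CHAIN PATTERN RULE...  reads the real listing (needs root); DRY_RUN=1 only prints.
# The command is re-split by the shell here, so keep RULE free of quoted spaces.
insert_live() {
    cmd=$(iptables -L "$1" -n --line-numbers | build_insert "$@") || return 1
    echo "$cmd"
    [ "${DRY_RUN:-0}" = 1 ] || $cmd
}

# Demo on the constructed listing: put the XMPP allow rule in front of the first DROP (rule 4).
printf '%s\n' "$SAMPLE_LISTING" |
    build_insert INPUT DROP -p tcp --dport 5222 -m comment --comment xmpp -j ACCEPT
# prints: iptables -I INPUT 4 -p tcp --dport 5222 -m comment --comment xmpp -j ACCEPT
```

Matching on a pattern rather than a hard-coded number keeps the insert correct after other rules have been added or removed; when the anchor rule is not present the command degrades to an append instead of inserting at a wrong position.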
Block Access
To Outgoing IP Address
The following rule will block any outgoing connection to IP address 192.160.123.88:
iptables -A OUTPUT -d 192.160.123.88 -j DROP
To Outgoing IP TCP / UDP Port Number
Block all DNS access (UDP port 53; DNS over TCP needs a matching -p tcp rule):
iptables -A OUTPUT -p udp --dport 53 -j DROP
To block tcp port 22 for an IP address 192.160.123.88 only, enter:
iptables -A OUTPUT -p tcp -d 192.160.123.88 --dport 22 -j DROP
To block tcp port # 5050 for an IP address 192.168.1.2 only, enter:
iptables -A OUTPUT -p tcp -d 192.168.1.2 --dport 5050 -j DROP
List Rules as Tables
To output all of the active iptables rules in a table, run the iptables command with the -L option:
iptables -L
If you want to limit the output to a specific chain (INPUT, OUTPUT, FORWARD, or a user-defined chain such as TCP), you can specify the chain name directly after the -L option.
Let’s take a look at an example INPUT chain:
iptables -L INPUT
Show Packet Counts and Aggregate Size
Use the -L and -v options together (add -n to skip reverse DNS lookups on the addresses, and -x to print exact counters instead of the K/M/G abbreviations).
iptables -L INPUT -v
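The counters are the quickest way to see which rules are doing work and which are dead weight. The following is an added example, not code from the page: it parses the output of iptables -L INPUT -v -n --line-numbers and lists the rules of a given target that have matched traffic, plus the packets that fell through to the chain policy. It also handles the caveat that, without -x, iptables abbreviates counters as K/M/G (multiples of 1000) on rule lines and on the policy line alike. Helper names are hypothetical; SAMPLE_COUNTERS is constructed output in that format.

```shell
#!/bin/sh
# Added example (not from the page): report which rules in a chain actually match traffic,
# from "iptables -L INPUT -v -n --line-numbers" output. Helper names are hypothetical;
# SAMPLE_COUNTERS is constructed sample output. Without -x, counters above 99999 are shown as
# 12K / 3M / 1G (multiples of 1000), so they are expanded before sorting.

SAMPLE_COUNTERS=$(cat <<'EOF'
Chain INPUT (policy DROP 1532 packets, 98765 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     892K  131M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
2     1204 72240 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
3       17  1020 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5222
5       43  2580 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
6     2210  133K DROP       tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:23
EOF
)

# awk function shared by the helpers below: expand 12K / 3M / 1G to a plain number
EXPAND='function expand(v,  n, u) {
    n = v + 0; u = substr(v, length(v))
    if (u == "K") n *= 1000; else if (u == "M") n *= 1000000; else if (u == "G") n *= 1000000000
    return n
}'

# active_rules TARGET   (listing on stdin)
# Prints "num packets bytes description" for every TARGET rule that matched at least one
# packet, most-hit first. Rules with a zero count are omitted; they are the ones to review.
active_rules() {
    awk -v tgt="$1" "$EXPAND"'
        /^Chain / || /^num / { next }
        NF >= 10 && $4 == tgt && expand($2) > 0 {
            desc = $5                                        # protocol column
            for (i = 11; i <= NF; i++) desc = desc " " $i    # match options after destination
            printf "%s %.0f %.0f %s\n", $1, expand($2), expand($3), desc
        }' | sort -k2,2nr
}

# policy_packets   (listing on stdin)
# Prints how many packets reached the chain policy, i.e. matched no rule (first chain only).
policy_packets() {
    awk "$EXPAND"'
        /^Chain / && match($0, /[0-9]+[KMG]? packets/) {
            printf "%.0f\n", expand(substr($0, RSTART, RLENGTH - 8)); exit
        }'
}

printf '%s\n' "$SAMPLE_COUNTERS" | active_rules DROP
# prints: 6 2210 133000 tcp tcp dpt:23
#         5 43 2580 all ctstate INVALID
printf '%s\n' "$SAMPLE_COUNTERS" | policy_packets
# prints: 1532
```

Run the same helpers over a listing saved from a live box (iptables -L INPUT -v -n --line-numbers > snapshot.txt) and diff two snapshots to spot rules whose counters never move; on a production host prefer -x and skip the expansion step entirely.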
Reset Packet Counts and Aggregate Size
To clear the counters for all rules in all chains:
iptables -Z
To clear the counters for all rules in a specific chain, use the -Z option and specify the chain.
iptables -Z INPUT
If you want to clear the counters for a specific rule, specify the chain name and the rule number:
iptables -Z INPUT 1
Delete Rule by Specification
Give -D the exact rule specification; the first rule in the chain that matches it is removed:
iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
Delete Rule by Chain and Number
a) List the rules with their numbers:
iptables -L --line-numbers
b) Delete by chain and rule number (the remaining rules are renumbered, so re-list before deleting another):
iptables -D INPUT 3
NAT
Source NAT
You want to do Source NAT: change the source address of connections to something different. This is done in the POSTROUTING chain, just before the packet is finally sent out. This is an important detail, since it means that everything else on the Linux box itself (routing, packet filtering) sees the packet unchanged. It also means that the -o (outgoing interface) option can be used.
Source NAT is specified using -j SNAT, and the --to-source option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only). The examples below write --to, which iptables accepts as an unambiguous abbreviation of --to-source.
## Change source addresses to 1.2.3.4.
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4
## Change source addresses to 1.2.3.4, 1.2.3.5 or 1.2.3.6
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4-1.2.3.6
## Change source addresses to 1.2.3.4, ports 1-1023
iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to 1.2.3.4:1-1023
Masquerading
There is a specialized case of Source NAT called masquerading: it should only be used for dynamically-assigned IP addresses, such as standard dialups (for static IP addresses, use SNAT above).
You don't need to put in the source address explicitly with masquerading: it will use the source address of the interface the packet is going out from. But more importantly, if the link goes down, the connections (which are now lost anyway) are forgotten, meaning fewer glitches when the connection comes back up with a new IP address.
## Masquerade everything out ppp0.
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Destination NAT
This is done in the PREROUTING chain, just as the packet comes in; this means that everything else on the Linux box itself (routing, packet filtering) sees the packet going to its "real" destination. It also means that the -i (incoming interface) option can be used.
Destination NAT is specified using -j DNAT, and the --to-destination option specifies an IP address, a range of IP addresses, and an optional port or range of ports (for UDP and TCP protocols only). The examples below write --to, which iptables accepts as an unambiguous abbreviation of --to-destination.
## Change destination addresses to 5.6.7.8
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8
## Change destination addresses to 5.6.7.8, 5.6.7.9 or 5.6.7.10.
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to 5.6.7.8-5.6.7.10
## Change destination addresses of web traffic to 5.6.7.8, port 8080.
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 5.6.7.8:8080
Redirection
There is a specialized case of Destination NAT called redirection: it is a simple convenience which is exactly equivalent to doing DNAT to the address of the incoming interface.
## Send incoming port-80 web traffic to our squid (transparent) proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
Note that squid needs to be configured to know it’s a transparent proxy!
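The four nat-table forms above (SNAT, MASQUERADE, DNAT, REDIRECT) share one error-prone part: the --to specification, and the rule that a port mapping is only legal together with -p tcp or -p udp. The following is an added example, not code from the page or from the netfilter project: a small builder that validates the inputs and prints the corresponding iptables command, so a malformed or port-without-protocol rule is rejected before it reaches the kernel. The helper names are hypothetical, and it handles IPv4 only (ip6tables nat specifications use a different bracket syntax).

```shell
#!/bin/sh
# Added example (not from the page or the netfilter project): build the four nat rule forms
# from validated inputs. Helper names are hypothetical. Checks: the --to specification must be
# IP or IP-IP, optionally followed by :PORT or :PORT-PORT; a port part needs -p tcp/udp;
# REDIRECT takes only a port or port range and also needs -p tcp/udp. IPv4 only.

# valid_ipv4 ADDR : four dotted decimal octets, each 0-255
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# valid_port PORT : integer 1-65535
valid_port() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_port_range PORT | PORT-PORT (low must not exceed high)
valid_port_range() {
    case $1 in
        *-*) valid_port "${1%-*}" && valid_port "${1#*-}" && [ "${1%-*}" -le "${1#*-}" ] ;;
        *)   valid_port "$1" ;;
    esac
}

# valid_to_spec IP[-IP][:PORT[-PORT]] : the argument form of --to-source / --to-destination
valid_to_spec() {
    case $1 in
        *:*) addr=${1%%:*}; ports=${1#*:} ;;
        *)   addr=$1; ports= ;;
    esac
    case $addr in
        *-*) valid_ipv4 "${addr%-*}" && valid_ipv4 "${addr#*-}" || return 1 ;;
        *)   valid_ipv4 "$addr" || return 1 ;;
    esac
    [ -z "$ports" ] || valid_port_range "$ports"
}

# nat_rule KIND IFACE SPEC [PROTO [DPORT]]
#   KIND is snat | masquerade | dnat | redirect. Prints the iptables command on success;
#   prints the reason on stderr and returns 1 otherwise.
nat_rule() {
    kind=$1; iface=$2; spec=$3; proto=$4; dport=$5
    case $proto in ''|tcp|udp) ;; *) echo "nat_rule: proto must be tcp or udp" >&2; return 1 ;; esac
    [ -z "$dport" ] || [ -n "$proto" ] || { echo "nat_rule: --dport needs -p tcp/udp" >&2; return 1; }
    case $kind in
        snat|dnat)
            valid_to_spec "$spec" || { echo "nat_rule: bad --to specification '$spec'" >&2; return 1; }
            case $spec in *:*) [ -n "$proto" ] || { echo "nat_rule: port mapping needs -p tcp/udp" >&2; return 1; } ;; esac ;;
        redirect)
            valid_port_range "$spec" && [ -n "$proto" ] || { echo "nat_rule: redirect needs -p tcp/udp and a port" >&2; return 1; } ;;
        masquerade) ;;
        *) echo "nat_rule: unknown kind '$kind'" >&2; return 1 ;;
    esac
    p=${proto:+-p $proto}; d=${dport:+--dport $dport}
    case $kind in   # $p and $d are left unquoted on purpose: empty ones vanish, set ones split into two words
        snat)       set -- -t nat -A POSTROUTING -o "$iface" $p $d -j SNAT --to-source "$spec" ;;
        masquerade) set -- -t nat -A POSTROUTING -o "$iface" $p $d -j MASQUERADE ;;
        dnat)       set -- -t nat -A PREROUTING -i "$iface" $p $d -j DNAT --to-destination "$spec" ;;
        redirect)   set -- -t nat -A PREROUTING -i "$iface" $p $d -j REDIRECT --to-ports "$spec" ;;
    esac
    echo "iptables $*"
}

nat_rule dnat eth0 5.6.7.8:8080 tcp 80
# prints: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 5.6.7.8:8080
```

Pipe the printed command into a review step or a change ticket rather than executing it blindly; the builder only guarantees that the specification is well-formed, not that the mapping is the one intended.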