
Linux Iptables with Examples


Iptables is the command-line tool used to set up and maintain the packet-filtering tables of the Netfilter framework in the Linux kernel (iptables handles IPv4; ip6tables is its IPv6 counterpart). Each packet is compared against the rules in these tables, and the first rule that matches decides what happens to it.


  • Table: a set of chains, grouped by purpose (filtering, NAT, packet alteration).

  • Chain: an ordered list of rules.

  • Rule: a set of match conditions (interface, addresses, protocol, port, connection state, ...) together with a target.

  • Target: the action taken when a rule matches. Examples are ACCEPT, DROP, REJECT and QUEUE, or a jump to a user-defined chain.

  • Policy: the default action of a built-in chain when no rule matches; ACCEPT or DROP. Rules are evaluated top to bottom and the first match wins, so the order in which rules are added matters.


TABLE

Here are the tables and what each is for:

  • filter: the default table, used for packet filtering. Built-in chains are INPUT, OUTPUT and FORWARD.

  • nat: Network Address Translation (DNAT, SNAT, MASQUERADE, REDIRECT). Built-in chains are PREROUTING, OUTPUT and POSTROUTING. Only the first packet of a connection is evaluated here; the rest follow the mapping recorded for that connection.

  • mangle: specialised packet alteration (TOS, TTL, packet marks). Since Linux 2.4.18 it has all five built-in chains.

  • raw: exemptions from connection tracking (the NOTRACK/CT targets). Built-in chains are PREROUTING and OUTPUT; it is consulted before conntrack sees the packet.

  • security: Mandatory Access Control rules, such as those set with the SECMARK and CONNSECMARK targets for SELinux; it is consulted after the filter table.


CHAINS

The built-in chains, and where in the packet path each one sits:

  • INPUT: packets addressed to this host (delivered to local sockets).

  • FORWARD: packets routed through this host to another destination.

  • OUTPUT: packets generated locally, on their way out.

  • PREROUTING: packets as they arrive, before the routing decision (where destination rewriting belongs).

  • POSTROUTING: packets as they leave, after the routing decision (where source rewriting belongs).


Restore Firewall Rules


To restore firewall rules from a file called /root/my.active.firewall.rules (in the format written by iptables-save), enter:

#iptables-restore < /root/my.active.firewall.rules

iptables-restore loads the whole file in one transaction: either the complete ruleset is applied or nothing changes. On CentOS / RHEL / Fedora Linux the init script loads the rules saved in /etc/sysconfig/iptables; on releases where firewalld is the default (RHEL/CentOS 7 and later) this requires the iptables-services package:

#service iptables restart


Iptables examples:


Only Block Incoming Traffic

To drop all incoming and forwarded packets but allow outgoing traffic, enter the following. The ACCEPT rule goes in before the policies are switched, so an SSH session you are working over is not interrupted between the commands:

#iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#iptables -P INPUT DROP
#iptables -P FORWARD DROP
#iptables -P OUTPUT ACCEPT
#iptables -L -v -n

The state list must be ESTABLISHED,RELATED, not NEW: accepting NEW on INPUT would let every inbound connection through and make the DROP policy meaningless. ESTABLISHED covers replies to connections this host opened (including ICMP echo replies, which is why ping works), RELATED covers associated traffic such as ICMP errors. -m state --state is the older spelling of the same match. You will usually also want an ACCEPT rule for the loopback interface (-i lo) so that local services can still reach each other.

### *** now ping and wget should work *** ###

ping kingoncloud.com

wget http://www.linux.com/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2
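Rather than typing the rules one at a time, the usual practice is to write them as an iptables-save file and load it with iptables-restore, which ties the restore example above to this one. The script below is an added example, not code from the original page: it generates the allow-outbound/deny-inbound ruleset in that format (with the loopback rule and the ESTABLISHED,RELATED match, and generalised to take a list of TCP ports to keep open on the public interface) and applies it only after iptables-restore --test has parsed it successfully. The interface name eth1, the port list and the /root paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build the "allow outbound, deny
# inbound" ruleset in iptables-save format and load it atomically with
# iptables-restore. It generalises the page's rules by taking an optional
# list of TCP ports that stay open on the public interface (22, for example,
# so the SSH session you apply it from survives). The interface name, port
# list and the /root/... paths are illustrative assumptions.

# build_ruleset PUBLIC_IFACE [TCP_PORT ...] -> ruleset text on stdout
build_ruleset() {
    iface=$1
    shift
    echo '*filter'
    # Default policies: nothing in, nothing through, everything out.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback first, so local services keep talking to each other.
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to connections this host opened, plus related traffic such as
    # ICMP errors. ESTABLISHED,RELATED and not NEW: accepting NEW here would
    # let every inbound connection in and make the DROP policy pointless.
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # Explicitly opened services, one rule per port, only on the public side.
    for port in "$@"; do
        echo "-A INPUT -i $iface -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo 'COMMIT'
}

# apply_ruleset FILE (needs root): snapshot the live rules, syntax-check the
# new file without touching the kernel, then load it in one transaction.
apply_ruleset() {
    file=$1
    backup=/root/iptables.before.$(date +%s)
    iptables-save > "$backup" || return 1
    # --test parses and constructs the whole ruleset but does not commit it,
    # so a typo cannot leave the chains half-loaded.
    if ! iptables-restore --test < "$file"; then
        echo "ruleset rejected, nothing applied" >&2
        return 1
    fi
    iptables-restore < "$file" || return 1
    echo "applied $file; roll back with: iptables-restore < $backup"
}

# Typical use, as root:
#   build_ruleset eth1 22 > /root/my.active.firewall.rules
#   apply_ruleset /root/my.active.firewall.rules
build_ruleset eth1 22
```

Running the script as shown only prints the ruleset; apply_ruleset is what needs root. Because the file is loaded in a single transaction, the order problem of the interactive commands (policy switched before the stateful rule exists) does not arise.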


Drop Private Network Address On Public Interface


Packets that arrive on the public interface with a source address from a private (RFC 1918) or otherwise non-routable range are spoofed or misrouted and should be dropped. The two rules below cover the 192.168.0.0/16 and 10.0.0.0/8 blocks; 172.16.0.0/12 and 127.0.0.0/8 deserve the same treatment. Here eth1 is assumed to be the public interface:

#iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
#iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

The kernel's reverse-path filter (sysctl net.ipv4.conf.all.rp_filter=1) discards most such packets before iptables sees them and is worth enabling alongside these rules.


Block Incoming Port Requests (BLOCK PORT)


To block all requests to TCP port 80, enter one of the following (the first applies to every interface, the second only to packets arriving on eth1):

#iptables -A INPUT -p tcp --dport 80 -j DROP
#iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for the single address 1.2.3.4, or for the whole 192.168.1.0/24 network on eth1, enter:

#iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
#iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

Because -A appends, these rules land after whatever is already in INPUT; if an earlier rule accepts the traffic (for example an ACCEPT for state NEW), the DROP is never reached. Use -I INPUT to insert at the top of the chain, and check the result with iptables -L INPUT -n -v --line-numbers. DROP discards silently; -j REJECT answers with an error, which is kinder to legitimate clients, while DROP gives a scanner less to work with.
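Rule order is what decides whether the drops in the last two sections take effect at all. The script below is an added example, not the page's own code: a minimal first-match model of the INPUT chain (it understands only interface, source prefix, protocol, destination port and conntrack state) that evaluates the page's rules offline. The rule tables, the addresses 203.0.113.9 and 10.20.30.40 and the interface eth1 are constructed for the demonstration. It shows that with an ACCEPT for state NEW at the top of the chain the port-80 DROP is never reached, and that narrowing that rule to ESTABLISHED,RELATED fixes it while the private-source drops still apply.

```shell
#!/bin/sh
# Added example, not from the original page: a minimal first-match model of
# the INPUT chain for checking rule order offline. It understands only the
# interface, source prefix, protocol, destination port and conntrack state;
# real iptables matches much more, so this is for reasoning about ordering,
# not a replacement for testing on the host. Rule tables, addresses and the
# interface name below are constructed for the demonstration.

# ip2int A.B.C.D -> the address as an integer (a subshell body keeps the
# IFS change local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# in_cidr IP PREFIX -> success if IP lies inside PREFIX, given as A.B.C.D/N,
# a bare A.B.C.D, or the 0/0 shorthand for "anywhere"
in_cidr() {
    case $2 in
        */*) net=${2%/*}; bits=${2#*/} ;;
        *)   net=$2; bits=32 ;;
    esac
    if [ "$net" = 0 ]; then net=0.0.0.0; fi
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# first_match IFACE SRC PROTO DPORT STATE, with the chain on stdin as
#   iface  src-prefix  proto  dport  states  target     ("-" means any)
# Prints the target of the first matching rule, else the chain policy.
first_match() {
    pkt_if=$1; pkt_src=$2; pkt_proto=$3; pkt_dport=$4; pkt_state=$5
    while read -r r_if r_src r_proto r_dport r_state r_target; do
        case $r_if in ''|'#'*) continue ;; esac
        [ "$r_if" = - ]    || [ "$r_if" = "$pkt_if" ]      || continue
        [ "$r_src" = - ]   || in_cidr "$pkt_src" "$r_src"   || continue
        [ "$r_proto" = - ] || [ "$r_proto" = "$pkt_proto" ] || continue
        [ "$r_dport" = - ] || [ "$r_dport" = "$pkt_dport" ] || continue
        case ",$r_state," in ",-,"|*",$pkt_state,"*) ;; *) continue ;; esac
        echo "$r_target"
        return 0
    done
    echo "${POLICY:-DROP}"
}

# verdict RULES IFACE SRC PROTO DPORT STATE -> target for that packet
verdict() { rules=$1; shift; printf '%s\n' "$rules" | first_match "$@"; }

# The page's INPUT rules in the order they were appended, with the stateful
# rule as the page first wrote it (NEW,ESTABLISHED).
RULES_AS_WRITTEN='
-     -               -    -   NEW,ESTABLISHED  ACCEPT
eth1  192.168.0.0/16  -    -   -                DROP
eth1  10.0.0.0/8      -    -   -                DROP
-     -               tcp  80  -                DROP
-     1.2.3.4         tcp  80  -                DROP
'
# The same chain with the stateful rule narrowed to return traffic only.
RULES_FIXED='
-     -               -    -   ESTABLISHED,RELATED  ACCEPT
eth1  192.168.0.0/16  -    -   -                    DROP
eth1  10.0.0.0/8      -    -   -                    DROP
-     -               tcp  80  -                    DROP
-     1.2.3.4         tcp  80  -                    DROP
'

verdict "$RULES_AS_WRITTEN" eth1 203.0.113.9 tcp 80  NEW          # ACCEPT: the port-80 DROP is shadowed
verdict "$RULES_FIXED"      eth1 203.0.113.9 tcp 80  NEW          # DROP
verdict "$RULES_FIXED"      eth1 10.20.30.40 tcp 22  NEW          # DROP: private source on the public side
verdict "$RULES_FIXED"      eth1 203.0.113.9 tcp 443 ESTABLISHED  # ACCEPT: reply to our own connection
```

The model deliberately stops at first match, as the kernel does; a rule that can never be reached is the most common reason a "blocked" port is still open.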

Block Outgoing IP Address


To block outgoing traffic to a particular host or domain such as kingoncloud.com, first look up its address with the host command or the dig command:


host -t a kingoncloud.com


Sample output:


kingoncloud.com has address 75.100.110.200

Note down the address and enter the following to block all outgoing traffic to 75.100.110.200 (every protocol, not only HTTP). A name can resolve to several addresses, and they change over time, so repeat the lookup and add a rule for each address returned:

#iptables -A OUTPUT -d 75.100.110.200 -j DROP

You can use a subnet as follows (the second variant limits the rule to packets leaving through eth1):

#iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
#iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP
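A name often resolves to more than one address, and nothing should become a firewall rule without a check that it really is an IPv4 address. The following is an added example, not code from the original page: it parses host -t a output into validated, de-duplicated addresses and emits one OUTPUT DROP rule per address, tagged with the host name through the comment match so the rule is still understandable later. The sample host output embedded in the script is constructed (including a deliberately malformed address) so that it runs without DNS; resolve_ipv4 is the helper you would use against real DNS.

```shell
#!/bin/sh
# Added example, not from the original page: block outbound traffic to every
# IPv4 address a name resolves to, not only the first one, and refuse to turn
# anything that is not a well-formed IPv4 address into a rule. The host name
# and the sample 'host' output below are constructed for illustration.

# Strict dotted-quad pattern: each octet 0-255 and nothing else on the line.
OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4_RE="^$OCTET\\.$OCTET\\.$OCTET\\.$OCTET\$"

# addresses_from_host_output  <- 'host -t a NAME' text on stdin
# -> one validated IPv4 address per line, de-duplicated
addresses_from_host_output() {
    awk '$2 == "has" && $3 == "address" { print $4 }' | grep -E "$IPV4_RE" | sort -u
}

# resolve_ipv4 NAME -> validated addresses for NAME (needs DNS; not used by
# the offline demonstration below)
resolve_ipv4() { host -t a "$1" | addresses_from_host_output; }

# outbound_block_rules NAME [ADDR ...] -> one iptables command per address,
# each carrying the name it came from in a rule comment
outbound_block_rules() {
    name=$1
    shift
    for addr in "$@"; do
        echo "iptables -A OUTPUT -d $addr -m comment --comment \"$name\" -j DROP"
    done
}

# Constructed sample of 'host -t a' output: an alias line, two A records and
# a malformed address that must not become a rule.
SAMPLE_HOST_OUTPUT='www.kingoncloud.com is an alias for kingoncloud.com.
kingoncloud.com has address 75.100.110.200
kingoncloud.com has address 75.100.110.201
kingoncloud.com has address 999.1.1.1'

# Against real DNS:  outbound_block_rules kingoncloud.com $(resolve_ipv4 kingoncloud.com)
outbound_block_rules kingoncloud.com $(printf '%s\n' "$SAMPLE_HOST_OUTPUT" | addresses_from_host_output)
```

The rules are still a snapshot of DNS at the moment of the lookup; re-run the lookup periodically, or keep the addresses in a list the firewall references, rather than trusting a one-off answer.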


Redirect port 80 to 8080

REDIRECT is a nat-table target that rewrites the destination port so that the packet is delivered to a local socket; it is the usual way to let a service listen on an unprivileged port while clients connect to 80. The generic form (placeholders in $...):

#iptables -t nat -A PREROUTING -i $interfaceName -p tcp --dport $srcPortNumber -j REDIRECT --to-ports $dstPortNumber

To redirect all incoming traffic for 192.168.1.5 on port 80 to port 8080:

#iptables -t nat -I PREROUTING -d 192.168.1.5 -p tcp --dport 80 -j REDIRECT --to-ports 8080

PREROUTING sees only packets arriving from the network. A test from the box itself (curl against 192.168.1.5) goes through the nat OUTPUT chain instead, so it needs the same REDIRECT rule there. The service must also be allowed through the INPUT chain on port 8080, not 80, because filtering happens after the rewrite.


Port Forwarding


What this section calls port forwarding is IP forwarding: the kernel must be willing to pass packets between interfaces before any DNAT rule can deliver them to another host. Check whether it is enabled with sysctl:

[root@kingoncloud ~]#  sysctl -a | grep -i eth0.forwarding
net.ipv4.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0

Both values are zero, so forwarding is disabled for IPv4 and IPv6 on interface eth0.


Or read the same values straight from /proc:

[root@kingoncloud ~]# cat /proc/sys/net/ipv4/conf/eth0/forwarding
0
[root@kingoncloud ~]# cat /proc/sys/net/ipv6/conf/eth0/forwarding
0

Again the zeros confirm that forwarding is disabled. It has to be enabled first; the iptables rules come after that.


How to enable IP forwarding in Linux

The same two interfaces can be used to turn it on. Prefer the sysctl command over writing a 1 into the /proc files by hand: it is the same kernel setting, but the sysctl form is the one that also goes into the persistent configuration. net.ipv4.ip_forward=1 is the usual global switch and enables forwarding on every interface; the per-interface net.ipv4.conf.eth0.forwarding used here keeps the change to one interface. For IPv6, note that enabling forwarding on an interface also stops it from accepting Router Advertisements unless accept_ra is set to 2.


Enable forwarding using the sysctl command:



[root@kingoncloud ~]# sysctl net.ipv4.conf.eth0.forwarding=1
net.ipv4.conf.eth0.forwarding = 1
[root@kingoncloud ~]# sysctl net.ipv6.conf.eth0.forwarding=1
net.ipv6.conf.eth0.forwarding = 1

To make it persistent across reboots, add the parameters to /etc/sysctl.conf (a file under /etc/sysctl.d/ works as well) and reload:



[root@kingoncloud ~]# echo "net.ipv4.conf.eth0.forwarding = 1">>/etc/sysctl.conf
[root@kingoncloud ~]# echo "net.ipv6.conf.eth0.forwarding = 1">>/etc/sysctl.conf
[root@kingoncloud ~]# sysctl -p
net.ipv4.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1

With forwarding enabled on the server, we can go ahead and configure the port forwarding rules in iptables.


Here we will forward port 80 to port 8080 on 172.31.40.29. Port forwarding (DNAT to another host) is not the same as the port redirection (REDIRECT to a local port) shown earlier: the packet leaves this host and has to be routed, which is why forwarding had to be enabled.

We need a rule in the nat table's PREROUTING chain with the DNAT target, plus a FORWARD rule that lets the rewritten packet through:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 172.31.40.29:8080
# iptables -A FORWARD -p tcp -d 172.31.40.29 --dport 8080 -j ACCEPT

Change the interface, IP and ports as required. The first rule rewrites the destination of TCP packets arriving on eth0 for port 80 to 172.31.40.29:8080 (the nat table sees only the first packet of each connection; the rest follow the recorded mapping). Since the destination is no longer local, the packet traverses the FORWARD chain rather than INPUT, and the second rule accepts it there. If FORWARD has a DROP policy, the replies need a FORWARD rule accepting ESTABLISHED,RELATED traffic as well. Finally, 172.31.40.29 answers the original client address: unless this host is on that return path (typically because it is the target's default gateway), add a POSTROUTING SNAT or MASQUERADE rule for the forwarded traffic so the replies come back through the host that did the DNAT.
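Putting the forwarding check and the rules together, and also covering the port-80 to 8080 redirect from the earlier section: the script below is an added example, not the page's own code. forwarding_enabled reads the per-interface value from /proc (PROC_ROOT is overridable only so the check can be exercised without root), dnat_rules emits the DNAT rule together with the FORWARD rules for both directions and, when asked, the POSTROUTING MASQUERADE needed when this host is not on the target's return path, and redirect_rules emits the PREROUTING REDIRECT plus its nat OUTPUT twin for connections made on the box itself. The interface eth0, the addresses and the ports are the page's; the sysctl.d file name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: check whether IP forwarding is
# on for an interface, then emit the nat and filter rules that make DNAT
# port forwarding work end to end, including the two pieces the page's two
# rules leave out (return traffic through FORWARD, and MASQUERADE when this
# host is not on the target's return path). redirect_rules covers the
# port-80 to 8080 REDIRECT case, including locally generated traffic.
# PROC_ROOT is only overridable so the check can be exercised without root.

PROC_ROOT=${PROC_ROOT:-/proc}

# forwarding_enabled FAMILY IFACE -> success if net.FAMILY.conf.IFACE.forwarding is 1
forwarding_enabled() {
    f="$PROC_ROOT/sys/net/$1/conf/$2/forwarding"
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# enable_forwarding IFACE (needs root): per-interface switch, made persistent
# through a sysctl.d drop-in (file name is an assumption)
enable_forwarding() {
    sysctl -w "net.ipv4.conf.$1.forwarding=1" &&
    printf 'net.ipv4.conf.%s.forwarding = 1\n' "$1" > /etc/sysctl.d/90-forwarding.conf
}

# dnat_rules PUBLIC_IFACE PUBLIC_PORT TARGET_IP TARGET_PORT [snat]
# -> iptables commands on stdout. Pass "snat" when replies from TARGET_IP
#    would not naturally route back through this host.
dnat_rules() {
    pub_if=$1; pub_port=$2; target=$3; tport=$4; mode=${5:-}
    echo "iptables -t nat -A PREROUTING -i $pub_if -p tcp --dport $pub_port -j DNAT --to-destination $target:$tport"
    # Return traffic of forwarded connections; required when FORWARD policy is DROP.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The rewritten first packet of each new connection.
    echo "iptables -A FORWARD -i $pub_if -p tcp -d $target --dport $tport -m conntrack --ctstate NEW -j ACCEPT"
    if [ "$mode" = snat ]; then
        # Rewrite the source too, so the target answers this host, not the client.
        echo "iptables -t nat -A POSTROUTING -p tcp -d $target --dport $tport -j MASQUERADE"
    fi
}

# redirect_rules IFACE FROM_PORT TO_PORT -> REDIRECT for packets arriving on
# IFACE, plus the nat OUTPUT twin that catches connections made on the box
redirect_rules() {
    echo "iptables -t nat -A PREROUTING -i $1 -p tcp --dport $2 -j REDIRECT --to-ports $3"
    echo "iptables -t nat -A OUTPUT -o lo -p tcp --dport $2 -j REDIRECT --to-ports $3"
}

# Example with the page's values: forward eth0:80 to 172.31.40.29:8080.
if forwarding_enabled ipv4 eth0; then
    echo "# ipv4 forwarding is on for eth0"
else
    echo "# ipv4 forwarding is off for eth0: run enable_forwarding eth0 as root first"
fi
dnat_rules eth0 80 172.31.40.29 8080 snat
redirect_rules eth0 80 8080
```

The script prints the commands rather than running them, so it can be reviewed first; with MASQUERADE in place the target sees this host as the client, which is the trade-off for not depending on the target's routing.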


