Linux Iptables with Examples
Iptables is a command line interface used to set up and maintain tables for the Netfilter firewall for IPv4, included in the Linux kernel. The firewall matches packets with rules defined in these tables and then takes the specified action on a possible match.
A table is a named set of chains.
A chain is an ordered list of rules.
A rule is a condition used to match a packet.
A target is the action taken when a rule matches. Examples of targets are ACCEPT, DROP and QUEUE.
The policy is the default action a built-in chain takes when no rule matches; it can be ACCEPT or DROP.
Here are the table options:
filter: the default table, used for packet filtering. It includes the INPUT, OUTPUT and FORWARD chains.
nat: for Network Address Translation. It includes the PREROUTING and POSTROUTING chains.
mangle: for specialised packet alteration. Built-in chains include PREROUTING and OUTPUT.
raw: configures exemptions from connection tracking. Built-in chains are PREROUTING and OUTPUT.
security: used for Mandatory Access Control rules.
Here are a few of the built-in chains included in the tables:
INPUT: rules for packets destined to local sockets.
FORWARD: rules for packets routed through the device.
OUTPUT: rules for locally generated packets that are to be sent out.
PREROUTING: for modifying packets as they arrive, before routing.
POSTROUTING: for modifying packets as they leave, after routing.
Restore Firewall Rules
To restore firewall rules from a file called /root/my.active.firewall.rules, enter:
# iptables-restore < /root/my.active.firewall.rules
To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables restart
Only Block Incoming Traffic
To drop all incoming and forwarded packets but allow outgoing traffic (and the replies it generates), enter:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -L -v -n
The state rule lets in only packets that belong to, or are related to, connections this host opened itself; do not add NEW to it, or every unsolicited inbound connection would be accepted despite the DROP policy.
### *** now ping and wget should work *** ###
Drop Private Network Address On Public Interface
Anti-spoofing here means dropping packets that arrive on a public interface with a source address from the IPv4 ranges reserved for private networks: those addresses are not routable on the Internet, so a packet carrying one inbound on the public side has a forged source. Packets with non-routable source addresses should be rejected using the following syntax (eth1 being the public interface):
# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
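The two sections above ("Only Block Incoming Traffic" and "Drop Private Network Address On Public Interface") are shown as separate commands; the script below, added here as an example and not code from the original page, combines them into one file in the format iptables-restore reads, so the whole policy can be reviewed, parsed with iptables-restore --test, and loaded atomically rather than built up rule by rule. It assumes the public interface is named eth1 as in the page's examples (override with PUBLIC_IF), and it covers all three RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) rather than only the two prefixes listed above. The functions only print text; nothing touches the firewall unless --apply is given.

```shell
#!/bin/sh
# Added example (not from the original page): emit the "block incoming,
# allow outgoing" policy plus anti-spoofing drops as one iptables-restore
# file. Assumption: the public interface name is passed in (default eth1).

# Print an iptables-restore ruleset for the filter table.
# $1 = public interface (assumed name; eth1 as in the page's examples)
gen_ruleset() {
    pubif="${1:-eth1}"
    printf '%s\n' '*filter'
    # Default policies: drop everything inbound and forwarded, allow outbound.
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # Loopback is needed by local services; keep it open.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Anti-spoofing: RFC 1918 source addresses never legitimately arrive on
    # the public interface, so drop them before the state match below.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        printf '%s\n' "-A INPUT -i $pubif -s $net -j DROP"
    done
    # Replies to connections we opened (ping replies, HTTP responses) are
    # ESTABLISHED or RELATED. NEW is deliberately absent, so the DROP policy
    # still applies to unsolicited inbound connections.
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' 'COMMIT'
}

# Count the rules (lines starting with -A) in a ruleset read from stdin,
# a cheap sanity check before loading.
count_rules() {
    grep -c '^-A ' || true
}

# Usage:  sh firewall.sh           -> print the ruleset
#         sh firewall.sh --check   -> parse only (iptables-restore --test, needs root)
#         sh firewall.sh --apply   -> load it (needs root)
case "${1:-}" in
    --check) gen_ruleset "${PUBLIC_IF:-eth1}" | iptables-restore --test ;;
    --apply) gen_ruleset "${PUBLIC_IF:-eth1}" | iptables-restore ;;
    *)       gen_ruleset "${PUBLIC_IF:-eth1}" ;;
esac
```

Loading through iptables-restore replaces the table in one step, so there is never a moment where the DROP policy is set but the ESTABLISHED,RELATED rule is not yet present; the same file is what the "Restore Firewall Rules" section above expects under /root/my.active.firewall.rules.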
Block Incoming Port Requests (BLOCK PORT)
To block all service requests on port 80, enter:
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
To block port 80 only for a single IP address such as 184.108.40.206, or for a whole subnet, enter:
# iptables -A INPUT -p tcp -s 220.127.116.11 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP
Block Outgoing IP Address
To block outgoing traffic to a particular host or domain such as kingoncloud.com, use the host command or dig command:
host -t a kingoncloud.com
kingoncloud.com has address 18.104.22.168
Note down its IP address and type the following to block all outgoing traffic to 22.214.171.124:
# iptables -A OUTPUT -d 126.96.36.199 -j DROP
You can use a subnet as follows:
# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP
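The procedure above copies one address from the host command by hand, but a name can resolve to several A records, and blocking only the first leaves the others reachable. The script below is an added example, not part of the original page: it parses the "has address" lines of host -t a output and prints one OUTPUT DROP rule per address. The sample host output embedded in it is constructed for the example (documentation-range addresses), and the optional outbound interface argument is an assumption of this script.

```shell
#!/bin/sh
# Added example (not from the original page): turn `host -t a NAME` output
# into one OUTPUT DROP rule per address, so every A record of the name is
# covered. The sample output below is constructed for this example.

# Read `host -t a` output on stdin and print one iptables command per address.
# $1 = optional outbound interface (adds -o IFACE when given)
rules_from_host_output() {
    oif="$1"
    while IFS= read -r line; do
        case "$line" in
            *" has address "*)
                # Strip everything up to and including " has address ".
                addr="${line##* has address }"
                if [ -n "$oif" ]; then
                    printf '%s\n' "iptables -A OUTPUT -o $oif -d $addr -j DROP"
                else
                    printf '%s\n' "iptables -A OUTPUT -d $addr -j DROP"
                fi
                ;;
            # MX, CNAME and other lines are ignored on purpose.
        esac
    done
}

# Constructed sample: a name with two A records and one MX line that must
# be ignored. 192.0.2.0/24 is the documentation range (TEST-NET-1).
SAMPLE_HOST_OUTPUT='example.test has address 192.0.2.10
example.test has address 192.0.2.11
example.test mail is handled by 10 mail.example.test.'

# Run the parser over the constructed sample; $1 = optional interface.
sample_rules() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | rules_from_host_output "$1"
}

# Usage on a live system (as root):  host -t a NAME | rules_from_host_output eth1 | sh
sample_rules
```

Because the addresses behind a name change over time, rules generated this way should be regenerated on a schedule and the old ones removed, rather than kept indefinitely.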
Redirect port 80 to 8080
The general form, with the interface and port numbers as shell variables, is:
# iptables -t nat -A PREROUTING -i $interfaceName -p tcp --dport $srcPortNumber -j REDIRECT --to-ports $dstPortNumber
REDIRECT rewrites the destination to an address of the interface the packet arrived on, so only the port changes and the packet stays on this host. To redirect all incoming traffic for 192.168.1.5 on port 80 to local port 8080:
# iptables -t nat -I PREROUTING --src 0/0 --dst 192.168.1.5 -p tcp --dport 80 -j REDIRECT --to-ports 8080
Before configuring port forwarding, check whether the kernel has forwarding enabled on the interface. One way is the sysctl command:
[root@kingoncloud ~]# sysctl -a | grep -i eth0.forwarding
net.ipv4.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
Both values are zero, so forwarding is disabled for IPv4 and IPv6 on interface eth0.
Or you can use the process filesystem to check if port forwarding is enabled or not.
[root@kingoncloud ~]# cat /proc/sys/net/ipv4/conf/eth0/forwarding
0
[root@kingoncloud ~]# cat /proc/sys/net/ipv6/conf/eth0/forwarding
0
Again, the zero values in the proc filesystem confirm that forwarding is disabled on our system. We first need to enable forwarding, and then configure the port forwarding rules in iptables.
How to enable port forwarding in Linux
Forwarding can be enabled with the same two methods used to check it above, but the sysctl command is recommended over writing 1 into the proc files by hand.
Enable forwarding in Linux using the sysctl command:
[root@kingoncloud ~]# sysctl net.ipv4.conf.eth0.forwarding=1
net.ipv4.conf.eth0.forwarding = 1
[root@kingoncloud ~]# sysctl net.ipv6.conf.eth0.forwarding=1
net.ipv6.conf.eth0.forwarding = 1
To make it persistent across reboots, add the parameters to /etc/sysctl.conf:
[root@kingoncloud ~]# echo "net.ipv4.conf.eth0.forwarding = 1" >> /etc/sysctl.conf
[root@kingoncloud ~]# echo "net.ipv6.conf.eth0.forwarding = 1" >> /etc/sysctl.conf
[root@kingoncloud ~]# sysctl -p
net.ipv4.conf.eth0.forwarding = 1
net.ipv6.conf.eth0.forwarding = 1
Now that forwarding is enabled on our server, we can go ahead and configure the port forwarding rules with iptables.
Here we will forward port 80 to port 8080 on 172.31.40.29. Do not confuse port forwarding, which uses DNAT to send the packet on to another host, with the port redirection shown earlier, which only changes the port on the local machine.
We need to insert an entry in the PREROUTING chain of the nat table with the DNAT target. The commands are as follows:
# iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 172.31.40.29:8080
# iptables -A FORWARD -p tcp -d 172.31.40.29 --dport 8080 -j ACCEPT
Change the interface, IP and ports as per your requirement. The first command rewrites the destination of packets arriving on eth0 for port 80 to 172.31.40.29 port 8080. The rewritten packet then has to pass through the FORWARD chain, so the second command allows it there.
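The following script is an added example, not code from the original page; it ties together the "Redirect port 80 to 8080" section and the port forwarding procedure above. It checks the same /proc forwarding knob the page reads, refuses to emit DNAT rules while forwarding is off (DNAT would rewrite the packet and the kernel would then discard it), and prints the nat and filter fragments in iptables-restore format, including the return-path FORWARD rule that is needed when the FORWARD policy is DROP. The proc root is a parameter so the check can be exercised against a constructed directory; interface, addresses and ports are the page's example values passed in by the caller, and the --print option is this script's own convention.

```shell
#!/bin/sh
# Added example (not from the original page): check the kernel forwarding
# knob, then print DNAT (port forwarding) or REDIRECT (port redirection)
# rules in iptables-restore form. Assumption: proc root is a parameter.

# Return 0 if IPv4 forwarding is enabled for interface $2 under proc root $1
# (use / on a live system), 1 if it is disabled or the knob is missing.
forwarding_enabled() {
    root="${1:-/}"; iface="$2"
    knob="$root/proc/sys/net/ipv4/conf/$iface/forwarding"
    [ -r "$knob" ] || return 1
    [ "$(cat "$knob")" = "1" ]
}

# Port forwarding: DNAT to another host, then allow both directions in FORWARD.
# $1 inbound interface, $2 public port, $3 target host, $4 target port
gen_forward_rules() {
    iface="$1"; port="$2"; host="$3"; tport="$4"
    printf '%s\n' '*nat'
    printf '%s\n' "-A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination $host:$tport"
    printf '%s\n' 'COMMIT'
    printf '%s\n' '*filter'
    # After DNAT the packet carries the new destination, so the FORWARD
    # rule must match the target host and port, not the original ones.
    printf '%s\n' "-A FORWARD -i $iface -p tcp -d $host --dport $tport -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    # Return traffic from the target host back to the client; without this a
    # DROP policy on FORWARD silently kills every reply.
    printf '%s\n' "-A FORWARD -o $iface -p tcp -s $host --sport $tport -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Port redirection for contrast: the packet stays on this host, only the
# destination port changes, and no forwarding is required.
# $1 inbound interface, $2 public port, $3 local port
gen_redirect_rules() {
    printf '%s\n' '*nat'
    printf '%s\n' "-A PREROUTING -i $1 -p tcp --dport $2 -j REDIRECT --to-ports $3"
    printf '%s\n' 'COMMIT'
}

# Emit forwarding rules only when the kernel will actually forward.
# $1 proc root, $2 interface, $3 public port, $4 target host, $5 target port
plan_forward() {
    if ! forwarding_enabled "$1" "$2"; then
        echo "forwarding is disabled on $2; run: sysctl net.ipv4.conf.$2.forwarding=1" >&2
        return 1
    fi
    gen_forward_rules "$2" "$3" "$4" "$5"
}

# Usage on a live system (as root, keeps existing rules):
#   sh forward.sh --print | iptables-restore --noflush
case "${1:-}" in
    --print) plan_forward / eth0 80 172.31.40.29 8080 ;;
esac
```

The two conntrack states on the inbound FORWARD rule mirror what the page's second command does, while the return-path rule is what it leaves out; with the FORWARD policy set to DROP in the earlier section, both are needed for the forwarded connection to complete.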