Difference between revisions of "Iptables quick guide"
From thelinuxwiki
				
								
				
				
																
				
				
								
				|  (→allow muliple ports example) |  (→allowing muliple ports) | ||
| (One intermediate revision by one user not shown) | |||
| Line 1: | Line 1: | ||
| http://www.linode.com/wiki/index.php/Netfilter_IPTables_Mini_Howto | http://www.linode.com/wiki/index.php/Netfilter_IPTables_Mini_Howto | ||
| − | == Changing the default policy in iptables == | + | ==rule basics== | 
| + | |||
| + | === Changing the default policy in iptables === | ||
|   iptables -P INPUT DROP |   iptables -P INPUT DROP | ||
| Line 9: | Line 11: | ||
| − | == allowing muliple ports == | + | === allowing muliple ports === | 
| list of ports | list of ports | ||
|   iptables -A tableName -p tcp  --match multiport --dports port1,port2,port3 -j ACCEPT |   iptables -A tableName -p tcp  --match multiport --dports port1,port2,port3 -j ACCEPT | ||
| Line 16: | Line 18: | ||
| port range | port range | ||
| − |   iptables -A tableName -p tcp --dports start_port:end_port -j ACCEPT | + |   iptables -A tableName -p tcp --match multiport --dports start_port:end_port -j ACCEPT | 
| example | example | ||
|   iptables -I OUTPUT -p tcp -d 1.1.1.1 --dport '''1024:65535''' -j ACCEPT |   iptables -I OUTPUT -p tcp -d 1.1.1.1 --dport '''1024:65535''' -j ACCEPT | ||
| − | == IP range example == | + | === IP range example === | 
|    iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT    |    iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT    | ||
| + | |||
| + | ===allow icmp echo-reply=== | ||
| + |  iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT | ||
| == NAT == | == NAT == | ||
Latest revision as of 21:47, 3 November 2014
http://www.linode.com/wiki/index.php/Netfilter_IPTables_Mini_Howto
| Contents | 
rule basics
Changing the default policy in iptables
iptables -P INPUT DROP
allow outbound rsync and insert rule at the top of the chain
iptables -I OUTPUT -p tcp -d 1.1.1.1 --dport 873 -j ACCEPT
allowing muliple ports
list of ports
iptables -A tableName -p tcp --match multiport --dports port1,port2,port3 -j ACCEPT
example
iptables -A INPUT -p tcp --match multiport --dports 22,80,443 -j ACCEPT
port range
iptables -A tableName -p tcp --match multiport --dports start_port:end_port -j ACCEPT
example
iptables -I OUTPUT -p tcp -d 1.1.1.1 --dport 1024:65535 -j ACCEPT
IP range example
iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
allow icmp echo-reply
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
NAT
show nat rules
iptables -L -t nat
hide nat behind and interface
iptables -t nat -A POSTROUTING -o tun0 -s 192.168.1.0/24 -j MASQUERADE
destination NAT
iptables -t nat -A PREROUTING -d 1.1.1.10 -j DNAT --to-destination 192.168.1.228
saving rules for reload on reboot
on fedora 17
iptables-save > /etc/sysconfig/iptables
 
					