Difference between revisions of "Iptables quick guide"

From thelinuxwiki
(allow multiple ports example)
(allowing multiple ports)
 
(One intermediate revision by one user not shown)
Latest revision as of 21:47, 3 November 2014

http://www.linode.com/wiki/index.php/Netfilter_IPTables_Mini_Howto

== rule basics ==

=== Changing the default policy in iptables ===

 iptables -P INPUT DROP

Set the policy to DROP only after the rules that should accept traffic are in place: with no accept rules, the policy alone blocks every inbound packet, including the one carrying your own SSH session.

=== allow outbound rsync and insert rule at the top of the chain ===

 iptables -I OUTPUT -p tcp -d 1.1.1.1 --dport 873 -j ACCEPT

-I inserts the rule at position 1 (top of the chain) so it is evaluated before anything already present; -A appends at the end.


== allowing multiple ports ==

list of ports

 iptables -A chainName -p tcp --match multiport --dports port1,port2,port3 -j ACCEPT

chainName is a chain such as INPUT or OUTPUT, not a table. multiport accepts at most 15 ports in one rule, and a port range counts as two.

example

 iptables -A INPUT -p tcp --match multiport --dports 22,80,443 -j ACCEPT

port range

 iptables -A chainName -p tcp --match multiport --dports start_port:end_port -j ACCEPT

A single range also works without multiport, as --dport start_port:end_port.

example

 iptables -I OUTPUT -p tcp -d 1.1.1.1 --dport 1024:65535 -j ACCEPT

=== IP range example ===

 iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

=== allow icmp echo-reply ===

 iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

== NAT ==

show nat rules

 iptables -L -t nat

hide a network behind an interface (masquerade)

 iptables -t nat -A POSTROUTING -o tun0 -s 192.168.1.0/24 -j MASQUERADE

destination NAT

 iptables -t nat -A PREROUTING -d 1.1.1.10 -j DNAT --to-destination 192.168.1.228

NAT only rewrites addresses; the packets still have to be forwarded, which requires net.ipv4.ip_forward=1 and a FORWARD chain that permits them.

== saving rules for reload on reboot ==

on Fedora 17

 iptables-save > /etc/sysconfig/iptables
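As an added example, not part of the wiki page, the script below applies the guide's rules as one lockout-safe sequence: accept rules first, the DROP policy last. WAN_IF, LAN, PUBLIC_TCP, ADMIN_RANGE, DRY_RUN and run are assumed names, and the loopback and conntrack rules are additions the original guide does not include.

```shell
#!/bin/sh
# Added example, not from the wiki page: apply the guide's rules in a
# lockout-safe order. DRY_RUN=1 prints the commands instead of running them.
# Assumed values (change for your host):
WAN_IF="${WAN_IF:-tun0}"                # page's NAT interface
LAN="${LAN:-192.168.1.0/24}"            # page's internal network
PUBLIC_TCP="${PUBLIC_TCP:-80,443}"      # services open to everyone
ADMIN_RANGE="${ADMIN_RANGE:-192.168.1.100-192.168.1.200}"  # SSH only from here

# run: execute iptables, or just print the command when DRY_RUN is set
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_rules() {
    # Accept rules first (-A appends, so the order here is the match order).
    run -A INPUT -i lo -j ACCEPT
    # Not in the original guide, but required once the policy is DROP:
    # without it, replies to connections this host opened are dropped too.
    run -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # multiport: up to 15 ports per rule, a range a:b counts as two
    run -A INPUT -p tcp -m multiport --dports "$PUBLIC_TCP" -j ACCEPT
    # SSH restricted to the admin address range (iprange match)
    run -A INPUT -p tcp --dport 22 -m iprange --src-range "$ADMIN_RANGE" -j ACCEPT
    # echo-reply only: this host can ping out, inbound pings hit the policy
    run -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    # NAT for the LAN behind the WAN interface (nat table, not filter)
    run -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN" -j MASQUERADE
    # Default policy last: every accept rule above is already in place.
    run -P INPUT DROP
}

# "apply" runs for real (root required); "preview" only prints the rule set.
case "${1:-}" in
    apply)   apply_rules ;;
    preview) DRY_RUN=1; apply_rules ;;
esac
```

Run `sh firewall.sh preview` first and read the printed rule set, then `sh firewall.sh apply` as root followed by the iptables-save step above.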