This is a disclaimer: Using the notes below is dangerous for both your sanity and peace of mind. If you still want to read them beware of the fact that they may be "even not wrong". Everything I write in there is just a mnemonic device to give me a chance to fix things I badly broke because I'm bloody stupid and think I can tinker with stuff that is way above my head and get away with it. It reminds me of Gandalf's warning: "Perilous to all of us are the devices of an art deeper than we ourselves possess." Moreover, a lot of it I blatantly stole from the net from other obviously cleverer persons than me -- not very hard. Forgive me. My bad. Please consider it and go away. You have been warned!
(:#toc:)
IPTABLES TIPS
You can specify a source IP address as:
[!] -s, --source address[/mask][,...]
- The flag --src is an alias for this option.
You can specify a destination IP address as:
[!] -d, --destination address[/mask][,...]
- The flag --dst is an alias for this option.
Block Incoming Ports
- The command to insert a rule has the syntax:
-I, --insert chain [rulenum] rule-specification
Insert one or more rules in the selected chain as the given rule number. So, if the rule number is 1, the rule or rules are inserted at the head of the chain. This is also the default if no rule number is specified.
- The following command drops any packet coming from the IP address 1.2.3.4 (template first, then with the address filled in):
/sbin/iptables -I INPUT -s {IP-HERE} -j DROP
/sbin/iptables -I INPUT -s 1.2.3.4 -j DROP
- Drop incoming TCP traffic to a port on all interfaces, on one interface only, or on one interface from a single address or subnet only:
/sbin/iptables -A INPUT -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP
### interface section use eth1 ###
/sbin/iptables -A INPUT -i eth1 -p tcp --destination-port {PORT-NUMBER-HERE} -j DROP
### only drop port for given IP or Subnet ###
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP-ADDRESS-HERE} -j DROP
/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -s {IP/SUBNET-HERE} -j DROP
Example: block port 80 (HTTP server) by appending this rule to chain INPUT:
# /sbin/iptables -A INPUT -p tcp --destination-port 80 -j DROP
Example: block incoming port 80 on interface eth1 except for IP address 1.2.3.4 (the negation goes before the option; the older form "-s ! 1.2.3.4" is deprecated and rejected by current iptables):
# /sbin/iptables -A INPUT -p tcp -i eth1 ! -s 1.2.3.4 --dport 80 -j DROP
Block Outgoing Ports
Outgoing packets leave through an interface, so the OUTPUT chain matches on -o (out-interface); -i is not accepted there. Likewise the remote end of an outgoing connection is the destination, so restrict by host or subnet with -d:
/sbin/iptables -A OUTPUT -p tcp --dport {PORT-NUMBER-HERE} -j DROP
### interface section use eth1 ###
/sbin/iptables -A OUTPUT -o eth1 -p tcp --dport {PORT-NUMBER-HERE} -j DROP
### only drop port for given destination IP or Subnet ###
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -d {IP-ADDRESS-HERE} -j DROP
/sbin/iptables -A OUTPUT -o eth0 -p tcp --destination-port {PORT-NUMBER-HERE} -d {IP/SUBNET-HERE} -j DROP
Rather than inserting a rule at the head of the chain with -I INPUT, use -A INPUT to append it at the end of the chain, as follows:
/sbin/iptables -A INPUT -s 1.2.3.4 -j DROP
/sbin/iptables -A INPUT -i eth1 -s 1.2.3.4 -j DROP
Rule order matters: packets are compared against the chain top to bottom and the first terminating target (ACCEPT, DROP, REJECT) decides, so an appended DROP has no effect on traffic that an earlier rule already accepts.
Turn on kernel logging of matching packets with the LOG target as follows:
~# /sbin/iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF A:"
LOG is a non-terminating target: the packet continues down the chain after being logged, so pair it with a DROP rule for the same match placed right after it. The prefix is limited to 29 characters, and the entries land in the kernel log (dmesg, or wherever syslog routes kern.* messages).
Display the IPTABLES chains and matching rules
~# /sbin/iptables -L -v
or, for a single chain:
~# /sbin/iptables -L INPUT -v
Sample output (-n prints addresses and ports numerically instead of resolving them, --line-numbers adds the rule position):
~# /sbin/iptables -L INPUT -v -n --line-numbers
Chain INPUT (policy ACCEPT 94460 packets, 26M bytes)
num   pkts bytes target        prot opt in  out source           destination
1       19  1114 DROP          all  --  *   *   93.178.192.105   0.0.0.0/0
2    11985  835K fail2ban-SSH  tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    tcp dpt:22
How to delete a rule
First display the chain and its rules with their line numbers:
~# /sbin/iptables -L INPUT -v -n --line-numbers
Chain INPUT (policy ACCEPT 94460 packets, 26M bytes)
num   pkts bytes target        prot opt in  out source           destination
1       19  1114 DROP          all  --  *   *   93.178.192.105   0.0.0.0/0
2    11985  835K fail2ban-SSH  tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    tcp dpt:22
Then delete a rule by specifying the chain and the rule number:
~# iptables -D INPUT 1
Rule numbers are positions, not identifiers: once rule 1 is gone, the fail2ban-SSH rule above becomes rule 1, so re-list before deleting the next one, or delete by exact specification instead (-D followed by the same match and target used when the rule was added, e.g. -D INPUT -s 93.178.192.105 -j DROP for rule 1 above).
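Added example, not from these notes: because positions shift after every -D, deleting several numbered rules has to go highest number first. The helpers below parse the output of "iptables -L <chain> -v -n --line-numbers" from stdin and emit the delete commands in that order. SAMPLE_LISTING is a constructed listing in that format so the example runs without root; the function names are my own.

```sh
# Added example, not from the original notes. Rule numbers are positional:
# after "iptables -D INPUT 1" the old rule 2 becomes rule 1, so deleting several
# numbered rules in ascending order removes the wrong ones. These helpers parse
# the output of "iptables -L <chain> -v -n --line-numbers" (read from stdin) and
# emit the delete commands highest-number first. SAMPLE_LISTING is a constructed
# listing in that format, used here so the example runs without root.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 94460 packets, 26M bytes)
num   pkts bytes target        prot opt in  out source           destination
1       19  1114 DROP          all  --  *   *   93.178.192.105   0.0.0.0/0
2    11985  835K fail2ban-SSH  tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    tcp dpt:22
3        7   420 DROP          all  --  *   *   1.2.3.4          0.0.0.0/0
4        0     0 DROP          tcp  --  *   *   0.0.0.0/0        0.0.0.0/0    tcp dpt:80'

# rule_numbers_for TARGET [SOURCE]
# Print the rule numbers whose target (column 4) and, if given, source
# (column 9) match, in descending order. Header lines are skipped because
# their first field is not a number.
rule_numbers_for() {
    target="$1"; src="${2:-}"
    awk -v t="$target" -v s="$src" \
        '$1 ~ /^[0-9]+$/ && $4 == t && (s == "" || $9 == s) { print $1 }' \
      | sort -rn
}

# delete_rules CHAIN TARGET [SOURCE]
# Emit one "iptables -D CHAIN N" command per matching rule, highest N first.
# Pipe the output to sh (as root) to execute, or read it first to review.
delete_rules() {
    chain="$1"; target="$2"; src="${3:-}"
    for n in $(rule_numbers_for "$target" "$src"); do
        printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

# Usage, dry run on the constructed listing:
#   printf '%s\n' "$SAMPLE_LISTING" | delete_rules INPUT DROP
# Against the live table (root):
#   iptables -L INPUT -v -n --line-numbers | delete_rules INPUT DROP | sh
```

Emitting commands rather than running them keeps the script reviewable: the dry run shows exactly which positions will be hit before anything touches the live table.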
How to save the IPTABLES configuration
Use the iptables-save command to dump the current rules of all tables to a file:
~# iptables-save > /root/myfirewall.conf
The file is in the format that the companion iptables-restore command reads back, which is how the rules are reloaded after a reboot: the running ruleset itself is not persistent, and which boot hook or service performs the reload depends on the distribution.
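Added example, not from these notes: the same rules as above (drop a source, log-then-drop spoofed 10/8 on the external interface, block port 80 except for one address, block an outgoing port) written as one iptables-save style ruleset and loaded atomically with iptables-restore, instead of issuing -I/-A commands one at a time. The interface eth1, the addresses 1.2.3.4, 192.0.2.10 and 10.0.0.0/8, the ports and the function names are all assumptions for illustration.

```sh
#!/bin/sh
# Added example (not part of the original notes): generate the rules from this
# page as one iptables-save style ruleset and load it atomically with
# iptables-restore, instead of typing -I/-A commands one at a time. The
# interface, addresses and ports below are assumptions for illustration.

# Rules for one source address or CIDR: LOG first, then DROP. LOG is
# non-terminating, so without the DROP the packet would continue down the
# chain. --log-prefix is limited to 29 characters.
drop_src_rules() {
    src="$1"; iface="$2"
    printf '%s\n' "-A INPUT -i $iface -s $src -j LOG --log-prefix \"IPT DROP SRC: \""
    printf '%s\n' "-A INPUT -i $iface -s $src -j DROP"
}

# Drop inbound TCP to a port on an interface, optionally exempting one source.
# "! -s addr" is the current negation syntax; "-s ! addr" is the deprecated form.
drop_port_rule() {
    port="$1"; iface="$2"; exempt="${3:-}"
    if [ -n "$exempt" ]; then
        printf '%s\n' "-A INPUT -i $iface ! -s $exempt -p tcp --dport $port -j DROP"
    else
        printf '%s\n' "-A INPUT -i $iface -p tcp --dport $port -j DROP"
    fi
}

# Outbound rules match the egress interface with -o; -i is rejected in OUTPUT.
drop_out_port_rule() {
    port="$1"; iface="$2"
    printf '%s\n' "-A OUTPUT -o $iface -p tcp --dport $port -j DROP"
}

# Assemble the complete filter table. The chain policies in the header are part
# of the ruleset, so loading it replaces whatever is currently in the table.
# INPUT keeps the page's deny-list style (policy ACCEPT plus DROP rules); a
# default-deny posture would use ":INPUT DROP" and explicit ACCEPT rules.
build_ruleset() {
    iface="$1"
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    drop_src_rules 1.2.3.4 "$iface"
    drop_src_rules 10.0.0.0/8 "$iface"      # private space arriving on the external interface
    drop_port_rule 80 "$iface" 192.0.2.10   # block HTTP except from one address
    drop_out_port_rule 25 "$iface"          # no direct outbound SMTP
    printf 'COMMIT\n'
}

# Validate with -t (parse and build only, nothing committed), then load the
# whole table in one transaction. Requires root.
apply_ruleset() {
    iface="$1"
    build_ruleset "$iface" | iptables-restore -t || return 1
    build_ruleset "$iface" | iptables-restore
}

# Usage: sh firewall.sh print [iface]   |   sh firewall.sh apply [iface]
case "${1:-}" in
    print) build_ruleset "${2:-eth1}" ;;
    apply) apply_ruleset "${2:-eth1}" ;;
esac
```

Run with "print" to review the generated ruleset (it is the same text iptables-save would emit for that table, so it can be diffed against /root/myfirewall.conf), then with "apply" as root. Loading the table as a unit avoids the window where a half-applied sequence of -A commands leaves the host in an unintended state, and the -t pass rejects typos before any rule changes.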