### Conntrack module and Stateful Firewall Source: https://github.com/thekubeworld/iptables/blob/main/README.md Examples demonstrating stateful firewalling using the conntrack module. ```bash # Allow INCOMING traffic state ESTABLISHED,RELATED iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT # Allow OUTGOING traffic in initialized connections state NEW,ESTABLISHED,RELATED iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT # Drop INVALID packets iptables -A INPUT -m conntrack --ctstate INVALID -j DROP ``` -------------------------------- ### TCP and UDP Ports states Source: https://github.com/thekubeworld/iptables/blob/main/README.md Examples for opening and closing TCP and UDP ports. ```bash # Open Port (Allow incoming TCP traffic on port 80) iptables -A INPUT -p tcp --dport 80 -j ACCEPT # Close Port (Drop incoming TCP traffic on port 23) iptables -A INPUT -p tcp --dport 23 -j DROP ``` -------------------------------- ### Basic iptables Output Rule Source: https://github.com/thekubeworld/iptables/blob/main/README.md An example of an iptables rule to accept new, established, and related outgoing connections. ```iptables # iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT ``` -------------------------------- ### Allow incoming traffic Source: https://github.com/thekubeworld/iptables/blob/main/README.md Examples for allowing incoming network traffic with specific conditions. ```bash # Allow INCOMING traffic by interface iptables -A INPUT -i eth0 -j ACCEPT # Allow INCOMING traffic using TCP syn flag iptables -A INPUT -p tcp --syn -j ACCEPT # Allow INCOMING traffic using TCP flags iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT # Allow INCOMING traffic in a specific time iptables -A INPUT -m time --timestart 08:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT # Allow INCOMING traffic with number of connections per IP address iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-ip 10 --connlimit-mask 32 -j ACCEPT # Allow INCOMING ICMP traffic using LIMIT MATCH iptables -A INPUT -p icmp -m limit --limit 10/minute -j ACCEPT ``` -------------------------------- ### DNAT (Destination NAT) Configuration Source: https://github.com/thekubeworld/iptables/blob/main/README.md This example shows how to configure DNAT to redirect incoming traffic to a private server. It uses the 'nat' table and 'PREROUTING' chain to forward specific ports to a destination IP address, optionally with a different destination port. ```bash # iptables -t nat -F PREROUTING # iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 10.0.0.2 # iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.2:80 ``` -------------------------------- ### Allow outgoing traffic Source: https://github.com/thekubeworld/iptables/blob/main/README.md Examples for allowing outgoing network traffic based on various criteria. ```bash # Allow any website OUTGOING traffic on port 443 iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT # Allow OUTGOING traffic by multi PORT iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -j ACCEPT # Allow OUTGOING and INCOMING traffic via loopback interface iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow OUTGOING traffic by interface iptables -A OUTPUT -o eth0 -j ACCEPT # Allow OUTGOING ssh connection from the machine iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT # Allow OUTGOING traffic by QUOTA iptables -A OUTPUT -m quota --quota 10000 -j ACCEPT ``` -------------------------------- ### User-Defined Chain for MAC Address Filtering Source: https://github.com/thekubeworld/iptables/blob/main/README.md This example shows how to create a new iptables chain named 'ACCEPTED_MAC' and add rules to allow traffic from specific MAC addresses. It then jumps from the INPUT chain to this user-defined chain. ```bash #create a new chain named ACCEPTED_MAC iptables -N ACCEPTED_MAC #add rules to the user defined-chain iptables -A ACCEPTED_MAC -m mac --mac-source B8:81:98:22:C7:6B -j ACCEPT iptables -A ACCEPTED_MAC -m mac --mac-source B8:81:98:22:C6:7C -j ACCEPT iptables -A ACCEPTED_MAC -m mac --mac-source B8:81:98:22:23:AB -j ACCEPT iptables -A ACCEPTED_MAC -m mac --mac-source B8:81:98:22:67:AA -j ACCEPT # jump from the INPUT chain to the user-defined chain # now packets traverse the iptables rules in the user-defined chain iptables -A INPUT -j ACCEPTED_MAC ``` -------------------------------- ### nmap TCP SYN Scan Example Source: https://github.com/thekubeworld/iptables/blob/main/README.md Demonstrates an nmap SYN scan, also known as a 'half-open' scan, which is stealthy as it doesn't complete the TCP connection. A SYN response indicates an OPEN port, a RESET indicates a CLOSED port, and no response means FILTERED. ```bash # nmap -sS -p 22,100 -sV 192.168.0.1 ``` -------------------------------- ### Allow Incoming Traffic with TCP SYN Flag Source: https://github.com/thekubeworld/iptables/blob/main/README.md Allow incoming TCP traffic from a specific source IP address (192.168.10.1) that has the SYN flag set, typically the start of a connection. ```bash # iptables -A INPUT -i eth0 -p tcp --syn -s 192.168.10.1 -j ACCEPT ``` -------------------------------- ### Drop Outgoing Traffic to a Website Source: https://github.com/thekubeworld/iptables/blob/main/README.md Drop outgoing traffic to a specific website by its domain name or IP address. The example shows dropping traffic to an IP address resolved from 'www.terra.com.br'. ```bash # iptables -I OUTPUT -d www.terra.com.br -j DROP # iptables -I OUTPUT -d 104.98.115.161 -j DROP ``` -------------------------------- ### List iptables rules Source: https://github.com/thekubeworld/iptables/blob/main/README.md Commands to list iptables rules across different tables. ```bash # List rules from filter table iptables -t filter -L # List rules from nat table iptables -t nat -L # List rules from raw table iptables -t raw -L # List rules from mangle table iptables -t mangle -L ``` -------------------------------- ### ipset: Create and Manage IP Sets Source: https://github.com/thekubeworld/iptables/blob/main/README.md Commands for creating, adding to, listing, and deleting entries in ipset lists. ```bash # Create a new set for IPs ipset -N MYNEWSET hash:ip # Add IPs to the set ipset -A MYNEWSET 1.1.1.1 ipset -A MYNEWSET 2.2.2.2 ipset -A MYNEWSET 8.8.8.8 # List all sets ipset -L # List a specific set ipset -L MYNEWSET # Delete an entry from a set ipset del MYNEWSET 1.1.1.1 # Flush all sets ipset -F # Flush a specific set ipset -F MYNEWSET # Delete a set ipset destroy MYNEWSET ``` -------------------------------- ### List iptables Rules Source: https://github.com/thekubeworld/iptables/blob/main/README.md View iptables rules for the 'raw' and 'nat' tables with verbose and numeric output. ```bash iptables -t raw -Lvn ``` ```bash iptables -t nat -Lvn ``` -------------------------------- ### ipset: Blocking Networks with hash:net Source: https://github.com/thekubeworld/iptables/blob/main/README.md Demonstrates creating and populating an ipset with network ranges (CIDR notation) for efficient blocking. ```bash # Create sets for networks ipset -N brazil hash:net ipset -N china hash:net # Add networks to the 'china' set ipset -A china 1.0.0.0/8 ipset -A china 2.0.0.0/8 ipset -A china 3.0.0.0/8 ``` -------------------------------- ### iptables Targets Source: https://github.com/thekubeworld/iptables/blob/main/README.md Explanation of common iptables targets used for packet disposition. ```APIDOC iptables Targets: Terminating Targets vs Non Terminating: - Terminating targets (e.g., ACCEPT, DROP, REJECT) stop the traversal of the packet through the ruleset. - Non-terminating targets (e.g., LOG, MASQUERADE, DNAT) allow the packet to continue traversal. REJECT: - Action: Rejects the packet and sends an ICMP error message back to the sender. - Use Case: Useful for providing feedback to the sender about why a packet was dropped. - Example: iptables -A INPUT -p icmp -j REJECT --reject-with icmp-host-prohibited LOG: - Action: Logs the packet details to the system log. - Use Case: Useful for debugging and monitoring network traffic. - Example: iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH Access: " TEE: - Action: Duplicates the packet and sends one copy to the specified target and the other copy continues traversal. - Use Case: Useful for network monitoring or traffic analysis. - Example: iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TEE --gateway 192.168.1.100 REDIRECT: - Action: Redirects the packet to a different port on the same machine. - Use Case: Commonly used for transparent proxying. - Example: iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080 ``` -------------------------------- ### iptables: Terminating vs Non-Terminating Targets Source: https://github.com/thekubeworld/iptables/blob/main/README.md Illustrates the difference between terminating targets (ACCEPT, DROP) and non-terminating targets (LOG, TEE) in iptables. ```iptables # Terminating Action Example: # Accepts traffic on port 22 and stops processing further rules in the chain. iptables -F iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p tcp -j DROP # Non-Terminating Action Example: # Logs incoming traffic on port 22 and continues processing subsequent rules (in this case, drops the packet). iptables -F iptables -A INPUT -p tcp --dport 22 -j LOG iptables -A INPUT -p tcp -j DROP ``` -------------------------------- ### List iptables Rules Verbose Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command lists all iptables rules in a verbose format, showing packet and byte counts for each rule. It's useful for inspecting the current firewall state. ```bash # iptables -Lvn ``` -------------------------------- ### List iptables Rules (Mangle Table) Source: https://github.com/thekubeworld/iptables/blob/main/README.md Lists all rules in the mangle table with verbose and numeric output. ```bash iptables -t mangle -Lvn ``` -------------------------------- ### List iptables Rules (Filter Table) Source: https://github.com/thekubeworld/iptables/blob/main/README.md Lists all rules in the INPUT chain of the filter table with verbose and numeric output. ```bash # iptables -Lnv INPUT ``` -------------------------------- ### Create a Custom iptables Chain Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command creates a new custom chain named 'MYCHAIN'. Custom chains allow for better organization and modularity of firewall rules. ```bash # iptables -N MYCHAIN ``` -------------------------------- ### ipset management Source: https://github.com/thekubeworld/iptables/blob/main/README.md Commands for managing ipsets, which are used for efficient handling of large lists of IP addresses or networks. ```bash # Blocking via hash ip ipset create blocklist hash:ip iptables -A INPUT -p tcp --dport 22 -m set --match-set blocklist src -j DROP # Using hash net to block large nets ipset create block_nets hash:net iptables -A INPUT -m set --match-set block_nets src -j DROP # List sets ipset list # Delete entry in set ipset del blocklist 1.2.3.4 # Flush all sets ipset flush # Flush a specific set ipset flush blocklist # Delete a set ipset destroy blocklist # Setting the maximal number of elements which can be stored in a set ipset create my_set hash:ip maxelem 10000 # Auto BLOCK attempts to a specific port iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --set --name SSH_ATTEMPTS iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 --name SSH_ATTEMPTS -j DROP # Blocking an entire country (requires GeoIP database and ipset) # Example: ipset create country_block hash:net # Example: ipset restore < country_block.txt ``` -------------------------------- ### iptables Chain Traversal Overview Source: https://github.com/thekubeworld/iptables/blob/main/README.md This section provides an overview of how iptables chains process packets. It details the flow for incoming packets destined for the host, packets that need routing, and packets generated by the host itself. It also briefly mentions the purpose of raw, mangle, and nat tables. ```APIDOC Chain Traversal: Incoming Packets: 1. Destined for the host: PREROUTING -> INPUT 2. Needs routing: PREROUTING -> FORWARD -> POSTROUTING 3. Generated by the host: PREROUTING -> OUTPUT -> POSTROUTING Tables: - raw: Skip connection tracking. - mangle: Modify packet headers (e.g., TOS, TTL). - nat: Network address translation and port forwarding. ``` -------------------------------- ### Manage iptables chains Source: https://github.com/thekubeworld/iptables/blob/main/README.md Operations for creating, deleting, and modifying iptables chains and rules. ```bash # Create a chain iptables -N MY_CHAIN # Change default policy for a chain iptables -P INPUT DROP # Delete a created chain iptables -X MY_CHAIN # Delete a rule in a chain (by rule number) iptables -D INPUT 1 # Insert a rule on TOP of the chain iptables -I INPUT -p tcp --dport 80 -j ACCEPT ``` -------------------------------- ### ipset: Using Sets with iptables Source: https://github.com/thekubeworld/iptables/blob/main/README.md Applies an ipset to an iptables rule to efficiently block traffic from a list of source IPs. ```iptables # iptables -A INPUT -m set --match-set MYNEWSET src -j DROP ``` -------------------------------- ### iptables Blocking Single IPs (Pre-ipset) Source: https://github.com/thekubeworld/iptables/blob/main/README.md Demonstrates how to block individual IP addresses using separate iptables rules. This is inefficient for many IPs. ```iptables # iptables -A INPUT -s 1.1.1.1 -j DROP # iptables -A INPUT -s 2.2.2.2 -j DROP # iptables -A INPUT -s 8.8.8.8 -j DROP ``` -------------------------------- ### Firewall Reset Commands Source: https://github.com/thekubeworld/iptables/blob/main/README.md Resets iptables and ipset configurations to default or clean states. ```bash # Set default policies to ACCEPT iptables -P INPUT ACCEPT iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT # Flush all rules from all tables iptables -t filter -F iptables -t raw -F iptables -t nat -F iptables -t mangle -F # Delete all user-defined chains iptables -X # Flush and delete all ipsets ipset -F ipset -X ``` -------------------------------- ### Basic iptables Rules Source: https://github.com/thekubeworld/iptables/blob/main/README.md This snippet demonstrates fundamental iptables rules for allowing outgoing traffic, accepting incoming SSH connections, and allowing ICMP traffic. It also sets default policies to DROP all other incoming and outgoing traffic. ```bash # allow all outgoing traffic (except invalid packets) iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # allow incoming ssh packets iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT #if not dropped or accepted (terminating target) packets continue traversing the INPUT chain iptables -A INPUT -p icmp -j ACCEPT iptables -A OUTPUT -p icmp -j ACCEPT iptables -P OUTPUT DROP iptables -P INPUT DROP ``` -------------------------------- ### iptables User-Defined Chains Management Source: https://github.com/thekubeworld/iptables/blob/main/README.md Provides commands for creating, listing, deleting, and flushing user-defined chains in iptables. User-defined chains help organize rulesets and can be jumped to from built-in chains. The RETURN target resumes processing in the calling chain. ```bash # creating a user-defined chain iptables -N TCP_TRAFFIC # add rules to the chain iptables -A TCP_TRAFFIC -p tcp -j ACCEPT # jump to the chain from the input chain iptables -A INPUT -p tcp -j TCP_TRAFFIC # flush all rules in the chain iptables -F TCP_TRAFFIC # delete the chain iptables -X TCP_TRAFFIC ``` ```bash !/bin/bash # flushing all chains iptables -F # deleting all user-defined chains iptables -X ``` -------------------------------- ### SNAT and MASQUERADE Configuration Source: https://github.com/thekubeworld/iptables/blob/main/README.md Demonstrates how to configure SNAT or MASQUERADE using the 'nat' table and 'POSTROUTING' chain. MASQUERADE is used for dynamic IP addresses, automatically using the outgoing interface's IP. SNAT is used when a specific public IP is known. ```bash # echo "1" > /proc/sys/net/ipv4/ip_forward # iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE ``` -------------------------------- ### Insert Rule at Top of Chain Source: https://github.com/thekubeworld/iptables/blob/main/README.md These commands demonstrate inserting rules at the top of the INPUT chain. The first rule accepts TCP traffic from a specific IP, and the second drops all TCP traffic. The `-I` option inserts at the beginning. ```bash # iptables -I INPUT -p tcp --dport -s 192.168.1.10 -j ACCEPT # iptables -I INPUT -p tcp --dport -j DROP ``` -------------------------------- ### Save iptables Rules (RedHat) Source: https://github.com/thekubeworld/iptables/blob/main/README.md Saves the current iptables rules in memory to persistent storage on Red Hat-based systems. ```bash # service iptables save ``` -------------------------------- ### Allow Incoming Traffic (Established/Related) Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command allows incoming traffic that is part of an established or related connection. This is a fundamental rule for stateful firewalls to permit return traffic. ```bash # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT ``` -------------------------------- ### Allow Incoming Traffic by Interface Source: https://github.com/thekubeworld/iptables/blob/main/README.md Allow incoming traffic on a specific interface (e.g., 'wlan1') or any interface matching a pattern (e.g., 'wlan+'). Applicable to INPUT, FORWARD, and PREROUTING chains. ```bash # iptables -A INPUT -i wlan1 -j ACCEPT ``` ```bash # iptables -A INPUT -i wlan+ -j ACCEPT ``` -------------------------------- ### ipset: Set Maximum Elements Source: https://github.com/thekubeworld/iptables/blob/main/README.md Creates an ipset with a specified maximum number of elements allowed. ```bash # Create a set with a max element limit of 2048 ipset create myset1 hash:ip maxelem 2048 ``` -------------------------------- ### Bash Script: Block China IPs using ipset and iptables Source: https://github.com/thekubeworld/iptables/blob/main/README.md A bash script to download a list of Chinese IP ranges and block them using ipset and iptables. ```bash #!/bin/bash echo "### BLOCKING CHINA ###" # Check if the file exists (in the current directory) and if yes, remove it if [ -f "cn-aggregated.zone" ] then rm cn-aggregated.zone fi # Download the aggregate zone file for China wget http://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone # Check if there was an error if [ $? -eq 0 ] then echo "Download Finished!" else echo "Download Failed! Exiting ..." exit 1 fi # Creating a new set called china of type hash:net (nethash) ipset -N china hash:net -exist # Flushing the set ipset -F china # Iterate over the Networks from the file and add them to the set echo "Adding Networks to set..." for i in `cat cn-aggregated.zone` do ipset -A china $i done # Adding a rule that references the set and drops based on source IP address echo -n "Blocking CN with iptables ... " iptables -I INPUT -m set --match-set china src -j DROP echo "Done" ``` -------------------------------- ### Enabling IP Forwarding Source: https://github.com/thekubeworld/iptables/blob/main/README.md This snippet shows how to enable IP forwarding on a Linux system, which is necessary for NAT functionality. It can be done temporarily by writing to sysctl or permanently by editing sysctl.conf. ```bash # echo "1" > /proc/sys/net/ipv4/ip_forward # vi /etc/sysctl.conf # net.ipv4.ip_forward=1 ``` -------------------------------- ### Accept Outgoing Traffic with Quota and Drop Others Source: https://github.com/thekubeworld/iptables/blob/main/README.md These commands first accept outgoing TCP traffic to 80.0.0.1 on port 80 with a quota of 100,000,000 bytes, and then drop all other outgoing traffic to the same destination and port. Quota is defined in bytes. ```bash # iptables -A OUTPUT -d 80.0.0.1 -p tcp --sport 80 -m quota quota 100000000 -j ACCEPT # iptables -A OUTPUT -d 80.0.0.1 -p tcp --sport 80 -j DROP ``` -------------------------------- ### iptables TEE Target Source: https://github.com/thekubeworld/iptables/blob/main/README.md The TEE target clones packets and redirects the clone to another machine on the local subnet, facilitating traffic mirroring. The --gateway option specifies the IP address of the machine receiving the mirrored traffic. ```bash # iptables -A INPUT -p icmp --icmp-type echo-request -j TEE --gateway 10.0.0.10 ``` ```bash # iptables -A FORWARD -i eth0 -o eth1 -p tcp -d 80.0.0.1 -j TEE --gateway 10.0.0.10 ``` -------------------------------- ### Allow Loopback Traffic Source: https://github.com/thekubeworld/iptables/blob/main/README.md Allow both incoming and outgoing traffic on the loopback interface ('lo') for local communication. ```bash # iptables -A INPUT -i lo -j ACCEPT ``` ```bash # iptables -A OUTPUT -o lo -j ACCEPT ``` -------------------------------- ### Flush iptables rules Source: https://github.com/thekubeworld/iptables/blob/main/README.md Commands to clear existing iptables rules from tables and chains. ```bash # Clean rules in all chains in filter table iptables -t filter -F # Clean rules in the INPUT chain in filter table iptables -t filter -F INPUT # Clean rules in all chains in nat table iptables -t nat -F ``` -------------------------------- ### Load Balancing NAT Traffic Source: https://github.com/thekubeworld/iptables/blob/main/README.md This bash script demonstrates load balancing NAT traffic over two internet connections with dynamic IP addresses. It flushes the POSTROUTING chain, enables IP forwarding, and uses MASQUERADE to direct traffic for specific ports over one interface (eth1) and all other traffic over another (eth2). ```bash #!/bin/bash ##** LOAD BALANCE NAT TRAFFIC OVER 2 INTERNET CONNECTIONS WITH DYNAMIC IP ADDRESSES **## # Traffic that goes over the first connection # web: 80 443 # email: 25 465 143 993 110 995 # ssh: 22 ISP1="22 25 80 110 143 443 465 993 995" # flushing nat table and POSTROUTING chain iptables -t nat -F POSTROUTING # enable routing echo "1" > /proc/sys/net/ipv4/ip_forward for port in $ISP1 do iptables -t nat -A POSTROUTING -p tcp --dport $port -o eth1 -j MASQUERADE done # Traffic not NATed goes over the 2nd connection iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE ``` -------------------------------- ### iptables: Auto Block Port Access with ipset Source: https://github.com/thekubeworld/iptables/blob/main/README.md Configures iptables and ipset to automatically block IP addresses attempting to access a specific port. ```bash # Create a set to store IPs attempting to access port 80 ipset -N auto_blocked iphash # Add a rule to add source IPs to 'auto_blocked' when they try to access port 80 iptables -I INPUT -p tcp --dport 80 -j SET --add-set auto_blocked src # Add a rule to drop traffic from IPs in the 'auto_blocked' set iptables -I INPUT -m set --match-set auto_blocked src -j DROP ``` -------------------------------- ### Allow Forwarded Traffic by Time Source: https://github.com/thekubeworld/iptables/blob/main/README.md This rule allows forwarded TCP traffic to www.uol.com.br on port 80, but only on weekdays between 18:00 and 08:00. The `time` module is used for time-based filtering. ```bash # iptables -A FORWARD -p tcp --dport 80 -d www.uol.com.br -m time \ --weekdays Mon,Tue,Wed,Thu,Fri --timestart 18:00 --timestop 8:00 -j ACCEPT ``` -------------------------------- ### iptables REJECT Target Source: https://github.com/thekubeworld/iptables/blob/main/README.md The REJECT target denies packets and sends a reply packet to the source, typically an ICMP Port Unreachable message. The response can be customized using the --reject-with option. It's often more efficient than dropping packets. ```bash # iptables -I INPUT -p tcp --dport 22 -s 192.168.0.20 -j REJECT # tcpdump host 192.168.0.20 # nmap -p 22 192.168.0.10 ``` ```bash # iptables -I FORWARD -p udp --dport 69 -j REJECT --reject-with icmp-port-unreachable ``` -------------------------------- ### Allow Outgoing Traffic by Port Source: https://github.com/thekubeworld/iptables/blob/main/README.md Allow outgoing TCP traffic to any destination on port 443. Also demonstrates allowing traffic to multiple ports (80, 443) using the 'multiport' module. ```bash # iptables -I OUTPUT -p tcp --dport 443 -d 0/0 -j ACCEPT ``` ```bash # iptables -A OUTGOING -p tcp -m multiport --dports 80,443 -j ACCEPT ``` -------------------------------- ### Limit Incoming Connections per IP Source: https://github.com/thekubeworld/iptables/blob/main/README.md Reject incoming TCP connections on port 25 if the number of existing connections from a single IP address exceeds 5, helping to mitigate DoS attacks. ```bash # iptables -A INPUT -p tcp --dport 25 --syn -m conlimit \ --connlimit-above 5 -j REJECT --reject-with tcp-rst ``` -------------------------------- ### Add Source IP to Recent List and Drop Source: https://github.com/thekubeworld/iptables/blob/main/README.md This rule adds the source IP address of TCP packets arriving on interface eth0 with destination port 8080 to the 'badguys' list and then drops these packets. This is the first part of creating a blacklist using the `recent` module. ```bash # iptables -A FORWARD -p tcp -i eth0 --dport 8080 -m recent --name badguys --set -j DROP ``` -------------------------------- ### Allow Incoming Traffic within Specific Time Source: https://github.com/thekubeworld/iptables/blob/main/README.md Allow incoming TCP traffic on port 22 only between 10:00 and 15:00. Traffic outside this time range is dropped. ```bash # iptables -A INPUT -p tcp --dport 22 -m time --timestart 10:00 --timestop 15:00 -j ACCEPT # iptables -A INPUT -p tcp --dport 22 -j DROP ``` -------------------------------- ### Allow Outgoing Traffic by Interface Source: https://github.com/thekubeworld/iptables/blob/main/README.md Allow outgoing traffic through a specific network interface, such as 'eth0'. ```bash # iptables -A OUTPUT -o eth0 ACCEPT ``` -------------------------------- ### Log Outgoing Traffic with Specific TCP Flags Source: https://github.com/thekubeworld/iptables/blob/main/README.md Log outgoing TCP traffic that has both SYN and ACK flags set, indicating an established connection or a response. ```bash # logging outgoing traffic that has syn and ack set iptables -A OUTPUT -p tcp --tcp-flags syn,ack,rst,fin syn,ack -j LOG ``` -------------------------------- ### iptables REDIRECT Target Source: https://github.com/thekubeworld/iptables/blob/main/README.md The REDIRECT target redirects packets to a different port on the same machine, commonly used for transparent proxying. It is exclusively valid within the PREROUTING and OUTPUT chains of the nat table. ```bash # iptables -t nat -A PREROUTING -p tcp --dport 123 -j REDIRECT --to-ports 22 ``` ```bash # iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080 ``` -------------------------------- ### Allow Outgoing Traffic (New/Established/Related) Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command allows outgoing traffic for new, established, or related connections. It's a common rule for enabling outbound network access. ```bash # iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT ``` -------------------------------- ### Drop incoming traffic Source: https://github.com/thekubeworld/iptables/blob/main/README.md Commands to drop incoming network traffic based on various criteria. ```bash # Drop INCOMING traffic to IP Addr iptables -A INPUT -d 192.168.1.100 -j DROP # Drop INCOMING traffic to a range of IP using iprange iptables -A INPUT -m iprange --src-range 192.168.1.10-192.168.1.20 -j DROP # Drop INCOMING traffic on port 443 EXCEPT on specific IP iptables -A INPUT -p tcp --dport 443 -s 192.168.1.50 -j ACCEPT iptables -A INPUT -p tcp --dport 443 -j DROP # Drop INCOMING ssh traffic by PORT iptables -A INPUT -p tcp --dport 22 -j DROP # Drop INCOMING traffic by MAC Address iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP # Drop OUTGOING traffic to a subnet iptables -A OUTPUT -d 10.0.0.0/8 -j DROP # Drop OUTGOING traffic to a site (using IP) iptables -A OUTPUT -d 1.2.3.4 -j DROP # Drop OUTGOING traffic by address type iptables -A OUTPUT -m addrtype --dst-type LOCAL -j DROP ``` -------------------------------- ### iptables LOG Target Source: https://github.com/thekubeworld/iptables/blob/main/README.md The LOG target is a non-terminating target that logs detailed packet header information. Logs can be accessed via dmesg or syslogd. It's useful for debugging and can be combined with options like --log-prefix and --log-level. ```bash # iptables -A INPUT -p tcp --dport 22 --syn -j LOG --log-prefix="incoming ssh:" --log-level info # dmesg | grep "incoming ssh" ``` -------------------------------- ### Drop Forwarded Traffic by Time Source: https://github.com/thekubeworld/iptables/blob/main/README.md This rule drops all forwarded TCP traffic to www.uol.com.br on port 80 during working hours (08:00 - 18:00). This complements the previous rule for time-based access control. ```bash # iptables -A FORWARD -p tcp --dport 80 -d www.uol.com.br -j DROP ``` -------------------------------- ### Flush All iptables Rules Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command flushes (deletes) all rules from all chains in the filter table. It's a common way to reset the firewall to a default state. ```bash # iptables -F ``` -------------------------------- ### Change Default Policy for a Chain Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command sets the default policy for the FORWARD chain to DROP. Any packet not explicitly matched by a rule in this chain will be dropped. ```bash # iptables -P FORWARD DROP ``` -------------------------------- ### Drop Incoming Traffic by MAC Address Source: https://github.com/thekubeworld/iptables/blob/main/README.md Drop incoming traffic arriving on the 'wlan0' interface from a specific MAC address (08:00:11:22:44:11:22). ```bash # iptables -A INPUT -i wlan0 -m mac --mac-source 08:00:11:22:44:11:22 -j DROP ``` -------------------------------- ### iptables Drop Invalid Packets Source: https://github.com/thekubeworld/iptables/blob/main/README.md Rules to drop incoming and outgoing packets that are in an invalid state. ```iptables # iptables -A INPUT -m state --state INVALID -j DROP # iptables -A OUTPUT -m state --state INVALID -j DROP ``` -------------------------------- ### Limit Incoming ICMP Traffic Source: https://github.com/thekubeworld/iptables/blob/main/README.md Allow incoming ICMP echo-request packets, but limit them to 1 per second after an initial burst of 7 packets. Subsequent packets are dropped. ```bash # iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/sec \ --limit-burst 7 -j ACCEPT # iptables -A INPUT -p icmp --icmp-type echo-request -j DROP ``` -------------------------------- ### Delete a Custom iptables Chain Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command deletes a previously created custom chain named 'MYCHAIN'. This is useful for cleaning up unused chains. ```bash # iptables -X MYCHAIN ``` -------------------------------- ### Drop Incoming Traffic on Port 443 Except Specific IP Source: https://github.com/thekubeworld/iptables/blob/main/README.md Drop incoming TCP traffic on port 443 from all source IP addresses EXCEPT for 192.168.1.50. ```bash # iptables -A INPUT ! -s 192.168.1.50 -p tcp --dport 443 -j DROP ``` -------------------------------- ### Drop Incoming Traffic by IP Address Source: https://github.com/thekubeworld/iptables/blob/main/README.md Drop all incoming traffic originating from a specific IP address (192.168.1.20). ```bash # iptables -I INPUT -s 192.168.1.20 -j DROP ``` -------------------------------- ### Drop Incoming Traffic by IP Range Source: https://github.com/thekubeworld/iptables/blob/main/README.md Drop incoming TCP traffic destined for a range of IP addresses, from 192.168.1.20 to 192.168.1.25. ```bash # iptables -I INPUT -p tcp --dport 25 -m iprange --src range 192.168.1.20-192.168.1.25 -j DROP ``` -------------------------------- ### Allow Outgoing SSH Connection Source: https://github.com/thekubeworld/iptables/blob/main/README.md Allow outgoing TCP traffic on port 22 (SSH) from the local machine to any destination. ```bash # iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT ``` -------------------------------- ### Flush INPUT Chain Rules Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command flushes (deletes) all rules specifically from the INPUT chain in the filter table. This allows for targeted rule removal. ```bash # iptables -F INPUT ``` -------------------------------- ### Flush NAT Table Rules Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command flushes all rules from all chains within the NAT table. This is used for resetting Network Address Translation configurations. ```bash # iptables -t nat -F ``` -------------------------------- ### Drop Outgoing Traffic by Address Type Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command drops outgoing traffic classified as MULTICAST. The addrtype module allows filtering based on IP address types like UNSPEC, UNICAST, LOCAL, BROADCAST, ANYCAST, MULTICAST, BLACKHOLE, UNREACHABLE, PROHIBIT, THROW, NAT, and XRESOLVE. ```bash # iptables -A OUTPUT -m addrtype --dst-type MULTICAST -j DROP ``` -------------------------------- ### Drop Forwarded Traffic Based on Recent List Source: https://github.com/thekubeworld/iptables/blob/main/README.md This rule drops forwarded traffic from source IP addresses that have been recently seen (within the last 60 seconds) and added to the 'badguys' list. This helps mitigate brute-force attacks. ```bash # iptables -A FORWARD -m recent --name badguys --update --seconds 60 -j DROP ``` -------------------------------- ### Drop Incoming SSH Traffic by Port Source: https://github.com/thekubeworld/iptables/blob/main/README.md Drop all incoming TCP traffic destined for port 22 (SSH). ```bash # iptables -A INPUT -p tcp --dport 22 -j DROP ``` -------------------------------- ### Drop Outgoing Traffic by IP Address Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command drops all outgoing traffic destined for a specific IP address (104.98.115.145). This is a basic rule for blocking connections to a particular destination. ```bash # iptables -I OUTPUT -d 104.98.115.145 -j DROP ``` -------------------------------- ### Drop Outgoing Traffic to a Subnet Source: https://github.com/thekubeworld/iptables/blob/main/README.md Drop all outgoing traffic destined for the 192.168.0.0/24 subnet. ```bash # iptables -I OUTPUT -s 192.168.0.0/24 -j DROP ``` -------------------------------- ### Delete a Specific Rule in a Chain Source: https://github.com/thekubeworld/iptables/blob/main/README.md This command deletes the rule numbered '3' from the INPUT chain. Rules are typically numbered based on their order in the chain. ```bash # iptables -D 3 INPUT ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.