From ae273d1149742d617351b9ddbf131226650cc636 Mon Sep 17 00:00:00 2001
From: root <pirouz.radin@yahoo.com>
Date: Tue, 12 Aug 2025 20:10:34 +0330
Subject: [PATCH] iptable doc

---
 Security & Networking/Iptables/iptables.md | 284 ++++++++++++++++++---
 Security & Networking/Iptables/temp.md     | 114 +++++++++
 2 files changed, 359 insertions(+), 39 deletions(-)
 create mode 100644 Security & Networking/Iptables/temp.md

diff --git a/Security & Networking/Iptables/iptables.md b/Security & Networking/Iptables/iptables.md
index ef38fae..6f5185a 100755
--- a/Security & Networking/Iptables/iptables.md	
+++ b/Security & Networking/Iptables/iptables.md	
@@ -1,52 +1,258 @@
-## First Whitelist Port and Block Ports at the End
+# 🛡️ Iptables & Netfilter Guide
 
 
+## 🌐 Overview
 
-```bash
-iptables -A/-I/-D INPUT/OUTPUT/FORWARD -i/-o interface -s/-d address -p tcp/udp/icmp --sport/--dport 80 -j ACCEPT/REJECT/DROP/LOG/MASQUARATE 
+**iptables** works with **Netfilter** to manage and control network traffic on Linux systems.
+
+---
+
+## 🔗 Connection Types
+
+1. **NEW** – A new connection being initiated
+2. **ESTABLISHED** – An existing, ongoing connection
+3. **RELATED** – A new connection related to an existing one
+
+---
+
+## 🧰 iptables-persistent
+
+Install iptables and save the rules to a file for persistence across reboots.
+
+---
+
+## 📂 Default Path
+
+```plaintext
+/etc/iptables
 ```
 
-- `-A`: Append
-- `-I`: Insert
-- `-D`: Delete
-- `-i`: Input interface
-- `-o`: Output interface
-- `-s`: Source
-- `-d`: Destination
-- `-p`: Protocol
-- `--sport`: Source port
-- `--dport`: Destination port
-- `-j`: Action
-  - `ACCEPT`: Accept the packet
-  - `REJECT`: Reject the packet with an appropriate ICMP message
-  - `DROP`: Silently discard the packet
-  - `LOG`: Log the packet
-  - `MASQUERADE`: Source NAT
+---
 
-### Examples:
-
-- `iptables -nvL`: Print Iptables Rules
-- `iptables -P INPUT DROP`: Drop All Incoming Packets
-- `iptables -P OUTPUT DROP`: Drop All Outgoing Packets
-- `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`: Accept Incoming Traffic to Port 22 with TCP Protocol
-- `iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT`: Accept Outgoing Traffic from Port 22 with TCP Protocol
-- `iptables -A INPUT -p tcp -s 192.168.1.100 -j DROP`: Drop All Packets Incoming With TCP Protocol From 192.168.1.100
-- `iptables -A INPUT -p tcp --dport 443 -j ACCEPT`: Accept Incoming Traffic to Port 443 (HTTPS) with TCP Protocol
-- `iptables -A INPUT -p tcp -m multiport --dport 22,443,80,3306 -j ACCEPT`: Accept Incoming Traffic to Multiple Ports: 22 (SSH), 80 (HTTP), 3306 (Database), 443 (HTTPS) with TCP Protocol
-- `iptables -A INPUT -p tcp -m multiport --dport 22,443,80,3306 -d 192.168.10.0/24 -j ACCEPT`: Accept Incoming Traffic to Multiple Ports: 22 (SSH), 80 (HTTP), 3306 (Database), 443 (HTTPS) with TCP Protocol to Destination 192.168.10.0
-- `iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT`: Allow incoming TCP traffic on port 80 with rate limiting
-- `iptables -t NAT -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 443`: Redirect traffic from port 80 to port 443 using NAT
-
-### Saving rules for permanent:
-
-To save the rules for permanent usage, you can install the `iptables-persistent` package:
+## ⚙️ Command Format
 
 ```bash
-apt install iptables-persistent
+iptables -t <table-name> <option> <chain-name> <match> -j <action>
 ```
 
-Then, save the rules to the appropriate file:
+---
+
+## 🏷️ Table Names
+
+| Table Name | Purpose                          |
+| ---------- | -------------------------------- |
+| filter     | Default – Filtering Packets      |
+| nat        | Network Address Translation      |
+| mangle     | Packet alteration/editing        |
+| raw        | Pre-processing packets before OS |
+
+---
+
+## 🔄 Chains
+
+| Table  | Chains                                          |
+| ------ | ----------------------------------------------- |
+| filter | INPUT, OUTPUT, FORWARD                          |
+| nat    | PREROUTING, OUTPUT, POSTROUTING                 |
+| mangle | PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING |
+| raw    | PREROUTING, OUTPUT                              |
+
+---
+
+## 🚦 Chain Functions
+
+| Chain       | Description                                              |
+| ----------- | -------------------------------------------------------- |
+| INPUT       | Incoming connections to the server                       |
+| OUTPUT      | Outgoing packets from the server                         |
+| FORWARD     | Packets routed through the server to other destinations  |
+| PREROUTING  | Edit packets before routing                              |
+| POSTROUTING | Edit packets after routing and before exiting the server |
+
+---
+
+## 🔧 Options
+
+| Option | Meaning     |
+| ------ | ----------- |
+| `-A`   | Append rule |
+| `-I`   | Insert rule |
+| `-D`   | Delete rule |
+
+---
+
+## 🎯 Actions
+
+| Action     | Description                                  |
+| ---------- | -------------------------------------------- |
+| ACCEPT     | Accept the packet                            |
+| DROP       | Drop the packet silently (no response)       |
+| REJECT     | Drop the packet and send a rejection message |
+| LOG        | Log the packet details                       |
+| MASQUERADE | Perform NAT masquerading                     |
+
+---
+
+## 🧩 iptables Command Examples & Explanations
+
+---
+
+### 1️⃣ Save Current Rules to a File
 
 ```bash
-iptables-save > /etc/iptables/rule.v4
+iptables-save >> <file_path>
 ```
+
+💾 **Explanation:**
+This command saves the current iptables rules to a file (`<file_path>`). Useful for backing up or persisting your firewall rules.
+
+---
+
+### 2️⃣ List Rules in Default Filter Table
+
+```bash
+iptables -nL
+```
+
+📜 **Explanation:**
+Lists all rules in the default `filter` table, showing rules without resolving IPs to names (`-n` speeds it up).
+
+---
+
+### 3️⃣ List Rules in NAT Table
+
+```bash
+iptables -t nat -nL
+```
+
+🔄 **Explanation:**
+Lists all NAT table rules. NAT is used for modifying packets, like translating IP addresses.
+
+---
+
+### 4️⃣ Allow Traffic from a Specific IP (Insert Rule)
+
+```bash
+iptables -t filter -I INPUT -s 192.168.1.100 -j ACCEPT
+```
+
+✅ **Explanation:**
+Inserts (`-I`) a rule at the top of the `INPUT` chain to ACCEPT all packets coming from IP `192.168.1.100`.
+
+---
+
+### 5️⃣ Drop All Incoming Packets (Insert Rule)
+
+```bash
+iptables -t filter -I INPUT -j DROP
+```
+
+⛔ **Explanation:**
+Inserts a rule to DROP all incoming packets on the `INPUT` chain, effectively blocking all new inbound traffic.
+
+---
+
+### 6️⃣ Append Drop Rule at End of INPUT Chain
+
+```bash
+iptables -t filter -A INPUT -j DROP
+```
+
+⏳ **Explanation:**
+Appends (`-A`) a rule at the end of the `INPUT` chain to drop packets that don’t match previous ACCEPT rules.
+
+---
+
+### 7️⃣ Allow Incoming TCP Traffic on Port 22 (SSH)
+
+```bash
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+```
+
+🔓 **Explanation:**
+Allows incoming TCP traffic on port 22, which is commonly used for SSH connections.
+
+---
+
+### 8️⃣ Drop Incoming TCP Traffic on Port 22 (SSH)
+
+```bash
+iptables -I INPUT -p tcp --dport 22 -j DROP
+```
+
+🚫 **Explanation:**
+Inserts a rule to DROP all incoming TCP traffic destined for port 22, blocking SSH access.
+
+---
+
+### 9️⃣ Drop TCP Traffic From a Specific IP
+
+```bash
+iptables -A INPUT -p tcp -s 192.168.1.100 -j DROP
+```
+
+📵 **Explanation:**
+Drops all incoming TCP packets coming from IP `192.168.1.100`.
+
+---
+
+### 🔟 Allow Incoming TCP Traffic on Port 443 (HTTPS)
+
+```bash
+iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+```
+
+🔐 **Explanation:**
+Allows incoming TCP traffic on port 443, used for secure HTTPS connections.
+
+---
+
+### 1️⃣1️⃣ Allow Multiple Ports Using Multiport Module
+
+```bash
+iptables -A INPUT -p tcp -m multiport --dports 22,443,80,3306 -j ACCEPT
+```
+
+🎯 **Explanation:**
+Accepts incoming TCP traffic on multiple ports at once: SSH (22), HTTPS (443), HTTP (80), and MySQL (3306).
+
+---
+
+### 1️⃣2️⃣ Allow Multiple Ports From a Specific Subnet
+
+```bash
+iptables -A INPUT -p tcp -m multiport --dports 22,443,80,3306 -s 192.168.10.0/24 -j ACCEPT
+```
+
+🏠 **Explanation:**
+Allows TCP traffic on ports 22, 443, 80, and 3306 but only if it originates from the subnet `192.168.10.0/24`.
+
+---
+
+### 1️⃣3️⃣ Limit Incoming Connections on Port 80
+
+```bash
+iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
+```
+
+🚦 **Explanation:**
+Limits HTTP (port 80) incoming connections to 100 per minute with a burst of 200, helping prevent DoS attacks.
+
+---
+
+### 1️⃣4️⃣ Redirect HTTP Traffic to HTTPS on Interface `ens33`
+
+```bash
+iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 443
+```
+
+🔄 **Explanation:**
+In the `nat` table's PREROUTING chain, this redirects all HTTP traffic (port 80) arriving on interface `ens33` to HTTPS port 443.
+
+## 🎉 Summary
+
+* **iptables** is a powerful Linux firewall tool
+* Works by managing **tables**, **chains**, and **rules**
+* Supports filtering, NAT, packet mangling, and raw processing
+* Persistence through `iptables-persistent` package
+* Flexible commands for network security and traffic control
diff --git a/Security & Networking/Iptables/temp.md b/Security & Networking/Iptables/temp.md
new file mode 100644
index 0000000..f8ab30c
--- /dev/null
+++ b/Security & Networking/Iptables/temp.md	
@@ -0,0 +1,114 @@
+iptable work with net filter
+
+connection type:
+1. new
+2. stablished
+3. Related 
+
+iptable-persitant --> install iptables and save in iptables file 
+
+
+defualt path --> /etc/iptables
+
+command format
+
+```bash
+iptables -t <table-names> <option> <chain-name> <match> -j <action>
+```
+table name: 
+1. filter (default) --> Filtering Packets
+2. nat --> Nating Service
+3. mangel --> Edit Packets
+4. raw --> edit packets before prossecc by os
+
+chains: 
+
+1. filter:
+    1. INPUT
+    2. OUTPUT
+    3. Forward
+2. nat
+    1. OUTPUT
+    2. PREROUTING
+    3. PASTROUTING
+3. mangle
+    1. INPUT
+    2. OUTPUT
+    3. Forward
+    4. PREROUTING
+    5. PASTROUTING
+4. raw
+    1. OUTPUT
+    2. PREROUTIUNG
+
+INPUT : Connection Incomming into Server
+OUTPUT : Packets Outgoiing From server
+FORWARD : Packer incomming to server but the target is not server (routing)
+PREROUTING : EDIT Packets Before Routing 
+PASTROUTING : Edit Packet After Routing And Before Exit From Server
+
+option:
+1. `-A`: Append
+2. `-I`: Insert
+3. `-D`: Delete
+
+actions:
+ACCEPT: accept the packet
+DROP: drop the packer without any msg
+REJECT: drop the packet with send message to packet sender
+LOG: Log The Packet 
+MASQUERADE: Nating
+
+```bash
+iptables-save >> <file_dir>
+```
+
+```bash
+iptables -nL
+```
+```bash
+iptables -t nat -nL
+```
+
+```bash
+iptables -t filter -I INPUT -s 192.168.1.100 -j ACCEPT 
+```
+
+```bash
+iptables -t filter -I INPUT -j DROP 
+```
+
+```bash
+iptables -t filter -A INPUT -j DROP 
+```
+
+```bash
+iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+```
+
+```bash
+iptables -I INPUT -p tcp --dport 22 -j DROP 
+```
+
+```bash
+iptables -A INPUT -p tcp -s 192.168.1.100 -j DROP
+```
+```bash
+iptables -A INPUT -p tcp --dport 443 -j ACCEPT
+```
+
+```bash
+les -A INPUT -p tcp -m multiport --dport 22,443,80,3306 -j ACCEPT
+```
+
+```bash
+iptables -A INPUT -p tcp -m multiport --dport 22,443,80,3306 -d 192.168.10.0/24 -j ACCEPT
+```
+
+```bash
+iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
+```
+
+```bash
+iptables -t NAT -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 443
+```