iptable doc

2025-08-12 20:10:34 +03:30
parent dbfef14ac4
commit ae273d1149
2 changed files with 359 additions and 39 deletions


@@ -1,52 +1,258 @@
## First Whitelist Port and Block Ports at the End
# 🛡️ Iptables & Netfilter Guide
## 🌐 Overview
```bash
iptables -A/-I/-D INPUT/OUTPUT/FORWARD -i/-o interface -s/-d address -p tcp/udp/icmp --sport/--dport 80 -j ACCEPT/REJECT/DROP/LOG/MASQUARATE
**iptables** works with **Netfilter** to manage and control network traffic on Linux systems.
---
## 🔗 Connection Types
1. **NEW** A new connection being initiated
2. **ESTABLISHED** An existing, ongoing connection
3. **RELATED** A new connection related to an existing one
---
## 🧰 iptables-persistent
Install iptables and save the rules to a file for persistence across reboots.
---
## 📂 Default Path
```plaintext
/etc/iptables
```
- `-A`: Append
- `-I`: Insert
- `-D`: Delete
- `-i`: Input interface
- `-o`: Output interface
- `-s`: Source
- `-d`: Destination
- `-p`: Protocol
- `--sport`: Source port
- `--dport`: Destination port
- `-j`: Action
- `ACCEPT`: Accept the packet
- `REJECT`: Reject the packet with an appropriate ICMP message
- `DROP`: Silently discard the packet
- `LOG`: Log the packet
- `MASQUERADE`: Source NAT
---
### Examples:
- `iptables -nvL`: Print Iptables Rules
- `iptables -P INPUT DROP`: Drop All Incoming Packets
- `iptables -P OUTPUT DROP`: Drop All Outgoing Packets
- `iptables -A INPUT -p tcp --dport 22 -j ACCEPT`: Accept Incoming Traffic to Port 22 with TCP Protocol
- `iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT`: Accept Outgoing Traffic from Port 22 with TCP Protocol
- `iptables -A INPUT -p tcp -s 192.168.1.100 -j DROP`: Drop All Packets Incoming With TCP Protocol From 192.168.1.100
- `iptables -A INPUT -p tcp --dport 443 -j ACCEPT`: Accept Incoming Traffic to Port 443 (HTTPS) with TCP Protocol
- `iptables -A INPUT -p tcp -m multiport --dport 22,443,80,3306 -j ACCEPT`: Accept Incoming Traffic to Multiple Ports: 22 (SSH), 80 (HTTP), 3306 (Database), 443 (HTTPS) with TCP Protocol
- `iptables -A INPUT -p tcp -m multiport --dport 22,443,80,3306 -d 192.168.10.0/24 -j ACCEPT`: Accept Incoming Traffic to Multiple Ports: 22 (SSH), 80 (HTTP), 3306 (Database), 443 (HTTPS) with TCP Protocol to Destination 192.168.10.0
- `iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT`: Allow incoming TCP traffic on port 80 with rate limiting
- `iptables -t NAT -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 443`: Redirect traffic from port 80 to port 443 using NAT
### Saving rules for permanent:
To save the rules for permanent usage, you can install the `iptables-persistent` package:
## ⚙️ Command Format
```bash
apt install iptables-persistent
iptables -t <table-name> <option> <chain-name> <match> -j <action>
```
Then, save the rules to the appropriate file:
---
## 🏷️ Table Names
| Table Name | Purpose |
| ---------- | -------------------------------- |
| filter | Default Filtering Packets |
| nat | Network Address Translation |
| mangle | Packet alteration/editing |
| raw | Pre-processing packets before OS |
---
## 🔄 Chains
| Table | Chains |
| ------ | ----------------------------------------------- |
| filter | INPUT, OUTPUT, FORWARD |
| nat | PREROUTING, OUTPUT, POSTROUTING |
| mangle | PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING |
| raw | PREROUTING, OUTPUT |
---
## 🚦 Chain Functions
| Chain | Description |
| ----------- | -------------------------------------------------------- |
| INPUT | Incoming connections to the server |
| OUTPUT | Outgoing packets from the server |
| FORWARD | Packets routed through the server to other destinations |
| PREROUTING | Edit packets before routing |
| POSTROUTING | Edit packets after routing and before exiting the server |
---
## 🔧 Options
| Option | Meaning |
| ------ | ----------- |
| `-A` | Append rule |
| `-I` | Insert rule |
| `-D` | Delete rule |
---
## 🎯 Actions
| Action | Description |
| ---------- | -------------------------------------------- |
| ACCEPT | Accept the packet |
| DROP | Drop the packet silently (no response) |
| REJECT | Drop the packet and send a rejection message |
| LOG | Log the packet details |
| MASQUERADE | Perform NAT masquerading |
---
## 🧩 iptables Command Examples & Explanations
---
### 1⃣ Save Current Rules to a File
```bash
iptables-save > /etc/iptables/rule.v4
iptables-save >> <file_path>
```
💾 **Explanation:**
This command saves the current iptables rules to a file (`<file_path>`). Useful for backing up or persisting your firewall rules.
---
### 2⃣ List Rules in Default Filter Table
```bash
iptables -nL
```
📜 **Explanation:**
Lists all rules in the default `filter` table, showing rules without resolving IPs to names (`-n` speeds it up).
---
### 3⃣ List Rules in NAT Table
```bash
iptables -t nat -nL
```
🔄 **Explanation:**
Lists all NAT table rules. NAT is used for modifying packets, like translating IP addresses.
---
### 4⃣ Allow Traffic from a Specific IP (Insert Rule)
```bash
iptables -t filter -I INPUT -s 192.168.1.100 -j ACCEPT
```
**Explanation:**
Inserts (`-I`) a rule at the top of the `INPUT` chain to ACCEPT all packets coming from IP `192.168.1.100`.
---
### 5⃣ Drop All Incoming Packets (Insert Rule)
```bash
iptables -t filter -I INPUT -j DROP
```
**Explanation:**
Inserts a rule to DROP all incoming packets on the `INPUT` chain, effectively blocking all new inbound traffic.
---
### 6⃣ Append Drop Rule at End of INPUT Chain
```bash
iptables -t filter -A INPUT -j DROP
```
**Explanation:**
Appends (`-A`) a rule at the end of the `INPUT` chain to drop packets that dont match previous ACCEPT rules.
---
### 7⃣ Allow Incoming TCP Traffic on Port 22 (SSH)
```bash
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```
🔓 **Explanation:**
Allows incoming TCP traffic on port 22, which is commonly used for SSH connections.
---
### 8⃣ Drop Incoming TCP Traffic on Port 22 (SSH)
```bash
iptables -I INPUT -p tcp --dport 22 -j DROP
```
🚫 **Explanation:**
Inserts a rule to DROP all incoming TCP traffic destined for port 22, blocking SSH access.
---
### 9⃣ Drop TCP Traffic From a Specific IP
```bash
iptables -A INPUT -p tcp -s 192.168.1.100 -j DROP
```
📵 **Explanation:**
Drops all incoming TCP packets coming from IP `192.168.1.100`.
---
### 🔟 Allow Incoming TCP Traffic on Port 443 (HTTPS)
```bash
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
```
🔐 **Explanation:**
Allows incoming TCP traffic on port 443, used for secure HTTPS connections.
---
### 1⃣1⃣ Allow Multiple Ports Using Multiport Module
```bash
iptables -A INPUT -p tcp -m multiport --dports 22,443,80,3306 -j ACCEPT
```
🎯 **Explanation:**
Accepts incoming TCP traffic on multiple ports at once: SSH (22), HTTPS (443), HTTP (80), and MySQL (3306).
---
### 1⃣2⃣ Allow Multiple Ports From a Specific Subnet
```bash
iptables -A INPUT -p tcp -m multiport --dports 22,443,80,3306 -s 192.168.10.0/24 -j ACCEPT
```
🏠 **Explanation:**
Allows TCP traffic on ports 22, 443, 80, and 3306 but only if it originates from the subnet `192.168.10.0/24`.
---
### 1⃣3⃣ Limit Incoming Connections on Port 80
```bash
iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
```
🚦 **Explanation:**
Limits HTTP (port 80) incoming connections to 100 per minute with a burst of 200, helping prevent DoS attacks.
---
### 1⃣4⃣ Redirect HTTP Traffic to HTTPS on Interface `ens33`
```bash
iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 443
```
🔄 **Explanation:**
In the `nat` table's PREROUTING chain, this redirects all HTTP traffic (port 80) arriving on interface `ens33` to HTTPS port 443.
## 🎉 Summary
* **iptables** is a powerful Linux firewall tool
* Works by managing **tables**, **chains**, and **rules**
* Supports filtering, NAT, packet mangling, and raw processing
* Persistence through `iptables-persistent` package
* Flexible commands for network security and traffic control
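Review bot: `iptables -t NAT -A PREROUTING ...` in the Examples bullet list and again in example 14 will fail to open the table, because iptables table names are case-sensitive and lowercase; use `-t nat`. In the same two places the multiport match is written `--dport 22,443,80,3306`, while examples 11 and 12 use `--dports`; the multiport extension documents `--dports` (alias of `--destination-ports`), so make the bullet list consistent with the command blocks below it. In example 1, `iptables-save > /etc/iptables/rule.v4` should be `rules.v4`, the file that iptables-persistent (netfilter-persistent) restores at boot, and the second form `iptables-save >> <file_path>` appends, so each run stacks another complete rule set onto the file; use `>`. Two explanations need a caveat: in example 5, `-I INPUT -j DROP` at the top of the chain also drops replies to the server's own outbound connections and the administrator's current SSH session, and the guide lists NEW/ESTABLISHED/RELATED without ever showing the `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` rule that should sit ahead of any such DROP; in example 14, `REDIRECT --to-port 443` only rewrites the destination port, so the client still sends plaintext HTTP to the TLS listener and the heading "Redirect HTTP Traffic to HTTPS" overstates what the rule does.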


@@ -0,0 +1,114 @@
iptable work with net filter
connection type:
1. new
2. stablished
3. Related
iptable-persitant --> install iptables and save in iptables file
defualt path --> /etc/iptables
command format
```bash
iptables -t <table-names> <option> <chain-name> <match> -j <action>
```
table name:
1. filter (default) --> Filtering Packets
2. nat --> Nating Service
3. mangel --> Edit Packets
4. raw --> edit packets before prossecc by os
chains:
1. filter:
1. INPUT
2. OUTPUT
3. Forward
2. nat
1. OUTPUT
2. PREROUTING
3. PASTROUTING
3. mangle
1. INPUT
2. OUTPUT
3. Forward
4. PREROUTING
5. PASTROUTING
4. raw
1. OUTPUT
2. PREROUTIUNG
INPUT : Connection Incomming into Server
OUTPUT : Packets Outgoiing From server
FORWARD : Packer incomming to server but the target is not server (routing)
PREROUTING : EDIT Packets Before Routing
PASTROUTING : Edit Packet After Routing And Before Exit From Server
option:
1. `-A`: Append
2. `-I`: Insert
3. `-D`: Delete
actions:
ACCEPT: accept the packet
DROP: drop the packer without any msg
REJECT: drop the packet with send message to packet sender
LOG: Log The Packet
MASQUERADE: Nating
```bash
iptables-save >> <file_dir>
```
```bash
iptables -nL
```
```bash
iptables -t nat -nL
```
```bash
iptables -t filter -I INPUT -s 192.168.1.100 -j ACCEPT
```
```bash
iptables -t filter -I INPUT -j DROP
```
```bash
iptables -t filter -A INPUT -j DROP
```
```bash
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```
```bash
iptables -I INPUT -p tcp --dport 22 -j DROP
```
```bash
iptables -A INPUT -p tcp -s 192.168.1.100 -j DROP
```
```bash
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
```
```bash
les -A INPUT -p tcp -m multiport --dport 22,443,80,3306 -j ACCEPT
```
```bash
iptables -A INPUT -p tcp -m multiport --dport 22,443,80,3306 -d 192.168.10.0/24 -j ACCEPT
```
```bash
iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
```
```bash
iptables -t NAT -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 443
```
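Review bot: the third-from-last block reads `les -A INPUT -p tcp -m multiport --dport 22,443,80,3306 -j ACCEPT`; the command name is truncated and should be `iptables -A INPUT ...`, and this block and the one after it should use `--dports` (the multiport extension's documented option) rather than `--dport`. The final block uses `-t NAT`, which iptables rejects because table names are lowercase (`-t nat`). The chain lists and the chain descriptions spell the post-routing chain `PASTROUTING` (three times) and the raw table's chain `PREROUTIUNG`; the real names are POSTROUTING and PREROUTING, and copying them as written gives "No chain/target/match by that name". Smaller spelling fixes in the same file: `stablished` (ESTABLISHED), `iptable-persitant` (iptables-persistent), `defualt`, `mangel` (mangle), `prossecc` (processed), `Nating` (NAT).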