radin/my-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
398fa38b1a07c4ce649881dd7fe6077f7b4c4d2c
my-docs/Security & Networking/Iptables/iptables.md
root ae273d1149 iptable doc
2025-08-12 20:10:34 +03:30

259 lines
6.2 KiB
Markdown
Executable File
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# 🛡️ Iptables & Netfilter Guide
## 🌐 Overview
**iptables** works with **Netfilter** to manage and control network traffic on Linux systems.
---
## 🔗 Connection Types
1. **NEW** A new connection being initiated
2. **ESTABLISHED** An existing, ongoing connection
3. **RELATED** A new connection related to an existing one
---
## 🧰 iptables-persistent
Install iptables and save the rules to a file for persistence across reboots.
---
## 📂 Default Path
```plaintext
/etc/iptables
```
---
## ⚙️ Command Format
```bash
iptables -t <table-name> <option> <chain-name> <match> -j <action>
```
---
## 🏷️ Table Names
| Table Name | Purpose |
| ---------- | -------------------------------- |
| filter | Default Filtering Packets |
| nat | Network Address Translation |
| mangle | Packet alteration/editing |
| raw | Pre-processing packets before OS |
---
## 🔄 Chains
| Table | Chains |
| ------ | ----------------------------------------------- |
| filter | INPUT, OUTPUT, FORWARD |
| nat | PREROUTING, OUTPUT, POSTROUTING |
| mangle | PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING |
| raw | PREROUTING, OUTPUT |
---
## 🚦 Chain Functions
| Chain | Description |
| ----------- | -------------------------------------------------------- |
| INPUT | Incoming connections to the server |
| OUTPUT | Outgoing packets from the server |
| FORWARD | Packets routed through the server to other destinations |
| PREROUTING | Edit packets before routing |
| POSTROUTING | Edit packets after routing and before exiting the server |
---
## 🔧 Options
| Option | Meaning |
| ------ | ----------- |
| `-A` | Append rule |
| `-I` | Insert rule |
| `-D` | Delete rule |
---
## 🎯 Actions
| Action | Description |
| ---------- | -------------------------------------------- |
| ACCEPT | Accept the packet |
| DROP | Drop the packet silently (no response) |
| REJECT | Drop the packet and send a rejection message |
| LOG | Log the packet details |
| MASQUERADE | Perform NAT masquerading |
---
## 🧩 iptables Command Examples & Explanations
---
### 1⃣ Save Current Rules to a File
```bash
iptables-save >> <file_path>
```
💾 **Explanation:**
This command saves the current iptables rules to a file (`<file_path>`). Useful for backing up or persisting your firewall rules.
---
### 2⃣ List Rules in Default Filter Table
```bash
iptables -nL
```
📜 **Explanation:**
Lists all rules in the default `filter` table, showing rules without resolving IPs to names (`-n` speeds it up).
---
### 3⃣ List Rules in NAT Table
```bash
iptables -t nat -nL
```
🔄 **Explanation:**
Lists all NAT table rules. NAT is used for modifying packets, like translating IP addresses.
---
### 4⃣ Allow Traffic from a Specific IP (Insert Rule)
```bash
iptables -t filter -I INPUT -s 192.168.1.100 -j ACCEPT
```
**Explanation:**
Inserts (`-I`) a rule at the top of the `INPUT` chain to ACCEPT all packets coming from IP `192.168.1.100`.
---
### 5⃣ Drop All Incoming Packets (Insert Rule)
```bash
iptables -t filter -I INPUT -j DROP
```
**Explanation:**
Inserts a rule to DROP all incoming packets on the `INPUT` chain, effectively blocking all new inbound traffic.
---
### 6⃣ Append Drop Rule at End of INPUT Chain
```bash
iptables -t filter -A INPUT -j DROP
```
**Explanation:**
Appends (`-A`) a rule at the end of the `INPUT` chain to drop packets that dont match previous ACCEPT rules.
---
### 7⃣ Allow Incoming TCP Traffic on Port 22 (SSH)
```bash
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```
🔓 **Explanation:**
Allows incoming TCP traffic on port 22, which is commonly used for SSH connections.
---
### 8⃣ Drop Incoming TCP Traffic on Port 22 (SSH)
```bash
iptables -I INPUT -p tcp --dport 22 -j DROP
```
🚫 **Explanation:**
Inserts a rule to DROP all incoming TCP traffic destined for port 22, blocking SSH access.
---
### 9⃣ Drop TCP Traffic From a Specific IP
```bash
iptables -A INPUT -p tcp -s 192.168.1.100 -j DROP
```
📵 **Explanation:**
Drops all incoming TCP packets coming from IP `192.168.1.100`.
---
### 🔟 Allow Incoming TCP Traffic on Port 443 (HTTPS)
```bash
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
```
🔐 **Explanation:**
Allows incoming TCP traffic on port 443, used for secure HTTPS connections.
---
### 1⃣1⃣ Allow Multiple Ports Using Multiport Module
```bash
iptables -A INPUT -p tcp -m multiport --dports 22,443,80,3306 -j ACCEPT
```
🎯 **Explanation:**
Accepts incoming TCP traffic on multiple ports at once: SSH (22), HTTPS (443), HTTP (80), and MySQL (3306).
---
### 1⃣2⃣ Allow Multiple Ports From a Specific Subnet
```bash
iptables -A INPUT -p tcp -m multiport --dports 22,443,80,3306 -s 192.168.10.0/24 -j ACCEPT
```
🏠 **Explanation:**
Allows TCP traffic on ports 22, 443, 80, and 3306 but only if it originates from the subnet `192.168.10.0/24`.
---
### 1⃣3⃣ Limit Incoming Connections on Port 80
```bash
iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
```
🚦 **Explanation:**
Limits HTTP (port 80) incoming connections to 100 per minute with a burst of 200, helping prevent DoS attacks.
---
### 1⃣4⃣ Redirect HTTP Traffic to HTTPS on Interface `ens33`
```bash
iptables -t nat -A PREROUTING -i ens33 -p tcp --dport 80 -j REDIRECT --to-port 443
```
🔄 **Explanation:**
In the `nat` table's PREROUTING chain, this redirects all HTTP traffic (port 80) arriving on interface `ens33` to HTTPS port 443.
## 🎉 Summary
* **iptables** is a powerful Linux firewall tool
* Works by managing **tables**, **chains**, and **rules**
* Supports filtering, NAT, packet mangling, and raw processing
* Persistence through `iptables-persistent` package
* Flexible commands for network security and traffic control
Reference in New Issue View Git Blame Copy Permalink