
IPTables

List iptables Rules

iptables -L INPUT

To show numeric port numbers and addresses rather than service and host names, add -n:

iptables -L -n INPUT

Delete iptables Rule

You can delete a rule by its chain name and its position in that chain (list positions with iptables -L INPUT --line-numbers). The following deletes the fourth rule in the INPUT chain. Note that the remaining rules are renumbered after a deletion, so list the chain again before deleting another rule by number.

iptables -D INPUT 4

Save Rules

service iptables save

Reload Rules

service iptables restart

Block IP

iptables -A INPUT -s 1.2.3.4 -j DROP
service iptables save
service iptables restart

Unblock IP

If you have blocked an address with

iptables -A INPUT -s 1.2.3.4 -j DROP

To undo this, run

iptables -D INPUT -s 1.2.3.4 -j DROP

Block Subnet

iptables -I INPUT -s 43.229.0.0/255.255.0.0 -j DROP
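An added helper (not part of this wiki page) around the Block IP and Block Subnet recipes: it validates the address before it reaches the command line, uses iptables -C to skip a rule that is already present (-A and -I add duplicates silently), and inserts with -I so the DROP sits ahead of any ACCEPT rules, as the Block Subnet recipe does. The IPTABLES variable and the function names are assumptions; subnets are given in prefix-length form (43.229.0.0/16) rather than the dotted-mask form above.

```shell
#!/bin/sh
# Hypothetical helper (not from this wiki page) around the Block IP and
# Block Subnet recipes. Assumes iptables is on PATH; IPTABLES can be
# overridden, e.g. to point at a wrapper or a stub.
IPTABLES="${IPTABLES:-iptables}"

# Accept only a dotted-quad IPv4 address with an optional /prefix (0-32),
# so a stray string such as "1.2.3.4 -j ACCEPT" can never reach iptables.
valid_ipv4_cidr() {
    addr="${1%/*}"
    prefix="${1#*/}"
    [ "$prefix" = "$1" ] && prefix=32          # no "/" given: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    case "$addr" in *[!0-9.]*) return 1 ;; esac   # digits and dots only
    old_ifs="$IFS"; IFS=.
    set -- $addr                               # split on "."
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Insert a DROP for the address unless an identical rule already exists.
# -C checks for the rule (exit 0 = present); -A/-I would add duplicates.
# -I puts the DROP at the top of INPUT, ahead of any ACCEPT rules.
# Returns 2 on bad input, 1 if iptables itself failed.
block_ip() {
    ip="$1"
    valid_ipv4_cidr "$ip" || { echo "block_ip: invalid address: $ip" >&2; return 2; }
    if "$IPTABLES" -C INPUT -s "$ip" -j DROP 2>/dev/null; then
        echo "already blocked: $ip"
        return 0
    fi
    "$IPTABLES" -I INPUT -s "$ip" -j DROP || return 1
    echo "blocked: $ip (run 'service iptables save' to persist)"
}
```

As on the rest of this page, the new rule lives only in the running kernel until service iptables save is run.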

Open a Single TCP Port

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Open a Single UDP Port

iptables -A INPUT -m state --state NEW -m udp -p udp --dport 80 -j ACCEPT

Limit Rule to Specific Ethernet Card

Add the following to the command being used to open the port. This example limits the rule to eth0.

-i eth0

Insert Rule at Specific Point in Chain

To insert a rule at a specific point in a chain, modify the command from

iptables -A INPUT

to

iptables -I INPUT 5

where 5 should be replaced with the desired index.

Open a Range of Ports

This example opens ports 2121 to 2142 inclusive for TCP connections.

iptables -A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 2121:2142 -j ACCEPT

Prevent SSH Brute Force

These rules use the recent module to count new SSH connections per source address: the first rule records each new connection without accepting it, the next two log and then drop a source that has opened four or more new connections within 60 seconds, and the last rule accepts whatever remains. The --set rule must not jump to ACCEPT, otherwise the packet never reaches the LOG and DROP rules.

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT