
iptables cheat sheet

Hello world. I’ve been revising my iptables knowledge and in the process I made some notes and I thought I should share... If you are a total newbie, refer to the iptables Linux home networking page.
Allowing www and ssh:

Allow all outbound traffic from established connections (outbound new connections are not allowed):
iptables -A OUTPUT -p tcp -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Allow incoming to port 22 and 80:
iptables -A INPUT -p tcp -i eth0 --dport 80 --sport 1024:65535 -m state \
--state NEW -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 --sport 1024:65535 -m state \
--state NEW -j ACCEPT

Allowing the firewall to browse the internet:

Open outbound traffic for port 80 and 443:
iptables -A OUTPUT -p tcp -j ACCEPT -o eth0 -m state \
--state NEW,ESTABLISHED,RELATED -m multiport --dport 80,443 \
--sport 1024:65535

Allow previously established connections
iptables -A INPUT -p tcp -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
One could also allow all outbound tcp traffic
iptables -A OUTPUT -p tcp -o eth0 -j ACCEPT -m state \
--state NEW,ESTABLISHED,RELATED

Masquerading (also known as many to one NAT):

First you must make sure the iptable_nat module is loaded (use modprobe) or put it in /etc/sysconfig/iptables (for Red Hat users).
Enable IP forwarding and routing: echo 1 > /proc/sys/net/ipv4/ip_forward
Now Masquerade:
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.1.0/24 -j MASQUERADE
Port forwarding with DNAT:

Assuming that you’ve loaded the iptable_nat module and have enabled IP forwarding as in the Masquerading example above (the -p tcp is required, otherwise iptables rejects --dport):
iptables -A PREROUTING -t nat -p tcp -d (external IP) --dport 80 \
-j DNAT --to 192.168.1.200:8080
You should also forward traffic between the two interfaces:
iptables -A FORWARD -t filter -p tcp -i eth0 -o eth1 -d 192.168.1.200 \
--dport 8080 -m state --state NEW -j ACCEPT
iptables -A FORWARD -t filter -p tcp -m state \
--state ESTABLISHED,RELATED -j ACCEPT
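The rules above put together as one script, an added example that is not part of the original post. It assumes deny-by-default policies, eth0 facing the internet, eth1 facing the LAN, and 203.0.113.10 as a placeholder for the external IP; set IPT=echo to print the rules instead of applying them.

```sh
#!/bin/sh
# Added example, not from the original post: the post's rules combined into one
# script with deny-by-default policies. Set IPT=echo to print the rules instead
# of applying them (dry run); run as root with "apply" to load them.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"                   # internet-facing interface (assumed)
LAN="${LAN:-eth1}"                   # internal interface (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"
EXT_IP="${EXT_IP:-203.0.113.10}"     # placeholder for the firewall's public IP
WEB_HOST="${WEB_HOST:-192.168.1.200}"
WEB_PORT="${WEB_PORT:-8080}"

firewall_base() {
    # Everything not explicitly accepted below is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to connections that were already accepted, in both directions.
    $IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New inbound ssh and www from unprivileged client ports only.
    $IPT -A INPUT -p tcp -i "$WAN" -m multiport --dports 22,80 --sport 1024:65535 \
        -m state --state NEW -j ACCEPT
    # The firewall itself may open web connections, nothing else outbound.
    $IPT -A OUTPUT -p tcp -o "$WAN" -m multiport --dports 80,443 --sport 1024:65535 \
        -m state --state NEW -j ACCEPT
}

firewall_nat() {
    # Many-to-one NAT for the LAN; a rule takes exactly one -s.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Port forward public :80 to the internal web host; --dport needs -p tcp.
    $IPT -t nat -A PREROUTING -p tcp -i "$WAN" -d "$EXT_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_HOST:$WEB_PORT"
    # Only the forwarded port reaches the web host; FORWARD drops everything else.
    $IPT -A FORWARD -p tcp -i "$WAN" -o "$LAN" -d "$WEB_HOST" --dport "$WEB_PORT" \
        -m state --state NEW -j ACCEPT
}

apply_firewall() {
    # ip_forward is needed for MASQUERADE and DNAT to route packets at all.
    [ "$IPT" = iptables ] && echo 1 > /proc/sys/net/ipv4/ip_forward
    $IPT -F; $IPT -t nat -F
    firewall_base; firewall_nat
}
case "${1:-}" in apply) apply_firewall ;; esac
```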

uddtm 2010-01-06