Cheatsheet: iptables

iptables is the standard Linux firewall. Opening and closing network connections with it is straightforward, but the flags and commands needed to build rules are easy to forget. Here is a cheatsheet table of the iptables rules a novice needs most. I'll try to update it once in a while.

A note on the two verbs used below: -A appends a rule at the end of a chain, -I inserts it at the top. Rules are evaluated in order and the first match wins, so the position matters. Match options are written with a double dash (--state, --dport); the single long dash that appears in some copies of this table is a rendering artifact.

Accept all outgoing traffic on eth0, and the replies to connections this host opened:
    iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT
    iptables -I INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Accept incoming and outgoing ICMP echo (ping) traffic:
    iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Deny forwarding between interfaces. As written these two rules only cover eth0 and lo, and forwarded packets never go out on lo, so to deny all forwarding it is simpler to set the FORWARD chain's default policy to DROP:
    iptables -A FORWARD -i eth0 -o lo -j DROP
    iptables -A FORWARD -i lo -o eth0 -j DROP

Accept all incoming packets (inserted at the top of INPUT, so it shadows every rule after it):
    iptables -I INPUT -d 0.0.0.0/0 -j ACCEPT

Accept incoming connections on TCP port 22 (SSH):
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Drop all incoming packets. Append this last: everything not accepted by an earlier rule is dropped:
    iptables -A INPUT -j DROP

Enable NAT (masquerading) for traffic leaving through eth0:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Rate-limit SYN packets to slow down a SYN flood. This does not prevent a real DDoS; it only caps how many new connection attempts per second get through, and logs and drops the rest. Note that creating the chain is not enough: it must be hooked into INPUT with a rule that jumps new TCP connections (-p tcp --syn) to syn-flood, otherwise it is never evaluated:
    iptables -N syn-flood
    iptables -A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN
    iptables -A syn-flood -j LOG --log-prefix "SYN flood: "
    iptables -A syn-flood -j DROP

Drop packets that connection tracking classifies as INVALID (for example TCP segments that belong to no known connection, such as a stray ACK with no handshake):
    iptables -A INPUT -m state --state INVALID -j DROP

List the INPUT chain with rule numbers:
    iptables -L INPUT --line-numbers

Delete the second rule of the INPUT chain:
    iptables -D INPUT 2

Drop INVALID packets early, in the mangle table's PREROUTING chain, before they reach the filter table:
    iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP

Drop new TCP connections that do not start with a SYN packet:
    iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

Drop new TCP connections whose MSS is outside the range 536 to 65535 (an MSS that small is a typical sign of a crafted packet):
    iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

How to save iptables rules


Rules set with iptables live only in the running kernel and are gone after a reboot. First dump the current rules to a file (as root, or through sudo tee):

iptables-save | tee /etc/iptables.rules

Restore them before the network comes up, so the host is never online without its firewall:

nano /etc/network/if-pre-up.d/iptables

#!/bin/sh
# Load the saved rules before the interface is brought up.
iptables-restore < /etc/iptables.rules
exit 0

Save the running rules (with their packet counters, -c) when the network goes down:

nano /etc/network/if-post-down.d/iptables

#!/bin/sh
# Save the running rules, then reload them so the ruleset stays in
# place while the interface is down.
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.rules ]; then
    iptables-restore < /etc/iptables.rules
fi
exit 0

Both scripts must be executable, otherwise ifupdown silently ignores them:

chmod +x /etc/network/if-post-down.d/iptables

chmod +x /etc/network/if-pre-up.d/iptables

On Ubuntu/Debian the iptables-persistent package does all of this for you (it keeps the rules in /etc/iptables/rules.v4 and rules.v6 and loads them at boot):

sudo apt-get install -y iptables-persistent
sudo invoke-rc.d iptables-persistent save    # write the running rules to disk
sudo invoke-rc.d iptables-persistent reload  # load the saved rules again
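The rules from the table and the save/restore steps above, combined into one default-deny ruleset. This is an added example and not code from the original post: a POSIX sh function that prints the ruleset in iptables-restore format (the same format iptables-save writes), with chain policies instead of a trailing DROP rule and with the syn-flood chain actually hooked into INPUT. The interface name and the list of open TCP ports are assumptions supplied by the caller; the function only prints text and never touches the running firewall.

```shell
#!/bin/sh
# Added example, not code from the original post: print a complete
# default-deny ruleset built from the cheatsheet rules above, in the
# iptables-restore format that iptables-save also writes. Nothing here
# touches the running firewall; the caller decides when to load the output.
#
# Assumptions (hypothetical inputs): $1 is the external interface name,
# the remaining arguments are TCP ports to open for new inbound connections.
#
# Usage: build_rules eth0 22 443 > /etc/iptables.rules
#        iptables-restore --test < /etc/iptables.rules   # parse only, no changes
#        iptables-restore < /etc/iptables.rules          # apply atomically

emit() { printf '%s\n' "$1"; }

build_rules() {
    iface="$1"
    shift

    emit '*filter'
    # Chain policies: whatever no rule accepts is dropped, except outbound.
    # (The policies replace the trailing "iptables -A INPUT -j DROP" rule.)
    emit ':INPUT DROP [0:0]'
    emit ':FORWARD DROP [0:0]'
    emit ':OUTPUT ACCEPT [0:0]'
    emit ':syn-flood - [0:0]'          # user-defined chain, has no policy

    # Loopback, and replies to connections this host opened itself.
    emit '-A INPUT -i lo -j ACCEPT'
    emit "-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # Packets conntrack cannot classify (the INVALID rule from the table).
    emit '-A INPUT -m conntrack --ctstate INVALID -j DROP'

    # Every new TCP connection attempt goes through the rate limiter first;
    # without this jump the syn-flood chain would never be evaluated.
    emit '-A INPUT -p tcp --syn -j syn-flood'

    # Allow ping.
    emit '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT'

    # One ACCEPT per requested port, limited to the first packet of a flow;
    # later packets of the flow are accepted by the ESTABLISHED rule above.
    for port in "$@"; do
        emit "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done

    # syn-flood chain: RETURN to INPUT while under the limit, otherwise log
    # (with a prefix you can grep for in the kernel log) and drop.
    emit '-A syn-flood -m limit --limit 100/second --limit-burst 150 -j RETURN'
    emit '-A syn-flood -j LOG --log-prefix "SYN flood: "'
    emit '-A syn-flood -j DROP'

    emit 'COMMIT'
}
```

Loading a file with iptables-restore replaces the whole table in one atomic step, so there is no window where only half the rules are present, and iptables-restore --test lets you catch a typo before it touches the live firewall. The same output can go straight into /etc/iptables.rules for the if-pre-up.d hook above, or into /etc/iptables/rules.v4 when using iptables-persistent.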