iptables Cheat Sheet: Creating Firewall Rules for Common Scenarios, Cheat Sheet of Computer Science

A quick reference to iptables commands for creating firewall rules that allow and block various services based on port, network interface, and source ip address. It includes examples for ubuntu servers and covers scenarios such as allowing established and related incoming connections, blocking an ip address, and allowing incoming ssh and http connections.

Typology: Cheat Sheet

2023/2024

Uploaded on 01/06/2024

shalynee-suthahar


Introduction

Iptables is a software firewall for Linux distributions. This cheat sheet-style guide provides a quick reference to iptables commands that will create firewall rules that are useful in common, everyday scenarios. This includes iptables examples of allowing and blocking various services by port, network interface, and source IP address.

How To Use This Guide

Most of the rules that are described here assume that your iptables is set to DROP incoming traffic, through the default input policy, and that you want to selectively allow inbound traffic. Use whichever subsequent sections are applicable to what you are trying to achieve. Most sections are not predicated on any other, so you can use the examples below independently. Use the Contents menu on the right side of this page (at wide page widths) or your browser’s find function to locate the sections you need. Copy and paste the command-line examples given, substituting the highlighted values with your own.

Keep in mind that the order of your rules matters. All of these iptables commands use the -A option to append the new rule to the end of a chain. If you want to put it somewhere else in the chain, you can use the -I option, which allows you to specify the position of the new rule (or place it at the beginning of the chain by not specifying a rule number).
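The ordering point above is easy to get wrong in practice, so here is an added example (not part of the original cheat sheet) that models a single iptables chain as a first-match list and shows how an appended rule (-A) can be shadowed by an earlier ACCEPT while an inserted rule (-I) takes precedence. Rules are three-field "source dport target" lines with "any" as a wildcard, and the addresses are constructed samples from the RFC 5737 documentation ranges; the fourth argument to first_match plays the role of the chain's default policy.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: a tiny first-match
# simulator for one iptables chain, to show why rule order matters and how
# -A (append to the end) differs from -I (insert at the top).
# A chain is a newline-separated list of rules; each rule is three fields:
#   <source address or "any"> <destination port or "any"> <target>
# All addresses are constructed samples (RFC 5737 documentation ranges).

# append_rule CHAIN RULE -> new chain with RULE at the end (like iptables -A)
append_rule() {
    printf '%s\n%s' "$1" "$2"
}

# insert_rule CHAIN RULE -> new chain with RULE at position 1 (like iptables -I)
insert_rule() {
    printf '%s\n%s' "$2" "$1"
}

# first_match CHAIN SRC DPORT POLICY -> target of the first matching rule, or
# POLICY when no rule matches (the chain's default policy, e.g. -P INPUT DROP)
first_match() {
    printf '%s\n' "$1" | awk -v src="$2" -v dport="$3" -v policy="$4" '
        NF == 3 && ($1 == "any" || $1 == src) && ($2 == "any" || $2 == dport) {
            matched = 1; print $3; exit
        }
        END { if (!matched) print policy }
    '
}

# Demo: start with "allow all SSH", then try to block one host two ways.
INPUT_CHAIN=$(append_rule "" "any 22 ACCEPT")

# -A puts the DROP after the ACCEPT, so the host still gets in.
LATE=$(append_rule "$INPUT_CHAIN" "203.0.113.51 any DROP")
echo "appended DROP, 203.0.113.51 -> port 22: $(first_match "$LATE" 203.0.113.51 22 DROP)"

# -I puts the DROP first, so it wins for that host and nobody else is affected.
EARLY=$(insert_rule "$INPUT_CHAIN" "203.0.113.51 any DROP")
echo "inserted DROP, 203.0.113.51 -> port 22: $(first_match "$EARLY" 203.0.113.51 22 DROP)"
echo "inserted DROP, 198.51.100.7 -> port 22: $(first_match "$EARLY" 198.51.100.7 22 DROP)"

# Nothing matches port 80, so the chain policy decides; with -P INPUT DROP that is a drop.
echo "policy fallback, 198.51.100.7 -> port 80: $(first_match "$EARLY" 198.51.100.7 80 DROP)"
```

The same fallback behaviour explains the repeated remark in the service sections below: when the OUTPUT policy is ACCEPT, a reply packet that matches no OUTPUT rule is accepted anyway, so the second (OUTPUT) command in each pair only changes anything when that policy is DROP.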

Remember that you can check your current iptables ruleset with sudo iptables -S and sudo iptables -L.

Let’s take a look at the iptables commands!

Saving Rules

Iptables rules are ephemeral, which means they need to be manually saved for them to persist after a reboot.

On Ubuntu, one way to save iptables rules is to use the iptables-persistent package. Install it with apt like this:

$ sudo apt install iptables-persistent

During the installation, you will be asked if you want to save your current firewall rules.

If you update your firewall rules and want to save the changes, run this command:

$ sudo netfilter-persistent save

Other Linux distributions may have alternate ways of making your iptables changes permanent. Please refer to the relevant documentation for more information.

Listing and Deleting Rules

If you want to learn how to list and delete iptables rules, check out this tutorial: How To List and Delete Iptables Firewall Rules.

Note: When working with firewalls, take care not to lock yourself out of your own server by blocking SSH traffic (port 22, by default). If you lose access due to your firewall settings, you may need to connect to it via a web-based console to fix your access. If you’re using DigitalOcean, you can read our Recovery Console product documentation for more information. Once you are connected via the console, you can change your firewall rules to allow SSH access (or allow all traffic). If your saved firewall rules allow SSH access, another method is to reboot your server.
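Because saved rules are what comes back after a reboot, it is worth checking the saved file before trusting it. The following is an added example (not part of the original cheat sheet or of iptables-persistent) that writes a baseline ruleset of the kind this guide builds in the iptables-save format that iptables-restore and iptables-persistent consume, and then checks it for the lock-out mistake the Note above warns about: an SSH allow rule that is missing, or that sits after a catch-all DROP/REJECT. ADMIN_NET and RULES_FILE are constructed sample values; the only path it relies on as fact is that iptables-persistent on Ubuntu loads /etc/iptables/rules.v4 at boot.

```shell
#!/bin/sh
# Added example, not part of the original cheat sheet: write a baseline
# ruleset (default INPUT policy DROP, loopback, established/related, invalid,
# SSH from an admin subnet, HTTP/HTTPS) in iptables-save format and check it
# for the lock-out mistake the guide's Note warns about.
# ADMIN_NET and RULES_FILE are constructed sample values; on Ubuntu,
# iptables-persistent loads /etc/iptables/rules.v4 at boot.

ADMIN_NET="203.0.113.0/24"
RULES_FILE="${RULES_FILE:-${TMPDIR:-/tmp}/rules.v4}"

# Emit the ruleset. Rule order inside a chain is evaluation order, exactly as
# with successive -A commands on the command line.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# save_ruleset -> write the file the persistence tooling will load.
save_ruleset() {
    build_ruleset > "$RULES_FILE"
}

# ssh_reachable FILE -> exit 0 if an INPUT rule accepting tcp/22 appears before
# any catch-all "-A INPUT -j DROP" / "-A INPUT -j REJECT"; exit 1 otherwise
# (with INPUT policy DROP you would be locked out after the rules are loaded).
ssh_reachable() {
    awk '
        /^-A INPUT .*--dport 22 .*-j ACCEPT$/ { found = 1 }
        /^-A INPUT -j (DROP|REJECT)$/        { exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

save_ruleset
if ssh_reachable "$RULES_FILE"; then
    echo "ok: SSH allow rule precedes any catch-all in $RULES_FILE"
else
    echo "refusing to keep $RULES_FILE: SSH would be blocked" >&2
fi
```

The check only recognises a single-port `--dport 22` rule; a rule written with `-m multiport --dports 22,80` would need the pattern extended. Before loading a file like this for real, `iptables-restore --test FILE` parses the ruleset without committing it, which catches syntax errors but not a locked-out administrator, which is what the awk check is for.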

Assuming eth0 is your external network interface, and eth1 is your internal one, this will allow your internal network to access the external network:

$ sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

Dropping Invalid Packets

Some network traffic packets get marked as invalid. Sometimes it can be useful to log this type of packet but often it is fine to drop them. Do so with this command:

$ sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Blocking an IP Address

To block network connections that originate from a specific IP address, 203.0.113.51 for example, run this command:

$ sudo iptables -A INPUT -s 203.0.113.51 -j DROP

In this example, -s 203.0.113.51 specifies a source IP address of “203.0.113.51”. The source IP address can be specified in any firewall rule, including an allow rule.

If you want to reject the connection instead, which will respond to the connection request with a “connection refused” error, replace “DROP” with “REJECT” like this:

$ sudo iptables -A INPUT -s 203.0.113.51 -j REJECT

Blocking Connections to a Network Interface

To block connections from a specific IP address, e.g. 203.0.113.51, to a specific network interface, e.g. eth0, use this command:

$ sudo iptables -A INPUT -i eth0 -s 203.0.113.51 -j DROP

This is the same as the previous example, with the addition of -i eth0. The network interface can be specified in any firewall rule, and is a great way to limit the rule to a particular network.

Service: SSH

If you’re using a server without a local console, you will probably want to allow incoming SSH connections (port 22) so you can connect to and manage your server. This section covers how to configure your firewall with various SSH-related rules.

Allowing All Incoming SSH

To allow all incoming SSH connections run these commands:

$ sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

Allowing Incoming SSH from Specific IP address or subnet

To allow incoming SSH connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 203.0.113.0/24 subnet, run these commands:

$ sudo iptables -A INPUT -p tcp -s 203.0.113.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

Allowing Outgoing SSH

If your firewall OUTPUT policy is not set to ACCEPT, and you want to allow outgoing SSH connections—your server initiating an SSH connection to another server—you can run these commands:

The second command, which allows the outgoing traffic of established HTTP connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

$ sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allowing All Incoming HTTP and HTTPS

If you want to allow both HTTP and HTTPS traffic, you can use the multiport module to create a rule that allows both ports. To allow all incoming HTTP and HTTPS (port 443) connections run these commands:

$ sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established HTTP and HTTPS connections, is only necessary if the OUTPUT policy is not set to ACCEPT. Note that it matches on the source ports (--sports), since the replies of a server-side connection leave from port 80 or 443.

Service: MySQL

MySQL listens for client connections on port 3306. If your MySQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.

Allowing MySQL from Specific IP Address or Subnet

To allow incoming MySQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 203.0.113.0/24 subnet, run these commands:

$ sudo iptables -A INPUT -p tcp -s 203.0.113.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established MySQL connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

Allowing MySQL to Specific Network Interface

To allow MySQL connections to a specific network interface—say you have a private network interface eth1, for example—use these commands:

$ sudo iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established MySQL connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

Service: PostgreSQL

PostgreSQL listens for client connections on port 5432. If your PostgreSQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.

PostgreSQL from Specific IP Address or Subnet

To allow incoming PostgreSQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 203.0.113.0/24 subnet, run these commands:

$ sudo iptables -A INPUT -p tcp -s 203.0.113.0/24 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established PostgreSQL connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

Allowing PostgreSQL to Specific Network Interface

To allow PostgreSQL connections to a specific network interface—say you have a private network interface eth1, for example—use these commands:

$ sudo iptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established PostgreSQL connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

Allowing All Incoming IMAPS

To allow your server to respond to IMAPS connections, port 993, run these commands:

$ sudo iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established IMAPS connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

Allowing All Incoming POP3

To allow your server to respond to POP3 connections, port 110, run these commands:

$ sudo iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established POP3 connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

Allowing All Incoming POP3S

To allow your server to respond to POP3S connections, port 995, run these commands:

$ sudo iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
$ sudo iptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT

The second command, which allows the outgoing traffic of established POP3S connections, is only necessary if the OUTPUT policy is not set to ACCEPT.

Conclusion

That should cover many of the commands that are commonly used when configuring an iptables firewall. Of course, iptables is a very flexible tool so feel free to mix and match the commands with different options to match your specific needs if they aren’t covered here.

If you’re looking for help determining how your firewall should be set up, check out this tutorial: How To Choose an Effective Firewall Policy to Secure your Servers.

NAT

iptables -F && iptables -t nat -F
iptables -t nat -A PREROUTING -d 10.1.31.116/24 -p UDP --dport 53 -j DNA
iptables -t nat -A PREROUTING -d 10.1.31.116/24 -p TCP --dport 80 -j DNA
iptables -t nat -A POSTROUTING -s 10.101.10.128/25 -o enp0s9 -j SNAT --t

INPUT

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j REJECT

OUTPUT

iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -j REJECT

FORWARD

iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# The DMZ may make DNS requests
iptables -A FORWARD -s 10.101.10.0/25 -p udp --dport 53 -d 10.101.10.

# Local network to the DMZ and to the internet
iptables -A FORWARD -s 10.101.10.128/25 -d 10.101.10.0/25 -j ACCEPT
iptables -A FORWARD -s 10.101.10.128/25 -o enp0s9 -j ACCEPT

# Internet connections to the DMZ
iptables -A FORWARD -i enp0s9 -d 10.101.10.130 -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i enp0s9 -d 10.101.10.20 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -j REJECT

# ICMP echo; note that appended after the final REJECT above, these two rules are never reached
iptables -A FORWARD -p icmp --icmp-type 0 -j ACCEPT # echo reply
iptables -A FORWARD -p icmp --icmp-type 8 -j ACCEPT # echo request