https://beardedmaker.com/wiki/index.php?action=history&feed=atom&title=Iptables Iptables - Revision history 2026-04-26T14:25:26Z Revision history for this page on the wiki MediaWiki 1.27.4 https://beardedmaker.com/wiki/index.php?title=Iptables&diff=120&oldid=prev Beard: Created page with "<pre> packages: iptables system-config-firewall system-config-securitylevel daemons: iptables ip6tables configs: /etc/sysconfig/iptables-config - config file /etc/sy..." 2016-02-29T20:54:59Z <p>Created page with &quot;&lt;pre&gt; packages: iptables system-config-firewall system-config-securitylevel daemons: iptables ip6tables configs: /etc/sysconfig/iptables-config - config file /etc/sy...&quot;</p> <p><b>New page</b></p><div>&lt;pre&gt;<br /> packages:<br /> iptables<br /> system-config-firewall<br /> system-config-securitylevel<br /> <br /> daemons:<br /> iptables<br /> ip6tables<br /> <br /> configs:<br /> /etc/sysconfig/iptables-config - config file<br /> /etc/sysconfig/iptables - list of rules. rules are listed the same as CLI arguments<br /> /etc/sysconfig/iptables.save - save/backup file<br /> /etc/sysconfig/iptables.old - manual backup file<br /> <br /> tutorials:<br /> http://www.routermods.com/2010/02/09/iptables-for-dummies-a-beginners-guide-to-iptables-firewall/<br /> <br /> commands:<br /> <br /> *the order of arguments is unimportant<br /> *rules are applied using<br /> <br /> service iptables save - saves rules currently in memory to /etc/sysconfig/iptables<br /> <br /> iptables -L - list rules<br /> --line-numbers<br /> iptables -P &lt;chain&gt; &lt;rule&gt; - set default/implicit policy for the whole chain (ie iptables -P INPUT ACCEPT)<br /> iptables -D &lt;chain&gt; &lt;rule&gt; - delete rule. can be either a number startin at 1 or the rule itself. (ie iptables -D INPUT 2)<br /> iptables-save - saves rules to iptables.save and allows rules to be applied on restart<br /> iptables -t &lt;table&gt; -A &lt;chain&gt; -i &lt;int&gt; -o &lt;int&gt; -p &lt;protocol&gt; --sport &lt;port&gt; --dport &lt;port&gt; -s &lt;source&gt; -d &lt;destination&gt; -j &lt;action&gt;<br /> precede options with &quot;!&quot; to apply NOT logic (ie ! -s 0.0.0.0/0)<br /> -t &lt;table&gt; - table can be either:<br /> filter - default if no table specified<br /> nat - nat table<br /> mangle - mangle table<br /> -A &lt;chain&gt; - append to chain<br /> INPUT - packets destined to local machine<br /> OUTPUT - packets generated by local machine<br /> FORWARD - packets passing through box<br /> PREROUTING - packets as they enter local machine (nat and mangle only)<br /> POSTROUTING - packets as they leave local machine (nat and mangle only)<br /> -I &lt;chain&gt; &lt;#&gt; - same as -A but inserts rule as rule #<br /> -i &lt;int&gt; - input interface (optional)<br /> -o &lt;int&gt; - output interface (optional)<br /> -p &lt;protocol&gt;<br /> tcp<br /> udp<br /> udplite<br /> icmp<br /> esp<br /> ah<br /> sctp<br /> all<br /> -m &lt;extension&gt; &lt;options&gt; - match. adds extension with more options. (ie iptables -A INPUT -p tcp --dport 80 -m comment --comment &quot;www request&quot;)<br /> comment<br /> --comment &lt;text&gt;<br /> state - the state of the packet<br /> --state &lt;state&gt;<br /> NEW - packet has started new connection. most commonly used for incoming traffic<br /> RELATED - packet started new connection but is associated with an existing connection<br /> ESTABLISHED - packet is part of another connection<br /> limit - helps prevent dictionary attacks<br /> --limit &lt;#&gt;/&lt;second/minute/hour/day&gt; - (ie -m limit --limit 2/minute)<br /> --limit-burst &lt;#&gt; - limit number of packets to match.<br /> mac<br /> --mac-source &lt;address&gt;<br /> iprange - match a range of addresses<br /> --src-range &lt;addr&gt;-&lt;addr&gt;<br /> --dst-range &lt;addr&gt;-&lt;addr&gt;<br /> --sport &lt;port&gt; - source port<br /> --dport &lt;port&gt; - destination port<br /> --tcp-flags &lt;flag&gt; - comma separated list of flags<br /> SYN<br /> RST<br /> ACK<br /> FIN<br /> -s &lt;source&gt; - source address. can be host name or address/mask (ie 192.168.0.1/24)<br /> -d &lt;destination&gt; - destination address. can be host name or address/mask (ie 192.168.0.1/24)<br /> -j &lt;action&gt; - the action to take<br /> ACCEPT<br /> REJECT - rejects packet and sends error.<br /> DROP - same as REJECT except is sends no error<br /> LOG - logs when a packet matches rule. for rejected packets, place a log rule before the rejecting rule.<br /> --log-prefix &lt;text&gt;<br /> --log-level &lt;#&gt; - 7 is appropriate<br /> <br /> examples:<br /> allow priviously established connections: <br /> iptables -A INPUT -j ACCEPT -p tcp ! –syn -s 0/0 -d (outer ip/net) - pro firewall rule<br /> allow port 80: <br /> iptables -A INPUT -p tcp --dport 80 -j ACCEPT<br /> limitations on ssh: <br /> iptables -A INPUT -p tcp --dport ssh -m limit --limit 3/minute --limit-burst 2 -j ACCEPT<br /> allow ssh and all session-related packets:<br /> iptables –A FORWARD –i eth1 –o eth0 –m state -state NEW -dport 22 –j ACCEPT<br /> iptables –A FORWARD –i eth1 –o eth0 –m state -state ESTABLISHED,RELATED –j ACCEPT<br /> <br /> <br /> &lt;/pre&gt;</div> Beard