Oct 10, 2009

Linux IP Tables Tips and Tricks

Note: After running any iptables command you need to save the rules, using
the # iptables-save command or else the # service iptables save command. You
must know some basics of networking and Linux, so use the commands below
at your own risk; I am not responsible for any damage caused by using these commands.


1. To block a ping request
# iptables -A OUTPUT -p icmp -j REJECT
# iptables -A INPUT -p icmp -j REJECT
Note: To remove the rule again (re-enabling ping) use # iptables -D OUTPUT -p icmp -j REJECT, and the same with INPUT in place of OUTPUT.
2. Enabling IP Forwarding
# echo 1 > /proc/sys/net/ipv4/ip_forward

3. To drop request for IP and ports
a) To drop port 23 for all IPs
# iptables -t nat -A POSTROUTING -o eth1 -p tcp -m tcp --dport 23 -j DROP
b) To drop ports 22 and 23 for all IPs
# iptables -t nat -A POSTROUTING -o eth1 -p tcp -m tcp --dport 22:23 -j DROP
c) To drop ports 22 and 23 for one source IP
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m tcp --dport 22:23 -j DROP
d) To drop all packets from an IP
# iptables -A INPUT -s 209.61.158.248 -j DROP
e) To drop only SSH packets from an IP
# iptables -A INPUT -s 209.61.158.248 -p tcp --dport 22 -j DROP

4. How to log the firewall activity
a) To log the ping (icmp) activity
# iptables -A OUTPUT -p icmp -j LOG --log-prefix "PING:> "
# iptables -A INPUT -p icmp -j LOG --log-prefix "PING:> "
Note: To see the log, open the /var/log/messages file and look for the lines with the prefix PING:> . You can use grep to filter out only the firewall entries.
b) To log the FTP port activity
# iptables -A OUTPUT -p tcp -s 0/0 --dport 21 -j LOG --log-prefix "FTP:> "
# iptables -A INPUT -p tcp -s 0/0 --dport 21 -j LOG --log-prefix "FTP:> "
c) To log the activity for one source IP
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -j LOG --log-prefix " "
Note: Choose a prefix like the ones above instead of a blank one, so the entries for this host can be found with grep.
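An added example (not from the original post) of what to do with the entries the LOG rules above write to /var/log/messages: a small POSIX shell function that tallies kernel firewall log lines by log prefix and SRC= address, so a source that keeps probing stands out. The log file below is constructed to mimic the LOG target's output format; the addresses, MAC and timestamps in it are invented.

```shell
#!/bin/sh
# Added example (not from the original post): summarise iptables LOG output
# such as the PING:> and FTP:> lines produced by the rules in tip 4.
# Usage: fw_log_summary /var/log/messages [MIN_HITS]
# Prints "<count> <prefix> <source-ip>" for every prefix/source pair with
# at least MIN_HITS entries (default 1), busiest first.
fw_log_summary() {
    logfile=$1
    min=${2:-1}
    # Only keep kernel lines whose log prefix ends in ":>" (the convention
    # used in tip 4), then tally them by prefix and SRC= address.
    grep -E 'kernel: [A-Z-]+:> ' "$logfile" | awk -v min="$min" '
        {
            pfx = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:>$/)   pfx = $i
                if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            if (pfx != "" && src != "") count[pfx " " src]++
        }
        END { for (k in count) if (count[k] >= min) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample log in the kernel LOG target's format (values invented).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct 10 12:00:01 gw kernel: PING:> IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=209.61.158.248 DST=203.145.184.246 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Oct 10 12:00:02 gw kernel: PING:> IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=209.61.158.248 DST=203.145.184.246 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2
Oct 10 12:00:03 gw kernel: FTP:> IN= OUT=eth1 SRC=192.168.0.88 DST=198.51.100.7 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=40122 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 10 12:00:04 gw kernel: PING:> IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.168.0.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Oct 10 12:00:05 gw kernel: PING:> IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=209.61.158.248 DST=203.145.184.246 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=3
Oct 10 12:00:06 gw kernel: FTP:> IN= OUT=eth1 SRC=192.168.0.88 DST=198.51.100.7 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=40123 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 10 12:00:08 gw kernel: eth1: link up, 100Mbps, full-duplex
EOF

# Full summary, then only the pairs seen at least twice.
fw_log_summary "$SAMPLE_LOG"
fw_log_summary "$SAMPLE_LOG" 2
```

On the sample above the first call prints "3 PING:> 209.61.158.248", "2 FTP:> 192.168.0.88" and "1 PING:> 10.0.0.5"; the non-firewall kernel line is ignored. Raising MIN_HITS is the cheap way to turn this into a watch list that is worth looking at.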

5. To redirect the ports request
a) Using Squid as a transparent proxy
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
b) To redirect port 80 requests to port 80 on another computer
# iptables -t nat -A PREROUTING -p tcp -d 203.145.184.246 --dport 80 -j DNAT --to 192.168.0.88:80
# iptables -A FORWARD -p tcp -d 192.168.0.88 --dport 80 -j ACCEPT
c) To redirect requests for a group of ports
# iptables -t nat -A PREROUTING -p tcp -d 203.145.184.246 --dport 20:23 -j DNAT --to 192.168.0.88:20-23
# iptables -A FORWARD -p tcp -d 192.168.0.88 --dport 20:23 -j ACCEPT
# iptables -t nat -A PREROUTING -p udp -d 203.145.184.246 --dport 20:23 -j DNAT --to 192.168.0.88:20-23
# iptables -A FORWARD -p udp -d 192.168.0.88 --dport 20:23 -j ACCEPT
d) To redirect all incoming SMTP requests arriving on interface eth0 to another computer inside the local network
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 192.168.0.88:25
# iptables -A FORWARD -p tcp -d 192.168.0.88 --dport 25 -j ACCEPT

6. To MASQUERADE (share the internet connection, using this machine's IP address as the gateway)
a) When two NIC cards are used, one connected to the internet and the other
connected to the local network.
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Note: Here eth1 is the card connected to the internet.
b) When dial-up is used.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Note: You need to enable IP forwarding for MASQUERADING to work. This is
done as shown in tip number 2.

7. Do Masquerading only for one IP address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -j MASQUERADE

8. Do Masquerading for all IPs except for one address
# iptables -t nat -A POSTROUTING ! -s 192.168.0.88 -o eth1 -j MASQUERADE

9. Do Masquerading only for one destination and for one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -d 209.61.158.248 -o eth1 -j MASQUERADE
Note: 192.168.0.88 is the local address and 209.61.158.248 is the public address on the internet.

10. Do Masquerading for all destinations except for one, and for only one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 ! -d 209.61.158.248 -o eth1 -j MASQUERADE

11. Do Masquerading only for one destination port and for one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m tcp --dport 10000 -j MASQUERADE

12. Do Masquerading only for TCP and for one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m tcp -j MASQUERADE

13. Do Masquerading only for specified TCP ports and for one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m tcp -m multiport --dports 21,22,23,25,80,110,143,443 -j MASQUERADE
Note: The above command can also be written as below, using the service names from /etc/services
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m tcp -m multiport --dports ftp,ssh,telnet,smtp,http,imap,pop3,https -j MASQUERADE
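The tips above are given one rule at a time; on a real gateway their order and the table they live in matter. The script below is an added example (not from the original post) that combines tips 2, 3, 4, 5 and 6 into one stateful ruleset with default-deny policies, and adds a DNAT helper in the style of tip 5d. One caveat it bakes in: the nat table is consulted only for the first packet of each connection, so the port blocks of tip 3 are placed in the filter table's FORWARD chain, where every packet passes, rather than in nat/POSTROUTING. The interface names, LAN range and forwarded host are assumed values, and the run wrapper with DRY_RUN=1 prints the rules instead of applying them so the whole set can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal stateful gateway
# ruleset built from tips 2, 3, 4, 5 and 6. Interface names, the LAN range
# and the forwarded host are assumed values; adjust them before use.
# Dry run:  DRY_RUN=1 sh gateway.sh eth1 eth0 192.168.0.0/24 192.168.0.88
# Apply:    sh gateway.sh eth1 eth0 192.168.0.0/24 192.168.0.88   (as root)

IPT=${IPT:-iptables}

# run: execute a command, or only print it when DRY_RUN=1, so the complete
# ruleset can be read before it touches the live firewall.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# apply_gateway_rules WAN_IF LAN_IF LAN_NET
apply_gateway_rules() {
    wan=$1; lan=$2; lan_net=$3

    # tip 14: start from a clean slate in both the filter and nat tables
    run "$IPT" -F
    run "$IPT" -t nat -F
    run "$IPT" -X

    # default deny for traffic to the gateway and for traffic passing through it
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    run "$IPT" -A INPUT -i lo -j ACCEPT
    # replies to connections the gateway or the LAN opened are let back in
    run "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH to the gateway itself only from the LAN side
    run "$IPT" -A INPUT -i "$lan" -s "$lan_net" -p tcp --dport 22 -j ACCEPT

    # tip 3 done in the filter table: the nat table only sees the first
    # packet of a connection, so a DROP there is not a reliable block
    run "$IPT" -A FORWARD -i "$lan" -o "$wan" -p tcp -m multiport --dports 22,23 -j DROP
    run "$IPT" -A FORWARD -i "$lan" -s "$lan_net" -o "$wan" -j ACCEPT

    # tip 4: log (rate limited) whatever is about to fall to the DROP policy
    run "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP:> "

    # tip 6: masquerade only the LAN range, and only when leaving via the WAN side
    run "$IPT" -t nat -A POSTROUTING -s "$lan_net" -o "$wan" -j MASQUERADE

    # tip 2: enable forwarding last, once the policy is in place
    run sysctl -w net.ipv4.ip_forward=1
}

# forward_tcp_port WAN_IF PORT INTERNAL_IP  (tip 5d, with the FORWARD rule
# inserted ahead of the LOG rule and limited to connections that were DNATed)
forward_tcp_port() {
    wan=$1; port=$2; host=$3
    run "$IPT" -t nat -A PREROUTING -i "$wan" -p tcp --dport "$port" -j DNAT --to-destination "$host:$port"
    run "$IPT" -I FORWARD -i "$wan" -p tcp -d "$host" --dport "$port" -m conntrack --ctstate DNAT -j ACCEPT
}

if [ "$#" -ge 3 ]; then
    apply_gateway_rules "$1" "$2" "$3"
    if [ -n "$4" ]; then
        forward_tcp_port "$1" 25 "$4"
    fi
fi
```

Run it with DRY_RUN=1 first and read the printed rules top to bottom: the ESTABLISHED,RELATED accepts come before any block, the blocks come before the broad LAN-to-WAN accept, and the LOG rule is last so it only records what the DROP policy is about to discard. As with every tip on this page, save the result with iptables-save once it behaves as intended.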

14. To clear all IP Tables rules
# iptables -F
# iptables -X
# iptables -Z

15. To view the list of all applied rules
# iptables -L
# iptables -nL

16. To see the iptables version
# iptables -V

Copyright © Vinay's Blog | Powered by Blogger