Oct 10, 2009

Linux IP Tables Tips and Tricks

Note: After running any of the iptables commands below you need to save the
ruleset, using either the # iptables-save command (it writes the rules to
standard output, so redirect it to a file) or the # service iptables save command.
You must know some basics of networking and Linux, so use the commands below at
your own risk; I am not responsible for any damage caused by using these commands.


1. To block a ping request
# iptables -A OUTPUT -p icmp -j REJECT
# iptables -A INPUT -p icmp -j REJECT
Note: To remove the rule and allow ping again, use # iptables -D OUTPUT -p icmp -j REJECT (and the same with INPUT).

2. Enabling IP Forwarding
# echo "1" > /proc/sys/net/ipv4/ip_forward
Note: This setting is lost on reboot; to make it permanent, set net.ipv4.ip_forward = 1 in /etc/sysctl.conf.

3. To drop requests for IPs and ports
a) To drop port 23 for all IPs
# iptables -t nat -A POSTROUTING -o eth1 -p tcp -m tcp --dport 23 -j DROP
b) To drop ports 22 and 23 for all IPs
# iptables -t nat -A POSTROUTING -o eth1 -p tcp -m tcp --dport 22:23 -j DROP
c) To drop ports 22 and 23 for one source IP
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m tcp --dport 22:23 -j DROP
Note: The nat table only sees the first packet of each connection, so for plain filtering of forwarded traffic the FORWARD chain of the filter table is the usual place (for example # iptables -A FORWARD -o eth1 -p tcp --dport 23 -j DROP).
d) To drop all packets from an IP
# iptables -A INPUT -s 209.61.158.248 -j DROP
e) To drop only SSH packets from an IP
# iptables -A INPUT -s 209.61.158.248 -p tcp --dport 22 -j DROP

4. How to log the firewall activity
a) To log the ping (icmp) activity
# iptables -A OUTPUT -p icmp -j LOG --log-prefix "PING:> "
# iptables -A INPUT -p icmp -j LOG --log-prefix "PING:> "
Note: To see the log, open the /var/log/messages file and find the lines that carry the prefix PING:> . You can use grep to see only the firewall logs.
b) To log the FTP port activity
# iptables -A OUTPUT -p tcp -s 0/0 --dport 21 -j LOG --log-prefix "FTP:> "
# iptables -A INPUT -p tcp -s 0/0 --dport 21 -j LOG --log-prefix "FTP:> "
c) To log the activity for one source IP
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -j LOG --log-prefix " "
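Once the LOG rules from tip 4 are in place, the entries in /var/log/messages are easier to read summarised per flow than with a bare grep. The script below is an added example and not part of the original post; the log lines in it are constructed samples in the classic syslog layout, and the function defaults to /var/log/messages when no file is given.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the kernel LOG
# entries written by the tip 4 rules (prefixes "PING:> " and "FTP:> "),
# grouped by source, destination and protocol/port.
# The lines below are constructed samples in the classic syslog layout:
# "Mon DD HH:MM:SS host kernel: PREFIX IN=... OUT=... SRC=... DST=... PROTO=..."
set -u

SAMPLE_LOG='Oct 10 12:00:01 gw kernel: PING:> IN=eth1 OUT= SRC=209.61.158.248 DST=203.145.184.246 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Oct 10 12:00:02 gw kernel: PING:> IN=eth1 OUT= SRC=209.61.158.248 DST=203.145.184.246 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
Oct 10 12:00:02 gw kernel: PING:> IN= OUT=eth1 SRC=203.145.184.246 DST=209.61.158.248 LEN=84 TTL=64 PROTO=ICMP TYPE=0 CODE=0 ID=1234 SEQ=2
Oct 10 12:00:05 gw kernel: FTP:> IN=eth1 OUT= SRC=209.61.158.248 DST=203.145.184.246 LEN=60 TTL=52 ID=4711 DF PROTO=TCP SPT=51234 DPT=21 SYN
Oct 10 12:00:09 gw sshd[1234]: Accepted publickey for admin from 192.168.0.10 port 50000 ssh2'

# firewall_summary PREFIX [FILE]: print "COUNT SRC -> DST PROTO/DPT" for each
# distinct flow logged with the given --log-prefix, busiest flow first.
# FILE defaults to /var/log/messages, where the post says the entries land.
firewall_summary() {
    awk -v p="$1" '
        # field 5 is "kernel:", field 6 is the --log-prefix without its trailing space
        $5 == "kernel:" && $6 == p {
            src = dst = proto = "?"; dpt = "-"
            for (i = 7; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            n[src " -> " dst " " proto "/" dpt]++
        }
        END { for (k in n) print n[k], k }' "${2:-/var/log/messages}" | sort -rn
}

# Demonstrate on the constructed sample, written to a temporary file.
LOGFILE=$(mktemp)
trap 'rm -f "$LOGFILE"' EXIT
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
echo "== PING:> =="; firewall_summary "PING:>" "$LOGFILE"
echo "== FTP:> ==";  firewall_summary "FTP:>" "$LOGFILE"
```

On a real gateway run `firewall_summary "PING:>"` without the file argument to read /var/log/messages directly.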

5. To redirect port requests
a) Using Squid as a transparent proxy
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 3128
b) To redirect port 80 requests to port 80 on another computer
# iptables -t nat -A PREROUTING -p tcp -d 203.145.184.246 --dport 80 -j DNAT --to 192.168.0.88:80
# iptables -A FORWARD -p tcp -d 192.168.0.88 --dport 80 -j ACCEPT
c) To redirect requests for a group of ports
# iptables -t nat -A PREROUTING -p tcp -d 203.145.184.246 --dport 20:23 -j DNAT --to 192.168.0.88:20-23
# iptables -A FORWARD -p tcp -d 192.168.0.88 --dport 20:23 -j ACCEPT
# iptables -t nat -A PREROUTING -p udp -d 203.145.184.246 --dport 20:23 -j DNAT --to 192.168.0.88:20-23
# iptables -A FORWARD -p udp -d 192.168.0.88 --dport 20:23 -j ACCEPT
d) To redirect all incoming SMTP requests arriving via interface eth0 to another computer inside the local network
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to 192.168.0.88:25
# iptables -A FORWARD -p tcp -d 192.168.0.88 --dport 25 -j ACCEPT
Note: The DNAT rule only rewrites the destination address; the matching FORWARD rule is what actually lets the redirected packets through the filter table.

6. To MASQUERADE (share the internet connection using this machine's IP address as the gateway)
a) When two NIC cards are used, one connected to the internet and the other
connected to the local network.
# iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Note: Here eth1 is the card connected to the internet.
b) When dial-up is used.
# iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Note: You need to enable IP forwarding for MASQUERADE to work. This is
done with tip number 2.
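Tips 2, 5b and 6a are normally applied together on a gateway. The script below is an added example, not the post's own code: it combines those three steps, prints the commands by default so they can be reviewed, and only runs them when APPLY=1 is set. Interface and address names (eth1 as the internet side, eth0 as the LAN side, the post's 203.145.184.246 and 192.168.0.88) are assumptions that can be overridden via the environment.

```shell
#!/bin/sh
# Added example, not from the original post: a small NAT gateway script that
# combines tip 2 (forwarding), tip 6a (MASQUERADE) and tip 5b (DNAT of port 80).
# Assumed names, override via the environment: WAN=eth1 (internet side),
# LAN=eth0, PUBLIC_IP=203.145.184.246, WEB_HOST=192.168.0.88.
# Commands are only printed unless APPLY=1 is set, so the plan can be reviewed first.
set -eu

WAN="${WAN:-eth1}"
LAN="${LAN:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-203.145.184.246}"
WEB_HOST="${WEB_HOST:-192.168.0.88}"

# run CMD...: execute the command when APPLY=1, otherwise print it
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# tip 2: forwarding must be on for both MASQUERADE and DNAT to do anything
enable_forwarding() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

# tip 6a plus tip 5b: masquerade LAN clients behind the WAN address and
# publish the internal web server on the public address, port 80
gateway_rules() {
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp -d "$PUBLIC_IP" --dport 80 \
        -j DNAT --to-destination "$WEB_HOST:80"
    # DNAT only rewrites the address; the FORWARD chain must also let the packets pass
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$WEB_HOST" --dport 80 -j ACCEPT
    # replies and related traffic for connections the gateway already tracks
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# persist the ruleset, as the note at the top of the post recommends
save_rules() {
    run service iptables save
}

enable_forwarding
gateway_rules
save_rules
```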

7. Do masquerading only for one IP address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -j MASQUERADE

8. Do masquerading for all IPs except one address
# iptables -t nat -A POSTROUTING ! -s 192.168.0.88 -o eth1 -j MASQUERADE
Note: The negation goes before the option (! -s); the older form -s ! 192.168.0.88 is deprecated.

9. Do masquerading only for one destination and one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -d 209.61.158.248 -o eth1 -j MASQUERADE
Note: 192.168.0.88 is the local address and 209.61.158.248 is a public address on the internet.

10. Do masquerading for all destinations except one, and for only one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 ! -d 209.61.158.248 -o eth1 -j MASQUERADE

11. Do masquerading only for one destination port and one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m tcp --dport 10000 -j MASQUERADE

12. Do masquerading only for TCP and for one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m tcp -j MASQUERADE

13. Do masquerading only for specified TCP ports and for one source address
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m tcp -m multiport --dports 21,22,23,25,80,110,143,443 -j MASQUERADE
Note: The above command can also be written with service names from /etc/services:
# iptables -t nat -A POSTROUTING -s 192.168.0.88 -o eth1 -p tcp -m tcp -m multiport --dports ftp,ssh,telnet,smtp,http,imap,pop3,https -j MASQUERADE

14. To clear all iptables rules
# iptables -F
# iptables -X
# iptables -Z
Note: Without -t these act on the filter table only; repeat them with -t nat to clear the NAT rules from tips 3 and 5 to 13. Flushing does not reset the chain policies, so if a policy is DROP, flushing the rules that accepted your own traffic will lock you out.

15. To view the list of all applied rules
# iptables -L
# iptables -nL
Note: -n skips DNS and service-name lookups, which is faster and shows the raw addresses and ports. Add -t nat to list the NAT table, and -v to see packet and byte counters per rule.

16. To see the iptables version
# iptables -V
