iptables

# list
# -L alone shows only the filter table and resolves addresses/ports to names
# (slow when DNS is unreachable); add -n for numeric output and --line-numbers
# when a rule number is needed for "iptables -D <chain> <num>" further down.
iptables -L
# the nat table (PREROUTING/POSTROUTING/OUTPUT) has to be requested explicitly
iptables -L -t nat 
 
 
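# forward (DNAT) port 10022 on eth0 to 172.17.0.10:22
# Needs net.ipv4.ip_forward=1 (see "routing test" below). DNAT happens in
# nat/PREROUTING, before the routing decision, so the FORWARD chain sees the
# already-rewritten destination (172.17.0.10:22) -- a FORWARD rule matching
# --dport 10022 would never see this traffic, so match the translated address
# and port instead.
iptables -A FORWARD -i eth0 -p tcp -d 172.17.0.10 --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 10022 -j DNAT --to-destination 172.17.0.10:22

# redirect port 222 to 22 on this host (REDIRECT is a DNAT to the local machine;
# the redirected packet then arrives in INPUT with --dport 22)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 222 -j REDIRECT --to-port 22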
 
 
# default-deny INPUT, allow what is needed, then persist the rule set
# NOTE: setting the DROP policy first, over a remote session, with no rule that
# accepts ESTABLISHED,RELATED traffic cuts that session and also drops replies to
# connections this host opens itself; add the accept rules first (or set the
# policy last) when doing this on a live machine.
iptables -P INPUT DROP
 
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# RHEL/CentOS with the iptables-services package (typically writes
# /etc/sysconfig/iptables, reloaded at boot)
service iptables save
 
# or -- Debian/Ubuntu with iptables-persistent, which loads rules.v4 at boot
iptables-save > /etc/iptables/rules.v4
 
 
# whitelist example: default-deny, then explicit accepts.
# Rules are evaluated top-down, first match wins, and -A appends, so the
# accepts must come before any catch-all DROP rule.
# NOTE: as written there is no loopback rule and no ESTABLISHED,RELATED rule,
# so replies to connections the host opens itself (DNS, package updates, ...)
# are dropped by the policy; see the "allow ssh only" block below for the
# state-match form.
iptables -P INPUT DROP
## -- now override with specific "accept" rules:
## Accept incoming TCP connections from eth0 on port 20 and 21
iptables -A INPUT -i eth0 -p tcp --dport 20:21 -j ACCEPT
## Accept SSH connections
## (- although this could have been included above with 20:22)
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
## Accept incoming web connections
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
 
 
 
# flush the filter table, list it numerically, then insert rules at the top
# -F removes rules only; chain policies set with -P are untouched
iptables -F
iptables -L -n
# -I without a position inserts at line 1, so after these two commands the
# port-993 rule sits above the port-25 rule
iptables -I INPUT -p tcp --dport 25 -j ACCEPT
iptables -I INPUT -p tcp --dport 993 -j ACCEPT
 
 
 
# Flushing all rules (filter table only; use -t nat/mangle/raw for the others)
iptables -F
# -X removes user-defined chains; it only works on empty, unreferenced chains,
# hence it runs after -F
iptables -X
# Setting default filter policy
# NOTE: with all three chains at DROP and only loopback allowed, the host can
# neither accept nor start any connection until explicit rules (including one
# for ESTABLISHED,RELATED) are added -- run this from the console, not over SSH.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
 
 
 
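# rule order matters: a chain is evaluated top-down and the first match wins.
# -A appends, so any ACCEPT appended after a catch-all "-j DROP" is unreachable --
# the catch-all has to be the last rule added.
iptables -F
 
# -I puts this rule at position 1
iptables -I INPUT -p tcp --dport 25 -j ACCEPT
 
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
 
# catch-all goes last
iptables -A INPUT -j DROP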
 
 
 
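#Accept ssh traffic from lan1 to client 192.168.20.2 in lan2
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -d 192.168.20.2 -j ACCEPT
# the replies travel eth2 -> eth1 and would be caught by the DROP rules below;
# let packets of an already-accepted connection through (same -m state idiom as
# the "allow ssh only" block further down)
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 
#Block all traffic between lan, but permit traffic to internet
# negation belongs in front of the option ("! -o eth0"); the "-o ! eth0" form
# is deprecated and iptables warns about it.
# Traffic leaving via eth0 is not matched here, so whether it passes depends on
# the FORWARD policy / later rules.
iptables -A FORWARD -i eth1 ! -o eth0 -j DROP
iptables -A FORWARD -i eth2 ! -o eth0 -j DROP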
 
# redirect port 80 to 8080 (REDIRECT sends packets arriving for :80 to local
# :8080, e.g. for a service that runs unprivileged and cannot bind port 80)
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# after the REDIRECT in nat/PREROUTING the packet reaches INPUT with
# --dport 8080, so this is the rule that admits the redirected traffic; the
# port-80 ACCEPT above only matters if something also listens on 80 directly
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
 
 
<strong>Secure access to MySQL</strong>
# allow connections to MySQL from localhost
# (connections a host makes to its own addresses are normally delivered over lo)
iptables -A INPUT -i lo -p tcp --dport 3306 -j ACCEPT
 
# allow connections to MySQL from a specific IP and reject them from all other IPs
# (order matters: the ACCEPT must be appended before the REJECT;
#  icmp-port-unreachable is also the IPv4 default for --reject-with)
iptables -A INPUT -p tcp --dport 3306 -s 192.168.1.2 -j ACCEPT
iptables -A INPUT -p tcp --dport 3306 -j REJECT --reject-with icmp-port-unreachable
 
# delete rule
# by position (1-based; get the number from "iptables -L INPUT -n --line-numbers";
# the numbers shift after every deletion)
iptables -D INPUT 4
# by specification: must match the existing rule exactly, otherwise iptables
# reports that no matching rule exists
iptables -D INPUT -s 127.0.0.1 -p tcp --dport 8080 -j ACCEPT
 
# show messages (RHEL/CentOS iptables-services unit; Debian/Ubuntu with
# iptables-persistent use netfilter-persistent.service instead, and the live
# rule set can always be inspected with "iptables -L -n")
systemctl status iptables.service
 
 
# routing (net-tools syntax; the iproute2 equivalents are "ip link" / "ip route")
# most drivers only accept a MAC change while the interface is down
sudo ifconfig tap0 down
sudo ifconfig tap0 hw ether 00:11:22:33:44:55
sudo ifconfig tap0 up
# remove the route for 192.168.1.0/24 on tap0
sudo route del -net 192.168.1.0 netmask 255.255.255.0 dev tap0
# host route to 192.168.10.4 via gateway 192.168.1.254
sudo route add 192.168.10.4 gw 192.168.1.254 dev tap0
# directly connected host route (no gateway)
sudo route add 192.168.1.55 dev tap0
# network route for 192.168.254.0/24 via 192.168.1.4
sudo route add -net 192.168.254.0 gw 192.168.1.4 netmask 255.255.255.0 dev tap0
 
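# routing test: make this host forward and NAT traffic
# not persistent across reboots; set net.ipv4.ip_forward=1 via sysctl to keep it
echo 1 > /proc/sys/net/ipv4/ip_forward
# NOTE: FORWARD=ACCEPT plus MASQUERADE on every non-loopback interface makes
# the host forward and NAT for anything that routes through it; for more than
# a quick test, restrict -o to the uplink interface and -s to the inside network.
iptables -P FORWARD ACCEPT
# negation belongs in front of the option; "-o ! lo" is the deprecated form
iptables -t nat -A POSTROUTING ! -o lo -j MASQUERADE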
 
# block incoming connection (all protocols) from one host
# -A appends, so an earlier ACCEPT that already matches this host still wins;
# use -I to put the block ahead of existing rules
iptables -A INPUT -s 10.0.30.40 -j DROP
 
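# block outgoing connections
iptables -A OUTPUT  -d 10.0.1.8 -j DROP
# --dport is an option of the tcp/udp match, so -p tcp (or -p udp) must come
# before it; without the protocol iptables rejects the rule with "unknown option"
iptables -A OUTPUT  -d 10.0.0.0/8 -p tcp --dport 3306 -j DROP
# reenable (delete by the exact same specification)
iptables -D OUTPUT  -d 10.0.1.8 -j DROP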
 
# allow traffic with a specific IP: anything coming from it, and SSH going to it
# (-I puts both rules at the top of their chains, ahead of any DROP already there)
iptables -I INPUT -s 10.0.5.20 -j ACCEPT
iptables -I OUTPUT -p tcp --dport 22 -d 10.0.5.20 -j ACCEPT
 
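# clear iptables (back to an open firewall)
# -F/-X never change chain policies: if INPUT/OUTPUT/FORWARD were set to DROP
# (as in other examples in these notes) flushing alone would leave the host
# dropping everything, so reset the filter policies first. The built-in chains
# of nat/mangle/raw default to ACCEPT and are not changed elsewhere here.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X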
 
# allow ssh only (everything else, in and out, is dropped by the last two rules)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
 
# <ip_from> / <ssh_host_ip> are placeholders to substitute.
# --sport 513:65535 excludes the low ports 0-512 on the client side (an old
# rsh/rlogin-era convention; modern clients use ports above 1024 anyway).
# "-m state --state" is the older spelling of "-m conntrack --ctstate" and is
# still accepted.
iptables -A INPUT -p tcp -s <ip_from> -d <ssh_host_ip> --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# return path: only packets that belong to an already-accepted session
iptables -A OUTPUT -p tcp -s <ssh_host_ip> -d <ip_from> --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT
 
# catch-all rules go last; with OUTPUT dropped the host itself cannot reach
# DNS, package mirrors, etc. unless rules for those are added above this line
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
 
# forward port to remote machine
# needs ip_forward=1. DNAT happens in nat/PREROUTING, so FORWARD sees the
# rewritten destination; the port is unchanged here, so --dport 161 still
# matches, but adding "-d 192.168.100.253" would keep the FORWARD rule from
# also admitting unrelated port-161 traffic.
# NOTE(review): 161 is SNMP's UDP port; if that is the forwarded service these
# rules need -p udp rather than -p tcp -- confirm.
iptables -A FORWARD -i eth0 -p tcp --dport 161 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 161 -j DNAT --to-destination 192.168.100.253:161
 
# UDP
http://blog.thoward37.me/articles/code-snippet-iptables-settings-to-prevent-udp-floods/
 
<strong>Links</strong>
https://crm.vpscheap.net/knowledgebase.php?action=displayarticle&id=29
http://www.thegeekstuff.com/scripts/iptables-rules
https://help.ubuntu.com/community/IptablesHowTo
http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/