
Iptables and examples

This is just quick-reference for the kernel 2.4 "iptables" tool from the netfilter framework.
Current set of default tables:
filter (default table): Starts with built-in chains:
INPUT: Arriving.
FORWARD: Being routed.
OUTPUT: Locally generated.

nat (traffic that creates new connections): Starts with built-in chains:
PREROUTING: Arriving.
OUTPUT: Locally generated.
POSTROUTING: Exiting.

mangle (specialised packet alteration): Starts with built-in chains:
PREROUTING: Incoming, before routing.
OUTPUT: Locally generated.
INPUT: Arriving.
FORWARD: Being routed.
POSTROUTING: Exiting.

The admin can create/delete/rename additional (user-defined) chains in any table.
Each chain consists of a set of rules, consulted in order (thus the term "chain") until one's conditions match. If none match, the chain's default policy applies (set with the "-P" option). Policies exist only for built-in chains, and a policy may only be one of the four predefined targets. Each rule has:
criterion: Which packets will be affected.
target: Where matching packets go next: a user-defined chain, or one of the predefined targets ACCEPT, DROP, QUEUE (handed to userspace) or RETURN (stop traversing this chain; in a built-in chain this means the policy applies).
Each rule is assigned a rulenum, which can be used to refer to it in iptables commands.

Since rulesets live only in kernel memory and are lost at reboot, save them to disk with iptables-save and reload them with iptables-restore.
Many of the more interesting features, such as stateful inspection, are provided by dynamically loaded match modules (option "-m"):
# Let packets of already-established connections (and related ones, e.g. FTP data) through
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what is left, rate-limited so an attacker cannot flood the log
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

Anti-spoofing (private source ranges must never arrive on the Internet-facing interface):
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP

## Create a chain that blocks new connections, except if coming from inside
## (eth0 is the Internet-facing interface; "! -i eth0" means "not arriving on eth0").
# iptables -N block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW ! -i eth0 -j ACCEPT
# iptables -A block -j DROP
## Jump to that chain from the INPUT and FORWARD chains.
# iptables -A INPUT -j block
# iptables -A FORWARD -j block

Type of Service (TOS) prioritisation: To maximise ssh responsiveness while keeping maximum throughput for HTTP file transfers:
# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport ssh -j TOS --set-tos Minimize-Delay
# /sbin/iptables -A PREROUTING -t mangle -p tcp --sport http -j TOS --set-tos Maximize-Throughput
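As an added example (not part of the original post), the anti-spoofing rules and the "block" chain above written in the iptables-restore file format that iptables-save produces, plus a sanity check that runs without root; it assumes eth0 is the Internet-facing interface and that the file is loaded with iptables-restore.

```shell
#!/bin/sh
# Added example: write this page's anti-spoofing and "block" rules in the
# iptables-restore format, so the ruleset is kept on disk and loaded
# atomically (iptables-restore < firewall.rules, as root) instead of being
# rebuilt one "iptables -A" at a time. Assumption: eth0 is the Internet-facing
# interface (the page uses it in the "block" chain).
INET_IFACE=${INET_IFACE:-eth0}

# Emit the ruleset on stdout. Format: "*table" opens a table, ":CHAIN POLICY
# [pkts:bytes]" declares a chain ("-" = no policy, i.e. a user chain), rules
# are iptables arguments without the command name, "COMMIT" ends the table.
gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Private source ranges must never arrive on the Internet-facing interface
-A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
-A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
-A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:block - [0:0]
-A block -m state --state ESTABLISHED,RELATED -j ACCEPT
-A block -m state --state NEW ! -i $INET_IFACE -j ACCEPT
-A block -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT block died: "
-A block -j DROP
-A INPUT -j block
-A FORWARD -j block
COMMIT
EOF
}

# Checks that need no root: each "*table" has its "COMMIT", and every chain a
# rule jumps to is either a predefined target or declared with ":name".
check_ruleset() {
  rules=$(gen_ruleset)
  [ "$(printf '%s\n' "$rules" | grep -c '^\*')" -eq \
    "$(printf '%s\n' "$rules" | grep -c '^COMMIT$')" ] || return 1
  for chain in $(printf '%s\n' "$rules" | sed -n 's/^-A .* -j \([A-Za-z]*\).*/\1/p' | sort -u); do
    case $chain in ACCEPT|DROP|LOG|QUEUE|RETURN) continue ;; esac
    printf '%s\n' "$rules" | grep -q "^:$chain " || return 1
  done
  return 0
}
```

Run `gen_ruleset > firewall.rules && check_ruleset` to produce and check the file; loading it still requires root.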
