<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'self'; style-src 'self'; font-src 'self' data:; img-src 'self' data:; connect-src 'self'; base-uri 'self'; form-action 'self' https://defcon.social https://bsky.app;">
<meta http-equiv="X-Content-Type-Options" content="nosniff">
<link rel="stylesheet" href="../assets/css/style.css">
<link rel="icon" type="image/x-icon" href="../favicon.ico">
<script>
// Apply theme immediately to prevent flash
(function() {
  const theme = localStorage.getItem('theme') ||
    (window.matchMedia && window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light');
  document.documentElement.setAttribute('data-theme', theme);
})();
</script>
<title>iptables Cheatsheet - Cheatsheets - Launch Pad</title>
</head>
<body>
<button class="theme-toggle" id="themeToggle" aria-label="Toggle dark mode">
<svg class="theme-icon theme-icon-moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1 1 11.21 3 7 7 0 0 0 21 12.79z"></path></svg>
<svg class="theme-icon theme-icon-sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="display: none;"><circle cx="12" cy="12" r="5"></circle><line x1="12" y1="1" x2="12" y2="3"></line><line x1="12" y1="21" x2="12" y2="23"></line><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line><line x1="1" y1="12" x2="3" y2="12"></line><line x1="21" y1="12" x2="23" y2="12"></line><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line></svg>
</button>
<br/><br/>
<div class="name">
__ _______________________ _________._________________________
\_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/
| __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_
| \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \
\___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ /
\/ \/ \/ \/ \/ \/ \/
</div>
<div class="blog-page-header">
<div class="blog-header-content">
<a href="/cheatsheets" class="back-link" title="Back to Cheatsheets">
<svg xmlns="http://www.w3.org/2000/svg" width="42" height="42" viewBox="0 0 24 24" class="home-icon"><path fill="currentColor" d="M10 20v-6h4v6h5v-8h3L12 3 2 12h3v8z"/></svg>
</a>
<h1 class="blog-page-title">iptables Cheatsheet</h1>
</div>
</div>
<div class="blog-post-container">
<div class="blog-posts-container" style="max-width: 900px; margin: 0 auto;">
<div class="blog-post">
<div class="blog-post-content">
<p><a href="index.html">← Back to cheatsheets</a></p>
<p><a href="../index.html">← Home</a></p>
<hr>
<p>iptables is the traditional Linux tool for configuring IPv4 packet filtering rules in the kernel's netfilter framework. Rules are organised into tables, each containing chains that are consulted at fixed points on a packet's path through the system.</p>
<hr>
<h2>Basic Commands</h2>
<ul>
<li><code>iptables -L</code> - List all rules in the current table (filter by default)</li>
<li><code>iptables -L -v</code> - List rules with verbose output (packet and byte counters, interfaces)</li>
<li><code>iptables -L -n</code> - List rules with numeric addresses and ports (no DNS lookups)</li>
<li><code>iptables -L -v -n --line-numbers</code> - Full listing with line numbers</li>
<li><code>iptables -S</code> - Show rules in iptables-save format</li>
<li><code>iptables -F</code> - Flush all rules in the table (clear all; chain policies are kept)</li>
<li><code>iptables -X</code> - Delete all user-defined chains</li>
<li><code>iptables -Z</code> - Zero all packet and byte counters</li>
</ul>
<hr>
<h2>Tables</h2>
<ul>
<li>filter - Default table for packet filtering (INPUT, OUTPUT, FORWARD)</li>
<li>nat - Network address translation (PREROUTING, POSTROUTING, OUTPUT)</li>
<li>mangle - Packet alteration (all chains)</li>
<li>raw - Connection tracking exemptions (PREROUTING, OUTPUT)</li>
<li>security - Mandatory Access Control rules, e.g. SELinux (INPUT, OUTPUT, FORWARD)</li>
</ul>
<p>Use <code>-t</code> to specify the table (filter is assumed when -t is omitted):</p>
<ul>
<li><code>iptables -t nat -L</code> - List NAT rules</li>
<li><code>iptables -t mangle -L</code> - List mangle rules</li>
</ul>
<hr>
<h2>Chains</h2>
<h3>Filter Table Chains</h3>
<ul>
<li>INPUT - Incoming packets destined for the local system</li>
<li>OUTPUT - Outgoing packets from the local system</li>
<li>FORWARD - Packets routed through the system</li>
</ul>
<h3>NAT Table Chains</h3>
<ul>
<li>PREROUTING - Alter packets before routing (DNAT)</li>
<li>POSTROUTING - Alter packets after routing (SNAT, MASQUERADE)</li>
<li>OUTPUT - Alter locally-generated packets before routing</li>
</ul>
<hr>
<h2>Adding Rules</h2>
<ul>
<li><code>iptables -A &lt;chain&gt; &lt;rule&gt;</code> - Append rule to the end of the chain</li>
<li><code>iptables -I &lt;chain&gt; &lt;rule&gt;</code> - Insert rule at the beginning (position 1)</li>
<li><code>iptables -I &lt;chain&gt; &lt;num&gt; &lt;rule&gt;</code> - Insert rule at position</li>
<li><code>iptables -R &lt;chain&gt; &lt;num&gt; &lt;rule&gt;</code> - Replace rule at position</li>
<li><code>iptables -D &lt;chain&gt; &lt;rule&gt;</code> - Delete the first rule that matches the specification</li>
<li><code>iptables -D &lt;chain&gt; &lt;num&gt;</code> - Delete rule by number</li>
</ul>
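<p>Added example, not part of the original cheatsheet: shell helpers that make the append and delete commands above idempotent by checking with <code>iptables -C</code> first, so a provisioning script can be re-run without stacking duplicate rules. The <code>IPT</code> variable is an assumption of this example: it defaults to the real <code>iptables</code> binary but can be pointed at a wrapper script for dry runs.</p>

```shell
#!/bin/sh
# Added example (not from the cheatsheet): idempotent rule helpers built on
# iptables -C. IPT is an assumption of this example; it defaults to the
# real iptables binary.
IPT="${IPT:-iptables}"

# ipt_add_once CHAIN RULE... : append RULE to CHAIN only if it is not already
# present. iptables -C exits 0 when an identical rule exists and 1 when it
# does not, so a second run reports "exists" instead of appending a duplicate.
ipt_add_once() {
    if "$IPT" -C "$@" 2>/dev/null; then
        echo "exists: $*"
        return 0
    fi
    "$IPT" -A "$@" && echo "added: $*"
}

# ipt_del_all CHAIN RULE... : delete every copy of RULE from CHAIN.
# iptables -D removes one matching rule per call, so loop until -C reports
# that no copy is left (duplicates are common after repeated -A runs).
ipt_del_all() {
    n=0
    while "$IPT" -C "$@" 2>/dev/null; do
        "$IPT" -D "$@" || return 1
        n=$((n + 1))
    done
    echo "deleted $n copy(ies): $*"
}
```

<p>Usage: <code>ipt_add_once INPUT -p tcp --dport 22 -j ACCEPT</code> twice in a row adds the rule once; <code>ipt_del_all INPUT -p tcp --dport 22 -j ACCEPT</code> then removes every copy, however many times it was appended.</p>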
<hr>
<h2>Rule Matching</h2>
<h3>Interface Matching</h3>
<ul>
<li><code>-i eth0</code> - Match input interface</li>
<li><code>-o eth0</code> - Match output interface</li>
</ul>
<h3>Address Matching</h3>
<ul>
<li><code>-s 192.168.1.0/24</code> - Match source address/network</li>
<li><code>-d 10.0.0.1</code> - Match destination address</li>
<li><code>! -s 192.168.1.100</code> - Negate (match everything except)</li>
</ul>
<h3>Protocol Matching</h3>
<ul>
<li><code>-p tcp</code> - Match TCP protocol</li>
<li><code>-p udp</code> - Match UDP protocol</li>
<li><code>-p icmp</code> - Match ICMP protocol</li>
<li><code>-p all</code> - Match all protocols</li>
</ul>
<h3>Port Matching (requires -p tcp or -p udp)</h3>
<ul>
<li><code>--sport 22</code> - Match source port</li>
<li><code>--dport 80</code> - Match destination port</li>
<li><code>--dport 80:443</code> - Match port range</li>
<li><code>-m multiport --dports 22,80,443</code> - Match multiple ports</li>
</ul>
<hr>
<h2>Targets (Actions)</h2>
<ul>
<li><code>-j ACCEPT</code> - Accept the packet</li>
<li><code>-j DROP</code> - Drop the packet silently</li>
<li><code>-j REJECT</code> - Reject and send an error response</li>
<li><code>-j LOG</code> - Log the packet to the kernel log and continue with the next rule</li>
<li><code>-j RETURN</code> - Return to the calling chain</li>
<li><code>-j SNAT --to-source &lt;ip&gt;</code> - Source NAT</li>
<li><code>-j DNAT --to-destination &lt;ip&gt;</code> - Destination NAT</li>
<li><code>-j MASQUERADE</code> - Dynamic source NAT (for dynamic IPs)</li>
</ul>
<hr>
<h2>Connection Tracking</h2>
<ul>
<li><code>-m state --state NEW</code> - New connections</li>
<li><code>-m state --state ESTABLISHED</code> - Established connections</li>
<li><code>-m state --state RELATED</code> - Related connections (e.g., FTP data)</li>
<li><code>-m state --state INVALID</code> - Invalid packets</li>
<li><code>-m conntrack --ctstate NEW,ESTABLISHED</code> - Modern syntax</li>
</ul>
<hr>
<h2>Common Examples</h2>
<h3>Allow SSH</h3>
<pre><code>iptables -A INPUT -p tcp --dport 22 -j ACCEPT</code></pre>
<h3>Allow Established Connections</h3>
<pre><code>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</code></pre>
<h3>Block IP Address</h3>
<pre><code># -A appends after existing rules; use -I INPUT 1 to place the block ahead of earlier ACCEPT rules
iptables -A INPUT -s 192.168.1.100 -j DROP</code></pre>
<h3>Allow HTTP/HTTPS</h3>
<pre><code>iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT</code></pre>
<h3>Port Forwarding (NAT)</h3>
<pre><code># Needs net.ipv4.ip_forward=1 and a FORWARD rule that accepts the forwarded flow
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.10:80
# Masquerade the forwarded traffic on its way out (restrict with -o eth0 in practice)
iptables -t nat -A POSTROUTING -j MASQUERADE</code></pre>
<h3>Log Dropped Packets</h3>
<pre><code># Rate-limit the LOG rule in production (-m limit --limit 5/min) so a flood cannot fill the kernel log
iptables -A INPUT -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A INPUT -j DROP</code></pre>
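<p>Added example, not part of the original cheatsheet: a small triage script for the kernel log lines that the LOG rule above produces. It reads syslog-style lines on stdin, keeps those carrying the "IPTables-Dropped: " prefix, and counts drops per source address, protocol and destination port, most frequent first. The log lines embedded in it are constructed samples, not real traffic.</p>

```shell
#!/bin/sh
# Added example (not from the cheatsheet): summarize packets dropped by the
# LOG rule. The prefix is the one the cheatsheet's LOG rule sets.
LOG_PREFIX="IPTables-Dropped: "

# summarize_drops: read log lines on stdin and print "count src proto dpt",
# most frequent first. Fields come from the kernel's SRC=, PROTO= and DPT=
# tokens; packets without a port (e.g. ICMP) show "-" as the port.
summarize_drops() {
    grep -F "$LOG_PREFIX" | awk '
    {
        src = ""; proto = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample lines (not real log data): one source probing telnet
# twice, an SNMP probe, an ICMP echo, and an unrelated sshd line that the
# prefix filter must ignore.
SAMPLE_LOG='Jan 12 10:15:01 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=23 SYN
Jan 12 10:15:02 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=23 SYN
Jan 12 10:15:03 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=UDP SPT=4000 DPT=161
Jan 12 10:15:04 gw kernel: IPTables-Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Jan 12 10:15:05 gw sshd[1234]: Accepted publickey for ops from 192.0.2.20'

# Usage on a live host: journalctl -k | summarize_drops
# Running this file as-is summarizes the constructed sample instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

<p>On the sample the first line of output is <code>2 203.0.113.5 TCP 23</code>: the noisiest source and the port it is probing, which is the first thing to look at when a LOG rule starts filling the journal.</p>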
<h3>Basic Firewall Setup</h3>
<pre><code># Allow loopback
iptables -A INPUT -i lo -j ACCEPT

# Allow established
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Default policies (set last, after the allow rules, so an active SSH session is not cut off)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT</code></pre>
<hr>
<h2>Saving and Restoring</h2>
<ul>
<li><code>iptables-save &gt; /etc/iptables.rules</code> - Save rules to file</li>
<li><code>iptables-restore &lt; /etc/iptables.rules</code> - Restore rules from file</li>
<li><code>netfilter-persistent save</code> - Save rules (Debian/Ubuntu)</li>
<li><code>service iptables save</code> - Save rules (RHEL/CentOS)</li>
</ul>
<hr>
<h2>Default Policies</h2>
<ul>
<li><code>iptables -P INPUT DROP</code> - Set default INPUT policy to DROP</li>
<li><code>iptables -P OUTPUT ACCEPT</code> - Set default OUTPUT policy to ACCEPT</li>
<li><code>iptables -P FORWARD DROP</code> - Set default FORWARD policy to DROP</li>
</ul>
<hr>
<h2>Rate Limiting</h2>
<pre><code># Limit new SSH connections to 3 per minute (burst of 3). Match only NEW connections:
# without --ctstate NEW the limit would also throttle packets of already established sessions,
# unless an ESTABLISHED,RELATED accept rule sits above this one
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP</code></pre>
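<p>Added example, not part of the original cheatsheet: the firewall from "Basic Firewall Setup" written as an iptables-restore file and applied atomically, which is the cleanest answer to the ordering and lockout problems the Tips section describes. Policies are declared in the file header and iptables-restore installs the whole table in one step, so there is no moment where the DROP policy is active without the loopback and ESTABLISHED rules. The ruleset also carries the rate-limited SSH rule from the section above and a rate-limited LOG rule. SSH_PORT, WEB_PORTS, ROLLBACK_SECS, the file paths under /run and the confirm step are assumptions of this example, not anything the cheatsheet defines.</p>

```shell
#!/bin/sh
# Added example (not from the cheatsheet). Assumed parameters:
SSH_PORT="${SSH_PORT:-22}"             # port the SSH daemon listens on
WEB_PORTS="${WEB_PORTS:-80,443}"       # multiport list for the web server
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"   # grace period before automatic rollback
NEW_RULES="${NEW_RULES:-/run/iptables.new}"
BACKUP="${BACKUP:-/run/iptables.rollback}"

# gen_ruleset: print the filter table in iptables-save format. iptables-restore
# loads the policies and rules together, so the DROP policy never takes effect
# before the loopback and ESTABLISHED rules exist.
gen_ruleset() {
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
        "-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT" \
        "-A INPUT -p tcp -m multiport --dports ${WEB_PORTS} -j ACCEPT" \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4' \
        'COMMIT'
}

# apply_ruleset: parse-check the file with --test, back up the live rules,
# load the new table atomically, then arm a rollback timer that
# confirm_ruleset cancels. If the admin's session dies because of a mistake,
# the previous rules come back on their own after ROLLBACK_SECS.
apply_ruleset() {
    gen_ruleset > "$NEW_RULES"
    iptables-restore --test "$NEW_RULES" || { echo "ruleset rejected by iptables-restore" >&2; return 1; }
    iptables-save > "$BACKUP"
    iptables-restore "$NEW_RULES"
    # trap '' HUP keeps the timer alive if the terminal that started it goes away
    ( trap '' HUP; sleep "$ROLLBACK_SECS"; [ -f "$BACKUP" ] && iptables-restore "$BACKUP" ) &
    echo "applied; run confirm_ruleset within ${ROLLBACK_SECS}s to keep it"
}

# confirm_ruleset: run from a fresh session that works under the new rules.
confirm_ruleset() {
    rm -f "$BACKUP" && echo "ruleset kept"
}
```

<p>Usage: source the file as root, run <code>apply_ruleset</code>, open a new SSH session to prove the rules let you in, then run <code>confirm_ruleset</code>; if the new session fails, do nothing and the backup is restored when the timer fires. <code>gen_ruleset</code> on its own prints the file, which is handy for review or for feeding into <code>iptables-restore --test</code> in CI.</p>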
<hr>
<h2>IPv6</h2>
<ul>
<li><code>ip6tables</code> - IPv6 version of iptables (separate rule set; IPv4 rules do not apply to IPv6 traffic)</li>
<li><code>ip6tables -L</code> - List IPv6 rules</li>
<li><code>ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT</code> - Allow SSH over IPv6</li>
</ul>
<hr>
<h2>Tips</h2>
<ul>
<li>Always allow the loopback interface first</li>
<li>Allow established/related connections before specific rules</li>
<li>Set default policies after adding allow rules to avoid lockout</li>
<li>Use the -n flag for faster output (skips DNS lookups)</li>
<li>Use -C (check) to test whether a rule already exists before adding it; it exits 0 when the rule is present</li>
<li>Use iptables-save to back up before making changes</li>
<li>Consider migrating to nftables - it's the modern replacement</li>
<li>Use --line-numbers when deleting rules by number</li>
<li>Log before dropping to debug connectivity issues</li>
<li>Be careful with -F when the default policy is DROP (lockout risk: flushing removes the allow rules but keeps the policy)</li>
</ul>
<hr>
<p><a href="index.html">← Back to cheatsheets</a></p>
<p><a href="../index.html">← Home</a></p>
</div>
</div>
</div>
</div>
<script async type="text/javascript" src="../blog/analytics.js"></script>
<script src="../theme.js"></script>
</body>
</html>