The following are commonly used iptables commands and examples; 100 are listed here:
- Flush the rules in all chains and delete custom chains
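# Flush every rule in the built-in chains, then delete all user-defined chains.
# The page had both commands on one line; as a single command,
# "iptables -F iptables -X" tries to flush a chain called "iptables" and fails.
# Without -t only the filter table is touched, and -F does NOT reset the
# default policies: if INPUT is already DROP, flushing removes the ACCEPT
# rules and a remote session is cut off.
iptables -F   # flush all rules in the filter table
iptables -X   # delete all (now empty) user-defined chains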
- Set the default policies
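# Default policies for the filter table (three commands split from one line).
# Set INPUT to DROP last, after the loopback and ESTABLISHED,RELATED ACCEPT
# rules exist; doing it first on a remote session drops the session's own
# packets. FORWARD ACCEPT is permissive once IP forwarding is enabled;
# a host that does not route should use DROP there as well.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT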
- Allow traffic on the loopback interface
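# Accept all loopback traffic (two commands split from one line).
# Many local services talk over 127.0.0.1, so these rules must be in place
# before the INPUT policy is switched to DROP.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT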
- Allow already established and associated connections to pass through
# Accept replies and related packets of connections that conntrack already
# tracks. Placed near the top of INPUT, it means the per-service rules
# below only ever have to deal with NEW connection attempts.
iptables --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
- Allow access from specified IP addresses or network segments
# Accept everything whose source address lies in 192.168.1.0/24.
# A source address is attacker-controlled on the wire, so on its own this is
# a weak control; combine it with protocol/port restrictions where possible.
iptables --append INPUT --source 192.168.1.0/24 --jump ACCEPT
- Allow access to specified ports
# Open TCP port 80 to every source (--dport comes from the implicit tcp match).
iptables --append INPUT --protocol tcp --dport 80 --jump ACCEPT
- Allow access to the specified protocol
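# Per-protocol ACCEPT rules (three commands split from one line; as printed,
# the first '#' turned the DNS and SSH rules into a comment so they never ran).
iptables -A INPUT -p icmp -j ACCEPT             # all ICMP (ping, errors, ...)
iptables -A INPUT -p udp --dport 53 -j ACCEPT   # DNS queries to this host
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # SSH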
- Prohibit access from specified IP addresses or network segments
# Silently discard every packet from 192.168.1.0/24. Rules are evaluated in
# order, so an earlier ACCEPT covering the same range would still win.
iptables --append INPUT --source 192.168.1.0/24 --jump DROP
- Allow access from specified MAC addresses
# Accept frames from one source MAC. This only works on the directly attached
# segment (MAC addresses do not survive routing) and is trivially spoofed, so
# treat it as a convenience filter rather than authentication. The mac match
# is only valid in the PREROUTING, FORWARD and INPUT chains.
iptables --append INPUT --match mac --mac-source 00:11:22:33:44:55 --jump ACCEPT
- Allow traffic on the specified network interface
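# Accept all traffic arriving on, and leaving through, eth0 (two commands
# split from one line; as one command the second "iptables" is parsed as a
# chain name and the call fails). Accepting everything on an interface
# bypasses every later per-service rule for that interface.
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT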
- Allow access to specified users (need to cooperate with sudoers file)
# Accept locally generated packets whose socket belongs to the www-data user.
# The owner match keys on the UID of the sending process, so it has nothing
# to do with sudoers; it is only valid in the OUTPUT and POSTROUTING chains.
iptables --append OUTPUT --match owner --uid-owner www-data --jump ACCEPT
- Allow forwarding of packets with the specified headers
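# Forwarding rules (two commands split from one line).
# The first rule matches only TCP SYN packets, so the remaining packets of
# each connection still need an ESTABLISHED,RELATED rule in FORWARD.
iptables -A FORWARD -p tcp --syn -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -p udp -d 192.168.2.0/24 -j ACCEPT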
- Deny access to the specified port
# Refuse inbound SMTP. Unlike DROP, REJECT answers with an ICMP error
# (icmp-port-unreachable by default), so the client fails immediately
# instead of waiting for a timeout.
iptables --append INPUT --protocol tcp --dport 25 --jump REJECT
- Deny access from specified IP addresses or network segments
# Drop all packets sourced from 192.168.1.0/24 without any reply.
# Identical to the "prohibit" example above; only one of them is needed.
iptables --append INPUT --source 192.168.1.0/24 --jump DROP
- Rate limiting
# Accept at most 10 echo requests per second (burst of 5 by default).
# The limit match counts globally, not per source, and packets above the
# limit are not dropped here: they fall through to the following rules
# or the chain policy.
iptables --append INPUT --protocol icmp --icmp-type echo-request \
  --match limit --limit 10/sec --jump ACCEPT
- Add the rules in the script to iptables
# Run a script containing iptables commands. The rules take effect at once
# but live only in the running kernel; save them with iptables-save (and
# load them again with iptables-restore) if they must survive a reboot.
bash -- script.sh
- View current rules
# List the rules of every chain in the filter table; other tables need
# --table (e.g. --table nat). Without --numeric the output includes reverse
# DNS lookups, which can make the listing slow.
iptables --list
- View the rules of the specified rule chain
# List only the INPUT chain of the filter table.
iptables --list INPUT
- View the detailed rules of the specified rule chain
# Verbose listing of INPUT: adds packet/byte counters and interface names.
# --numeric and --line-numbers are useful companions when troubleshooting.
iptables --list INPUT --verbose
- Display the rules in the format used when adding them
# Print the rules as iptables command arguments (one "-A ..." line each),
# which is easier to diff and re-apply than the tabular --list output.
iptables --list-rules
- Allow packets with the specified MAC address to pass
# Same rule as the MAC example above: accept frames from one source MAC.
# The address is trivially forged and is only visible on the local segment.
iptables --append INPUT --match mac --mac-source 00:11:22:33:44:55 --jump ACCEPT
- Deny all TCP packets except SYN packets
# Drop TCP packets that would start a NEW connection without the SYN flag,
# e.g. stray ACK/FIN probes or packets for a connection conntrack has
# already forgotten. A legitimate connection always begins with a SYN.
iptables --append INPUT --protocol tcp ! --syn --match state --state NEW --jump DROP
- Restrict SSH access from IP addresses or network segments
# Accept SSH only from 192.168.1.0/24. The service name "ssh" is resolved
# via /etc/services when the rule is added and stored as the numeric port.
iptables --append INPUT --protocol tcp --source 192.168.1.0/24 --dport ssh --jump ACCEPT
- Allow the ICMP protocol packets of the specified IP address or network segment to pass through
# Accept every ICMP type, but only from 192.168.1.0/24.
iptables --append INPUT --protocol icmp --source 192.168.1.0/24 --jump ACCEPT
- Allow access to the specified port from the specified IP address or network segment
# Accept TCP port 80 only when the source is in 192.168.1.0/24.
iptables --append INPUT --protocol tcp --source 192.168.1.0/24 --dport 80 --jump ACCEPT
- Allow UDP packets from the specified port and IP address or network segment to pass
# Accept UDP packets with source port 53 (typically DNS answers) from
# 192.168.1.0/24. Anyone in that range can send from port 53, so with an
# ESTABLISHED,RELATED rule in place this rule is both unnecessary and looser.
iptables --append INPUT --protocol udp --source 192.168.1.0/24 --sport 53 --jump ACCEPT
- Allow traffic from the specified IP address or network segment on established connections
# Accept packets belonging to an already established connection, but only
# when they come from 192.168.1.0/24 (RELATED is deliberately not included).
iptables --append INPUT --source 192.168.1.0/24 --match conntrack --ctstate ESTABLISHED --jump ACCEPT
- Set up SNAT load balancing
# Despite the heading this is DNAT, not SNAT: every second packet
# (--every 2, starting at --packet 0) gets its destination rewritten to
# 192.168.1.2:80. The other half falls through, so a second rule with
# --packet 1 and the other backend is required for real balancing, and
# without --protocol tcp --dport 80 the rule rewrites all traffic
# that traverses PREROUTING.
iptables --table nat --append PREROUTING \
  --match statistic --mode nth --every 2 --packet 0 \
  --jump DNAT --to-destination 192.168.1.2:80
- Allow access to the external network through an HTTP proxy server
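# Transparent HTTP proxy (three commands split from one line).
# PREROUTING only sees traffic entering from another host, so port-80
# requests passing through this box are redirected to local port 8080
# (--to-port is accepted as an abbreviation of --to-ports); the other two
# rules let the proxy's own socket traffic through. Every host that can
# reach this machine can use the proxy unless the REDIRECT rule is
# restricted with -s / -i.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT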
- Forward HTTP requests to the internal web server
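# Port-forward inbound HTTP to 192.168.1.2 (two commands split from one line).
# DNAT rewrites the destination in PREROUTING, so the FORWARD rule has to
# match the rewritten address (-d 192.168.1.2), which it does. This needs
# net.ipv4.ip_forward=1, and the server's replies must route back through
# this host (otherwise add SNAT/MASQUERADE in POSTROUTING).
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.1.2:80
iptables -A FORWARD -p tcp -m tcp --dport 80 -d 192.168.1.2 -j ACCEPT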
- Deny specific IP address traffic
# Drop all packets from the single host 192.168.1.10 (a bare address is /32).
iptables --append INPUT --source 192.168.1.10 --jump DROP
- Deny access to specific TCP ports
# Drop all inbound SSH (TCP 22). Make sure an ACCEPT for the administrator's
# address precedes this rule, or the host becomes unreachable over SSH.
iptables --append INPUT --protocol tcp --dport 22 --jump DROP
- Allow specific services from specific IP addresses
# Accept HTTP (TCP 80) only from the host 192.168.1.10.
iptables --append INPUT --protocol tcp --source 192.168.1.10 --dport 80 --jump ACCEPT
- Only allow SSH access from specific IP addresses
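# Allow SSH only from 192.168.1.10 (two commands split from one line).
# Order matters: the ACCEPT for the trusted host must come before the
# catch-all DROP. -A appends, so running the commands in this order works
# unless the chain already contains a broader SSH ACCEPT higher up.
iptables -A INPUT -p tcp --dport ssh -s 192.168.1.10 -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j DROP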
- Allow access to specified range of ports
# Accept TCP on every unprivileged port (1024-65535). This is a very wide
# opening; prefer listing the specific service ports that are actually needed.
iptables --append INPUT --protocol tcp --dport 1024:65535 --jump ACCEPT
- Prohibit external network IP from accessing internal network (local) server
# Insert at the top of INPUT: drop anything arriving on eth0 whose source is
# outside 192.168.0.0/24. "192.168.0/24" works because iptables fills in the
# missing octet, but the explicit four-octet form is clearer. Inserting
# rather than appending makes this rule win over any ACCEPT already present.
iptables --insert INPUT --in-interface eth0 ! --source 192.168.0/24 --jump DROP
- Use this host as a NAT gateway
# Source-NAT packets from 192.168.1.0/24 that leave through eth0 to eth0's
# current address. MASQUERADE re-reads the interface address for every
# connection, which suits dynamic addresses; with a fixed address SNAT
# --to-source is cheaper. Forwarding also needs net.ipv4.ip_forward=1 and
# FORWARD rules/policy that permit the traffic.
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --out-interface eth0 --jump MASQUERADE
- Enable X11 forwarding for SSH
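# Accept raw X11 (TCP 6000) on eth0 (two commands split from one line).
# SSH X11 forwarding is tunnelled inside the SSH connection and does not
# need port 6000 open at all; these rules expose an unencrypted X server to
# the network, so apply them only if X11 over TCP is really required, and
# then restrict the INPUT rule with -s to the client addresses.
iptables -A INPUT -i eth0 -p tcp --dport 6000 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 6000 -m state --state ESTABLISHED -j ACCEPT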
- Prevent SYN flood attacks
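# SYN rate limiting through a dedicated chain (four commands split from one line).
# Every TCP SYN is sent to syn_flood; a burst of 3 and then 1 per second are
# RETURNed to INPUT for normal evaluation, everything above that is dropped.
# Caveats: -N fails if syn_flood already exists (re-running the script), the
# limit match counts globally so one noisy source throttles everyone
# (-m hashlimit can limit per source address), and 1/s is very low for a
# busy service.
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP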
- Limit the number of connections from the same IP within a specified time
# Drop new HTTP connections once more than 20 are open from the same /24
# (--connlimit-mask 24 groups sources by their first 24 bits; use 32 to
# count per host). Clients behind a shared NAT reach this limit sooner
# than individual hosts.
iptables --append INPUT --protocol tcp --dport 80 \
  --match connlimit --connlimit-above 20 --connlimit-mask 24 --jump DROP
- Allow ping (ICMP echo) reachability tests
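# Let this host be pinged (two commands split from one line): accept echo
# requests in and echo replies out. The OUTPUT rule only matters when the
# OUTPUT policy is DROP. Consider pairing the INPUT rule with -m limit.
iptables -A INPUT -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED -j ACCEPT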
- Enable IP forwarding
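# Turn the host into a NAT router (three commands split from one line; as
# printed, the first '#' commented out the echo and the iptables rule).
# The sysctl and the echo set the same kernel flag -- one of them is enough --
# and neither survives a reboot; persist it in /etc/sysctl.conf or
# /etc/sysctl.d. The MASQUERADE rule has no -s, so every forwarded packet
# leaving eth0 is NATed.
sysctl -w net.ipv4.ip_forward=1                        # enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward                 # same setting via procfs
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE   # NAT everything leaving eth0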
- Allow traffic forwarding
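# Route between eth1 and eth0 (three commands split from one line; as
# printed, the inline '#' comments swallowed both iptables rules).
# The FORWARD rules only take effect when the FORWARD policy is DROP;
# with the ACCEPT policy set earlier on this page they are redundant.
echo 1 > /proc/sys/net/ipv4/ip_forward   # enable IP forwarding (not persistent)
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT                                    # eth1 -> eth0, new connections
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT  # replies eth0 -> eth1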