Iptables/Ip6tables - administration tool for IPv4/IPv6 packet filtering and NAT
Author: Rusty Russell
Developer(s): Netfilter Core Team
Original release: 1998
Tables:
- Filter Table: Used for normal filtering of traffic based on the rules defined by the user; it is the default table when -t is not given
- NAT Table: Used for Network Address Translation. This table contains the rules related to NAT (SNAT, DNAT, MASQUERADE) and is consulted only for the first packet of a connection; later packets of the same connection get the same translation from conntrack
- Mangle Table: Rules in this table modify packets based on user-given criteria. The user can change the TTL, the TCP MSS, the Type of Service (ToS) field (e.g. which traffic should be given priority), packet marks, etc.
- Raw Table: Primarily used to add rules that exempt packets from connection tracking (the NOTRACK target); it is consulted before conntrack runs
- Security Table: Used for mandatory access control networking rules, such as those enforced by SELinux through the SECMARK and CONNSECMARK targets
Chains:
- PREROUTING Chain: Holds rules whose actions are taken before the kernel makes a routing decision, i.e. as soon as the packet arrives (present in the nat, mangle and raw tables)
- INPUT Chain: Holds rules applied to packets destined for the server itself (filter, nat, mangle and security tables)
- OUTPUT Chain: Holds rules applied to packets generated by the server (all tables)
- FORWARD Chain: Holds rules applied to packets routed through the server to another host (filter, mangle and security tables)
- POSTROUTING Chain: Holds rules whose actions are taken after the routing decision, just before the packet leaves (nat and mangle tables)
Targets:
- ACCEPT: let the packet through
- DROP: discard the packet silently, sending nothing back to the sender
- REJECT: discard the packet and send an error back (ICMP port unreachable by default; --reject-with selects another, e.g. tcp-reset)
- LOG: write the packet headers to the kernel log (dmesg/syslog) and continue with the next rule; it is a non-terminating target, so a DROP or REJECT still has to follow
- QUEUE: pass the packet to a userspace program; the older form of NFQUEUE
- RETURN: stop traversing the current chain and resume in the chain that called it; in a built-in chain the chain policy applies instead
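As an added example (not part of these notes, and not the netfilter project's own code), here are the tables, chains and targets above combined in one ruleset for a small gateway, written in iptables-restore format so that the whole set is loaded atomically. Interface names, the LAN prefix and the function names gen_gateway_ruleset and lint_ruleset are placeholders chosen here; the LAN-FWD chain blocks outbound SMTP from the LAN by handing those packets back to FORWARD, where the DROP policy ends them.

```shell
#!/bin/sh
# Added example, not from the original notes. Builds a gateway ruleset that uses
# the filter and nat tables, built-in and user-defined chains, and the ACCEPT,
# DROP, LOG and RETURN targets, in iptables-restore format. Loading a file this
# way is atomic: if any line is rejected, nothing is committed, unlike a script
# of separate iptables -A commands that can stop half-way through.
# $wan, $lan and $net are placeholders supplied by the caller.

gen_gateway_ruleset() {
  wan=$1   # upstream interface, e.g. eth0
  lan=$2   # LAN interface, e.g. eth1
  net=$3   # LAN prefix, e.g. 192.168.10.0/24
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# source NAT is applied after the routing decision, hence POSTROUTING
-A POSTROUTING -s $net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LAN-FWD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $lan -o $wan -s $net -m conntrack --ctstate NEW -j LAN-FWD
# LOG is non-terminating: the packet continues to the chain policy (DROP)
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "fwd-drop: "
# user-defined chain: RETURN hands the packet back to FORWARD, where it meets the policy
-A LAN-FWD -p tcp --dport 25 -j RETURN
-A LAN-FWD -j ACCEPT
COMMIT
EOF
}

# lint_ruleset: read a restore-format ruleset on stdin; fail if a table block
# lacks its COMMIT or the filter INPUT/FORWARD policies are not DROP.
lint_ruleset() {
  awk '
    /^\*/ { if (table != "" && !committed) bad++; table = substr($0, 2); committed = 0 }
    /^COMMIT$/ { committed = 1 }
    table == "filter" && /^:(INPUT|FORWARD) / && $2 != "DROP" { bad++ }
    END { if (table != "" && !committed) bad++; if (bad) exit 1 }
  '
}

# Generate, check, then load atomically. iptables-restore --test (where the
# installed version supports it) parses the file without committing it.
# Usage (as root): sh gateway.sh eth0 eth1 192.168.10.0/24
if [ $# -eq 3 ]; then
  rules=${RULES_FILE:-/etc/iptables.gateway.rules}   # root-owned path, not /tmp
  gen_gateway_ruleset "$1" "$2" "$3" > "$rules"
  lint_ruleset < "$rules" || { echo "ruleset rejected" >&2; exit 1; }
  iptables-restore --test < "$rules" && iptables-restore < "$rules"
fi
```

The nat block comes first only for readability; iptables-restore commits each table at its COMMIT line, and the filter policies are part of the same load, so there is no window in which the gateway forwards unfiltered traffic.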
iptables -[ACD] chain rule-specification [options]
iptables -I chain [rulenum] rule-specification [options]
iptables -R chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
iptables -[LS] [chain [rulenum]] [options]
iptables -[FZ] [chain] [options]
iptables -[NX] chain
iptables -E old-chain-name new-chain-name
iptables -P chain target [options]
iptables -h (print this help information)
Commands:
Either long or short options are allowed.
--append -A chain  Append to chain
--check -C chain  Check for the existence of a rule (exit status 0 if it exists, 1 if not; use it before -A to avoid duplicate rules)
--delete -D chain  Delete matching rule from chain
--delete -D chain rulenum  Delete rule rulenum (1 = first) from chain (the rules after it move up by one)
--insert -I chain [rulenum]  Insert in chain as rulenum (default 1=first)
--replace -R chain rulenum  Replace rule rulenum (1 = first) in chain
--list -L [chain [rulenum]]  List the rules in a chain or all chains
--list-rules -S [chain [rulenum]]  Print the rules in a chain or all chains in iptables-save syntax, so the output can be fed back to iptables
--flush -F [chain]  Delete all rules in chain or all chains (the chain policy is kept)
--zero -Z [chain [rulenum]]  Zero counters in chain or all chains
--new -N chain  Create a new user-defined chain
--delete-chain -X [chain]  Delete a user-defined chain (it must be empty and not referenced by any rule; with no chain given, delete every user-defined chain)
--policy -P chain target  Change policy on chain to target (built-in chains only)
--rename-chain -E old-chain new-chain  Change chain name, (moving any references)
Options:
--ipv4 -4  No effect in iptables; a rule line carrying it is ignored by ip6tables-restore
--ipv6 -6  Error in iptables; a rule line carrying it is ignored by iptables-restore
[!] --protocol -p proto  protocol: by number or name, eg. `tcp'
[!] --source -s address[/mask][...]  source specification (give IP addresses, not hostnames: a name is resolved once, when the rule is added, and a rule that depends on a DNS answer is unreliable)
[!] --destination -d address[/mask][...]  destination specification
[!] --in-interface -i input name[+]  network interface name ([+] for wildcard)
--jump -j target  target for rule (may load target extension)
--goto -g chain  jump to chain with no return
--match -m match  extended match (may load extension)
--numeric -n  numeric output of addresses and ports (no reverse DNS or service-name lookups while listing)
[!] --out-interface -o output name[+]  network interface name ([+] for wildcard)
--table -t table  table to manipulate (default: `filter')
--verbose -v  verbose mode
--wait -w [seconds]  maximum wait to acquire the xtables lock before giving up (without it a second concurrent iptables invocation fails immediately with "Another app is currently holding the xtables lock")
--wait-interval -W [usecs]  wait time to try to acquire xtables lock; default is 1 second
--line-numbers  print line numbers when listing
--exact -x  expand numbers (display exact values)
[!] --fragment -f  match second or further fragments only
--modprobe=<command>  try to insert modules using this command
--set-counters PKTS BYTES  set the counter during insert/append
--version -V  print package version
Configuration file (Red Hat family with the iptables-services package; Debian/Ubuntu with iptables-persistent use /etc/iptables/rules.v4 instead)
sudo vi /etc/sysconfig/iptables
sudo service iptables status
sudo service iptables start
sudo service iptables stop
sudo service iptables status
Rules added with the iptables command exist only in the running kernel; persist them with sudo service iptables save (or sudo iptables-save > /etc/sysconfig/iptables), otherwise they are gone after a stop/start or a reboot.
List all rules: sudo iptables -L (or sudo iptables --list)
List one chain: iptables -L INPUT (or iptables -L OUTPUT)
List with line numbers and numeric addresses/ports (no DNS or service-name lookups, so the listing cannot hang on a slow resolver): iptables -L --line-numbers --numeric
Delete a rule by line number (the rules below it move up by one, so re-check the numbers before deleting another): iptables --delete INPUT 2
Create new chains: iptables --new MOHAN-INPUT and iptables --new MOHAN-OUTPUT
Check whether a rule already exists (exit status 0 if it does, 1 if not): iptables -t filter -C INPUT -p tcp --dport 80 -j DROP
Delete a chain (it must be empty and not referenced by any rule): iptables -X MOHAN-INPUT and iptables -X MOHAN-OUTPUT
Insert a rule at a given position (-m conntrack --ctstate is the current form of -m state --state; both are accepted): iptables -t filter -I INPUT 2 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
Replace the rule at a given position: iptables -t filter -R INPUT 2 -p tcp --dport 25 -j ACCEPT
Flush all rules in the filter table (only the default table; chain policies are not changed, so if INPUT has policy DROP set it to ACCEPT first or the flush locks you out): iptables -F
Rename a chain: iptables -E MOHAN-INPUT M-INPUT
The same rule in long-option and short-option form (the source must be identical in both; a /24 mask on the short form would turn a single-host match into a whole-subnet match):
iptables --table filter --append INPUT --in-interface eno16777736 --protocol tcp --source 172.20.10.3 --dport 22 -m state --state NEW,ESTABLISHED --jump ACCEPT
iptables -t filter -A INPUT -i eno16777736 -p tcp -s 172.20.10.3 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
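The check, append, new-chain, policy and flush commands from the examples above, driven from a script, as an added example that is not part of the original notes or of the iptables project. The interface name, admin address and ADMIN-INPUT chain are placeholders in the style of the notes' examples, and ensure_rule, reset_filter, install_baseline and ipt are names chosen here. Two safeguards are built in: -C runs before every -A so the script can be re-run without creating duplicate rules, and the chain policies are set to ACCEPT before -F so a reset cannot cut off the SSH session running it.

```shell
#!/bin/sh
# Added example, not from the original notes. Idempotent host-firewall script
# built from the iptables commands listed above. Interface and admin address are
# placeholders passed in by the caller; DRY_RUN=1 prints the commands instead of
# running them.

# ipt: run iptables, or print the command in dry-run mode
ipt() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# ensure_rule TABLE CHAIN RULE-SPEC...: append the rule only if -C reports it absent
ensure_rule() {
  table=$1; chain=$2; shift 2
  if [ "${DRY_RUN:-0}" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
    return 0                   # already present: a second -A would create a duplicate
  fi
  ipt -t "$table" -A "$chain" "$@"
}

# reset_filter: order matters. -F removes rules but keeps each chain's policy, so
# flushing while INPUT has policy DROP drops every packet, your SSH included.
reset_filter() {
  for chain in INPUT FORWARD OUTPUT; do ipt -P "$chain" ACCEPT; done
  ipt -F
  ipt -X                       # user chains must be empty and unreferenced by now
}

# install_baseline IFACE ADMIN_SRC: admit SSH only from ADMIN_SRC, drop the rest.
# The DROP policy is set last, after the ESTABLISHED rule exists, so the session
# running this script keeps working. -m conntrack --ctstate is the current form
# of the notes' -m state --state.
install_baseline() {
  iface=$1; admin=$2
  ipt -N ADMIN-INPUT 2>/dev/null || true      # -N fails if the chain already exists
  ensure_rule filter INPUT -i lo -j ACCEPT
  ensure_rule filter INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ensure_rule filter INPUT -m conntrack --ctstate INVALID -j DROP
  ensure_rule filter INPUT -i "$iface" -p tcp --dport 22 -s "$admin" -j ADMIN-INPUT
  ensure_rule filter ADMIN-INPUT -m conntrack --ctstate NEW -m limit --limit 6/min -j LOG --log-prefix "ssh-new: "
  ensure_rule filter ADMIN-INPUT -j ACCEPT
  # last rule before the policy: log (rate limited) what is about to be dropped
  ensure_rule filter INPUT -m limit --limit 3/min -j LOG --log-prefix "input-drop: "
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
}

# Dry run:   DRY_RUN=1 sh firewall.sh eno16777736 172.20.10.3
# For real:  sh firewall.sh eno16777736 172.20.10.3      (as root)
if [ $# -eq 2 ]; then
  install_baseline "$1" "$2"
fi
```

Running the script twice is harmless: every rule is probed with -C first, so the second run only re-applies the policies. The OUTPUT policy is left at ACCEPT; tightening it is a separate decision because it also affects the host's own DNS, NTP and package-update traffic.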