{"id":127,"date":"2018-07-25T14:37:37","date_gmt":"2018-07-25T10:37:37","guid":{"rendered":"http:\/\/kidds.co.za\/?p=127"},"modified":"2018-07-25T14:41:37","modified_gmt":"2018-07-25T10:41:37","slug":"iptables","status":"publish","type":"post","link":"https:\/\/kidds.co.za\/index.php\/2018\/07\/25\/iptables\/","title":{"rendered":"Iptables the easy to understand"},"content":{"rendered":"<p><a href=\"https:\/\/www.cyberciti.biz\/tips\/linux-iptables-examples.html\">Original Article cyberciti.biz<\/a><\/p>\n<h2>1. Displaying the Status of Your Firewall<\/h2>\n<p>Type the following command as root:<br \/>\n<code># iptables -L -n -v<\/code><br \/>\nSample outputs:<\/p>\n<pre>Chain INPUT (policy ACCEPT 0 packets, 0 bytes)\r\n pkts bytes target     prot opt in     out     source               destination\r\n\r\nChain FORWARD (policy ACCEPT 0 packets, 0 bytes)\r\n pkts bytes target     prot opt in     out     source               destination\r\n\r\nChain OUTPUT (policy ACCEPT 0 packets, 0 bytes)\r\n pkts bytes target     prot opt in     out     source               destination\r\n<\/pre>\n<p>Above output indicates that the firewall is not active. The following sample shows an active firewall:<br \/>\n<code># iptables -L -n -v<\/code><br \/>\nSample outputs:<\/p>\n<pre>Chain INPUT (policy DROP 0 packets, 0 bytes)\r\n pkts bytes target     prot opt in     out     source               destination\r\n    0     0 DROP       all  --  *      *       0.0.0.0\/0            0.0.0.0\/0           state INVALID\r\n  394 43586 ACCEPT     all  --  *      *       0.0.0.0\/0            0.0.0.0\/0           state RELATED,ESTABLISHED\r\n   93 17292 ACCEPT     all  --  br0    *       0.0.0.0\/0            0.0.0.0\/0\r\n    1   142 ACCEPT     all  --  lo     *       0.0.0.0\/0            0.0.0.0\/0\r\n\r\nChain FORWARD (policy DROP 0 packets, 0 bytes)\r\n pkts bytes target     prot opt in     out     source               destination\r\n    0     0 ACCEPT     all  --  br0    br0     0.0.0.0\/0            0.0.0.0\/0\r\n    0     0 DROP       all  --  *      *       0.0.0.0\/0            0.0.0.0\/0           state INVALID\r\n    0     0 TCPMSS     tcp  --  *      *       0.0.0.0\/0            0.0.0.0\/0           tcp flags:0x06\/0x02 TCPMSS clamp to PMTU\r\n    0     0 ACCEPT     all  --  *      *       0.0.0.0\/0            0.0.0.0\/0           state RELATED,ESTABLISHED\r\n    0     0 wanin      all  --  vlan2  *       0.0.0.0\/0            0.0.0.0\/0\r\n    0     0 wanout     all  --  *      vlan2   0.0.0.0\/0            0.0.0.0\/0\r\n    0     0 ACCEPT     all  --  br0    *       0.0.0.0\/0            0.0.0.0\/0\r\n\r\nChain OUTPUT (policy ACCEPT 425 packets, 113K bytes)\r\n pkts bytes target     prot opt in     out     source               destination\r\n\r\nChain wanin (1 references)\r\n pkts bytes target     prot opt in     out     source               destination\r\n\r\nChain wanout (1 references)\r\n pkts bytes target     prot opt in     out     source               destination\r\n<\/pre>\n<p>Where,<\/p>\n<ul>\n<li><strong>-L<\/strong> : List rules.<\/li>\n<li><strong>-v<\/strong> : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix \u2018K\u2019, \u2018M\u2019 or \u2018G\u2019 for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.<\/li>\n<li><strong>-n<\/strong> : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.<\/li>\n<\/ul>\n<h3>1.1. To inspect firewall with line numbers, enter:<\/h3>\n<p><code># iptables -n -L -v --line-numbers<\/code><br \/>\nSample outputs:<\/p>\n<pre>Chain INPUT (policy DROP)\r\nnum  target     prot opt source               destination\r\n1    DROP       all  --  0.0.0.0\/0            0.0.0.0\/0           state INVALID\r\n2    ACCEPT     all  --  0.0.0.0\/0            0.0.0.0\/0           state RELATED,ESTABLISHED\r\n3    ACCEPT     all  --  0.0.0.0\/0            0.0.0.0\/0\r\n4    ACCEPT     all  --  0.0.0.0\/0            0.0.0.0\/0\r\n\r\nChain FORWARD (policy DROP)\r\nnum  target     prot opt source               destination\r\n1    ACCEPT     all  --  0.0.0.0\/0            0.0.0.0\/0\r\n2    DROP       all  --  0.0.0.0\/0            0.0.0.0\/0           state INVALID\r\n3    TCPMSS     tcp  --  0.0.0.0\/0            0.0.0.0\/0           tcp flags:0x06\/0x02 TCPMSS clamp to PMTU\r\n4    ACCEPT     all  --  0.0.0.0\/0            0.0.0.0\/0           state RELATED,ESTABLISHED\r\n5    wanin      all  --  0.0.0.0\/0            0.0.0.0\/0\r\n6    wanout     all  --  0.0.0.0\/0            0.0.0.0\/0\r\n7    ACCEPT     all  --  0.0.0.0\/0            0.0.0.0\/0\r\n\r\nChain OUTPUT (policy ACCEPT)\r\nnum  target     prot opt source               destination\r\n\r\nChain wanin (1 references)\r\nnum  target     prot opt source               destination\r\n\r\nChain wanout (1 references)\r\nnum  target     prot opt source               destination\r\n<\/pre>\n<p>You can use line numbers to delete or insert new rules into the firewall.<\/p>\n<h3>1.2. To display INPUT or OUTPUT chain rules, enter:<\/h3>\n<p><code># iptables -L INPUT -n -v<br \/>\n# iptables -L OUTPUT -n -v --line-numbers<\/code><\/p>\n<h2>2. Stop \/ Start \/ Restart the Firewall<\/h2>\n<p>If you are using CentOS \/ RHEL \/ Fedora Linux, enter:<br \/>\n<code># service iptables stop<br \/>\n# service iptables start<br \/>\n# service iptables restart<\/code><br \/>\nYou can use the iptables command itself to stop the firewall and delete all rules:<br \/>\n<code># iptables -F<br \/>\n# iptables -X<br \/>\n# iptables -t nat -F<br \/>\n# iptables -t nat -X<br \/>\n# iptables -t mangle -F<br \/>\n# iptables -t mangle -X<br \/>\n# iptables -P INPUT ACCEPT<br \/>\n# iptables -P OUTPUT ACCEPT<br \/>\n# iptables -P FORWARD ACCEPT<\/code><br \/>\nWhere,<\/p>\n<ul>\n<li><strong>-F<\/strong> : Deleting (flushing) all the rules.<\/li>\n<li><strong>-X<\/strong> : Delete chain.<\/li>\n<li><strong>-t table_name<\/strong> : Select table (called nat or mangle) and delete\/flush rules.<\/li>\n<li><strong>-P<\/strong> : Set the default policy (such as DROP, REJECT, or ACCEPT).<\/li>\n<\/ul>\n<h2>3. Delete Firewall Rules<\/h2>\n<p>To display line number along with other information for existing rules, enter:<br \/>\n<code># iptables -L INPUT -n --line-numbers<br \/>\n# iptables -L OUTPUT -n --line-numbers<br \/>\n# iptables -L OUTPUT -n --line-numbers | less<br \/>\n# iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1<\/code><br \/>\nYou will get the list of IP. Look at <a href=\"https:\/\/www.cyberciti.biz\/faq\/how-to-iptables-delete-postrouting-rule\/\">the number on the left, then use number to delete it<\/a>. For example delete line number 4, enter:<br \/>\n<code># iptables -D INPUT 4<\/code><br \/>\nOR find source IP 202.54.1.1 and delete from rule:<br \/>\n<code># iptables -D INPUT -s 202.54.1.1 -j DROP<\/code><br \/>\nWhere,<\/p>\n<ul>\n<li><strong>-D <\/strong>: Delete one or more rules from the selected chain<\/li>\n<\/ul>\n<h2>4. Insert Firewall Rules<\/h2>\n<p>To insert one or more rules in the selected chain as the given rule number use the following syntax. First find out line numbers, enter:<br \/>\n# iptables -L INPUT -n \u2013line-numbers<br \/>\nSample outputs:<\/p>\n<pre>Chain INPUT (policy DROP)\r\nnum  target     prot opt source               destination\r\n1    DROP       all  --  202.54.1.1           0.0.0.0\/0\r\n2    ACCEPT     all  --  0.0.0.0\/0            0.0.0.0\/0           state NEW,ESTABLISHED<\/pre>\n<p>To insert rule between 1 and 2, enter:<br \/>\n<code># iptables -I INPUT 2 -s 202.54.1.2 -j DROP<\/code><br \/>\nTo view updated rules, enter:<br \/>\n<code># iptables -L INPUT -n --line-numbers<\/code><br \/>\nSample outputs:<\/p>\n<pre>Chain INPUT (policy DROP)\r\nnum  target     prot opt source               destination\r\n1    DROP       all  --  202.54.1.1           0.0.0.0\/0\r\n2    DROP       all  --  202.54.1.2           0.0.0.0\/0\r\n3    ACCEPT     all  --  0.0.0.0\/0            0.0.0.0\/0           state NEW,ESTABLISHED<\/pre>\n<h2>5. Save Firewall Rules<\/h2>\n<p>To save firewall rules under CentOS \/ RHEL \/ Fedora Linux, enter:<br \/>\n<code># service iptables save<\/code><br \/>\nIn this example, drop an IP and save firewall rules:<br \/>\n<code># iptables -A INPUT -s 202.5.4.1 -j DROP<br \/>\n# service iptables save<\/code><br \/>\nFor all other distros use the iptables-save command:<br \/>\n<code># iptables-save &gt; \/root\/my.active.firewall.rules<br \/>\n# cat \/root\/my.active.firewall.rules<\/code><\/p>\n<h2>6. Restore Firewall Rules<\/h2>\n<p>To restore firewall rules form a file called \/root\/my.active.firewall.rules, enter:<br \/>\n<code># iptables-restore &lt; \/root\/my.active.firewall.rules<\/code><br \/>\nTo restore firewall rules under CentOS \/ RHEL \/ Fedora Linux, enter:<br \/>\n<code># service iptables restart<\/code><\/p>\n<h2>7. Set the Default Firewall Policies<\/h2>\n<p>To drop all traffic:<br \/>\n<code># iptables -P INPUT DROP<br \/>\n# iptables -P OUTPUT DROP<br \/>\n# iptables -P FORWARD DROP<br \/>\n# iptables -L -v -n<br \/>\n#### you will not able to connect anywhere as all traffic is dropped ###<br \/>\n# ping cyberciti.biz<br \/>\n# wget http:\/\/www.kernel.org\/pub\/linux\/kernel\/v3.0\/testing\/linux-3.2-rc5.tar.bz2<\/code><\/p>\n<h3>7.1. Only Block Incoming Traffic<\/h3>\n<p>To drop all incoming \/ forwarded packets, but allow outgoing traffic, enter:<br \/>\n<code># iptables -P INPUT DROP<br \/>\n# iptables -P FORWARD DROP<br \/>\n# iptables -P OUTPUT ACCEPT<br \/>\n# iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT<br \/>\n# iptables -L -v -n<br \/>\n### *** now ping and wget should work *** ###<br \/>\n# ping cyberciti.biz<br \/>\n# wget http:\/\/www.kernel.org\/pub\/linux\/kernel\/v3.0\/testing\/linux-3.2-rc5.tar.bz2<\/code><\/p>\n<h2>8. Drop Private Network Address On Public Interface<\/h2>\n<p>IP spoofing is nothing but to stop the following IPv4 address ranges for private networks on your public interfaces. Packets with non-routable source addresses should be rejected using the following syntax:<br \/>\n<code># iptables -A INPUT -i eth1 -s 192.168.0.0\/24 -j DROP<br \/>\n# iptables -A INPUT -i eth1 -s 10.0.0.0\/8 -j DROP<\/code><\/p>\n<h3>8.1. IPv4 Address Ranges For Private Networks (make sure you block them on public interface)<\/h3>\n<ul>\n<li>10.0.0.0\/8 -j (A)<\/li>\n<li>172.16.0.0\/12 (B)<\/li>\n<li>192.168.0.0\/16 (C)<\/li>\n<li>224.0.0.0\/4 (MULTICAST D)<\/li>\n<li>240.0.0.0\/5 (E)<\/li>\n<li>127.0.0.0\/8 (LOOPBACK)<\/li>\n<\/ul>\n<h2>9. Blocking an IP Address (BLOCK IP)<\/h2>\n<p>To block an attackers ip address called 1.2.3.4, enter:<br \/>\n<code># iptables -A INPUT -s 1.2.3.4 -j DROP<br \/>\n# iptables -A INPUT -s 192.168.0.0\/24 -j DROP<\/code><\/p>\n<h2>10. Block Incoming Port Requests (BLOCK PORT)<\/h2>\n<p>To block all service requests on port 80, enter:<br \/>\n<code># iptables -A INPUT -p tcp --dport 80 -j DROP<br \/>\n# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP<\/code><\/p>\n<p>To block port 80 only for an ip address 1.2.3.4, enter:<br \/>\n<code># iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP<br \/>\n# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0\/24 --dport 80 -j DROP<\/code><\/p>\n<h2>11. Block Outgoing IP Address<\/h2>\n<p>To block outgoing traffic to a particular host or domain such as cyberciti.biz, enter:<br \/>\n<code># host -t a cyberciti.biz<\/code><br \/>\nSample outputs:<\/p>\n<pre>cyberciti.biz has address 75.126.153.206<\/pre>\n<p>Note down its ip address and type the following to block all outgoing traffic to 75.126.153.206:<br \/>\n<code># iptables -A OUTPUT -d 75.126.153.206 -j DROP<\/code><br \/>\nYou can use a subnet as follows:<br \/>\n<code># iptables -A OUTPUT -d 192.168.1.0\/24 -j DROP<br \/>\n# iptables -A OUTPUT -o eth1 -d 192.168.1.0\/24 -j DROP<\/code><\/p>\n<h3>11.1. Example &#8211; Block Facebook.com Domain<\/h3>\n<p>First, find out all ip address of facebook.com, enter:<br \/>\n<code># host -t a www.facebook.com<\/code><br \/>\nSample outputs:<\/p>\n<pre>www.facebook.com has address 69.171.228.40<\/pre>\n<p>Find CIDR for 69.171.228.40, enter:<br \/>\n<code># whois 69.171.228.40 | grep CIDR<\/code><br \/>\nSample outputs:<\/p>\n<pre>CIDR:           69.171.224.0\/19<\/pre>\n<p>To prevent outgoing access to www.facebook.com, enter:<br \/>\n<code># iptables -A OUTPUT -p tcp -d 69.171.224.0\/19 -j DROP<\/code><br \/>\nYou can also use domain name, enter:<br \/>\n<code># iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP<br \/>\n# iptables -A OUTPUT -p tcp -d facebook.com -j DROP<\/code><\/p>\n<p>From the iptables man page:<\/p>\n<blockquote><p>&#8230; specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with \/mask), or a plain IP address &#8230;<\/p><\/blockquote>\n<h2>12. Log and Drop Packets<\/h2>\n<p>Type the following to log and block IP spoofing on public interface called eth1<br \/>\n<code># iptables -A INPUT -i eth1 -s 10.0.0.0\/8 -j LOG --log-prefix \"IP_SPOOF A: \"<br \/>\n# iptables -A INPUT -i eth1 -s 10.0.0.0\/8 -j DROP<\/code><br \/>\nBy default everything is logged to \/var\/log\/messages file.<br \/>\n<code># tail -f \/var\/log\/messages<br \/>\n# grep --color 'IP SPOOF' \/var\/log\/messages<\/code><\/p>\n<h2>13. Log and Drop Packets with Limited Number of Log Entries<\/h2>\n<p>The -m limit module can limit the number of log entries created per time. This is used to prevent flooding your log file. To log and drop spoofing per 5 minutes, in bursts of at most 7 entries .<br \/>\n<code># iptables -A INPUT -i eth1 -s 10.0.0.0\/8 -m limit --limit 5\/m --limit-burst 7 -j LOG --log-prefix \"IP_SPOOF A: \"<br \/>\n# iptables -A INPUT -i eth1 -s 10.0.0.0\/8 -j DROP<\/code><\/p>\n<h2>14. Drop or Accept Traffic From Mac Address<\/h2>\n<p>Use the following syntax:<br \/>\n<code># iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP<br \/>\n## *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ##<br \/>\n# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT<\/code><\/p>\n<h2>15. Block or Allow ICMP Ping Request<\/h2>\n<p>Type the following command to block ICMP ping requests:<br \/>\n<code># iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<br \/>\n# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP<\/code><br \/>\nPing responses can also be limited to certain networks or hosts:<br \/>\n<code># iptables -A INPUT -s 192.168.1.0\/24 -p icmp --icmp-type echo-request -j ACCEPT<\/code><br \/>\nThe following only accepts limited type of ICMP requests:<br \/>\n<code>### ** assumed that default INPUT policy set to DROP ** #############<br \/>\niptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT<br \/>\niptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT<br \/>\niptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT<br \/>\n## ** all our server to respond to pings ** ##<br \/>\niptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<\/code><\/p>\n<h2>16. Open Range of Ports<\/h2>\n<p>Use the following syntax to open a range of ports:<br \/>\n<code>iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT <\/code><\/p>\n<h2>17. Open Range of IP Addresses<\/h2>\n<p>Use the following syntax to open a range of IP address:<br \/>\n<code> ## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##<br \/>\niptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT<\/code><\/p>\n<p><code>## nat example ##<br \/>\niptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25<br \/>\n<\/code><\/p>\n<h2>18. Established Connections and Restarting The Firewall<\/h2>\n<p>When you restart the iptables service it will drop established connections as it unload modules from the system under RHEL \/ Fedora \/ CentOS Linux. Edit, \/etc\/sysconfig\/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:<\/p>\n<pre>IPTABLES_MODULES_UNLOAD = no<\/pre>\n<h2>19. Help Iptables Flooding My Server Screen<\/h2>\n<p>Use the crit log level to send messages to a log file instead of console:<br \/>\n<code>iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit<\/code><\/p>\n<h2>20. Block or Open Common Ports<\/h2>\n<p>The following shows syntax for opening and closing common TCP and UDP ports:<\/p>\n<div class=\"wp_syntax\">\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre class=\"bash\">Replace ACCEPT with DROP to block port:\r\n## open port ssh tcp port 22 ##\r\niptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT\r\niptables -A INPUT -s 192.168.1.0\/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT\r\n\u00a0\r\n## open cups (printing service) udp\/tcp port 631 for LAN users ##\r\niptables -A INPUT -s 192.168.1.0\/24 -p udp -m udp --dport 631 -j ACCEPT\r\niptables -A INPUT -s 192.168.1.0\/24 -p tcp -m tcp --dport 631 -j ACCEPT\r\n\u00a0\r\n## allow time sync via NTP for lan users (open udp port 123) ##\r\niptables -A INPUT -s 192.168.1.0\/24 -m state --state NEW -p udp --dport 123 -j ACCEPT\r\n\u00a0\r\n## open tcp port 25 (smtp) for all ##\r\niptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT\r\n\u00a0\r\n# open dns server ports for all ##\r\niptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT\r\niptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT\r\n\u00a0\r\n## open http\/https (Apache) server port to all ##\r\niptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT\r\niptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT\r\n\u00a0\r\n## open tcp port 110 (pop3) for all ##\r\niptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT\r\n\u00a0\r\n## open tcp port 143 (imap) for all ##\r\niptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT\r\n\u00a0\r\n## open access to Samba file server for lan users only ##\r\niptables -A INPUT -s 192.168.1.0\/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT\r\niptables -A INPUT -s 192.168.1.0\/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT\r\niptables -A INPUT -s 192.168.1.0\/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT\r\niptables -A INPUT -s 192.168.1.0\/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT\r\n\u00a0\r\n## open access to proxy server for lan users only ##\r\niptables -A INPUT -s 192.168.1.0\/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT\r\n\u00a0\r\n## open access to mysql server for lan users only ##\r\niptables -I INPUT -p tcp --dport 3306 -j ACCEPT<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<h2>21. Restrict the Number of Parallel Connections To a Server Per Client IP<\/h2>\n<p>You can use connlimit module to put such restrictions. To allow 3 ssh connections per client host, enter:<br \/>\n<code># iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT<\/code><\/p>\n<p>Set HTTP requests to 20:<br \/>\n<code># iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP<\/code><br \/>\nWhere,<\/p>\n<ol>\n<li><strong>&#8211;connlimit-above 3<\/strong> : Match if the number of existing connections is above 3.<\/li>\n<li><strong>&#8211;connlimit-mask 24<\/strong> : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.<\/li>\n<\/ol>\n<h2>22. List NAT rules<\/h2>\n<p>The syntax is<br \/>\n<code># iptables -t nat -L -n -v<\/code><br \/>\nSample outputs:<\/p>\n<div class=\"wp_syntax\">\n<table>\n<tbody>\n<tr>\n<td class=\"code\">\n<pre class=\"ini\">Chain PREROUTING (policy ACCEPT 496K packets, 29M bytes)\r\n pkts bytes target     prot opt in     out     source               destination         \r\n43557 2613K DNAT       tcp  --  *      *       0.0.0.0\/0            192.168.184.8        tcp dpt:443 to:10.105.28.42:443\r\n68700 4122K DNAT       tcp  --  *      *       0.0.0.0\/0            192.168.184.8        tcp dpt:80 to:10.105.28.42:80\r\n15855  951K DNAT       tcp  --  *      *       0.0.0.0\/0            192.168.184.8        tcp dpt:444 to:10.105.28.45:444\r\n16009  961K DNAT       tcp  --  *      *       0.0.0.0\/0            192.168.184.8        tcp dpt:81 to:10.105.28.45:81\r\n63495 3810K DNAT       tcp  --  *      *       0.0.0.0\/0            192.168.184.8        tcp dpt:445 to:10.105.28.44:445\r\n19615 1177K DNAT       tcp  --  *      *       0.0.0.0\/0            192.168.184.8        tcp dpt:82 to:10.105.28.44:82\r\n\u00a0\r\nChain INPUT (policy ACCEPT 488K packets, 29M bytes)\r\n pkts bytes target     prot opt in     out     source               destination         \r\n\u00a0\r\nChain OUTPUT (policy ACCEPT 3280 packets, 207K bytes)\r\n pkts bytes target     prot opt in     out     source               destination         \r\n\u00a0\r\nChain POSTROUTING (policy ACCEPT 231K packets, 14M bytes)\r\n pkts bytes target     prot opt in     out     source               destination         \r\n 3832  230K MASQUERADE  all  --  *      *       10.105.28.0\/24      !10.105.28.0\/24       \/* generated for LXD network lxdbr0 *\/<\/pre>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>Another option:<br \/>\n<code># iptables -t nat -v -L -n --line-number <\/code><\/p>\n<h2>23. Delete NAT rules<\/h2>\n<p>The <a href=\"https:\/\/www.cyberciti.biz\/faq\/how-to-iptables-delete-postrouting-rule\/iptables-list-postrouting-rules\/\">syntax is as follows to list NAT rules on Linux<\/a>:<br \/>\n<code># iptables -t nat -v -L -n --line-number<br \/>\n# iptables -t nat -v -L PREROUTING -n --line-number<br \/>\n# iptables -t nat -v -L POSTROUTING -n --line-number<\/code><br \/>\nTo delete PREROUTING rule, run:<br \/>\n<code># iptables -t nat -D PREROUTING {number-here}<br \/>\n# iptables -t nat -D PREROUTING 42<\/code><br \/>\n<a href=\"https:\/\/www.cyberciti.biz\/faq\/how-to-iptables-delete-postrouting-rule\/\">To delete POSTROUTING rule<\/a>, run:<br \/>\n<code># iptables -t nat -D POSTROUTING {number-here}<br \/>\n# iptables -t nat -D POSTROUTING 42<\/code><\/p>\n<h2>24. How to redirect port AA to BB<\/h2>\n<p>The <a href=\"https:\/\/www.cyberciti.biz\/faq\/linux-port-redirection-with-iptables\/\">syntax is as follows<\/a>:<br \/>\n<code>iptables -t nat -A PREROUTING -i $interfaceName -p tcp --dport $srcPortNumber -j REDIRECT --to-port $dstPortNumber<\/code><br \/>\nTo redirect all incoming traffic on port 80 redirect to port 8080<br \/>\n<code># iptables -t nat -I PREROUTING --src 0\/0 --dst 192.168.1.5 -p tcp --dport 80 -j REDIRECT --to-ports 8080<\/code><\/p>\n<ul>\n<li><a href=\"https:\/\/www.cyberciti.biz\/faq\/how-to-configure-ufw-to-forward-port-80443-to-internal-server-hosted-on-lan\/\">How to configure ufw to forward port 80\/443 to internal server hosted on LAN<\/a><\/li>\n<\/ul>\n<h2>25. How to reset packet counters<\/h2>\n<p>To see iptables counters run:<br \/>\n<code># iptables -L -n -v<\/code><br \/>\nTo clear\/reset the counters for all rules:<br \/>\n<code># iptables -Z<br \/>\n# iptables -L -n -v<\/code><br \/>\nTo reset the counters for INPUT chain only:<br \/>\n<code># iptables -Z INPUT<\/code><br \/>\nTo reset the counters for rule # 13 in the INPUT chain only:<br \/>\n<code># iptables -Z INPUT 13<\/code><\/p>\n<ul>\n<li><a href=\"https:\/\/www.cyberciti.biz\/faq\/linux-configuring-ip-traffic-accounting\/\">Linux Network IP Accounting<\/a><\/li>\n<\/ul>\n<h2>26. HowTO: Use iptables Like a Pro<\/h2>\n<p>For more information about iptables, please see the manual page by typing man iptables from the command line:<br \/>\n<code>$ man iptables<\/code><br \/>\nYou can see the help using the following syntax too:<br \/>\n<code># iptables -h<\/code><br \/>\nTo see help with specific commands and targets, enter:<br \/>\n<code># iptables -j DROP -h<\/code><\/p>\n<h2>27. Testing Your Firewall<\/h2>\n<p>Find out if ports are open or not, enter:<br \/>\n<code># netstat -tulpn<\/code><br \/>\nFind out if tcp port 80 open or not, enter:<br \/>\n<code># netstat -tulpn | grep :80<\/code><br \/>\nIf port 80 is not open, start the Apache, enter:<br \/>\n<code># service httpd start<\/code><br \/>\nMake sure iptables allowing access to the port 80:<br \/>\n<code># iptables -L INPUT -v -n | grep 80<\/code><br \/>\nOtherwise open port 80 using the iptables for all users:<br \/>\n<code># iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT<br \/>\n# service iptables save<\/code><br \/>\nUse the telnet command to see if firewall allows to connect to port 80:<br \/>\n<code>$ telnet www.cyberciti.biz 80<\/code><br \/>\nSample outputs:<\/p>\n<pre>Trying 75.126.153.206...\r\nConnected to www.cyberciti.biz.\r\nEscape character is '^]'.\r\n^]\r\n\r\ntelnet&gt; quit\r\nConnection closed.\r\n<\/pre>\n<p>You can use the <a title=\"See Linux\/Unix nmap command examples for more info\" href=\"https:\/\/www.cyberciti.biz\/networking\/nmap-command-examples-tutorials\/\">nmap command<\/a> to probe your own server using the following syntax:<br \/>\n<code>$ nmap -sS -p 80 www.cyberciti.biz<\/code><br \/>\nSample outputs:<\/p>\n<pre>Starting Nmap 5.00 ( http:\/\/nmap.org ) at 2011-12-13 13:19 IST\r\nInteresting ports on www.cyberciti.biz (75.126.153.206):\r\nPORT   STATE SERVICE\r\n80\/tcp open  http\r\n\r\nNmap done: 1 IP address (1 host up) scanned in 1.00 seconds\r\n<\/pre>\n<p>I also recommend you install and use sniffer such as tcpdupm and ngrep to test your firewall settings.<\/p>\n<h4>Conclusion:<\/h4>\n<p>This post only list basic rules for new Linux users. You can create and build more complex rules. This requires good understanding of TCP\/IP, Linux kernel tuning via sysctl.conf, and good knowledge of your own setup. Stay tuned for next topics:<\/p>\n<ul>\n<li>Stateful packet inspection.<\/li>\n<li>Using connection tracking helpers.<\/li>\n<li>Network address translation.<\/li>\n<li>Layer 2 filtering.<\/li>\n<li>Firewall testing tools.<\/li>\n<li>Dealing with VPNs, DNS, Web, Proxy, and other protocols.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Original Article cyberciti.biz 1. Displaying the Status of Your Firewall Type the following command as root: # iptables -L -n -v Sample outputs: Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,2],"tags":[],"class_list":["post-127","post","type-post","status-publish","format-standard","hentry","category-iptables","category-linux"],"_links":{"self":[{"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/posts\/127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/comments?post=127"}],"version-history":[{"count":2,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/posts\/127\/revisions"}],"predecessor-version":[{"id":129,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/posts\/127\/revisions\/129"}],"wp:attachment":[{"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/media?parent=127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/categories?post=127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kidds.co.za\/index.php\/wp-json\/wp\/v2\/tags?post=127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}