Prerouting Chain[edit]

This is the first chain that traffic will go through. It contains the following tables:

  1. raw
  2. connection tracking
  3. mangle
  4. destination / NAT

Drop RFC3330[edit]

You may wish to drop Special-Use IP addresses defined in RFC 3330. These IPs include internally routed addresses such as 192.168.0.0/16, 10.0.0.0/8, etc., black-hole addresses such as 0.0.0.0, and multicast addresses such as 224.0.0.0/4. There should be no reason for these addresses to be coming in externally and when it does happen, it's probably a spoofed address.

##
## DROP RFC3330
##
# iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP               -m comment  --comment "0.0.0.0/8 source"
# iptables -t mangle -A PREROUTING -d 0.0.0.0/8 -j DROP               -m comment  --comment "0.0.0.0/8 destination"
# iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP           -m comment  --comment "10.0.0.0/8 source"
# iptables -t mangle -A PREROUTING -d 10.0.0.0/8 -j DROP           -m comment  --comment "10.0.0.0/8 destination"
# iptables -t mangle -A PREROUTING -s 100.64.0.0/10 -j DROP           -m comment  --comment "100.64.0.0/10 source"
# iptables -t mangle -A PREROUTING -d 100.64.0.0/10 -j DROP           -m comment  --comment "100.64.0.0/10 destination"
# iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP          -m comment  --comment "169.254.0.0/16 source"
# iptables -t mangle -A PREROUTING -d 169.254.0.0/16 -j DROP          -m comment  --comment "169.254.0.0/16 destination"
# iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP           -m comment  --comment "172.16.0.0/12"
# iptables -t mangle -A PREROUTING -d 172.16.0.0/12 -j DROP           -m comment  --comment "172.16.0.0/12"
# iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP            -m comment  --comment "192.0.2.0/24 source"
# iptables -t mangle -A PREROUTING -d 192.0.2.0/24 -j DROP            -m comment  --comment "192.0.2.0/24 destination"
# iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP          -m comment  --comment "192.168.0.0/16 source"
# iptables -t mangle -A PREROUTING -d 192.168.0.0/16 -j DROP          -m comment  --comment "192.168.0.0/16 destination"
# iptables -t mangle -A PREROUTING -s 198.18.0.0/15 -j DROP           -m comment  --comment "198.18.0.0/15 source"
# iptables -t mangle -A PREROUTING -d 198.18.0.0/15 -j DROP           -m comment  --comment "198.18.0.0/15 destination"
# iptables -t mangle -A PREROUTING -s 198.51.100.0/24 -j DROP         -m comment  --comment "198.51.100.0/24 source"
# iptables -t mangle -A PREROUTING -d 198.51.100.0/24 -j DROP         -m comment  --comment "198.51.100.0/24 destination"
# iptables -t mangle -A PREROUTING -s 203.0.113.0/24 -j DROP          -m comment  --comment "203.0.113.0/24 source"
# iptables -t mangle -A PREROUTING -d 203.0.113.0/24 -j DROP          -m comment  --comment "203.0.113.0/24 destination"
# 
## Special usue IPs, including 255.255.255.255.
# iptables -t mangle -A PREROUTING -s 240.0.0.0/4 -j DROP             -m comment  --comment "240.0.0.0/4 source"
# iptables -t mangle -A PREROUTING -d 240.0.0.0/4 -j DROP             -m comment  --comment "240.0.0.0/4 destination"
# 
## We shouldn't be routing multicast.
# iptables -t mangle -A PREROUTING -s 244.0.0.0/4 -j DROP             -m comment  --comment "244.0.0.0/4 source"
# iptables -t mangle -A PREROUTING -d 244.0.0.0/4 -j DROP             -m comment  --comment "244.0.0.0/4 destination"
# 
## Loopback not allowed unless on the local loopback interface.
# iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP     -m comment  --comment "127.0.0.0/8 source, DROP except on the loopback"
# iptables -t mangle -A PREROUTING -d 127.0.0.0/8 ! -i lo -j DROP     -m comment  --comment "127.0.0.0/8 destination, DROP except on the loopback"

Redirect Outgoing Traffic to Local Port[edit]

To redirect traffic destined to 1.2.3.4:443 to localhost:8080 (ie: Serving https/443 to an internal service listening on 8080), use the REDIRECT directive:

# iptables -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 443 -j REDIRECT --to-ports 8080

If you want to redirect traffic to a particular destination rather than 127.0.0.1 (or the primary interface's IP) use DNAT:

# iptables -t nat -A OUTPUT -p udp -d 1.2.3.4 --dport 443 -j DNAT --to-destination 9.8.7.6:8080

Delete a Specific Rule in a Chain[edit]

Suppose I have the following chain and rules:

# iptables -t nat -L neutron-l3-agent-snat -n
Chain neutron-l3-agent-snat (1 references)
target     prot opt source               destination         
neutron-l3-agent-float-snat  all  --  0.0.0.0/0            0.0.0.0/0           
SNAT       all  --  172.20.20.0/24       0.0.0.0/0            to:136.159.2.206
SNAT       all  --  136.159.4.0/24       0.0.0.0/0            to:136.159.2.206

To delete a specific rule, it's easiest to define which line to delete.

# iptables -t nat -L neutron-l3-agent-snat -n --line-number
Chain neutron-l3-agent-snat (1 references)
num  target     prot opt source               destination         
1    neutron-l3-agent-float-snat  all  --  0.0.0.0/0            0.0.0.0/0           
2    SNAT       all  --  172.20.20.0/24       0.0.0.0/0            to:136.159.2.206
3    SNAT       all  --  136.159.4.0/24       0.0.0.0/0            to:136.159.2.206

Then delete it using the line number:

# iptables -t nat -D neutron-l3-agent-snat 3

Cluster IP[edit]

To create a clustered IP address:

Create the clustered IP using IPTables with the clustermac address set to a multicast MAC address.

# iptables -I INPUT -i em1 -d 136.159.5.30 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:1e:01 --total-nodes 3 --local-node 3

Add the cluster IP address to your physical network interface.

# ip addr add 136.159.5.30/24 dev em1

Optionally, update ARP.

# arping -U -I em1 136.159.5.30

See Also[edit]

Port Mirroring / IPTables Tee[edit]

An IPTables / netfilter Tee rule mirrors traffic to a specific port or IP address. It is analogous to mirroring a port on a managed switch or router.

On my dd-wrt router, I mirrored all outgoing and incoming traffic to one of my computers.

root@DD-WRT:~# iptables -I PREROUTING -t mangle -j ROUTE --gw 10.1.1.143 --tee
root@DD-WRT:~# iptables -I POSTROUTING -t mangle -j ROUTE --gw 10.1.1.143 --tee


Port Forwarding[edit]

Suppose you have a gateway using IPTables to forward traffic between the NAT and the outside world.

To forward ports to a specific host inside your NAT, append to the PREROUTING table:

## Forwards traffic destined to 136.159.16.8:3389 to the internal address 172.20.1.91:3389
# iptables -t nat -A PREROUTING -p tcp -d 136.159.16.8 --dport 80 -j DNAT --to 172.20.1.91:80

Blocking Traffic by IP[edit]

See also: ipset

Other Tasks[edit]

Dropping All UDP for a specific host[edit]

If a machine is spamming UDP packets, you may want to block it at the firewall.

root@DD-WRT:~# iptables -A OUTPUT -p udp -d 10.1.1.22 -j DROP
root@DD-WRT:~# iptables -A INPUT -p udp -s 10.1.1.22 -j DROP


Enable Dark Mode!