IPTables
Prerouting Chain
This is the first chain that traffic will go through. It contains the following tables:
- raw
- connection tracking
- mangle
- destination / NAT
Tasks
Drop RFC3330
You may wish to drop Special-Use IP addresses defined in RFC 3330. These IPs include internally routed addresses such as 192.168.0.0/16, 10.0.0.0/8, etc., black-hole addresses such as 0.0.0.0, and multicast addresses such as 224.0.0.0/4. There should be no reason for these addresses to be coming in externally and when it does happen, it's probably a spoofed address.
##
## DROP RFC3330
##
# iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP -m comment --comment "0.0.0.0/8 source"
# iptables -t mangle -A PREROUTING -d 0.0.0.0/8 -j DROP -m comment --comment "0.0.0.0/8 destination"
# iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP -m comment --comment "10.0.0.0/8 source"
# iptables -t mangle -A PREROUTING -d 10.0.0.0/8 -j DROP -m comment --comment "10.0.0.0/8 destination"
# iptables -t mangle -A PREROUTING -s 100.64.0.0/10 -j DROP -m comment --comment "100.64.0.0/10 source"
# iptables -t mangle -A PREROUTING -d 100.64.0.0/10 -j DROP -m comment --comment "100.64.0.0/10 destination"
# iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP -m comment --comment "169.254.0.0/16 source"
# iptables -t mangle -A PREROUTING -d 169.254.0.0/16 -j DROP -m comment --comment "169.254.0.0/16 destination"
# iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP -m comment --comment "172.16.0.0/12"
# iptables -t mangle -A PREROUTING -d 172.16.0.0/12 -j DROP -m comment --comment "172.16.0.0/12"
# iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP -m comment --comment "192.0.2.0/24 source"
# iptables -t mangle -A PREROUTING -d 192.0.2.0/24 -j DROP -m comment --comment "192.0.2.0/24 destination"
# iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP -m comment --comment "192.168.0.0/16 source"
# iptables -t mangle -A PREROUTING -d 192.168.0.0/16 -j DROP -m comment --comment "192.168.0.0/16 destination"
# iptables -t mangle -A PREROUTING -s 198.18.0.0/15 -j DROP -m comment --comment "198.18.0.0/15 source"
# iptables -t mangle -A PREROUTING -d 198.18.0.0/15 -j DROP -m comment --comment "198.18.0.0/15 destination"
# iptables -t mangle -A PREROUTING -s 198.51.100.0/24 -j DROP -m comment --comment "198.51.100.0/24 source"
# iptables -t mangle -A PREROUTING -d 198.51.100.0/24 -j DROP -m comment --comment "198.51.100.0/24 destination"
# iptables -t mangle -A PREROUTING -s 203.0.113.0/24 -j DROP -m comment --comment "203.0.113.0/24 source"
# iptables -t mangle -A PREROUTING -d 203.0.113.0/24 -j DROP -m comment --comment "203.0.113.0/24 destination"
#
## Special usue IPs, including 255.255.255.255.
# iptables -t mangle -A PREROUTING -s 240.0.0.0/4 -j DROP -m comment --comment "240.0.0.0/4 source"
# iptables -t mangle -A PREROUTING -d 240.0.0.0/4 -j DROP -m comment --comment "240.0.0.0/4 destination"
#
## We shouldn't be routing multicast.
# iptables -t mangle -A PREROUTING -s 244.0.0.0/4 -j DROP -m comment --comment "244.0.0.0/4 source"
# iptables -t mangle -A PREROUTING -d 244.0.0.0/4 -j DROP -m comment --comment "244.0.0.0/4 destination"
#
## Loopback not allowed unless on the local loopback interface.
# iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP -m comment --comment "127.0.0.0/8 source, DROP except on the loopback"
# iptables -t mangle -A PREROUTING -d 127.0.0.0/8 ! -i lo -j DROP -m comment --comment "127.0.0.0/8 destination, DROP except on the loopback"
Flushing IPTables
# Sets default policy to accept
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush all chains
iptables -F
# Delete all chains
iptables -X
# Zero out counters
iptables -Z
# Flush and empty nat, mangle, and raw
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
Redirect outgoing traffic to a local port
To redirect traffic destined to 1.2.3.4:443 to localhost:8080 (ie: Serving https/443 to an internal service listening on 8080), use the REDIRECT directive:
# iptables -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 443 -j REDIRECT --to-ports 8080
If you want to redirect traffic to a particular destination rather than 127.0.0.1 (or the primary interface's IP) use DNAT:
# iptables -t nat -A OUTPUT -p udp -d 1.2.3.4 --dport 443 -j DNAT --to-destination 9.8.7.6:8080
Redirect incoming traffic to an external host
To redirect incoming traffic on a specific port to an external server (such as after migrating services to another host, or ghetto load balancing):
$ iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.2.3.4:443
$ iptables -t nat -A POSTROUTING -j MASQUERADE
Mapping incoming traffic to a different internal port
If you have a non-root process that should be exposed on a low port (such as port 80 or 443), you can use IPTables to forward incoming traffic to the high port.
# iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
Delete a specific rule in a chain
Suppose I have the following chain and rules:
# iptables -t nat -L neutron-l3-agent-snat -n
Chain neutron-l3-agent-snat (1 references)
target prot opt source destination
neutron-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
SNAT all -- 172.20.20.0/24 0.0.0.0/0 to:136.159.2.206
SNAT all -- 136.159.4.0/24 0.0.0.0/0 to:136.159.2.206
To delete a specific rule, it's easiest to define which line to delete.
# iptables -t nat -L neutron-l3-agent-snat -n --line-number
Chain neutron-l3-agent-snat (1 references)
num target prot opt source destination
1 neutron-l3-agent-float-snat all -- 0.0.0.0/0 0.0.0.0/0
2 SNAT all -- 172.20.20.0/24 0.0.0.0/0 to:136.159.2.206
3 SNAT all -- 136.159.4.0/24 0.0.0.0/0 to:136.159.2.206
Then delete it using the line number:
# iptables -t nat -D neutron-l3-agent-snat 3
Cluster IP
To create a clustered IP address:
Create the clustered IP using IPTables with the clustermac address set to a multicast MAC address.
# iptables -I INPUT -i em1 -d 136.159.5.30 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:1e:01 --total-nodes 3 --local-node 3
Add the cluster IP address to your physical network interface.
# ip addr add 136.159.5.30/24 dev em1
Optionally, update ARP.
# arping -U -I em1 136.159.5.30
See Also
- http://security.maruhn.com/iptables-tutorial/x8906.html
- http://www.bertera.it/index.php/2011/10/04/howto-configure-multiple-mac-address-over-a-single-ethernet-interface/
- http://serverfault.com/questions/623221/iptable-clusterip-doesnt-work
Port Mirroring / IPTables Tee
An IPTables / netfilter Tee rule mirrors traffic to a specific port or IP address. It is analogous to mirroring a port on a managed switch or router.
On my dd-wrt router, I mirrored all outgoing and incoming traffic to one of my computers.
root@DD-WRT:~# iptables -I PREROUTING -t mangle -j ROUTE --gw 10.1.1.143 --tee
root@DD-WRT:~# iptables -I POSTROUTING -t mangle -j ROUTE --gw 10.1.1.143 --tee
Port forwarding
Suppose you have a gateway machine running Linux and you wish to forward traffic between the internal NAT and the outside world through this gateway.
To forward ports to a specific host inside your NAT, append to the PREROUTING table:
## Forwards traffic destined to 136.159.16.8:3389 to the internal address 172.20.1.91:3389
# iptables -t nat -A PREROUTING -p tcp -d 136.159.16.8 --dport 80 -j DNAT --to 172.20.1.91:80
Blocking traffic by IP
See also: ipset
Add a firewall rule at a specific position in a chain
Use -I $chain to insert into a specific chain, followed by the line number. For example, if I wanted to add a rule to the 10th line of the INPUT chain:
# iptables -I INPUT 10 -p tcp -m tcp --dport 8080 -j ACCEPT
Dropping all UDP for a specific host
If a machine is spamming UDP packets, you may want to block it at the firewall.
root@DD-WRT:~# iptables -A OUTPUT -p udp -d 10.1.1.22 -j DROP
root@DD-WRT:~# iptables -A INPUT -p udp -s 10.1.1.22 -j DROP
Make IPTable rules persistent
On CentOS 8, install the iptables-services package. Persist your existing rules by dumping your rules into /etc/sysconfig/iptables.
# iptables-save > /etc/sysconfig/iptables
See Also
- A book on IPTables - https://book.huihoo.com/iptables-tutorial/book1.htm