IPTables

From Leo's Notes
Last edited on 12 March 2022, at 01:22.

Prerouting Chain[edit | edit source]

This is the first chain that traffic will go through. It contains the following tables:

  1. raw
  2. connection tracking
  3. mangle
  4. destination / NAT

Tasks[edit | edit source]

Drop RFC3330[edit | edit source]

You may wish to drop Special-Use IP addresses defined in RFC 3330. These IPs include internally routed addresses such as 192.168.0.0/16, 10.0.0.0/8, etc., black-hole addresses such as 0.0.0.0, and multicast addresses such as 224.0.0.0/4. There should be no reason for these addresses to be coming in externally and when it does happen, it's probably a spoofed address. 

##
## DROP RFC3330
##
# iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP               -m comment  --comment "0.0.0.0/8 source"
# iptables -t mangle -A PREROUTING -d 0.0.0.0/8 -j DROP               -m comment  --comment "0.0.0.0/8 destination"
# iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP           -m comment  --comment "10.0.0.0/8 source"
# iptables -t mangle -A PREROUTING -d 10.0.0.0/8 -j DROP           -m comment  --comment "10.0.0.0/8 destination"
# iptables -t mangle -A PREROUTING -s 100.64.0.0/10 -j DROP           -m comment  --comment "100.64.0.0/10 source"
# iptables -t mangle -A PREROUTING -d 100.64.0.0/10 -j DROP           -m comment  --comment "100.64.0.0/10 destination"
# iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP          -m comment  --comment "169.254.0.0/16 source"
# iptables -t mangle -A PREROUTING -d 169.254.0.0/16 -j DROP          -m comment  --comment "169.254.0.0/16 destination"
# iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP           -m comment  --comment "172.16.0.0/12"
# iptables -t mangle -A PREROUTING -d 172.16.0.0/12 -j DROP           -m comment  --comment "172.16.0.0/12"
# iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP            -m comment  --comment "192.0.2.0/24 source"
# iptables -t mangle -A PREROUTING -d 192.0.2.0/24 -j DROP            -m comment  --comment "192.0.2.0/24 destination"
# iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP          -m comment  --comment "192.168.0.0/16 source"
# iptables -t mangle -A PREROUTING -d 192.168.0.0/16 -j DROP          -m comment  --comment "192.168.0.0/16 destination"
# iptables -t mangle -A PREROUTING -s 198.18.0.0/15 -j DROP           -m comment  --comment "198.18.0.0/15 source"
# iptables -t mangle -A PREROUTING -d 198.18.0.0/15 -j DROP           -m comment  --comment "198.18.0.0/15 destination"
# iptables -t mangle -A PREROUTING -s 198.51.100.0/24 -j DROP         -m comment  --comment "198.51.100.0/24 source"
# iptables -t mangle -A PREROUTING -d 198.51.100.0/24 -j DROP         -m comment  --comment "198.51.100.0/24 destination"
# iptables -t mangle -A PREROUTING -s 203.0.113.0/24 -j DROP          -m comment  --comment "203.0.113.0/24 source"
# iptables -t mangle -A PREROUTING -d 203.0.113.0/24 -j DROP          -m comment  --comment "203.0.113.0/24 destination"
# 
## Special usue IPs, including 255.255.255.255.
# iptables -t mangle -A PREROUTING -s 240.0.0.0/4 -j DROP             -m comment  --comment "240.0.0.0/4 source"
# iptables -t mangle -A PREROUTING -d 240.0.0.0/4 -j DROP             -m comment  --comment "240.0.0.0/4 destination"
# 
## We shouldn't be routing multicast.
# iptables -t mangle -A PREROUTING -s 244.0.0.0/4 -j DROP             -m comment  --comment "244.0.0.0/4 source"
# iptables -t mangle -A PREROUTING -d 244.0.0.0/4 -j DROP             -m comment  --comment "244.0.0.0/4 destination"
# 
## Loopback not allowed unless on the local loopback interface.
# iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP     -m comment  --comment "127.0.0.0/8 source, DROP except on the loopback"
# iptables -t mangle -A PREROUTING -d 127.0.0.0/8 ! -i lo -j DROP     -m comment  --comment "127.0.0.0/8 destination, DROP except on the loopback"

Flushing IPTables[edit | edit source]

# Sets default policy to accept
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
 
# Flush all chains
iptables -F
 
# Delete all chains
iptables -X
 
# Zero out counters
iptables -Z 

# Flush and empty nat, mangle, and raw
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

Redirect outgoing traffic to a local port[edit | edit source]

To redirect traffic destined to 1.2.3.4:443 to localhost:8080 (ie: Serving https/443 to an internal service listening on 8080), use the REDIRECT directive: 

# iptables -t nat -A OUTPUT -p tcp -d 1.2.3.4 --dport 443 -j REDIRECT --to-ports 8080

If you want to redirect traffic to a particular destination rather than 127.0.0.1 (or the primary interface's IP) use DNAT: 

# iptables -t nat -A OUTPUT -p udp -d 1.2.3.4 --dport 443 -j DNAT --to-destination 9.8.7.6:8080

Redirect incoming traffic to an external host[edit | edit source]

To redirect incoming traffic on a specific port to an external server (such as after migrating services to another host, or ghetto load balancing): 

$ iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 10.2.3.4:443
$ iptables -t nat -A POSTROUTING -j MASQUERADE

Mapping incoming traffic to a different internal port[edit | edit source]

If you have a non-root process that should be exposed on a low port (such as port 80 or 443), you can use IPTables to forward incoming traffic to the high port. 

# iptables -t nat -I PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

Delete a specific rule in a chain[edit | edit source]

Suppose I have the following chain and rules: 

# iptables -t nat -L neutron-l3-agent-snat -n
Chain neutron-l3-agent-snat (1 references)
target     prot opt source               destination         
neutron-l3-agent-float-snat  all  --  0.0.0.0/0            0.0.0.0/0           
SNAT       all  --  172.20.20.0/24       0.0.0.0/0            to:136.159.2.206
SNAT       all  --  136.159.4.0/24       0.0.0.0/0            to:136.159.2.206

To delete a specific rule, it's easiest to define which line to delete. 

# iptables -t nat -L neutron-l3-agent-snat -n --line-number
Chain neutron-l3-agent-snat (1 references)
num  target     prot opt source               destination         
1    neutron-l3-agent-float-snat  all  --  0.0.0.0/0            0.0.0.0/0           
2    SNAT       all  --  172.20.20.0/24       0.0.0.0/0            to:136.159.2.206
3    SNAT       all  --  136.159.4.0/24       0.0.0.0/0            to:136.159.2.206

Then delete it using the line number: 

# iptables -t nat -D neutron-l3-agent-snat 3

Cluster IP[edit | edit source]

To create a clustered IP address:

Create the clustered IP using IPTables with the clustermac address set to a multicast MAC address. 

# iptables -I INPUT -i em1 -d 136.159.5.30 -j CLUSTERIP --new --hashmode sourceip --clustermac 01:00:5E:00:1e:01 --total-nodes 3 --local-node 3

Add the cluster IP address to your physical network interface. 

# ip addr add 136.159.5.30/24 dev em1

Optionally, update ARP. 

# arping -U -I em1 136.159.5.30

See Also[edit | edit source]

Port Mirroring / IPTables Tee[edit | edit source]

An IPTables / netfilter Tee rule mirrors traffic to a specific port or IP address. It is analogous to mirroring a port on a managed switch or router.

On my dd-wrt router, I mirrored all outgoing and incoming traffic to one of my computers. 

root@DD-WRT:~# iptables -I PREROUTING -t mangle -j ROUTE --gw 10.1.1.143 --tee
root@DD-WRT:~# iptables -I POSTROUTING -t mangle -j ROUTE --gw 10.1.1.143 --tee

Port forwarding[edit | edit source]

Suppose you have a gateway machine running Linux and you wish to forward traffic between the internal NAT and the outside world through this gateway.

To forward ports to a specific host inside your NAT, append to the PREROUTING table: 

## Forwards traffic destined to 136.159.16.8:3389 to the internal address 172.20.1.91:3389
# iptables -t nat -A PREROUTING -p tcp -d 136.159.16.8 --dport 80 -j DNAT --to 172.20.1.91:80

Blocking traffic by IP[edit | edit source]

See also: ipset

Add a firewall rule at a specific position in a chain[edit | edit source]

Use -I $chain to insert into a specific chain, followed by the line number. For example, if I wanted to add a rule to the 10th line of the INPUT chain: 

# iptables -I INPUT 10 -p tcp -m tcp --dport 8080 -j ACCEPT

Dropping all UDP for a specific host[edit | edit source]

If a machine is spamming UDP packets, you may want to block it at the firewall. 

root@DD-WRT:~# iptables -A OUTPUT -p udp -d 10.1.1.22 -j DROP
root@DD-WRT:~# iptables -A INPUT -p udp -s 10.1.1.22 -j DROP

Make IPTable rules persistent[edit | edit source]

On CentOS 8, install the iptables-services package. Persist your existing rules by dumping your rules into /etc/sysconfig/iptables. 

# iptables-save > /etc/sysconfig/iptables

See Also[edit | edit source]


Various Linux Notes
Linux Tools and Utilites
Package Management
Linux Distributions
Networking
Containers

Recent Changes

Recent Changes under Linux

Recent Changes under Guides

Ad-Free + Tracker-Free

I respect your privacy. This site does not serve ads, use trackers/analytics, or load resources from 3rd party websites.

Cookies may be created by MediaWiki but will contain no user identifiable information.


Back to top