iptables
last edited Mon, 23 Sep 2024 04:23:25 GMT
backlinks:
Securing Linux
A rule-based firewall that comes pre-installed on most Linux distributions (on current distributions the iptables command is usually the iptables-nft compatibility front-end over nftables, but the rule syntax is the same). UFW is a front-end for iptables.
- Rules are grouped into chains, and chains live in tables (filter, nat, mangle, raw). Each rule names a target that decides what happens to a matching packet, and the first matching rule in a chain wins.
- ACCEPT – lets the packet pass through.
- DROP – silently discards the packet; the sender gets no response.
- REJECT – discards the packet and sends an error back (an ICMP unreachable or a TCP RST), so the sender knows it was refused.
- RETURN – stops traversing the current chain and resumes in the chain that called it; in a built-in chain the chain's default policy applies instead.
The default filter table has three chains:
- INPUT – controls packets addressed to the server itself.
- FORWARD – controls packets routed through the server to somewhere else (neither from nor to the server itself).
- OUTPUT – controls packets originating from the server.
- iptables can rate-limit connections and packets (the limit and hashlimit matches), which blunts brute-force and simple flooding attempts; it cannot protect against a volumetric DDoS that saturates the server's link.
Save your firewall rules! Rules added with the iptables command live only in the running kernel and are lost on reboot. The commands below are for Debian/Ubuntu and are not applicable to Fedora, CentOS, or RHEL systems.
sudo apt-get update && sudo apt-get install -y iptables-persistent
sudo service netfilter-persistent save
Restrict a Specific Port
sudo iptables -A INPUT -s IP-ADDRESS -p tcp --dport port_number -j DROP
This drops TCP traffic from IP-ADDRESS to port_number only. You can display the resulting rules with sudo iptables -L -n -v --line-numbers (-n skips DNS lookups, -v shows packet counters and interfaces, and --line-numbers lets you delete a rule by position with sudo iptables -D INPUT <n>).
Block an IP Range
sudo iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 80 -j REJECT
Because -A appends to the end of the chain, this rule only takes effect if it sits before any rule that ACCEPTs port 80; use -I INPUT instead of -A INPUT to insert it at the top of the chain.
Enable Traffic on Localhost
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
Enabling Connections on the SSH, HTTP, and HTTPS Ports
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Filtering Packets Based on Source
sudo iptables -A INPUT -s 192.168.1.3 -j ACCEPT
- You can also block a specific IP address by replacing the ACCEPT target with DROP (silent) or REJECT (sends an error back to the sender).
Drop all Traffic Outside of Specified Ports
sudo iptables -A INPUT -j DROP
Add this catch-all rule last, after every ACCEPT rule, because -A appends and nothing after it in the chain is ever reached. Before it, accept established and related connections (-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT); otherwise replies to the server's own outbound connections are dropped. On a remote server, make sure the SSH ACCEPT rule is already in place, or this rule will lock you out. The equivalent default is sudo iptables -P INPUT DROP, which applies when no rule matches instead of occupying a slot in the chain.
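The sections above are the steps of one procedure, and the order in which the rules are appended decides whether the result works. The script below is an added example, not code from the original notes: it emits the INPUT chain from those sections in a working order (loopback, established/related, the range block before the port-80 ACCEPT, rate-limited SSH, HTTP, HTTPS, then the catch-all DROP), checks that order before applying anything, and can be previewed without root by setting IPT="echo iptables". The SSH port, the web ports and the blocked range 192.168.1.0/24 are placeholders taken from the notes, overridable through environment variables.

```sh
#!/bin/sh
# Added example (not from the original notes): builds the INPUT chain
# from the sections above in the order that actually works.
# Assumptions: port 22 for SSH, 80/443 for the web server, and the
# blocked range 192.168.1.0/24 are placeholders; override them with
# environment variables. Set IPT="echo iptables" to preview without root.
IPT="${IPT:-iptables}"
SSH_PORT="${SSH_PORT:-22}"
BLOCKED_RANGE="${BLOCKED_RANGE:-192.168.1.0/24}"   # constructed example range

# Emit the rules, one per line, in the order they must be appended.
# iptables stops at the first matching rule and -A appends, so the
# catch-all DROP has to be last and the REJECT has to precede the ACCEPT
# for the same port. The limit match slows SSH brute-forcing (new
# connections only); it is not a defence against volumetric DDoS.
input_rules() {
    cat <<EOF
-F INPUT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $BLOCKED_RANGE -p tcp --dport 80 -j REJECT
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m limit --limit 10/min --limit-burst 20 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
EOF
}

# Run every rule through $IPT and stop at the first failure.
apply_rules() {
    input_rules | while IFS= read -r rule; do
        # $rule is split into words on purpose; no field contains a space.
        $IPT $rule || { echo "failed: $IPT $rule" >&2; exit 1; }  # exits the loop's subshell
    done
}

# Ordering checks: catch-all DROP last, ESTABLISHED accept before it
# (or replies to the server's own connections die), and the range block
# before the port-80 ACCEPT (or the block is never reached).
check_order() {
    rules=$(input_rules)
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = "-A INPUT -j DROP" ] || return 1
    est=$(printf '%s\n' "$rules" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1)
    blk=$(printf '%s\n' "$rules" | grep -n 'REJECT' | cut -d: -f1)
    web=$(printf '%s\n' "$rules" | grep -n -- '--dport 80 -j ACCEPT' | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j DROP' | cut -d: -f1)
    [ "$est" -lt "$drop" ] && [ "$blk" -lt "$web" ]
}

# Number of rule lines emitted (useful when extending the set).
rule_count() { input_rules | wc -l | tr -d ' '; }

# Only touch the kernel when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    check_order || { echo "rule ordering check failed" >&2; exit 1; }
    apply_rules && $IPT -L INPUT -n -v --line-numbers
fi
```

Preview with IPT="echo iptables" sh firewall.sh --apply, then run it as root with --apply from a console session (not over SSH the first time) and persist the result with sudo netfilter-persistent save. The script flushes and rebuilds only the INPUT chain, so the OUTPUT loopback rule from the notes is unaffected, and it affects IPv4 only: ip6tables keeps a separate rule set that needs the same treatment.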