====== iptables ======

{{user:iptables.png|iptables}}

Image source: [[https://wsgzao.github.io/post/iptables/index.html|iptables配置实践]]

===== Usage =====

Save the current iptables configuration:

<code bash>
service iptables save
</code>

===== Options =====

^ option ^ meaning ^
| -A | append rule to a chain |
| -j | jump to target, e.g. ''ACCEPT'', ''DROP'' |
| -p | protocol: ''tcp'', ''udp'', ''icmp'' |
| -s | source address[/mask] |
| -d | destination address[/mask] |
| -m | match extension |

===== Rules =====

List current iptables rules:

<code bash>
iptables -nL
</code>

Clear **all** iptables rules (without ''-t'' this flushes only the filter table; use ''-t nat'' for the nat table):

<code bash>
iptables -F
</code>

Allow ping (ICMP):

<code bash>
iptables -A INPUT -p icmp -j ACCEPT
</code>

Open ports:

<code bash>
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT  # allow ssh
</code>

Allow traffic to and from a specific IP:

<code bash>
iptables -A INPUT -p tcp -s [ip] -j ACCEPT
iptables -A OUTPUT -p tcp -d [ip] -j ACCEPT
</code>

Allow NTP traffic for time synchronization:

<code bash>
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT
</code>

Allow established connections (**important**, and it must come before the final DROP rule):

<code bash>
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
</code>

Drop all other traffic (ban all incoming traffic). **Put this at the bottom**: ''-A'' appends, and rules are evaluated in order, so anything appended after it is never reached:

<code bash>
iptables -A INPUT -j DROP
</code>

===== Router =====

Redirect all DNS queries to a specified IP:

<code bash>
iptables -t nat -A PREROUTING -p udp -s 192.168.1.0/24 --dport 53 -j DNAT --to 192.168.1.1
</code>

Redirect all DNS queries to a specified IP, except those from one host (''ACCEPT'' in the nat table stops further nat rules from applying to that packet, so the exception must come first):

<code bash>
iptables -t nat -A PREROUTING -p udp -s 192.168.1.24 -j ACCEPT
iptables -t nat -A PREROUTING -p udp -s 192.168.1.0/24 --dport 53 -j DNAT --to 192.168.1.1
</code>

===== Reference =====

  * [[https://github.com/trimstray/iptables-essentials|Iptables Essentials: Common Firewall Rules and Commands]]
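As an added example (not part of this wiki page), a POSIX shell audit of a saved INPUT chain that checks the two ordering points from the Rules section: the ESTABLISHED,RELATED accept precedes the catch-all DROP, and the DROP is the last rule. The function name and the sample chain dumps are my own constructions.

```shell
# Added example, not from the wiki page: audit an INPUT chain dump (the text
# printed by `iptables -S INPUT`) for the ordering the Rules section insists on:
# the ESTABLISHED,RELATED accept must come before the catch-all DROP, and
# "-A INPUT -j DROP" must be the last rule. Returns 0 if safe, 1 otherwise.
audit_input_chain() {
    chain="$1"
    n=0; est=0; drop=0
    while IFS= read -r line; do
        # skip the policy line (-P INPUT ...) and blank lines; count real rules
        case "$line" in
            -P*|"") continue ;;
        esac
        n=$((n + 1))
        case "$line" in
            # `iptables -S` prints the state match either as
            # "-m state --state ..." or as "-m conntrack --ctstate ..."
            *--state*ESTABLISHED*|*--ctstate*ESTABLISHED*)
                if [ "$est" -eq 0 ]; then est=$n; fi ;;
            "-A INPUT -j DROP")
                drop=$n ;;
        esac
    done <<EOF
$chain
EOF
    if [ "$drop" -eq 0 ]; then
        echo "audit: no catch-all '-A INPUT -j DROP' rule" >&2; return 1
    fi
    if [ "$drop" -ne "$n" ]; then
        echo "audit: catch-all DROP is rule $drop of $n, not the last" >&2; return 1
    fi
    if [ "$est" -eq 0 ] || [ "$est" -gt "$drop" ]; then
        echo "audit: ESTABLISHED,RELATED accept missing or after the DROP (lockout risk)" >&2
        return 1
    fi
    return 0
}

# Constructed sample dumps (not captured from a real host).
SAFE_CHAIN='-P INPUT ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 123 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j DROP'

# Same rules, but the state rule was appended after the DROP, so replies to
# connections the host itself opened (DNS answers, updates) hit the DROP first.
LOCKOUT_CHAIN='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
```

Feed it the output of `iptables -S INPUT` before running `service iptables save` to catch a misordered chain before it is persisted.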
linux/iptables.txt · Last modified: 2023/12/03 10:24 by 127.0.0.1