PentOpsVault @syztem4our666


Iptables CheatSheet


iptables is the Linux user-space tool for configuring the kernel's netfilter packet-filtering framework; it lets us control which traffic a host accepts, sends, or forwards (e.g., packet filtering) to improve network security.

View all current iptables rules:

iptables -L -v

View all INPUT rules:

iptables -L INPUT -nv

Blocking and Unblocking IP Addresses

How to block an IP address using iptables:

iptables -I INPUT -s "201.128.33.200" -j DROP

To block a range of IP addresses:

iptables -I INPUT -s "201.128.33.0/24" -j DROP

How to unblock an IP address:

iptables -D INPUT -s "201.128.33.200" -j DROP

Blocking and Unblocking Ports

How to block all connections to a port (example with port 25):

iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -A INPUT -p udp --dport 25 -j DROP

How to unblock a port (example with port 25). Note that iptables stops at the first matching rule, so these ACCEPT rules only take effect if the DROP rules above were removed (with -D) or the ACCEPT rules are inserted ahead of them (with -I):

iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p udp --dport 25 -j ACCEPT

Saving iptables Rules

To save all rules so that they are not lost in case of a server reboot:

/etc/init.d/iptables save

Or, alternatively:

service iptables save

Deleting iptables Rules

Delete a rule by line number:

  1. Output all the iptables rules with line numbers:
     iptables -L INPUT -n --line-numbers
  2. Delete the rule using its line number:
     iptables -D INPUT [LINE NUMBER]

Opening Ports

Open port 3306 (MySQL) to a specific IP (example: 1.2.3.4):

iptables -I INPUT -i eth0 -s 1.2.3.4 -p tcp --dport 3306 -j ACCEPT -m comment --comment "MySQL Access By IP"

Add a rule with a specific port and IP address:

sudo iptables -A INPUT -p tcp -m tcp --dport [port_number] -s [ip_address] -j ACCEPT

Add a rule for a specific port on all addresses:

sudo iptables -A INPUT -p tcp -m tcp --dport [port_number] --sport 1024:65535 -j ACCEPT

Drop a specific IP address:

sudo iptables -I INPUT -s [x.x.x.x] -j DROP

Viewing and Removing Rules

View iptables with rule numbers:

sudo iptables -L INPUT -n --line-numbers

Remove a rule:

sudo iptables -D INPUT [rule_number]

Default Policies

Set default policies for the INPUT, OUTPUT, and FORWARD chains (the rules in this and the following sections are written in iptables-save format, i.e., without the leading iptables command):

-P INPUT DROP
-P OUTPUT DROP
-P FORWARD DROP

Allow loopback input and output:

-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

Log denied INPUT and OUTPUT:

-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-INPUT denied: " --log-level 7
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-OUTPUT denied: " --log-level 7

Allowing ICMP (Ping/Traceroute)

Allow OUTPUT ping/MTR (traceroute with ICMP):

-A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow INPUT ping/MTR:

-A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Allowing HTTP/HTTPS and DNS Traffic

Allow OUTPUT for HTTP/HTTPS:

-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

Allow OUTPUT for DNS and NTP (UDP 53 and 123):

-A OUTPUT -p udp -m multiport --dports 53,123 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m multiport --sports 53,123 -m state --state ESTABLISHED -j ACCEPT
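The default-deny baseline above and the rule-ordering caveat from the port-unblocking section, combined into one script as an added example (not part of the original cheat sheet). It generates a ruleset in iptables-save format, ready for iptables-restore, and includes a check that flags an ACCEPT hidden behind an earlier DROP for the same port. ADMIN_HOST and OPEN_TCP_PORTS are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): build a default-deny
# ruleset in iptables-save format and check a chain for an ACCEPT that is
# shadowed by an earlier DROP. ADMIN_HOST and OPEN_TCP_PORTS are constructed.

ADMIN_HOST="203.0.113.10"   # constructed: management host allowed to reach SSH
OPEN_TCP_PORTS="80 443"     # constructed: services open to everyone

# Print the ruleset on stdout. Order matters: the first matching rule wins,
# so loopback and established traffic go first, LOG goes last, and anything
# unmatched falls through to the chain's DROP policy.
gen_ruleset() {
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT DROP [0:0]'
  echo '-A INPUT -i lo -j ACCEPT'
  echo '-A OUTPUT -o lo -j ACCEPT'
  echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo '-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
  echo "-A INPUT -p tcp -s $ADMIN_HOST --dport 22 -m state --state NEW -m comment --comment \"SSH from admin host\" -j ACCEPT"
  for p in $OPEN_TCP_PORTS; do
    echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
  done
  echo '-A OUTPUT -p udp -m multiport --dports 53,123 -m state --state NEW -j ACCEPT'
  echo '-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT'
  echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-INPUT denied: " --log-level 7'
  echo '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-OUTPUT denied: " --log-level 7'
  echo 'COMMIT'
}

# Read a ruleset on stdin; return 0 if chain $1 has an ACCEPT for TCP port $2
# that sits behind an earlier DROP for the same port (so it never matches),
# which is what "unblocking" with -A after an existing DROP produces. Else 1.
shadowed() {
  awk -v chain="$1" -v port="$2" '
    $1 == "-A" && $2 == chain && /-p tcp/ && $0 ~ ("--dport " port "( |$)") {
      if (/-j DROP/ && !seen_accept) seen_drop = 1
      if (/-j ACCEPT/) seen_accept = 1
    }
    END { if (seen_drop && seen_accept) exit 0; exit 1 }'
}

# Stand-alone run: print the ruleset, then show the shadowing check on a
# constructed mis-ordered INPUT chain (ACCEPT appended after DROP).
gen_ruleset
printf '%s\n' '-A INPUT -p tcp --dport 25 -j DROP' '-A INPUT -p tcp --dport 25 -j ACCEPT' \
  | shadowed INPUT 25 && echo 'port 25 ACCEPT is shadowed by an earlier DROP'
```

To apply the generated rules, pipe them into iptables-restore as root (gen_ruleset | iptables-restore); keep a console session open in case a typo in the allowed ports locks you out.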
