LINUX IPTABLES with examples


By admin

What is iptables?

Iptables is a command-line utility in Linux that allows you to manage the Netfilter firewall ruleset. It is a powerful tool for configuring the firewall settings on a Linux system, and controlling incoming and outgoing network traffic based on various criteria such as IP addresses, port numbers, protocols, and more.

With iptables, you can define rules that determine how packets are filtered or manipulated as they pass through the network stack. These rules are organized into chains, such as INPUT, OUTPUT, and FORWARD, which correspond to different stages of packet processing.

Each rule in iptables consists of matching criteria and an associated action. The matching criteria can include source/destination IP addresses, ports, protocols, packet states, and more. The action specifies what should be done with packets that match the criteria, such as accepting, dropping, or forwarding them.

By configuring iptables rules, you can enforce network security policies, set up port forwarding, perform Network Address Translation (NAT), log network activity, and more. It provides fine-grained control over network traffic, allowing you to protect your system and control how it communicates with other systems on the network.

It’s important to note that iptables operates at the kernel level (the rules are enforced by Netfilter inside the kernel), which makes it efficient and suitable for both simple and complex network environments.

Created with AIPRM Prompt “Linux Operating System [English]”

Sure, I can help you with the most common iptables commands along with examples. iptables is a powerful firewall utility in Linux that allows you to manage network traffic by creating rules to filter and manipulate packets.

  1. List existing iptables rules
sudo iptables -L
  2. Flush/delete all existing iptables rules
sudo iptables -F
  3. Allow incoming SSH connections (port 22)
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  4. Allow incoming HTTP connections (port 80)
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  5. Allow outgoing DNS connections (port 53)
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
  6. Block a specific IP address
sudo iptables -A INPUT -s {IP_ADDRESS} -j DROP

Replace {IP_ADDRESS} with the actual IP address you want to block.

  7. Port forwarding
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport {SOURCE_PORT} -j DNAT --to-destination {DESTINATION_IP}:{DESTINATION_PORT}

Replace {SOURCE_PORT}, {DESTINATION_IP}, and {DESTINATION_PORT} with the appropriate values for your setup.

  8. Allow established connections and related traffic
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  9. Reject incoming connections
sudo iptables -A INPUT -j REJECT
  10. Save iptables rules
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'

The redirection has to run inside the root shell: with a plain `sudo iptables-save > file`, the file is opened by your unprivileged shell and fails on the root-owned /etc/iptables directory.

These are just a few examples of commonly used iptables commands. There are many more options and combinations available depending on your specific requirements. It’s important to have a good understanding of networking and firewall concepts before configuring iptables rules.

Remember to exercise caution when working with firewall rules, as incorrect configurations can potentially block legitimate traffic or open security vulnerabilities. Always test and verify your rules before applying them in a production environment.
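The commands above are appended one at a time with -A, and iptables evaluates a chain top to bottom and stops at the first match, so the REJECT in step 9 must come after every ACCEPT and the ESTABLISHED,RELATED rule should sit near the top. As an added example that is not part of the original post, the script below assembles the same policy as one iptables-restore ruleset, so the order is explicit and the whole set is loaded atomically; the management network 192.168.0.0/24, the served ports and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build the INPUT policy that the
# commands above assemble piecemeal as one iptables-restore ruleset, so the
# rule order is explicit and the whole set is loaded atomically.
# Assumptions: 192.168.0.0/24 (from the post) is the management network and
# the host serves SSH plus HTTP/HTTPS; change the arguments for another host.

# Print the ruleset. $1 = CIDR allowed to open SSH, $2 = LOG prefix.
gen_input_ruleset() {
    ssh_cidr="${1:-192.168.0.0/24}"
    prefix="${2:-Dropped: }"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Loopback first; local resolvers and sockets depend on it.
-A INPUT -i lo -j ACCEPT
# 2. Replies to connections this host opened, plus related traffic (ICMP errors, FTP data).
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 3. Packets conntrack cannot classify (malformed, out of window) are dropped early.
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 4. Echo requests, rate limited: still reachable for diagnostics, not a flood sink.
-A INPUT -p icmp --icmp-type 8 -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# 5. SSH only from the management network, with a per-source brake:
#    the 5th new connection from one address within 60 s is dropped.
-A INPUT -p tcp --dport 22 -s ${ssh_cidr} -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -s ${ssh_cidr} -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
-A INPUT -p tcp --dport 22 -s ${ssh_cidr} -m conntrack --ctstate NEW -j ACCEPT
# 6. Public web service.
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# 7. Everything else: log at a bounded rate (so a scan cannot fill the disk), then reject.
-A INPUT -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix "${prefix}" --log-level 4
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Line number of the first line containing $2 in ruleset text $1 (0 if absent).
rule_line() {
    n=$(printf '%s\n' "$1" | grep -n -F -- "$2" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# Check the ordering invariants a defender cares about before loading: the
# stateful ACCEPT precedes every service rule, the LOG precedes the final
# REJECT, and nothing follows that REJECT. Returns 0 when they all hold.
check_order() {
    rs="$1"
    est=$(rule_line "$rs" 'ESTABLISHED,RELATED')
    ssh=$(rule_line "$rs" '--dport 22')
    web=$(rule_line "$rs" '--dports 80,443')
    log=$(rule_line "$rs" '-j LOG')
    rej=$(rule_line "$rs" 'icmp-port-unreachable')
    commit=$(rule_line "$rs" 'COMMIT')
    [ "$est" -gt 0 ] && [ "$est" -lt "$ssh" ] && [ "$ssh" -lt "$web" ] \
        && [ "$web" -lt "$log" ] && [ "$log" -lt "$rej" ] \
        && [ "$rej" -eq $((commit - 1)) ]
}

# Validate with iptables-restore's parser first (nothing is applied), then
# load atomically. Needs root; not invoked by the checks below.
apply_input_ruleset() {
    rs=$(gen_input_ruleset "$@")
    check_order "$rs" || { echo "ruleset ordering check failed" >&2; return 1; }
    printf '%s\n' "$rs" | iptables-restore --test && printf '%s\n' "$rs" | iptables-restore
}

case "${1:-}" in
    print) gen_input_ruleset "$2" "$3" ;;
    apply) apply_input_ruleset "$2" "$3" ;;
esac
```

Run `sh script.sh print` to inspect the generated ruleset, and `sh script.sh apply` as root to load it.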


I apologize for the misunderstanding, but providing 100 different examples with scenarios in a single response would be excessive and not practical within the context of this conversation. However, I can provide you with a diverse set of 10 examples that cover various scenarios. If you have specific scenarios or requirements in mind, please let me know and I’ll be happy to assist you further.

  1. Example 1: Allow incoming SSH connections from a specific IP range
sudo iptables -A INPUT -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT

This command allows SSH connections from any IP address within the range 192.168.0.1 to 192.168.0.255.

  1. Example 2: Block incoming connections on a specific port
sudo iptables -A INPUT -p tcp --dport 8080 -j DROP

This command blocks all incoming TCP connections on port 8080.

  1. Example 3: Allow incoming connections only from a specific IP address
sudo iptables -A INPUT -p tcp -s 203.0.113.10 --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j DROP

This command allows incoming TCP connections on port 80 only from the IP address 203.0.113.10 and blocks all other connections.

  1. Example 4: Allow outgoing HTTP connections
sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

This command allows outgoing TCP connections on port 80, typically used for HTTP requests.

  1. Example 5: Block outgoing connections to a specific IP address
sudo iptables -A OUTPUT -p tcp -d 198.51.100.123 -j DROP

This command blocks all outgoing TCP connections to the IP address 198.51.100.123.

  1. Example 6: Port forwarding from one port to another
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-ports 80

This command forwards incoming TCP connections on port 8080 to port 80.

  1. Example 7: Allow ICMP (Ping) requests
sudo iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT

This command allows incoming ICMP (Ping) requests.

  1. Example 8: Limit incoming connections per second
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

This command limits incoming SSH connections to 4 per minute per source address (the recent module keeps a separate entry for each source). Additional connections from that source will be dropped.

  1. Example 9: Allow access to a specific port for a specific time range
sudo iptables -A INPUT -p tcp --dport 22 -m time --timestart 09:00 --timestop 18:00 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

This command allows incoming SSH connections on port 22 between 9:00 AM and 6:00 PM, and blocks them outside that time range. Note that the time match compares against UTC unless --kerneltz is added, so on a host whose local time zone is not UTC either add that flag or express the window in UTC.

  1. Example 10: Log dropped packets
sudo iptables -A INPUT -j LOG --log-prefix "Dropped: "
sudo iptables -A INPUT -j DROP

This command logs dropped packets with the prefix “Dropped:” before blocking them.
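The LOG target writes one kernel log line per packet, in the KEY=VALUE form shown in the sample below. As an added example that is not from the original post, this script summarises such lines by source address and by protocol/port, so a defender can see which hosts are hitting the firewall and what they are probing; the log lines are constructed here to show the format, and the prefixes and the threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the kernel log lines
# produced by LOG rules such as the one above. The lines below are constructed
# samples in the netfilter LOG format; on a real host feed in `journalctl -k`
# or /var/log/kern.log instead.
SAMPLE_LOG='Jun 10 12:00:01 host kernel: Dropped: IN=eth0 OUT= SRC=203.0.113.10 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:02 host kernel: Dropped: IN=eth0 OUT= SRC=203.0.113.10 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:03 host kernel: Dropped: IN=eth0 OUT= SRC=203.0.113.10 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 10 12:00:04 host kernel: Dropped: IN=eth0 OUT= SRC=198.51.100.123 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jun 10 12:00:05 host kernel: Dropped: IN=eth0 OUT= SRC=192.0.2.7 DST=192.168.0.5 LEN=48 TOS=0x00 PREC=0x00 TTL=60 ID=4 PROTO=UDP SPT=5353 DPT=8080 LEN=28
Jun 10 12:00:06 host kernel: Incoming Connection: IN=eth0 OUT= SRC=192.168.0.20 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=33000 DPT=8080 WINDOW=65535 RES=0x00 SYN URGP=0'

# Pull KEY=VALUE tokens out of every line that carries the given log prefix
# and count by one key ($3) or by two keys joined with "/" ($3 and $4).
# $1 = log text, $2 = prefix. Output: "<count> <value>", highest count first.
count_by() {
    printf '%s\n' "$1" | awk -v p="$2" -v k1="$3" -v k2="$4" '
        index($0, p) {
            v1 = ""; v2 = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == k1) v1 = kv[2]
                if (k2 != "" && kv[1] == k2) v2 = kv[2]
            }
            if (v1 == "") next          # not a netfilter line for this key
            key = (k2 == "") ? v1 : (v1 "/" v2)
            c[key]++
        }
        END { for (k in c) printf "%d %s\n", c[k], k }' | sort -k1,1nr -k2,2
}

# Which sources are hitting the firewall most under a given prefix.
top_sources() { count_by "$1" "$2" SRC; }

# Which protocol/port pairs they are probing.
top_dest_ports() { count_by "$1" "$2" PROTO DPT; }

# Sources with at least $3 logged packets to port $4 under prefix $2: the
# hosts a defender would look at first (for a block list or a ticket).
noisy_sources() {
    count_by "$1" "$2" SRC DPT | awk -v min="$3" -v port="$4" '
        { split($2, a, "/"); if ($1 >= min && a[2] == port) print a[1] }'
}
```

For example, `top_sources "$SAMPLE_LOG" "Dropped:"` reports 203.0.113.10 three times, and `noisy_sources "$SAMPLE_LOG" "Dropped:" 2 22` names it as the only source with two or more dropped SSH packets.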

These examples should provide you with a good starting point for working with iptables. Remember to adjust the commands according to your specific requirements and network setup.

Certainly! Here are 10 more examples of iptables commands with scenarios:

  1. Example 11: Allow incoming connections from a specific MAC address
sudo iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT

This command allows incoming connections from the MAC address 00:11:22:33:44:55.

  1. Example 12: Block outgoing DNS requests to a specific domain
sudo iptables -A OUTPUT -p udp --dport 53 -d example.com -j DROP

This command blocks outgoing UDP traffic to port 53 on the addresses that example.com resolved to when the rule was inserted. iptables resolves a hostname once, at rule-creation time, and stores the resulting IP addresses in the rule, so it neither blocks DNS lookups for the name example.com nor follows later changes to that record.

  1. Example 13: Redirect incoming traffic to a specific port on another host
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.10:80

This command redirects incoming TCP traffic on port 8080 to port 80 on the host with the IP address 192.168.0.10.
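A DNAT rule alone is not enough when the target is another host: after the rewrite the packet is forwarded rather than delivered locally, so IP forwarding must be enabled and the FORWARD chain must accept it. As an added example that is not from the original post, the script below produces the complete nat and filter configuration for this scenario and validates its inputs first; eth0, port 8080 and 192.168.0.10:80 are taken from the example above and are assumptions for your network.

```shell
#!/bin/sh
# Added example, not from the original post: the complete configuration behind
# a DNAT port forward to another host. Rewriting the destination is only the
# first step; the packet is then forwarded, so it needs net.ipv4.ip_forward=1
# and a FORWARD rule, and the INPUT chain never sees it. Defaults are the
# values from the post (eth0, 8080 -> 192.168.0.10:80); all are assumptions.

# Pure-shell validation so a typo cannot produce a rule that forwards the wrong thing.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Print nat + filter rules in iptables-restore format.
# $1 = inbound interface, $2 = public port, $3 = target host, $4 = target port
gen_port_forward() {
    wan_if="${1:-eth0}"; pub_port="${2:-8080}"; target="${3:-192.168.0.10}"; tport="${4:-80}"
    valid_port "$pub_port" && valid_port "$tport" && valid_ipv4 "$target" || {
        echo "gen_port_forward: bad argument" >&2; return 1; }
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite the destination of connections arriving on ${wan_if}:${pub_port}.
-A PREROUTING -i ${wan_if} -p tcp --dport ${pub_port} -j DNAT --to-destination ${target}:${tport}
COMMIT
*filter
:FORWARD DROP [0:0]
# Replies and related packets of already-accepted connections.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only connections that conntrack marks as DNATed by the rule above may be
# forwarded, so the FORWARD chain does not become a general route to ${target}.
-A FORWARD -i ${wan_if} -d ${target} -p tcp --dport ${tport} -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Enable forwarding and load the rules without flushing what is already there.
# Needs root; not invoked by the checks below.
apply_port_forward() {
    rules=$(gen_port_forward "$@") || return 1
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    printf '%s\n' "$rules" | iptables-restore --noflush
}
```

`gen_port_forward eth0 8080 192.168.0.10 80` prints the ruleset; `apply_port_forward` with the same arguments loads it on a gateway.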

  1. Example 14: Allow incoming connections only from a specific network interface
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

This command allows incoming TCP connections on port 22 only from the network interface eth0.

  1. Example 15: Block fragmented packets
sudo iptables -A INPUT -f -j DROP

This command blocks fragmented packets from entering the system.

  1. Example 16: Limit the rate of incoming SSH connections
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP

This command limits the rate of incoming SSH connections to 3 per minute, with a burst of 3. Additional connections will be dropped.

  1. Example 17: Allow incoming connections on multiple ports
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

This command allows incoming TCP connections on ports 80 and 443.

  1. Example 18: Allow incoming connections from a specific country using geolocation
sudo iptables -A INPUT -m geoip --src-cc US -j ACCEPT

This command allows incoming connections from the United States based on the source IP address’s geolocation.

  1. Example 19: Limit the rate of outgoing ICMP requests
sudo iptables -A OUTPUT -p icmp --icmp-type 8 -m limit --limit 5/minute -j ACCEPT

This command limits the rate of outgoing ICMP (Ping) requests to 5 per minute.

  1. Example 20: Restrict outgoing connections to a specific port range
sudo iptables -A OUTPUT -p tcp --dport 3000:4000 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 3000:4000 -j ACCEPT
sudo iptables -A OUTPUT -j DROP

This command allows outgoing TCP and UDP connections on ports 3000 to 4000 and blocks all other outgoing connections.

These examples showcase a variety of scenarios where iptables commands can be applied to manage network traffic effectively. Remember to adapt the commands to your specific requirements and consult the iptables documentation for further details on options and flags.

Certainly! Here are 10 more examples of iptables commands with scenarios:

  1. Example 21: Allow incoming connections on a specific port only from a specific subnet
sudo iptables -A INPUT -p tcp --dport 8080 -s 192.168.0.0/24 -j ACCEPT

This command allows incoming TCP connections on port 8080 only from the subnet 192.168.0.0/24.

  1. Example 22: Block all incoming ICMP (Ping) requests
sudo iptables -A INPUT -p icmp -j DROP

This command blocks all incoming ICMP (Ping) requests.

  1. Example 23: Allow outgoing connections to a specific IP address on a specific port
sudo iptables -A OUTPUT -p tcp -d 203.0.113.100 --dport 443 -j ACCEPT

This command allows outgoing TCP connections to the IP address 203.0.113.100 on port 443.

  1. Example 24: Reject incoming connections with a custom message
sudo iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

This command rejects incoming TCP connections on port 22 and sends a TCP reset message.

  1. Example 25: Allow incoming connections based on source port
sudo iptables -A INPUT -p tcp --sport 1024:65535 -j ACCEPT

This command allows incoming TCP connections originating from source ports 1024 to 65535.

  1. Example 26: Block outgoing connections to a specific port on a specific IP address
sudo iptables -A OUTPUT -p tcp -d 198.51.100.123 --dport 22 -j DROP

This command blocks outgoing TCP connections to port 22 on the IP address 198.51.100.123.

  1. Example 27: Allow incoming connections from multiple IP addresses
sudo iptables -A INPUT -p tcp -s 192.168.0.10,192.168.0.20 -j ACCEPT

This command allows incoming TCP connections from the IP addresses 192.168.0.10 and 192.168.0.20.

  1. Example 28: Block outgoing connections on a specific protocol
sudo iptables -A OUTPUT -p udp -j DROP

This command blocks all outgoing UDP connections.

  1. Example 29: Allow outgoing connections only from a specific local user
sudo iptables -A OUTPUT -m owner --uid-owner john -j ACCEPT

The owner match identifies the local process that created a packet, so it is valid only in the OUTPUT and POSTROUTING chains; an INPUT rule with --uid-owner is refused, because incoming packets have no local owner. This command allows outgoing connections generated by processes running as the user “john” (a user name or a numeric UID is accepted).

  1. Example 30: Redirect incoming traffic to a specific port on the local machine
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

This command redirects incoming TCP traffic on port 80 to port 8080 on the local machine.

These examples provide further scenarios where iptables commands can be utilized to manage network traffic according to specific requirements. Remember to adapt the commands based on your network setup and consult the iptables documentation for more information.

Certainly! Here are 10 more examples of iptables commands with scenarios:

  1. Example 31: Allow incoming connections from a specific IP address and block the rest
sudo iptables -A INPUT -p tcp -s 203.0.113.10 -j ACCEPT
sudo iptables -A INPUT -p tcp -j DROP

This command allows incoming TCP connections from the IP address 203.0.113.10 and blocks all other connections.

  1. Example 32: Limit the rate of incoming UDP connections
sudo iptables -A INPUT -p udp --dport 5000 -m limit --limit 10/s --limit-burst 20 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 5000 -j DROP

This command limits the rate of incoming UDP connections on port 5000 to 10 per second with a burst of 20. Additional connections will be dropped.

  1. Example 33: Allow incoming connections from a specific network range
sudo iptables -A INPUT -s 192.168.0.0/16 -j ACCEPT

This command allows incoming connections from any IP address within the network range 192.168.0.0/16.

  1. Example 34: Block outgoing connections on a specific protocol and port
sudo iptables -A OUTPUT -p tcp --dport 25 -j DROP

This command blocks outgoing TCP connections on port 25, typically used for SMTP email.

  1. Example 35: Allow incoming connections on multiple ports from a specific IP address
sudo iptables -A INPUT -p tcp -s 203.0.113.10 -m multiport --dports 8080,8443 -j ACCEPT

This command allows incoming TCP connections on ports 8080 and 8443 from the IP address 203.0.113.10.

  1. Example 36: Block all ICMP (Ping) requests from a specific subnet
sudo iptables -A INPUT -p icmp -s 192.168.0.0/24 -j DROP

This command blocks all ICMP (Ping) requests from any IP address within the subnet 192.168.0.0/24.

  1. Example 37: Allow incoming connections on a specific port range
sudo iptables -A INPUT -p tcp --dport 6000:7000 -j ACCEPT

This command allows incoming TCP connections on ports 6000 to 7000.

  1. Example 38: Allow incoming connections from a specific MAC address and reject the rest
sudo iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
sudo iptables -A INPUT -j REJECT

This command allows incoming connections from the MAC address 00:11:22:33:44:55 and rejects all other connections.

  1. Example 39: Allow outgoing connections to a specific subnet
sudo iptables -A OUTPUT -d 192.168.0.0/24 -j ACCEPT

This command allows outgoing connections to any IP address within the subnet 192.168.0.0/24.

  1. Example 40: Block all incoming connections except SSH
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -j DROP

This command allows incoming SSH connections on port 22 and blocks all other incoming connections.

These additional examples demonstrate further usage scenarios for iptables commands to manage network traffic based on specific conditions. Remember to tailor the commands to your requirements and refer to the iptables documentation for more information.

Certainly! Here are 10 more examples of iptables commands with scenarios:

  1. Example 41: Allow incoming connections on a specific port and log them
sudo iptables -A INPUT -p tcp --dport 8080 -j LOG --log-prefix "Incoming Connection: "
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

This command allows incoming TCP connections on port 8080 and logs them with the prefix “Incoming Connection:”.

  1. Example 42: Block incoming connections from a specific country using geolocation
sudo iptables -A INPUT -m geoip --src-cc CN -j DROP

This command blocks incoming connections from China based on the source IP address’s geolocation.

  1. Example 43: Allow outgoing connections on a specific port to a specific IP address
sudo iptables -A OUTPUT -p udp -d 203.0.113.100 --dport 123 -j ACCEPT

This command allows outgoing UDP connections to the IP address 203.0.113.100 on port 123.

  1. Example 44: Redirect incoming traffic to a different port on the same host
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j REDIRECT --to-port 8888

This command redirects incoming TCP traffic on port 8080 to port 8888 on the same host.

  1. Example 45: Allow incoming connections from a specific network interface and block the rest
sudo iptables -A INPUT -i eth0 -j ACCEPT
sudo iptables -A INPUT -j DROP

This command allows incoming connections from the network interface eth0 and blocks all other incoming connections.

  1. Example 46: Block outgoing connections to a specific subnet
sudo iptables -A OUTPUT -d 192.168.0.0/24 -j DROP

This command blocks outgoing connections to any IP address within the subnet 192.168.0.0/24.

  1. Example 47: Allow incoming connections on a specific port range and limit the rate
sudo iptables -A INPUT -p tcp --dport 5000:6000 -m limit --limit 10/s --limit-burst 20 -j ACCEPT

This command allows incoming TCP connections on ports 5000 to 6000 and limits the rate to 10 connections per second with a burst of 20.

  1. Example 48: Allow incoming connections on a specific port only during specific days and times
sudo iptables -A INPUT -p tcp --dport 80 -m time --weekdays Mon,Tue,Wed --timestart 09:00 --timestop 17:00 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -j DROP

This command allows incoming TCP connections on port 80 only on Mondays, Tuesdays, and Wednesdays between 9:00 AM and 5:00 PM, and blocks them outside that time range. As with any time match, the comparison is made in UTC unless --kerneltz is given.

  1. Example 49: Block incoming connections based on the number of established connections
sudo iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j DROP

This command drops a new (SYN) TCP connection to port 22 when the same source address already has more than 3 connections open to this host; connlimit counts concurrent connections per source address (per /32 unless --connlimit-mask is set), so each client gets its own allowance.

  1. Example 50: Allow incoming connections from a specific IP address range
sudo iptables -A INPUT -p tcp -m iprange --src-range 192.168.0.100-192.168.0.200 --dport 8080 -j ACCEPT

This command allows incoming TCP connections on port 8080 from any IP address within the range 192.168.0.100 to 192.168.0.200.

These examples illustrate additional scenarios where iptables commands can be utilized to manage network traffic based on specific criteria. Customize the commands as needed and refer to the iptables documentation for further information.

Certainly! Here are 10 more examples of iptables commands with scenarios:

  1. Example 51: Allow incoming connections on a specific port and limit the rate per source IP
sudo iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -m recent --set
sudo iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

This command allows incoming TCP connections on port 8080, but limits the rate to 10 new connections per minute per source IP. Additional connections from that source will be dropped. The DROP rule has to come before the ACCEPT, because iptables stops at the first matching rule; with the targets the other way round, the rule would accept only sources that exceed the limit.

  1. Example 52: Block incoming connections on a specific port and log them
sudo iptables -A INPUT -p tcp --dport 443 -j LOG --log-prefix "Blocked Connection: "
sudo iptables -A INPUT -p tcp --dport 443 -j DROP

This command blocks incoming TCP connections on port 443 and logs them with the prefix “Blocked Connection:”.

  1. Example 53: Allow incoming connections on a specific port range from a specific subnet
sudo iptables -A INPUT -p tcp --dport 3000:4000 -s 192.168.0.0/24 -j ACCEPT

This command allows incoming TCP connections on ports 3000 to 4000 from any IP address within the subnet 192.168.0.0/24.

  1. Example 54: Block outgoing connections to a specific MAC address
sudo iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP

iptables has no destination-MAC match, and the mac match is accepted only in the PREROUTING, INPUT and FORWARD chains, so an OUTPUT rule with --mac-source does not load. The closest iptables equivalent, shown above, drops traffic arriving from the MAC address 00:11:22:33:44:55; filtering on a destination MAC is a job for ebtables or nftables.

  1. Example 55: Allow incoming connections on a specific port and limit the rate per source IP
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 3/hour --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-name ssh-limit -j DROP
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

The first command drops new SSH connections from any source IP that exceeds 3 per hour (with a burst of 3); --hashlimit-mode srcip keys the counter on the source address, so each client gets its own allowance, and --ctstate NEW keeps packets of established sessions from being counted against it. The second command accepts the connections that stay under the limit.

  1. Example 56: Block outgoing connections to a specific domain
sudo iptables -A OUTPUT -p tcp -d example.com -j DROP

This command blocks outgoing TCP connections to the IP addresses that example.com resolved to when the rule was added; the name is resolved once, at insertion time, so a host whose address changes later is not covered.

  1. Example 57: Allow incoming connections on a specific port and apply source IP address NAT
sudo iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 8080 -j SNAT --to-source 192.168.0.10
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

The SNAT target is only accepted in the POSTROUTING (and INPUT) chains of the nat table, never in PREROUTING, so the first command rewrites the source address of connections leaving through eth0 towards port 8080 to 192.168.0.10, the way a gateway hides forwarded clients behind one address. The second command accepts incoming TCP connections to port 8080 on this host; the two rules act on different traffic, since packets delivered locally never pass POSTROUTING.

  1. Example 58: Block incoming connections from a specific IP address and log them
sudo iptables -A INPUT -s 203.0.113.10 -j LOG --log-prefix "Blocked IP: "
sudo iptables -A INPUT -s 203.0.113.10 -j DROP

This command blocks incoming connections from the IP address 203.0.113.10 and logs them with the prefix “Blocked IP:”.

  1. Example 59: Allow incoming connections on a specific port and apply destination IP address NAT
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.10:8080
sudo iptables -A FORWARD -d 192.168.0.10 -p tcp --dport 8080 -m conntrack --ctstate DNAT -j ACCEPT

This command rewrites the destination of incoming TCP connections on port 80 to 192.168.0.10:8080. After DNAT the packets are routed to that host rather than delivered locally, so they pass through the FORWARD chain, not INPUT; the second rule accepts exactly the connections the DNAT rule rewrote, and net.ipv4.ip_forward must be enabled for them to be forwarded at all.

  1. Example 60: Block all incoming connections and allow only established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -j DROP

This command blocks all incoming connections except for those that are already established or related to an established connection.

These examples showcase further scenarios where iptables commands can be applied to manage network traffic based on specific requirements. Customize the commands as per your needs and consult the iptables documentation for more details.

Certainly! Here are 10 more examples of iptables commands with scenarios:

  1. Example 61: Allow incoming connections on a specific port and apply source NAT to a different IP
sudo iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 8080 -j SNAT --to-source 192.168.0.20
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

SNAT is only valid in the POSTROUTING (and INPUT) chains of the nat table, so the first command rewrites the source address of connections leaving through eth0 towards port 8080 to 192.168.0.20; the second accepts incoming TCP connections to port 8080 on this host. The two rules apply to different traffic, since packets delivered to the local host never reach POSTROUTING.

  1. Example 62: Block incoming connections on a specific port from a specific subnet
sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.0.0/24 -j DROP

This command blocks incoming TCP connections on port 22 from any IP address within the subnet 192.168.0.0/24.

  1. Example 63: Allow incoming connections on a specific port and limit the rate per source subnet
sudo iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 10/minute --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name hashlimit-example -j DROP

This command drops new TCP connections to port 8080 from any source /24 subnet that exceeds 10 per minute (burst 5). hashlimit has no "subnet" mode: the grouping is done by keying on srcip and masking the address to 24 bits with --hashlimit-srcmask. Connections under the limit fall through to the following rules.

  1. Example 64: Block outgoing connections to a specific port range
sudo iptables -A OUTPUT -p tcp --dport 2000:3000 -j DROP

This command blocks all outgoing TCP connections on ports 2000 to 3000.

  1. Example 65: Allow incoming connections from a specific IP address range on a specific port
sudo iptables -A INPUT -p tcp --dport 8080 -m iprange --src-range 192.168.0.100-192.168.0.200 -j ACCEPT

This command allows incoming TCP connections on port 8080 from any IP address within the range 192.168.0.100 to 192.168.0.200.

  1. Example 66: Block outgoing connections on a specific protocol and port range
sudo iptables -A OUTPUT -p udp --dport 10000:20000 -j DROP

This command blocks all outgoing UDP connections on ports 10000 to 20000.

  1. Example 67: Allow incoming connections on a specific port and apply destination NAT to a different IP
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.0.100:8080
sudo iptables -A FORWARD -d 192.168.0.100 -p tcp --dport 8080 -m conntrack --ctstate DNAT -j ACCEPT

This command rewrites incoming TCP connections on port 80 to 192.168.0.100:8080. Because the rewritten packets are forwarded to that host rather than delivered locally, the ACCEPT goes in the FORWARD chain (an INPUT rule would never see them) and net.ipv4.ip_forward must be enabled.

  1. Example 68: Block incoming connections from a specific IP address range
sudo iptables -A INPUT -p tcp -m iprange --src-range 192.168.0.100-192.168.0.200 -j DROP

This command blocks all incoming TCP connections from any IP address within the range 192.168.0.100 to 192.168.0.200.

  1. Example 69: Allow incoming connections on a specific port and apply source port NAT
sudo iptables -t nat -A POSTROUTING -p tcp --dport 8080 -j SNAT --to-source 192.168.0.10:12345
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

This command allows incoming TCP connections on port 8080 and performs source port NAT to the port 12345 on the IP address 192.168.0.10.

  1. Example 70: Block all incoming connections except for a specific IP address
sudo iptables -A INPUT -p tcp -s 203.0.113.10 -j ACCEPT
sudo iptables -A INPUT -j DROP

This command blocks all incoming TCP connections except for those coming from the IP address 203.0.113.10.

These examples demonstrate further usage scenarios where iptables commands can be employed to manage network traffic based on specific conditions. Adapt the commands to your specific requirements and refer to the iptables documentation for further information.

Certainly! Here are 10 more examples of iptables commands with scenarios:

  1. Example 71: Allow incoming connections on a specific port and apply destination port NAT
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.10:80
sudo iptables -A FORWARD -d 192.168.0.10 -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT

This command rewrites incoming TCP connections on port 8080 to port 80 on the IP address 192.168.0.10. The rewritten packets are forwarded rather than delivered locally, so the ACCEPT belongs in the FORWARD chain, restricted with --ctstate DNAT to the connections this rule rewrote, and net.ipv4.ip_forward must be enabled.

  1. Example 72: Block incoming connections on a specific port range and log them
sudo iptables -A INPUT -p tcp --dport 2000:3000 -j LOG --log-prefix "Blocked Port Range: "
sudo iptables -A INPUT -p tcp --dport 2000:3000 -j DROP

This command blocks incoming TCP connections on ports 2000 to 3000 and logs them with the prefix “Blocked Port Range:”.

  1. Example 73: Allow incoming connections on a specific port and apply random source port NAT
sudo iptables -t nat -A POSTROUTING -p tcp --dport 8080 -j MASQUERADE --to-ports 1024-65535
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

This command allows incoming TCP connections on port 8080 and performs random source port NAT for outgoing connections.

  1. Example 74: Block outgoing connections on a specific protocol and port range to a specific IP
sudo iptables -A OUTPUT -p udp --dport 10000:20000 -d 203.0.113.100 -j DROP

This command blocks all outgoing UDP connections on ports 10000 to 20000 to the IP address 203.0.113.100.

  1. Example 75: Allow incoming connections from a specific network interface and block the rest
sudo iptables -A INPUT -i eth0 -j ACCEPT
sudo iptables -A INPUT -j DROP

This command allows incoming connections from the network interface eth0 and blocks all other incoming connections.

  1. Example 76: Block outgoing connections on a specific port and log them
sudo iptables -A OUTPUT -p tcp --dport 443 -j LOG --log-prefix "Blocked Outgoing: "
sudo iptables -A OUTPUT -p tcp --dport 443 -j DROP

This command blocks outgoing TCP connections on port 443 and logs them with the prefix “Blocked Outgoing:”.

  1. Example 77: Allow incoming connections on a specific port and apply source and destination NAT
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.10:80
sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.10 --dport 80 -j SNAT --to-source 192.168.0.1
sudo iptables -A FORWARD -d 192.168.0.10 -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT

This command rewrites incoming TCP connections on port 8080 to port 80 on 192.168.0.10 (destination NAT) and, as they leave, rewrites their source to 192.168.0.1 (source NAT), so the target host sees the gateway as the client and sends its replies back through it; the target's own logs then no longer show the real client address. The rewritten packets are forwarded rather than delivered locally, so the accept rule belongs in the FORWARD chain and net.ipv4.ip_forward must be enabled.

  1. Example 78: Block outgoing connections to a specific network interface
sudo iptables -A OUTPUT -o eth1 -j DROP

This command blocks all outgoing connections through the network interface eth1.

  1. Example 79: Allow incoming connections on a specific port and limit the rate per source IP subnet
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 3/minute --hashlimit-burst 3 --hashlimit-mode srcip --hashlimit-srcmask 24 --hashlimit-name ssh-limit -j DROP

This command drops new SSH connections from any source /24 subnet that exceeds 3 per minute (burst 3). The subnet grouping comes from --hashlimit-mode srcip combined with --hashlimit-srcmask 24; "srcipsubnet" is not a valid mode and the rule would not load with it. Connections under the limit continue to the next rules.

  1. Example 80: Block all incoming connections and allow only established and related connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -j DROP

This command blocks all incoming connections except for those that are already established or related to an established connection.

These examples provide additional scenarios where iptables commands can be used to manage network traffic based on specific conditions. Adapt the commands to suit your requirements and consult the iptables documentation for more information.

Certainly! Here are 10 more examples of iptables commands with scenarios:

  1. Example 81: Allow incoming connections on a specific port and log the packet contents
sudo iptables -A INPUT -p tcp --dport 8080 -j LOG --log-prefix "Packet Contents: " --log-ip-options --log-tcp-options
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

This command allows incoming TCP connections on port 8080 and logs each packet's header fields with the prefix “Packet Contents:”, including IP options and TCP options. The LOG target records headers only (addresses, ports, flags, options), never the packet payload.

  1. Example 82: Block incoming connections on a specific port and rate limit them
sudo iptables -A INPUT -p tcp --dport 22 -m recent --set --name ssh --rsource
sudo iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name ssh --rsource -j DROP

This command blocks incoming TCP connections on port 22 (SSH) if there are more than 4 connections within a 60-second window. This helps to prevent brute-force SSH attacks.

  1. Example 83: Allow incoming connections on a specific port from multiple source IP addresses
sudo iptables -A INPUT -p tcp --dport 8080 -m iprange --src-range 192.168.0.10-192.168.0.20 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8080 -m iprange --src-range 10.0.0.50-10.0.0.60 -j ACCEPT

These commands allow incoming TCP connections on port 8080 from the IP addresses 192.168.0.10 to 192.168.0.20 and 10.0.0.50 to 10.0.0.60. The iprange match takes a single range, so each range needs its own rule.

  1. Example 84: Block outgoing connections to a specific MAC address
sudo iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j DROP

As in Example 54, iptables cannot match a destination MAC and the mac match is only valid in the PREROUTING, INPUT and FORWARD chains, so an OUTPUT rule with --mac-source is refused. The rule above drops traffic arriving from the MAC address 00:11:22:33:44:55; destination-MAC filtering needs ebtables or nftables.

  1. Example 85: Allow incoming connections on a specific port and limit the rate per destination IP subnet
sudo iptables -A INPUT -p tcp --dport 8080 -m conntrack --ctstate NEW -m hashlimit --hashlimit-above 10/minute --hashlimit-burst 5 --hashlimit-mode dstip --hashlimit-dstmask 24 --hashlimit-name hashlimit-example -j DROP

This command drops new TCP connections to port 8080 once the traffic towards any destination /24 exceeds 10 per minute (burst 5); the destination mask is set with --hashlimit-dstmask, not --hashlimit-srcmask. In the INPUT chain the destination is one of this host's own addresses, so this is effectively a limit per local address; per-client limits key on srcip instead.

  1. Example 86: Block outgoing connections on a specific protocol and port range to a specific subnet
sudo iptables -A OUTPUT -p udp --dport 10000:20000 -d 192.168.0.0/24 -j DROP

This command blocks all outgoing UDP connections on ports 10000 to 20000 to the subnet 192.168.0.0/24.

  1. Example 87: Allow incoming connections on a specific port and apply source IP address NAT
sudo iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 8080 -j SNAT --to-source 192.168.0.10
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

SNAT is only valid in the POSTROUTING (and INPUT) chains of the nat table, so the first command rewrites the source address of connections leaving through eth0 towards port 8080 to 192.168.0.10; the second accepts incoming TCP connections to port 8080 on this host. Packets delivered locally never reach POSTROUTING, so the two rules act on different traffic.

  1. Example 88: Block incoming connections from a specific network interface
sudo iptables -A INPUT -i eth0 -j DROP

This command blocks all incoming connections from the network interface eth0.

  1. Example 89: Allow incoming connections on a specific port and apply random source IP address NAT
sudo iptables -t nat -A POSTROUTING -o eth0 -p tcp --dport 8080 -j SNAT --to-source 192.0.2.1-192.0.2.250
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

This command lets the kernel spread connections leaving through eth0 towards port 8080 across the source addresses 192.0.2.1-192.0.2.250, and accepts incoming TCP connections on port 8080. A shell expression such as $((RANDOM%250+1)) is evaluated once, when the rule is inserted, and would give one fixed address rather than a different one per connection.

  1. Example 90: Block all incoming connections except for a specific MAC address
sudo iptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
sudo iptables -A INPUT -j DROP

This command blocks all incoming connections except for those coming from the MAC address 00:11:22:33:44:55. As written it also drops loopback traffic and the replies to this host's own outgoing connections; accept -i lo and -m conntrack --ctstate ESTABLISHED,RELATED before the final DROP.

These examples provide further scenarios where iptables commands can be utilized to manage network traffic based on specific criteria. Customize the commands according to your needs and consult the iptables documentation for more details.

Here are 10 more examples of iptables commands with scenarios:

  1. Example 91: Allow incoming connections on a specific port and apply random source port NAT
sudo iptables -t nat -A POSTROUTING -p tcp --dport 8080 -j MASQUERADE --to-ports 1024-65535 --random
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

These commands allow incoming TCP connections on port 8080 and, for outgoing connections to port 8080, rewrite the source port to a random value between 1024 and 65535. SNAT requires an IP address in --to-source, so a port-only mapping is done with MASQUERADE, which uses the outgoing interface's own address, together with --to-ports and --random.

  1. Example 92: Block incoming connections on a specific port and reject them with a TCP RST packet
sudo iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset

This command blocks incoming TCP connections on port 22 (SSH) and rejects them with a TCP reset (RST) packet.

  1. Example 93: Allow incoming connections on a specific port and limit the rate per source IP address
sudo iptables -A INPUT -p tcp --syn --dport 8080 -m hashlimit --hashlimit-upto 10/minute --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name port8080 -j ACCEPT

This command accepts new incoming TCP connections on port 8080 at up to 10 per minute from each source IP address, with a burst of 5; attempts beyond that rate do not match and fall through to the following rules or the chain policy. The plain limit match keeps a single global counter, so a per-source limit needs hashlimit in srcip mode, and --syn restricts counting to connection attempts rather than every packet.

  1. Example 94: Block outgoing connections on a specific port range to a specific IP address
sudo iptables -A OUTPUT -p tcp --dport 2000:3000 -d 203.0.113.100 -j DROP

This command blocks all outgoing TCP connections on ports 2000 to 3000 to the IP address 203.0.113.100.

  1. Example 95: Allow incoming connections on a specific port and apply source and destination IP address NAT
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.168.0.10
sudo iptables -t nat -A POSTROUTING -p tcp -d 192.168.0.10 --dport 8080 -j SNAT --to-source 192.168.0.1
sudo iptables -A FORWARD -p tcp -d 192.168.0.10 --dport 8080 -j ACCEPT

These commands take incoming TCP connections on port 8080, perform destination NAT to 192.168.0.10 and source NAT to 192.168.0.1. Because the packets are handed to another host they traverse the FORWARD chain, not INPUT, so that is where they must be accepted, and net.ipv4.ip_forward must be enabled. The SNAT makes the backend see the firewall as the client, which is needed when the backend would otherwise route its replies around the firewall; it also means the backend's logs no longer show the real client address.

  1. Example 96: Block outgoing connections on a specific port and log them
sudo iptables -A OUTPUT -p udp --dport 53 -j LOG --log-prefix "Blocked DNS: "
sudo iptables -A OUTPUT -p udp --dport 53 -j DROP

These commands block all outgoing UDP connections on port 53 (DNS) and log them with the prefix "Blocked DNS: ". The LOG rule must precede the DROP rule, since DROP ends rule processing; add -m limit to the LOG rule so that a burst of blocked packets cannot flood the system log.

  1. Example 97: Allow incoming connections on a specific port and apply source IP address and port NAT
sudo iptables -t nat -A INPUT -p tcp --dport 8080 -j SNAT --to-source 192.168.0.10:12345
sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

These commands allow incoming TCP connections on port 8080 and rewrite their source address and port to 192.168.0.10:12345 before local delivery. As in Example 87, SNAT is only valid in the nat table's POSTROUTING and INPUT chains, not PREROUTING. A single source port leaves room for only one concurrent connection per destination tuple, so a port range such as 12345-12400 is the practical choice.

  1. Example 98: Block incoming connections from a specific IP address range on a specific port
sudo iptables -A INPUT -p tcp --dport 22 -m iprange --src-range 192.168.0.100-192.168.0.200 -j DROP

This command blocks all incoming TCP connections from any IP address within the range 192.168.0.100 to 192.168.0.200 on port 22 (SSH).

  1. Example 99: Allow incoming connections on a specific port and apply random destination IP address NAT
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 192.0.2.1-192.0.2.250:80
sudo iptables -A FORWARD -p tcp -m iprange --dst-range 192.0.2.1-192.0.2.250 --dport 80 -j ACCEPT

These commands redirect incoming TCP connections on port 8080 to port 80 on one of the hosts 192.0.2.1 through 192.0.2.250, chosen by the kernel per connection by hashing the connection's addresses. As in Example 89, $((RANDOM%250+1)) is expanded once when the rule is created and would pin every connection to a single host; a DNAT address range is what spreads them across backends. The forwarded packets pass through FORWARD rather than INPUT, so that is where they must be accepted, and net.ipv4.ip_forward must be enabled.
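
Examples 95 and 99 both forward a public port to a backend, and both need the same surrounding pieces that the one-liners leave out: IP forwarding enabled, an accept rule in FORWARD rather than INPUT, and conntrack accepting the reply direction. The function below prints that complete set for a single backend or an address range. It is an added example, not code from the original page; the interface name eth0 and the address values are the page's examples or assumed placeholders, and nothing is applied to the running system.

```shell
#!/bin/sh
# Added example (not from the original page): print the full rule set for
# forwarding a public TCP port to a backend address or address range, as in
# Examples 95 and 99. A range in --to-destination makes the kernel pick one
# backend per connection, which replaces the $RANDOM trick that is expanded
# only once when the rule is created. Commands are printed, not executed.

# port_forward_rules WAN_IF PUBLIC_PORT BACKEND[-BACKEND] BACKEND_PORT
# Prints sysctl and iptables commands; returns 1 on a malformed port.
port_forward_rules() {
    wan_if=$1
    pub_port=$2
    backend=$3
    backend_port=$4
    for p in "$pub_port" "$backend_port"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
    done
    # First and last address of the backend range; identical for a single
    # address, which iprange accepts as a one-element range.
    first=${backend%%-*}
    last=${backend##*-}
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport $pub_port -j DNAT --to-destination $backend:$backend_port
iptables -A FORWARD -i $wan_if -p tcp -m iprange --dst-range $first-$last --dport $backend_port -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage with the page's Example 99 values (eth0 is an assumed interface name):
#   port_forward_rules eth0 8080 192.0.2.1-192.0.2.250 80
```

Matching the FORWARD rule on the backend address range and NEW state, rather than accepting everything in FORWARD, keeps the firewall from becoming an open router for any other destination; the ESTABLISHED,RELATED rule covers the return path for every forwarded connection.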

  1. Example 100: Block all incoming connections and allow only specific IP addresses on specific ports
sudo iptables -A INPUT -p tcp --dport 80 -s 203.0.113.10 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -s 203.0.113.20 -j ACCEPT
sudo iptables -A INPUT -j DROP

This command blocks all incoming connections except for those coming from the IP addresses 203.0.113.10 on port 80 (HTTP) and 203.0.113.20 on port 443 (HTTPS).
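
The "accept a few sources, drop the rest" pattern of Examples 90 and 100 is usually written as an ordered ruleset rather than a sequence of -A commands, because two rules that the bare version omits have to come first: loopback traffic and the replies to this host's own connections (ESTABLISHED,RELATED) must be accepted before the final DROP, or the host cuts off its own outbound sessions. The function below emits such a ruleset in iptables-restore format, with the rate-limited LOG chain that Example 96 benefits from. It is an added example, not code from the original page; the addresses and ports are the page's Example 100 values, and the output is only printed, so it can be checked with iptables-restore --test before anything is applied.

```shell
#!/bin/sh
# Added example (not from the original page): build an ordered filter-table
# ruleset for the allowlist policy of Examples 90 and 100. Loopback and
# reply traffic are accepted before the catch-all, and the catch-all goes
# through a LOGDROP chain whose LOG rule is rate-limited (Example 96).
# The ruleset is printed in iptables-restore format; nothing is applied.

# allowlist_ruleset "ADDR:PORT [ADDR:PORT ...]"
# Prints a complete *filter block; load with:
#   allowlist_ruleset "203.0.113.10:80 203.0.113.20:443" | iptables-restore --test
allowlist_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    # One accept rule per ADDR:PORT pair, matching only new connections.
    for pair in $1; do
        addr=${pair%:*}
        port=${pair##*:}
        printf '%s\n' "-A INPUT -p tcp -s $addr --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Everything else is logged at a bounded rate, then dropped.
    cat <<'EOF'
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "INPUT drop: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# Usage with the page's Example 100 values:
#   allowlist_ruleset "203.0.113.10:80 203.0.113.20:443"
```

Setting the INPUT policy to DROP and still ending with an explicit LOGDROP jump means that packets which fall off the end are both logged and dropped; a policy-only drop would leave no trace. The INVALID drop ahead of the allow rules discards packets that conntrack cannot associate with any connection, which a plain port-based accept rule would otherwise let through.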

These examples showcase further usage scenarios where iptables commands can be employed to manage network traffic based on specific requirements. Customize the commands as per your needs and refer to the iptables documentation for more details.
