Learn IPtables commands For Windows and Linux OS
IPtables is a user-space utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores. Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function.
Different kernel modules and programs are currently used for different protocols: iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.
On most Linux systems, iptables is installed as /sbin/iptables. The detailed syntax of the iptables command is documented in its man page, which can be displayed by typing the command "man iptables".
iptables common options
In each of the iptables invocation forms shown below, the following common options are available:
-t table
Makes the command apply to the specified table. When this option is omitted, the command applies to the filter table by default.
-v
Produces verbose output.
-n
Produces numeric output (i.e., port numbers instead of service names, and IP addresses instead of domain names).
--line-numbers
When listing rules, add line numbers to the beginning of each rule, corresponding to that rule's position in its chain.
Rule-specifications
Most iptables command forms require you to provide a rule-specification, which is used to match a particular subset of the network packet traffic being processed by a chain. The rule-specification also includes a target that specifies what to do with packets that are matched by the rule. The following options are used (frequently in combination with each other) to create a rule-specification.
-j target --jump target
Specifies the target of a rule. The target is either the name of a user-defined chain (created using the -N option), one of the built-in targets, ACCEPT, DROP, QUEUE, or RETURN, or an extension target, such as REJECT, LOG, DNAT, or SNAT. If this option is omitted in a rule, then matching the rule will have no effect on a packet’s fate, but the counters on the rule will be incremented.
-i [!] in-interface --in-interface [!] in-interface
Name of an interface via which a packet is going to be received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the ‘!’ argument is used before the interface name, the sense is inverted. If the interface name ends in a ‘+’, then any interface which begins with this name will match. If this option is omitted, any interface name will match.
-o [!] out-interface --out-interface [!] out-interface
Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the ‘!’ argument is used before the interface name, the sense is inverted. If the interface name ends in a ‘+’, then any interface which begins with this name will match. If this option is omitted, any interface name will match.
-p [!] protocol --protocol [!] protocol
Matches packets of the specified protocol name. If '!' precedes the protocol name, this matches all packets that are not of the specified protocol. Valid protocol names include icmp, udp and tcp; the full list of valid protocol names can be found in the file /etc/protocols.
-s [!] source[/prefix] --source [!] source[/prefix]
Matches IP packets coming from the specified source address. The source address can be an IP address, an IP address with an associated network prefix, or a hostname. If '!' precedes the source, this matches all packets that are not coming from the specified source.
-d [!] destination[/prefix] --destination [!] destination[/prefix]
Matches IP packets going to the specified destination address. The destination address can be an IP address, an IP address with an associated network prefix, or a hostname. If '!' precedes the destination, this matches all packets that are not going to the specified destination.
--destination-port [!] [port[:port]] --dport [!] [port[:port]]
Matches TCP or UDP packets (depending on the argument to the -p option) destined for the specified port or the range of ports (when the port:port form is used). If ‘!’ precedes the port specification, this matches all TCP or UDP packets not destined for the specified port or port range.
--source-port [!] [port[:port]] --sport [!] [port[:port]]
Matches TCP or UDP packets (depending on the argument to the -p option) coming from the specified port or the range of ports (when the port:port form is used). If ‘!’ precedes the port specification, this matches all TCP or UDP packets not coming from the specified port or port range.
--tcp-flags [!] mask comp
Matches TCP packets having certain TCP protocol flags set or unset. The first argument specifies the flags to be examined in each TCP packet, written as a comma-separated list (no spaces allowed). The second argument is a comma-separated list of flags which must be set within those that are examined. The flags are: SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE. Hence, the option "--tcp-flags SYN,ACK,FIN,RST SYN" will only match packets with the SYN flag set and the ACK, FIN and RST flags unset.
[!] --syn
Matches TCP packets having the SYN flag set and the ACK, RST and FIN flags unset. Such packets are used to initiate TCP connections. Blocking such packets on the INPUT chain will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. This option can be combined with others, such as --source, to block or allow inbound TCP connections only from certain hosts or networks. This option is equivalent to "--tcp-flags SYN,RST,ACK SYN". If the '!' flag precedes --syn, the sense of the option is inverted.
Invocation
iptables { -A | --append | -D | --delete } chain rule-specification [ options ]
This form of the command adds (-A or --append) or deletes (-D or --delete) a rule from the specified chain. For example, to add a rule to the INPUT chain in the filter table (the default table when option -t is not specified) to drop all UDP packets, use this command:
iptables -A INPUT -p udp -j DROP
To delete the rule added by the above command, use this command:
iptables -D INPUT -p udp -j DROP
The above command actually deletes the first rule on the INPUT chain that matches the rule-specification “-p udp -j DROP”. If there are multiple identical rules on the chain, only the first matching rule is deleted.
iptables { -R | --replace | -I | --insert } chain rulenum rule-specification [ options ]
This form of the command replaces (-R or --replace) an existing rule or inserts (-I or --insert) a new rule in the specified chain. For instance, to replace the fourth rule in the INPUT chain with a rule that drops all ICMP packets, use this command:
iptables -R INPUT 4 -p icmp -j DROP
To insert a new rule in the second slot in the OUTPUT chain that drops all TCP traffic going to port 80 on any host, use this command:
iptables -I OUTPUT 2 -p tcp --dport 80 -j DROP
iptables { -D | --delete } chain rulenum [ options ]
This form of the command deletes the rule at the specified numeric index in the specified chain. Rules are numbered starting with 1. For example, to delete the third rule from the FORWARD chain, use this command:
iptables -D FORWARD 3
iptables { -L | --list | -F | --flush | -Z | --zero } [ chain ] [ options ]
This form of the command is used to list the rules in a chain (-L or --list), flush (i.e., delete) all rules from a chain (-F or --flush), or zero the byte and packet counters for a chain (-Z or --zero). If no chain is specified, the operation is performed on all chains. For example, to list the rules in the OUTPUT chain, use this command:
iptables -L OUTPUT
To flush all chains, use this command:
iptables -F
To zero the byte and packet counters for the PREROUTING chain in the nat table, use this command:
iptables -t nat -Z PREROUTING
iptables { -N | --new-chain } chain
iptables { -X | --delete-chain } [ chain ]
This form of the command is used to create (-N or --new-chain) a new user-defined chain or to delete (-X or --delete-chain) an existing user-defined chain. If no chain is specified with the -X or --delete-chain option, all user-defined chains are deleted. It is not possible to delete built-in chains, such as the INPUT or OUTPUT chains in the filter table.
iptables { -P | --policy } chain target
This form of the command is used to set the policy target for a chain. For instance, to set the policy target for the INPUT chain to DROP, use this command:
iptables -P INPUT DROP
iptables { -E | --rename-chain } old-chain-name new-chain-name
This form of the command is used to rename a user-defined chain.
ipset
ipset is used to set up, maintain and inspect so-called "IP sets" in the Linux kernel. An IP set usually contains a set of IP addresses, but can also contain sets of other network numbers, depending on its "type".
Any entry in one set can be bound to another set, allowing for sophisticated matching operations.
A set can only be removed (destroyed) if there are no iptables rules or other sets referring to it.
Commands
These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that ipset can differentiate it from all other options.
-N setname type type-specific-options --create setname type type-specific-options
Create a set identified with setname and specified type. Type-specific options must be supplied.
-X [setname] --destroy [setname]
Destroy the specified set, or all sets if none or the keyword “:all:” is specified. Before destroying the set, all bindings belonging to the set elements and the default binding of the set are removed. If the set is still referenced, nothing is done.
-F [setname] --flush [setname]
Delete all entries from the specified set, or flush all sets if none or the keyword “:all:” is given. Bindings are not affected by the flush operation.
-E from-setname to-setname --rename from-setname to-setname
Rename a set. The set identified by to-setname must not exist.
-W from-setname to-setname --swap from-setname to-setname
Swap two sets as they are referenced in the Linux kernel. iptables rules or ipset bindings pointing to the content of from-setname will point to the content of to-setname and vice versa. Both sets must exist.
-L [setname] --list [setname]
List the entries and bindings for the specified set, or for all sets if none or the keyword ":all:" is given. The -n, --numeric option can be used to suppress name lookups and generate numeric output. When the -s, --sorted option is given, the entries are listed sorted (if the given set type supports the operation).
-S [setname] --save [setname]
Save the given set, or all sets if none or the keyword ":all:" is specified, to stdout in a format that --restore can read.
-R --restore
Restore a saved session generated by --save. The saved session can be fed from stdin.
When generating a session file, please note that the supported commands (create set, add element, bind) must appear in a strict order: first create the set, then add all its elements. Then create the next set, add all its elements, and so on. Finally you can list all binding commands. Also, since it is a restore operation, the sets being restored must not exist.
- -A, --add setname IP Add an IP to a set.
- -D, --del setname IP Delete an IP from a set.
- -T, --test setname IP Test whether an IP is in a set or not. The exit status is zero if the tested IP is in the set and nonzero if it is missing from the set.
- -T, --test setname IP --binding to-setname Test whether the IP belonging to the set points to the specified binding. The exit status is zero if the binding points to the specified set, otherwise it is nonzero. The keyword :default: can be used to test the default binding of the set.
- -B, --bind setname IP --binding to-setname Bind the IP in setname to to-setname.
- -U, --unbind setname IP Delete the binding belonging to IP in set setname.
- -H, --help [settype] Print help, and settype-specific help if settype is specified. With the -B, -U and -T commands you can use the token :default: to bind, unbind or test the default binding of a set instead of an IP. With the -U command you can use the token :all: to destroy the bindings of all elements of a set.
OTHER OPTIONS
The following additional options can be specified:
-b, --binding setname The option specifies the value of the binding for the -B binding command, for which it is a mandatory option. You can use it in the -T test command as well to test bindings.
-s, --sorted Sorted output. When listing sets, entries are listed sorted.
-n, --numeric Numeric output. When listing sets, bindings, IP addresses and port numbers will be printed in numeric format. By default the program will try to display them as host names, network names or services (whenever applicable), which can trigger slow DNS lookups.
-q, --quiet Suppress any output to stdout and stderr. ipset will still return possible errors.
SET TYPES
ipset supports the following set types:
ipmap
The ipmap set type uses a memory range, where each bit represents one IP address. An ipmap set can store up to 65536 (B-class network) IP addresses. The ipmap set type is very fast and memory cheap, great for use when one wants to match certain IPs in a range. Using the --netmask option with a CIDR netmask value between 0-32 when creating an ipmap set, you will be able to store and match network addresses: i.e. an IP address will be in the set if the value resulting from masking the address with the specified netmask can be found in the set.
Options to use when creating an ipmap set:
--from from-IP --to to-IP
Create an ipmap set from the specified range.
--network IP/mask
Create an ipmap set from the specified network.
--netmask CIDR-netmask
When the optional --netmask parameter is specified, network addresses will be stored in the set instead of IP addresses, and the from-IP parameter must be a network address.
macipmap
The macipmap set type uses a memory range, where each 8 bytes represent one IP address and one MAC address. A macipmap set can store up to 65536 (B-class network) IP addresses with MAC. When adding an entry to a macipmap set, you must specify the entry as IP%MAC. When deleting or testing macipmap entries, the %MAC part is not mandatory.
Options to use when creating a macipmap set:
--from from-IP --to to-IP
Create a macipmap set from the specified range.
--network IP/mask
Create a macipmap set from the specified network.
--matchunset
When the optional --matchunset parameter is specified, IP addresses which could be stored in the set but are not set yet will always match. Please note, the set and SET netfilter kernel modules always use the source MAC address from the packet to match, add or delete entries from a macipmap type of set.
portmap
The portmap set type uses a memory range, where each bit represents one port. A portmap set type can store up to 65536 ports. The portmap set type is very fast and memory cheap.
Options to use when creating a portmap set:
--from from-port --to to-port
Create a portmap set from the specified range.
iphash
The iphash set type uses a hash to store IP addresses. In order to avoid clashes in the hash, double-hashing is used and, as a last resort, dynamic growing of the hash is performed. The iphash set type is great for storing random addresses. By supplying the --netmask option with a CIDR netmask value between 0-32 when creating the set, you will be able to store and match network addresses instead: i.e. an IP address will be in the set if the value of the address masked with the specified netmask can be found in the set.
Options to use when creating an iphash set:
--hashsize hashsize
The initial hash size (default 1024).
--probes probes
How many times to try to resolve a clash by double-hashing when adding an IP to the hash (default 8).
--resize percent
Increase the hash size by this many percent (default 50) when adding an IP to the hash could not be performed after probes rounds of double-hashing.
--netmask CIDR-netmask
When the optional --netmask parameter is specified, network addresses will be stored in the set instead of IP addresses.
Sets created with a zero-valued resize parameter won't be resized at all. The lookup time in an iphash type of set grows approximately linearly with the value of the probes parameter. At the same time, higher probes values result in a better-utilized hash, while smaller values produce a larger, sparse hash.
nethash
The nethash set type uses a hash to store network addresses of different sizes. The IP "address" used in the ipset commands must be in the form IP-address/cidr-size, where the CIDR block size must be in the inclusive range of 1-31. In order to avoid clashes in the hash, double-hashing is used and, as a last resort, dynamic growing of the hash is performed.
Options to use when creating a nethash set:
--hashsize hashsize
The initial hash size (default 1024).
--probes probes
How many times to try to resolve a clash by double-hashing when adding an IP to the hash (default 4).
--resize percent
Increase the hash size by this many percent (default 50) when adding an IP to the hash could not be performed after probes rounds of double-hashing.
An IP address will be in a nethash type of set if it is in any of the netblocks added to the set, and matching always starts from the smallest netblock size (most specific netmask) and proceeds to the biggest ones (least specific netmasks). When adding/deleting IP addresses to a nethash set by the SET netfilter kernel module, the address is added/deleted using the smallest netblock size that can be found in the set.
The lookup time in a nethash type of set grows approximately linearly with the value of the probes parameter and the number of different mask parameters in the hash. Otherwise the same speed and memory efficiency comments as for the iphash type apply here.
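As an added worked example (not part of the original page or the ipset project), the shell functions below model the membership rules described above: netmask_key computes what an ipmap or iphash set created with --netmask stores for an address, and nethash_lookup picks the most specific netblock the way a nethash match does. The netblocks and addresses used are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: models how the ipmap/iphash
# --netmask option and the nethash type decide membership, so a set's contents
# can be checked on paper before it is loaded.  POSIX sh plus awk only; the
# netblocks and addresses below are constructed.

# ip2int A.B.C.D -> the address as an unsigned 32-bit integer.
ip2int() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { printf "%.0f\n", (($1 * 256 + $2) * 256 + $3) * 256 + $4 }'
}

# int2ip N -> dotted-quad form of an unsigned 32-bit integer.
int2ip() {
    awk -v n="$1" 'BEGIN {
        a = int(n / 16777216); n -= a * 16777216
        b = int(n / 65536);    n -= b * 65536
        c = int(n / 256);      d = n - c * 256
        printf "%d.%d.%d.%d\n", a, b, c, d }'
}

# netmask_key IP PREFIXLEN -> the value an ipmap/iphash set created with
# --netmask PREFIXLEN stores for IP: the address with its host bits cleared.
# Arithmetic stands in for bitwise AND because POSIX awk has no and().
netmask_key() {
    _n=$(ip2int "$1")
    int2ip "$(awk -v ip="$_n" -v l="$2" 'BEGIN { printf "%.0f\n", ip - (ip % 2^(32 - l)) }')"
}

# nethash_lookup IP NET/LEN [NET/LEN ...] -> the netblock a nethash set would
# match first (most specific netmask first, as the text above describes), or
# NONE when no listed netblock contains IP.
nethash_lookup() {
    _ip=$1; shift
    _best=NONE; _bestlen=-1
    for _blk in "$@"; do
        _net=${_blk%/*}; _len=${_blk#*/}
        if [ "$(netmask_key "$_ip" "$_len")" = "$(netmask_key "$_net" "$_len")" ] \
           && [ "$_len" -gt "$_bestlen" ]; then
            _best=$_blk; _bestlen=$_len
        fi
    done
    echo "$_best"
}

# Demo with constructed values; the netblocks mirror the private ranges the
# "Drop Private Network Address On Public Interface" rules later on cover.
for _addr in 10.1.2.3 10.9.9.9 192.168.0.77 172.16.0.1; do
    printf '%-14s -> %s\n' "$_addr" "$(nethash_lookup "$_addr" 10.0.0.0/8 10.1.0.0/16 192.168.0.0/24)"
done
```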
ipporthash
The ipporthash set type uses a hash to store IP address and port pairs. In order to avoid clashes in the hash, double-hashing is used and, as a last resort, dynamic growing of the hash is performed. An ipporthash set can store up to 65536 (B-class network) IP addresses with all possible port values. When adding, deleting and testing values in an ipporthash type of set, the entries must be specified as "IP%port".
The ipporthash type of set evaluates two src/dst parameters of the set match and SET target.
Options to use when creating an ipporthash set:
--from from-IP --to to-IP
Create an ipporthash set from the specified range.
--network IP/mask
Create an ipporthash set from the specified network.
--hashsize hashsize
The initial hash size (default 1024).
--probes probes
How many times to try to resolve a clash by double-hashing when adding an IP to the hash (default 8).
--resize percent
Increase the hash size by this many percent (default 50) when adding an IP to the hash could not be performed after probes rounds of double-hashing.
The same resizing, speed and memory efficiency comments as for the iphash type apply here.
iptree
The iptree set type uses a tree to store IP addresses, optionally with timeout values.
Options to use when creating an iptree set:
--timeout value
The timeout value for the entries in seconds (default 0).
When adding an IP address to a set, one may add it with a specific timeout value using the syntax IP%timeout-value.
IPtables Rules
Saving Rules
- Debian Based
netfilter-persistent save
- RedHat Based
service iptables save
To Stop / Start / Restart the Firewall
If you are using RHEL / CentOS / Fedora Linux, enter one of the following commands:
# service iptables stop
# service iptables start
# service iptables restart
- List out all of the active iptables rules with verbose
iptables -n -L -v
- List out all of the active iptables rules with numeric lines and verbose
iptables -n -L -v --line-numbers
- Print out all of the active iptables rules
iptables -S
- List Rules as Tables for INPUT chain
iptables -L INPUT
- Print all of the rule specifications in the INPUT chain
iptables -S INPUT
- Show Packet Counts and Aggregate Size
iptables -L INPUT -v
- To display INPUT or OUTPUT chain rules with numeric lines and verbose
iptables -L INPUT -n -v
iptables -L OUTPUT -n -v --line-numbers
- Delete Rule by Chain and Number
iptables -D INPUT 10
- Delete Rule by Specification
iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
- Flush All Rules, Delete All Chains, and Accept All
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
- Flush All Chains
iptables -F
- Flush a Single Chain
iptables -F INPUT
The options used above are:
-F : Delete (flush) all the rules.
-X : Delete a chain.
-t table_name : Select a table (such as nat or mangle) and delete/flush its rules.
-P : Set the default policy (such as DROP, REJECT, or ACCEPT).
-D : Delete one or more rules from the selected chain.
- Insert Firewall Rules
iptables -I INPUT 2 -s 202.54.1.2 -j DROP
- Allow Loopback Connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
- Allow Established and Related Incoming Connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- Allow Established Outgoing Connections
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Internal to External
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
- Drop Invalid Packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
- Block an IP Address
iptables -A INPUT -s 192.168.252.10 -j DROP
- Block an IP Address and Reject
iptables -A INPUT -s 192.168.252.10 -j REJECT
- Block Connections to a Network Interface
iptables -A INPUT -i eth0 -s 192.168.252.10 -j DROP
- Allow All Incoming SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow Incoming SSH from Specific IP address or subnet
iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow Outgoing SSH
iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow Incoming Rsync from Specific IP Address or Subnet
iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow All Incoming HTTP
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow All Incoming HTTPS
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow All Incoming HTTP and HTTPS
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow MySQL from Specific IP Address or Subnet
iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow MySQL to Specific Network Interface
iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow PostgreSQL from Specific IP Address or Subnet
iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow PostgreSQL to Specific Network Interface
iptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Block Outgoing SMTP Mail
iptables -A OUTPUT -p tcp --dport 25 -j REJECT
- Allow All Incoming SMTP
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow All Incoming IMAP
iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow All Incoming IMAPS
iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow All Incoming POP3
iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Allow All Incoming POP3S
iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT
- Drop Private Network Address On Public Interface
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
- Only Block Incoming Traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
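The rules above are usually typed one at a time; as an added example (not part of the original page), the script below assembles the same building blocks into one iptables-restore file so the DROP policy and the ACCEPT rules take effect atomically, instead of a policy change landing before the rule that keeps the SSH session open. MGMT_NET, PUBLIC_SERVICES and WAN_IF are constructed example values, and the LOGDROP chain name is this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: builds a complete filter table
# in iptables-restore format from a short service list.  Loading it with
# iptables-restore is atomic, so there is no window in which the INPUT policy
# is DROP but the allow rules are not yet present.
# MGMT_NET, PUBLIC_SERVICES and WAN_IF are constructed example values.

MGMT_NET="192.168.240.0/24"       # subnet allowed to open SSH (example value)
PUBLIC_SERVICES="tcp/80 tcp/443"  # proto/port pairs open to everyone (example)
WAN_IF="eth0"                     # public-facing interface (example)

# build_ruleset -> prints the filter table in iptables-restore format.
# The management subnet is expected on an internal interface: the RFC 1918
# filters below only apply to packets entering through $WAN_IF.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
# loopback, replies to connections this host opened, conntrack garbage
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# private source addresses arriving on the public interface are spoofed
-A INPUT -i $WAN_IF -s 10.0.0.0/8 -j LOGDROP
-A INPUT -i $WAN_IF -s 172.16.0.0/12 -j LOGDROP
-A INPUT -i $WAN_IF -s 192.168.0.0/16 -j LOGDROP
# rate-limited ping; management SSH only from the admin subnet
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
-A INPUT -p tcp -s $MGMT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
    for _svc in $PUBLIC_SERVICES; do
        _proto=${_svc%/*}; _port=${_svc#*/}
        printf -- '-A INPUT -p %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$_proto" "$_port"
    done
    cat <<'EOF'
# everything else: log at a bounded rate, then drop
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/minute --limit-burst 7 -j LOG --log-prefix "FW_DROP: "
-A LOGDROP -j DROP
COMMIT
EOF
}

# rule_count -> number of -A lines in the generated script (sanity check).
rule_count() {
    build_ruleset | grep -c '^-A '
}

# apply_ruleset -> syntax-checks the script with iptables-restore --test
# (available in recent iptables releases) and only then loads it.  Needs root.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    build_ruleset | iptables-restore --test || return 1
    build_ruleset | iptables-restore
}

# Print the script for review; run apply_ruleset as root to load it.
build_ruleset
```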
Drop All Outgoing to Facebook Networks
Get Facebook AS:
whois -h v4.whois.cymru.com " -v $(host facebook.com | grep "has address" | cut -d " " -f4)" | tail -n1 | awk '{print $1}'
Drop:
for i in $(whois -h whois.radb.net -- '-i origin AS32934' | grep "^route:" | cut -d ":" -f2 | sed -e 's/^[ \t]*//' | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4) ; do
    iptables -A OUTPUT -d "$i" -j REJECT
done
Log and Drop Packets
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
By default everything is logged to the /var/log/messages file:
tail -f /var/log/messages
grep --color 'IP_SPOOF' /var/log/messages
Log and Drop Packets with Limited Number of Log Entries
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
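As an added example (not part of the original page), this script summarises the LOG output written by the rules above, grouping entries by source address and destination port so a burst of spoofed traffic stands out instead of scrolling past in tail -f. The prefix "IP_SPOOF A:" is the one used above; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: summarises what the LOG rules
# above write to syslog, grouping hits by source address and destination port.
# Reads log lines on stdin (e.g. from /var/log/messages).  The lines in
# SAMPLE_LOG are constructed, not captured from a real system.

SAMPLE_LOG='Mar  3 10:15:02 gw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.0.5 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.20.30.40 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:04 gw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.0.5 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=45001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:05 gw sshd[1234]: Accepted publickey for ops from 192.0.2.9 port 50022 ssh2
Mar  3 10:15:06 gw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.200.0.1 DST=203.0.113.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Mar  3 10:15:07 gw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=10.0.0.5 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=45002 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0'

# spoof_summary PREFIX -> for every stdin line carrying PREFIX, prints
# "HITS SRC PORTS" (PORTS is the comma-separated list of DPT values seen, or
# "-" for protocols without ports), busiest source first.
spoof_summary() {
    awk -v prefix="$1" '
        index($0, prefix) == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "SRC=") src = substr($i, 5)
                else if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            if (dpt != "" && !seen[src, dpt]++)
                ports[src] = (ports[src] == "" ? dpt : ports[src] "," dpt)
        }
        END {
            for (s in hits)
                printf "%d %s %s\n", hits[s], s, (ports[s] == "" ? "-" : ports[s])
        }' | sort -rn
}

# spoof_top_source PREFIX -> the single source address with the most hits.
spoof_top_source() {
    spoof_summary "$1" | head -n1 | cut -d' ' -f2
}

# Demo on the constructed sample; on a live host use:
#   spoof_summary "IP_SPOOF A:" < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | spoof_summary "IP_SPOOF A:"
```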
Drop or Accept Traffic From Mac Address
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
Block or Allow ICMP Ping Request
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
Specifying Multiple Ports with multiport
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT
Load Balancing with random* or nth*
_ips=("172.31.250.10" "172.31.250.11" "172.31.250.12" "172.31.250.13")
n=0
for ip in "${_ips[@]}" ; do
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet $n \
        -j DNAT --to-destination ${ip}:80
    n=$((n + 1))
done
or
_ips=("172.31.250.10" "172.31.250.11" "172.31.250.12" "172.31.250.13")
for ip in "${_ips[@]}" ; do
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \
        -j DNAT --to-destination ${ip}:80
done
Restricting the Number of Connections with limit and iplimit*
iptables -A FORWARD -m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth1 \
    -m limit --limit 20/hour --limit-burst 5 -j ACCEPT
or
iptables -A INPUT -p tcp -m state --state NEW --dport http -m iplimit --iplimit-above 5 -j DROP
Maintaining a List of recent Connections to Match Against
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 100 -j DROP
iptables -A FORWARD -p tcp -i eth0 --dport 443 -m recent --name portscan --set -j DROP
Matching Against a string* in a Packet’s Data Payload
iptables -A FORWARD -m string --string '.com' -j DROP
iptables -A FORWARD -m string --string '.exe' -j DROP
Time-based Rules with time*
iptables -A FORWARD -p tcp -m multiport --dport http,https -o eth0 -i eth1 \
    -m time --timestart 21:30 --timestop 22:30 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
Packet Matching Based on TTL Values
iptables -A INPUT -s 1.2.3.4 -m ttl --ttl-lt 40 -j REJECT
Protection against port scanning
iptables -N port-scanning
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
iptables -A port-scanning -j DROP
SSH brute-force protection
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
Syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
Mitigating SYN Floods With SYNPROXY
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Block New Packets That Are Not SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
or
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
Drop Fragmented Packets
iptables -A INPUT -f -j DROP
XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Block Uncommon MSS Values
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
Block Packets With Bogus TCP Flags
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
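As an added example (not part of the original page), the shell below evaluates the --tcp-flags mask/comp semantics described in the rule-specification section and runs sample flag combinations through the bogus-flags rule list above, so the effect of each mask/comp pair can be checked without loading the rules. The flag combinations tested are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page: evaluates iptables
# "--tcp-flags mask comp" in plain shell and runs sample flag combinations
# through the "Block Packets With Bogus TCP Flags" list above, showing which
# combinations that rule set drops.  Flag bit values follow the TCP header;
# the sample packets are constructed.

# flag_bits NAME[,NAME...] -> integer bitmask for a comma-separated flag list.
flag_bits() {
    _bits=0
    _saved_ifs=$IFS; IFS=','
    for _f in $1; do
        case "$_f" in
            FIN)  _bits=$((_bits | 1)) ;;
            SYN)  _bits=$((_bits | 2)) ;;
            RST)  _bits=$((_bits | 4)) ;;
            PSH)  _bits=$((_bits | 8)) ;;
            ACK)  _bits=$((_bits | 16)) ;;
            URG)  _bits=$((_bits | 32)) ;;
            ALL)  _bits=63 ;;
            NONE) _bits=0 ;;
            *) IFS=$_saved_ifs; echo "flag_bits: unknown flag $_f" >&2; return 1 ;;
        esac
    done
    IFS=$_saved_ifs
    echo "$_bits"
}

# tcp_flags_match PKT_FLAGS MASK COMP -> exit 0 when "--tcp-flags MASK COMP"
# matches a packet whose set flags are PKT_FLAGS.  iptables looks only at the
# flags named in MASK and requires exactly the COMP flags to be set among them.
tcp_flags_match() {
    _pkt=$(flag_bits "$1") || return 2
    _mask=$(flag_bits "$2") || return 2
    _comp=$(flag_bits "$3") || return 2
    [ $((_pkt & _mask)) -eq "$_comp" ]
}

# The mangle/PREROUTING rules from the section above as "MASK COMP" pairs,
# in rule order.
BOGUS_FLAG_RULES='FIN,SYN,RST,PSH,ACK,URG NONE
FIN,SYN FIN,SYN
SYN,RST SYN,RST
FIN,RST FIN,RST
FIN,ACK FIN
ACK,URG URG
ACK,FIN FIN
ACK,PSH PSH
ALL ALL
ALL NONE
ALL FIN,PSH,URG
ALL SYN,FIN,PSH,URG
ALL SYN,RST,ACK,FIN,URG'

# bogus_flags_verdict PKT_FLAGS -> prints DROP (naming the first matching rule
# on stderr) or CONTINUE when the packet passes every rule in the list.
bogus_flags_verdict() {
    while read -r _mask _comp; do
        [ -n "$_mask" ] || continue
        if tcp_flags_match "$1" "$_mask" "$_comp"; then
            echo "matched: --tcp-flags $_mask $_comp" >&2
            echo "DROP"
            return 0
        fi
    done <<EOF
$BOGUS_FLAG_RULES
EOF
    echo "CONTINUE"
}

# Demo: ordinary handshake and data segments pass, malformed combinations drop.
for _pkt in SYN SYN,ACK ACK PSH,ACK FIN,ACK NONE SYN,FIN FIN URG,PSH,FIN ALL; do
    printf '%-16s %s\n' "$_pkt" "$(bogus_flags_verdict "$_pkt" 2>/dev/null)"
done
```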