iptables Commands Cheatsheet (Linux)

Learn iptables commands for Linux. iptables is Linux-only: it configures the Netfilter framework built into the Linux kernel and has no Windows counterpart.

iptables is a user-space utility program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules they store. Because iptables needs the CAP_NET_ADMIN capability to read and change those tables, it is normally run as root (or via sudo); as an unprivileged user it fails with a permission error. On current distributions the iptables command is often the iptables-nft compatibility front end over nftables; the syntax in this sheet is the same either way.

Different kernel modules and programs are currently used for different protocols: iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.

On most Linux systems, iptables is installed as /sbin/iptables. The detailed syntax of the iptables command is documented in its man page, which can be displayed by typing the command "man iptables".


iptables common options
In each of the iptables invocation forms shown below, the following common options are available:

-t table
Makes the command apply to the specified table. When this option is omitted, the command applies to the filter table by default.

-v
Produces verbose output.

-n
Produces numeric output (i.e., port numbers instead of service names, and IP addresses instead of domain names).

--line-numbers

When listing rules, add line numbers to the beginning of each rule, corresponding to that rule’s position in its chain.

Rule-specifications

Most iptables command forms require you to provide a rule-specification, which is used to match a particular subset of the network packet traffic being processed by a chain. The rule-specification also includes a target that specifies what to do with packets that are matched by the rule. The following options are used (frequently in combination with each other) to create a rule-specification.

-j target
--jump target

Specifies the target of a rule. The target is either the name of a user-defined chain (created using the -N option), one of the built-in targets, ACCEPT, DROP, QUEUE, or RETURN, or an extension target, such as REJECT, LOG, DNAT, or SNAT. If this option is omitted in a rule, then matching the rule will have no effect on a packet’s fate, but the counters on the rule will be incremented.

-i [!] in-interface
--in-interface [!] in-interface

Name of an interface via which a packet is going to be received (only for packets entering the INPUT, FORWARD and PREROUTING chains). When the ‘!’ argument is used before the interface name, the sense is inverted. If the interface name ends in a ‘+’, then any interface which begins with this name will match. If this option is omitted, any interface name will match.

-o [!] out-interface
--out-interface [!] out-interface

Name of an interface via which a packet is going to be sent (for packets entering the FORWARD, OUTPUT and POSTROUTING chains). When the ‘!’ argument is used before the interface name, the sense is inverted. If the interface name ends in a ‘+’, then any interface which begins with this name will match. If this option is omitted, any interface name will match.

-p [!] protocol
--protocol [!] protocol

Matches packets of the specified protocol name. If ‘!’ precedes the protocol name, this matches all packets that are not of the specified protocol. Valid protocol names are icmp, udp, tcp… A list of all the valid protocols could be found in the file /etc/protocols.

-s [!] source[/prefix]
--source [!] source[/prefix]

Matches IP packets coming from the specified source address. The source address can be an IP address, an IP address with a network prefix (CIDR notation, e.g. 192.0.2.0/24), or a hostname. If '!' precedes the source, this matches all packets that are not coming from the specified source. A hostname is resolved once, when the rule is added: a name that resolves to several addresses produces one rule per address, and later DNS changes are not reflected, so prefer literal addresses in firewall rules.

-d [!] destination[/prefix]
--destination [!] destination[/prefix]

Matches IP packets going to the specified destination address. The destination address can be an IP address, an IP address with a network prefix (CIDR notation), or a hostname; as with -s, a hostname is resolved once when the rule is added. If '!' precedes the destination, this matches all packets that are not going to the specified destination.

--destination-port [!] [port[:port]]
--dport [!] [port[:port]]

Matches TCP or UDP packets (depending on the argument to the -p option) destined for the specified port or the range of ports (when the port:port form is used). If ‘!’ precedes the port specification, this matches all TCP or UDP packets not destined for the specified port or port range.

--source-port [!] [port[:port]]
--sport [!] [port[:port]]

Matches TCP or UDP packets (depending on the argument to the -p option) coming from the specified port or the range of ports (when the port:port form is used). If ‘!’ precedes the port specification, this matches all TCP or UDP packets not coming from the specified port or port range.

--tcp-flags [!] mask comp

Matches TCP packets having certain TCP flags set or unset. The first argument specifies the flags to be examined in each TCP packet, written as a comma-separated list (no spaces allowed). The second argument is a comma-separated list of flags which must be set within those that are examined; every examined flag not in the second list must be clear, and flags outside the first list are ignored. The flags are: SYN, ACK, FIN, RST, URG, PSH, ALL, and NONE. Hence, the option "--tcp-flags SYN,ACK,FIN,RST SYN" will only match packets with the SYN flag set and the ACK, FIN and RST flags unset (PSH and URG may be either).

[!] --syn

Matches TCP packets having the SYN flag set and the ACK, RST and FIN flags unset. Such packets are used to initiate TCP connections. Blocking such packets on the INPUT chain will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. This option can be combined with others, such as --source, to block or allow inbound TCP connections only from certain hosts or networks. This option is equivalent to "--tcp-flags SYN,RST,ACK,FIN SYN". If '!' precedes --syn, the sense of the option is inverted.


Invocation

iptables { -A | --append | -D | --delete } chain rule-specification [ options ]

This form of the command adds (-A or --append) or deletes (-D or --delete) a rule from the specified chain. -A always appends at the end of the chain, and the first matching rule wins, so a rule appended after an ACCEPT that already matches the same traffic never fires. For example, to add a rule to the INPUT chain in the filter table (the default table when option -t is not specified) to drop all UDP packets, use this command:

iptables -A INPUT -p udp -j DROP

To delete the rule added by the above command, use this command:

iptables -D INPUT -p udp -j DROP

The above command actually deletes the first rule on the INPUT chain that matches the rule-specification “-p udp -j DROP”. If there are multiple identical rules on the chain, only the first matching rule is deleted.

iptables { -R | --replace | -I | --insert } chain rulenum rule-specification [ options ]

This form of the command replaces (-R or --replace) an existing rule or inserts (-I or --insert) a new rule at position rulenum in the specified chain (rules are numbered from 1; -I without a number inserts at position 1, the top of the chain). For instance, to replace the fourth rule in the INPUT chain with a rule that drops all ICMP packets, use this command:

iptables -R INPUT 4 -p icmp -j DROP

To insert a new rule in the second slot in the OUTPUT chain that drops all TCP traffic going to port 80 on any host, use this command:

iptables -I OUTPUT 2 -p tcp --dport 80 -j DROP

iptables { -D | --delete } chain rulenum [ options ]

This form of the command deletes the rule at the specified numeric index in the specified chain. Rules are numbered starting with 1 (use iptables -L --line-numbers to see the numbers; they shift when a rule above is deleted). For example, to delete the third rule from the FORWARD chain, use this command:

iptables -D FORWARD 3

iptables { -L | --list | -F | --flush | -Z | --zero } [ chain ] [ options ]

This form of the command is used to list the rules in a chain (-L or --list), flush (i.e., delete) all rules from a chain (-F or --flush), or zero the byte and packet counters for a chain (-Z or --zero). If no chain is specified, the operation is performed on all chains of the selected table; only the table given with -t (filter by default) is affected, so nat, mangle and raw rules survive a plain iptables -F. For example, to list the rules in the OUTPUT chain, use this command:

iptables -L OUTPUT

To flush all chains, use this command:

iptables -F

To zero the byte and packet counters for the PREROUTING chain in the nat table, use this command:

iptables -t nat -Z PREROUTING

iptables { -N | --new-chain } chain
iptables { -X | --delete-chain } [ chain ]

This form of the command is used to create (-N or --new-chain) a new user-defined chain or to delete (-X or --delete-chain) an existing user-defined chain. If no chain is specified with the -X or --delete-chain option, all user-defined chains are deleted. A chain can only be deleted when it is empty and no rule jumps to it, so flush it first (-F chain) and remove the references. It is not possible to delete built-in chains, such as the INPUT or OUTPUT chains in the filter table.

iptables { -P | --policy } chain target

This form of the command sets the policy of a built-in chain, i.e. the target applied to packets that reach the end of the chain without matching any rule. The policy must be ACCEPT or DROP, and only built-in chains have one: a packet that reaches the end of a user-defined chain returns to the calling chain. For instance, to set the policy of the INPUT chain to DROP, use this command:

iptables -P INPUT DROP

iptables { -E | --rename-chain } old-chain-name new-chain-name

This form of the command is used to rename a user-defined chain.

ipset

ipset is used to set up, maintain and inspect so called "IP sets" in the Linux kernel. An IP set usually contains a set of IP addresses, but can also contain sets of other network numbers (networks, ports, MAC addresses), depending on its "type". An iptables rule matches against a set with the set match (-m set --match-set NAME src|dst), so one rule can test thousands of addresses instead of one rule per address.

The command reference below describes the legacy ipset interface (the versions before the 5.x/6.x rewrite), which is where its option names, "bindings" and set types (ipmap, iphash, nethash, ...) come from. Current distributions ship ipset 6.x: it has no bindings, the set types are named hash:ip, hash:net, hash:ip,port, bitmap:ip, bitmap:port and so on, and sets are created with "ipset create NAME TYPE". The operations (create, add, test, flush, destroy, swap, save, restore) carry over unchanged.

In the legacy interface, any entry in one set can be bound to another set, allowing for sophisticated matching operations.

A set can only be removed (destroyed) if there are no iptables rules or other sets referring to it.

Commands

These options specify the specific action to perform. Only one of them can be specified on the command line unless otherwise specified below. For all the long versions of the command and option names, you need to use only enough letters to ensure that ipset can differentiate it from all other options.

-N setname type type-specific-options
--create setname type type-specific-options

Create a set identified with setname and specified type. Type-specific options must be supplied.

-X [setname]
--destroy [setname]

Destroy the specified set, or all sets if none or the keyword “:all:” is specified. Before destroying the set, all bindings belonging to the set elements and the default binding of the set are removed. If the set is still referenced, nothing is done.

-F [setname]
--flush [setname]

Delete all entries from the specified set, or flush all sets if none or the keyword “:all:” is given. Bindings are not affected by the flush operation.

-E from-setname to-setname
--rename from-setname to-setname

Rename a set. Set identified by to-setname must not exist.

-W from-setname to-setname
--swap from-setname to-setname

Swap two sets as they are referenced in the Linux kernel: iptables rules or ipset bindings pointing to the content of from-setname will point to the content of to-setname and vice versa. Both sets must exist. The swap is atomic, so this is the way to replace a set that live rules reference without a window in which the rule matches nothing.

-L [setname]
--list [setname]

List the entries and bindings for the specified set, or for all sets if none or the keyword ":all:" is given. The -n, --numeric option can be used to suppress name lookups and generate numeric output. When the -s, --sorted option is given, the entries are listed sorted (if the given set type supports the operation).

-S [setname]
--save [setname]

Save the given set, or all sets if none or the keyword :all: is specified, to stdout in a format that --restore can read.

-R
--restore

Restore a saved session generated by --save. The saved session is read from stdin.

When generating a session file please note that the supported commands (create set, add element, bind) must appear in a strict order: first create the set, then add all elements. Then create the next set, add all its elements and so on. Finally you can list all binding commands. Also, it is a restore operation, so the sets being restored must not exist.

  • -A, --add setname IP: Add an IP to a set.
  • -D, --del setname IP: Delete an IP from a set.
  • -T, --test setname IP: Test whether an IP is in a set or not. The exit status is zero if the tested IP is in the set and nonzero if it is missing from the set.
  • -T, --test setname IP --binding to-setname: Test whether the IP belonging to the set points to the specified binding. The exit status is zero if the binding points to the specified set, otherwise it is nonzero. The keyword :default: can be used to test the default binding of the set.
  • -B, --bind setname IP --binding to-setname: Bind the IP in setname to to-setname.
  • -U, --unbind setname IP: Delete the binding belonging to IP in set setname.
  • -H, --help [settype]: Print help, and settype-specific help if settype is specified.

With the -B, -U and -T commands you can use the token :default: to bind, unbind or test the default binding of a set instead of an IP. With the -U command you can use the token :all: to destroy the bindings of all elements of a set.

OTHER OPTIONS

The following additional options can be specified:

-b, --binding setname: Specifies the value of the binding for the -B bind command, for which it is mandatory. It can be used in the -T test command as well to test bindings.

-s, --sorted: Sorted output. When listing sets, entries are listed sorted.

-n, --numeric: Numeric output. When listing sets, bindings, IP addresses and port numbers will be printed in numeric format. By default the program will try to display them as host names, network names or services (whenever applicable), which can trigger slow DNS lookups.

-q, --quiet: Suppress any output to stdout and stderr. ipset still reports errors through its exit status.

Set types

ipset supports the following set types:

ipmap

The ipmap set type uses a memory range where each bit represents one IP address. An ipmap set can store up to 65536 (a /16, historically a "B-class" network) IP addresses. The ipmap set type is very fast and memory cheap, great for use when one wants to match certain IPs in a range. Using the --netmask option with a CIDR netmask value between 0 and 32 when creating an ipmap set, you will be able to store and match network addresses: i.e. an IP address will be in the set if the value resulting from masking the address with the specified netmask can be found in the set.

Options to use when creating an ipmap set:

--from from-IP --to to-IP: Create an ipmap set from the specified range.
--network IP/mask: Create an ipmap set from the specified network.
--netmask CIDR-netmask: When the optional --netmask parameter is specified, network addresses will be stored in the set instead of IP addresses, and the from-IP parameter must be a network address.

macipmap

The macipmap set type uses a memory range where each 8 bytes represent one IP address and its MAC address. A macipmap set can store up to 65536 (a /16) IP addresses with MAC. When adding an entry to a macipmap set, you must specify the entry as IP%MAC. When deleting or testing macipmap entries, the %MAC part is not mandatory.

Options to use when creating an macipmap set:

--from from-IP --to to-IP: Create a macipmap set from the specified range.
--network IP/mask: Create a macipmap set from the specified network.
--matchunset: When the optional --matchunset parameter is specified, IP addresses which could be stored in the set but are not set yet will always match.

Please note that the set and SET netfilter kernel modules always use the source MAC address from the packet to match, add or delete entries in a macipmap type of set.

portmap

The portmap set type uses a memory range, where each bit represents one port. A portmap set type can store up to 65536 ports. The portmap set type is very fast and memory cheap.

Options to use when creating an portmap set:

--from from-port --to to-port: Create a portmap set from the specified range.

iphash

The iphash set type uses a hash to store IP addresses. In order to avoid clashes in the hash, double-hashing is used and, as a last resort, the hash is grown dynamically. The iphash set type is great for storing random addresses. By supplying the --netmask option with a CIDR netmask value between 0 and 32 when creating the set, you will be able to store and match network addresses instead: i.e. an IP address will be in the set if the value of the address masked with the specified netmask can be found in the set.

Options to use when creating an iphash set:

--hashsize hashsize: The initial hash size (default 1024).
--probes probes: How many times to try to resolve a clash by double-hashing when adding an IP to the hash (default 8).
--resize percent: Increase the hash size by this many percent (default 50) when adding an IP to the hash could not be performed after probes rounds of double-hashing.
--netmask CIDR-netmask: When the optional --netmask parameter is specified, network addresses will be stored in the set instead of IP addresses.

Sets created with a zero-valued resize parameter are never resized. The lookup time in an iphash type of set grows approximately linearly with the value of the probes parameter. At the same time, higher probes values result in a better utilized hash, while smaller values produce a larger, sparser hash.

nethash

The nethash set type uses a hash to store different size of network addresses. The IP “address” used in the ipset commands must be in the form IP-address/cidr-size where the CIDR block size must be in the inclusive range of 1-31. In order to avoid clashes in the hash double-hashing, and as a last resort, dynamic growing of the hash performed.

Options to use when creating an nethash set:

--hashsize hashsize: The initial hash size (default 1024).
--probes probes: How many times to try to resolve a clash by double-hashing when adding an entry to the hash (default 4).
--resize percent: Increase the hash size by this many percent (default 50) when adding an entry to the hash could not be performed after probes rounds of double-hashing.

An IP address is in a nethash type of set if it is in any of the netblocks added to the set; matching always starts from the smallest netblock (most specific netmask) and proceeds to the biggest ones (least specific netmasks). When the SET netfilter kernel module adds or deletes IP addresses in a nethash set, it uses the smallest netblock size found in the set.

The lookup time in a nethash type of set grows approximately linearly with the probes parameter and with the number of different mask sizes in the hash. Otherwise the same speed and memory efficiency comments apply here as for the iphash type.

ipporthash

The ipporthash set type uses a hash to store IP address and port pairs. In order to avoid clashes in the hash double-hashing, and as a last resort, dynamic growing of the hash performed. An ipporthash set can store up to 65536 (B-class network) IP addresses with all possible port values. When adding, deleting and testing values in an ipporthash type of set, the entries must be specified as “IP%port”.

The ipporthash types of sets evaluates two src/dst parameters of the set match and SET target.

Options to use when creating an ipporthash set:

--from from-IP --to to-IP: Create an ipporthash set from the specified range.
--network IP/mask: Create an ipporthash set from the specified network.
--hashsize hashsize: The initial hash size (default 1024).
--probes probes: How many times to try to resolve a clash by double-hashing when adding an entry to the hash (default 8).
--resize percent: Increase the hash size by this many percent (default 50) when adding an entry to the hash could not be performed after probes rounds of double-hashing.

The same resizing, speed and memory efficiency comments apply here as for the iphash type.

iptree

The iptree set type uses a tree to store IP addresses, optionally with timeout values.

Options to use when creating an iptree set:

--timeout value: The timeout value for the entries in seconds (default 0, i.e. no expiry).

When adding an IP address to a set, one may add it with a specific timeout value using the syntax IP%timeout-value.

IPtables Rules

Saving Rules

Rules added with iptables live only in kernel memory and are gone after a reboot, so save them after every change. The distribution-neutral way is iptables-save, whose output is the input format of iptables-restore:

iptables-save > /etc/iptables/rules.v4

  • Debian based (requires the iptables-persistent package, which also reloads the saved rules at boot)
    netfilter-persistent save
  • RedHat based (requires the iptables-services package; RHEL/CentOS 7 and later ship firewalld by default, which has to be disabled first)
    service iptables save

To stop / start / restart the firewall on RHEL / CentOS / Fedora Linux (with iptables-services installed), enter the following commands:

# service iptables stop
# service iptables start
# service iptables restart

Note that "stop" flushes all rules and sets every policy to ACCEPT, i.e. it leaves the host completely unfiltered.
  • List all active iptables rules (filter table), verbose and numeric
    iptables -n -L -v
  • The same with rule line numbers (needed for -D chain rulenum, -I and -R)
    iptables -n -L -v --line-numbers
  • Print all active rules as iptables commands (the form iptables-restore reads)
    iptables -S
  • List the rules of the INPUT chain as a table
    iptables -L INPUT
  • Print the rule specifications of the INPUT chain
    iptables -S INPUT
  • Show packet counts and aggregate size per rule
    iptables -L INPUT -v
  • Display INPUT or OUTPUT chain rules with numeric output and line numbers
    iptables -L INPUT -n -v
    iptables -L OUTPUT -n -v --line-numbers
  • Delete a rule by chain and number
    iptables -D INPUT 10
  • Delete a rule by specification
    iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
  • Flush all rules, delete all user-defined chains, and accept everything (this turns the firewall off; the policies are set to ACCEPT first so a DROP policy does not cut you off the moment the rules disappear)
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -t nat -F
    iptables -t mangle -F
    iptables -F
    iptables -X
  • Flush all chains (filter table only; add -t nat or -t mangle for the other tables)
    iptables -F
  • Flush a single chain
    iptables -F INPUT

The options used above:

-F : Delete (flush) all the rules in a chain, or in every chain of the table.
-X : Delete a user-defined chain (all user-defined chains if none is given).
-t table_name : Select the table (filter, nat, mangle or raw) to list, delete or flush; filter is the default.
-P : Set the default policy of a built-in chain (ACCEPT or DROP; REJECT is a target, not a valid policy).
-D : Delete one rule from the selected chain, by number or by specification.

  • Insert Firewall Rules
    iptables -I INPUT 2 -s 202.54.1.2 -j DROP
  • Allow Loopback Connections
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
  • Allow Established and Related Incoming Connections
    iptables -A INPUT -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT
  • Allow Established Outgoing Connections
    iptables -A OUTPUT -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Internal to External
    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
  • Drop Invalid Packets
    iptables -A INPUT -m conntrack –ctstate INVALID -j DROP
  • Block an IP Address
    iptables -A INPUT -s 192.168.252.10 -j DROP
  • Block and IP Address and Reject
    iptables -A INPUT -s 192.168.252.10 -j REJECT
  • Block Connections to a Network Interface
    iptables -A INPUT -i eth0 -s 192.168.252.10 -j DROP
  • Block Connections to a Network Interface
    iptables -A INPUT -i eth0 -s 192.168.252.10 -j DROP
  • Allow All Incoming SSH
    iptables -A INPUT -p tcp –dport 22 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 22 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Allow Incoming SSH from Specific IP address or subnet
    iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    
    iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  • Allow Outgoing SSH
    iptables -A OUTPUT -p tcp –dport 22 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp –sport 22 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Allow Incoming Rsync from Specific IP Address or Subnet
    iptables -A INPUT -p tcp -s 192.168.240.0/24 –dport 873 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 873 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Allow All Incoming HTTP
    iptables -A INPUT -p tcp –dport 80 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 80 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Allow All Incoming HTTPS
    iptables -A INPUT -p tcp –dport 443 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 443 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Allow All Incoming HTTP and HTTPS
    iptables -A INPUT -p tcp -m multiport –dports 80,443 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -m multiport –dports 80,443 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Allow MySQL from Specific IP Address or Subnet
    iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    
    iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  • Allow MySQL to Specific Network Interface
    iptables -A INPUT -i eth1 -p tcp –dport 3306 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth1 -p tcp –sport 3306 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • PostgreSQL from Specific IP Address or Subnet
    iptables -A INPUT -p tcp -s 192.168.240.0/24 –dport 5432 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 5432 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Allow PostgreSQL to Specific Network Interface
    iptables -A INPUT -i eth1 -p tcp –dport 5432 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth1 -p tcp –sport 5432 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Block Outgoing SMTP Mail
    iptables -A OUTPUT -p tcp –dport 25 -j REJECT
  • Allow All Incoming SMTP
    iptables -A INPUT -p tcp –dport 25 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 25 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Allow All Incoming IMAP
    iptables -A INPUT -p tcp –dport 143 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 143 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Allow All Incoming IMAPS
    iptables -A INPUT -p tcp –dport 993 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 993 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Allow All Incoming POP3
    iptables -A INPUT -p tcp –dport 110 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 110 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Allow All Incoming POP3S
    iptables -A INPUT -p tcp –dport 995 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp –sport 995 -m conntrack –ctstate ESTABLISHED -j ACCEPT
  • Drop Private Network Address On Public Interface
    iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
    iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
  • Only Block Incoming Traffic
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -m state –state NEW,ESTABLISHED -j ACCEPT
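The rules above compose into one default-deny ruleset, and their order matters: loopback and conntrack first, then per-service accepts, then a logging catch-all, with the DROP policy applied in the same step as the rules. The following script is an added example written for this cheat sheet, not code from the original page. It emits the ruleset in iptables-restore format so that it can be reviewed as text and then loaded atomically, instead of being applied one iptables command at a time with a window in which the host is half-configured. The admin subnet 192.0.2.0/24, the port list and the LOGDROP chain name are illustrative choices; nothing in the script touches the kernel.

```shell
#!/bin/sh
# Added example: generate a default-deny INPUT ruleset in iptables-restore format.
# Output is text for review; load it with iptables-restore afterwards.

# valid_port N: prints "yes" if N is an integer in 1..65535, otherwise "no".
valid_port() {
    case "$1" in
        ''|*[!0-9]*) echo no; return 0 ;;
    esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then echo yes; else echo no; fi
}

# gen_baseline_ruleset ADMIN_CIDR PORT...
#   ADMIN_CIDR: the only source allowed to open SSH (illustrative value below)
#   PORT...:    TCP services open to everyone (e.g. 80 443); bad ports are skipped
gen_baseline_ruleset() {
    local admin="$1" port
    shift
    # Policies and chains first; rule order inside INPUT is first-match-wins.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --dport 22 -s $admin -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -s $admin -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 10 -j DROP
-A INPUT -p tcp --dport 22 -s $admin -m conntrack --ctstate NEW -j ACCEPT
EOF
    for port in "$@"; do
        if [ "$(valid_port "$port")" = yes ]; then
            printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        else
            echo "gen_baseline_ruleset: ignoring invalid port '$port'" >&2
        fi
    done
    # Rate-limited ping, then log-and-drop everything that did not match above.
    cat <<'EOF'
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 4 -j ACCEPT
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "INPUT-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Stand-alone run: print the ruleset for the illustrative admin subnet and two services.
gen_baseline_ruleset 192.0.2.0/24 80 443
```

Review the output, then load it in one step: gen_baseline_ruleset 192.0.2.0/24 80 443 > /etc/iptables/rules.v4, followed by iptables-restore --test /etc/iptables/rules.v4 (where supported) and iptables-restore /etc/iptables/rules.v4. On Debian-based hosts, iptables-apply -t 60 /etc/iptables/rules.v4 loads the file and rolls it back unless you confirm within 60 seconds, which is the safeguard you want when the policy is DROP and you are connected over SSH.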

Drop All Outgoing Traffic to Facebook Networks
Get the Facebook AS number (whois output is untrusted data; inspect it before feeding it to a root command):

whois -h v4.whois.cymru.com " -v $(host facebook.com | grep "has address" | head -n1 | cut -d " " -f4)" | tail -n1 | awk '{print $1}'

Drop every prefix announced by that AS. The rules go in the OUTPUT chain, so the prefix is matched as the destination (-d), not the source:

for i in $(whois -h whois.radb.net -- '-i origin AS32934' | grep "^route:" | awk '{print $2}' | sort -u) ; do
    iptables -A OUTPUT -d "$i" -j REJECT
done
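One rule per prefix, appended in a loop, is slow to apply and slow to match; the ipset section earlier on this page and the AS-blocking loop just above call for the same thing, which is to put the prefixes into one set and reference it from a single rule. The following script is an added example for this cheat sheet, not code from the original page. It uses the current ipset 6 syntax (hash:net, ipset restore, -m set --match-set) rather than the legacy commands documented in the ipset section, validates every prefix before it can reach a root-run command (whois output is untrusted input), and runs on a constructed whois sample that uses the documentation AS number AS64496 and documentation prefixes; the set name as64496 is an arbitrary choice.

```shell
#!/bin/sh
# Added example: turn RADb "route:" output into an ipset restore script.
# Constructed sample of what `whois -h whois.radb.net -- '-i origin AS64496'`
# might print (AS64496 and the 198.51.100.0/24 / 203.0.113.0/24 prefixes are
# documentation values, not a real AS). It contains a duplicate, a line with a
# stray ';', an impossible octet and an IPv6 route, all of which must be handled.
SAMPLE_WHOIS='route:          198.51.100.0/24
descr:          Example network (constructed)
origin:         AS64496
route:          203.0.113.0/24
origin:         AS64496
route:          198.51.100.0/24
route:          203.0.113.0/24;
route:          300.113.0.0/16
route6:         2001:db8::/32'

# routes_from_whois: stdin = whois output, stdout = unique IPv4 "route:" values.
routes_from_whois() {
    awk '$1 == "route:" { print $2 }' | sort -u
}

# valid_cidr4 STR: prints "yes" for a.b.c.d/n with every octet in 0..255 and n in 0..32,
# otherwise "no". Anything else (a trailing ';', a 300.x octet, an IPv6 prefix) is
# rejected instead of being spliced into an ipset or iptables command line.
valid_cidr4() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF == 5 && $5 ~ /^[0-9]+$/ && $5 <= 32 {
            ok = 1
            for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (ok) { print "yes"; next }
        }
        { print "no" }'
}

# ipset_restore_script SETNAME: stdin = one prefix per line, stdout = commands for
# `ipset restore`. -exist makes the script idempotent when it is re-run.
ipset_restore_script() {
    local name="$1" cidr
    printf 'create %s hash:net family inet -exist\n' "$name"
    while IFS= read -r cidr; do
        if [ "$(valid_cidr4 "$cidr")" = yes ]; then
            printf 'add %s %s -exist\n' "$name" "$cidr"
        else
            echo "ipset_restore_script: skipping invalid prefix '$cidr'" >&2
        fi
    done
}

# block_rule_for_set SETNAME: the single iptables rule that references the set
# (printed, not executed here).
block_rule_for_set() {
    printf 'iptables -I OUTPUT -m set --match-set %s dst -j REJECT\n' "$1"
}

# Stand-alone run on the constructed sample. For a real AS the pipeline becomes:
#   whois -h whois.radb.net -- '-i origin AS32934' | routes_from_whois \
#       | ipset_restore_script fb | ipset restore
printf '%s\n' "$SAMPLE_WHOIS" | routes_from_whois | ipset_restore_script as64496
block_rule_for_set as64496
```

The set is matched on dst because the rule sits in OUTPUT; for an inbound blocklist the same set is referenced with src from INPUT. To refresh the list without a gap, restore into a second set and use ipset swap, as described in the ipset section.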

Log and Drop Packets

iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

LOG is a non-terminating target, so the DROP rule has to follow it. The kernel writes the log lines to the kernel ring buffer, from where syslog picks them up: /var/log/messages on RHEL-family systems, /var/log/kern.log or /var/log/syslog on Debian/Ubuntu, or journalctl -k on systemd hosts:

tail -f /var/log/messages
grep --color 'IP_SPOOF' /var/log/messages

Log and Drop Packets with a Limited Number of Log Entries (so a flood cannot fill the disk with log lines)

iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
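Logging is only worth the disk space if someone reads the lines. The following is an added example, not from the original page, that parses the kernel LOG format the rules above produce and summarises which source addresses and destination ports triggered the IP_SPOOF rule. It runs on a constructed sample of syslog lines: the hostname, timestamps, MAC and addresses are made up, and one PING-DROP line is included to show that other prefixes in the same file are filtered out.

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines by prefix, source address and destination port.
# Constructed sample of /var/log/messages (or `journalctl -k`) output; every value is made up.
SAMPLE_LOG='Mar  3 10:15:01 gw kernel: [ 4821.113] IP_SPOOF A: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.30.40 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: [ 4822.201] IP_SPOOF A: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.30.40 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: [ 4822.377] IP_SPOOF A: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=117 ID=9 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:15:03 gw kernel: [ 4823.004] PING-DROP: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=4
Mar  3 10:15:04 gw kernel: [ 4824.590] IP_SPOOF A: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.30.40 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=44323 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:15:05 gw kernel: [ 4825.118] IP_SPOOF A: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=117 ID=10 DF PROTO=TCP SPT=51001 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  3 10:15:06 gw kernel: [ 4826.333] IP_SPOOF A: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.20.30.40 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1237 DF PROTO=TCP SPT=44324 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0'

# log_field LINE KEY: print the value of the first KEY=value token in one LOG line
# (empty if the key is absent). The LOG target emits space-separated KEY=value pairs.
log_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { for (i = 1; i <= NF; i++) if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit } }'
}

# log_summary [PREFIX]: stdin = log lines; stdout = "COUNT SRC DPT", most frequent first,
# for lines carrying PREFIX (default IP_SPOOF). Lines with other prefixes are ignored,
# so the PING-DROP line in the sample does not pollute the spoof statistics.
# DPT is "-" for protocols without ports (ICMP).
log_summary() {
    awk -v prefix="${1:-IP_SPOOF}" '
        index($0, prefix) == 0 { next }
        {
            src = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if (index($i, "SRC=") == 1) src = substr($i, 5)
                if (index($i, "DPT=") == 1) dpt = substr($i, 5)
            }
            n[src " " dpt]++
        }
        END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2 -k3,3n
}

# Stand-alone run on the constructed sample; on a live host:  journalctl -k | log_summary
printf '%s\n' "$SAMPLE_LOG" | log_summary
```

Because the rule logs packets whose source address is spoofed, the SRC column tells you which private ranges are hitting the public interface, not who is sending them; the useful signal is the DPT column (what the sender was probing) and the rate, which is why the limited LOG variant above is the one to deploy.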

Drop or Accept Traffic From Mac Address

iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

Block ICMP Ping Requests (on every interface, or only on eth1)

Only echo-request is dropped here; leave the other ICMP types (destination-unreachable, fragmentation-needed, time-exceeded) alone, or path MTU discovery and traceroute stop working.

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

Specifying Multiple Ports with multiport

iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT

Load Balancing with the statistic match (nth or random mode)

The nth* and random* matches of older guides were patch-o-matic extensions and are not part of mainline iptables; the statistic match provides both modes. DNAT lives in the nat table, so the rules need -t nat. Each rule only sees the connections the rules before it let through, so the divisor shrinks by one per rule: 1/4 of all new connections, then 1/3 of the remainder, then 1/2, then everything that is left.

_ips=("172.31.250.10" "172.31.250.11" "172.31.250.12" "172.31.250.13")

every=${#_ips[@]}
for ip in "${_ips[@]}" ; do
    if [ "$every" -gt 1 ]; then
        iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW \
            -m statistic --mode nth --every "$every" --packet 0 -j DNAT --to-destination "${ip}:80"
    else
        iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW \
            -j DNAT --to-destination "${ip}:80"
    fi
    every=$((every - 1))
done

or, in random mode, with probabilities 0.25, 0.33, 0.5 and 1 for the same reason:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.25 -j DNAT --to-destination 172.31.250.10:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.33 -j DNAT --to-destination 172.31.250.11:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -m statistic --mode random --probability 0.5 -j DNAT --to-destination 172.31.250.12:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m conntrack --ctstate NEW -j DNAT --to-destination 172.31.250.13:80

Restricting the Number of Connections with limit and connlimit

Rate-limit new HTTP/HTTPS connections being forwarded (20 per hour with a burst of 5; connections beyond that fall through to the following rules or the chain policy):

iptables -A FORWARD -m conntrack --ctstate NEW -p tcp -m multiport --dports http,https -o eth0 -i eth1 \
    -m limit --limit 20/hour --limit-burst 5 -j ACCEPT

or limit the number of parallel connections per source address (the iplimit* match of old patch-o-matic kernels is called connlimit in mainline iptables):

iptables -A INPUT -p tcp -m conntrack --ctstate NEW --dport http -m connlimit --connlimit-above 5 -j DROP

Maintaining a List of recent Connections to Match Against

iptables -A FORWARD -m recent --name portscan --rcheck --seconds 100 -j DROP
iptables -A FORWARD -p tcp -i eth0 --dport 443 -m recent --name portscan --set -j DROP

Matching Against a string in a Packet's Data Payload

The string match requires --algo (bm for Boyer-Moore or kmp for Knuth-Morris-Pratt). It inspects each packet on its own, so a string split across two segments is not seen, and a pattern as short as '.com' also matches plenty of legitimate traffic:

iptables -A FORWARD -m string --algo bm --string '.com' -j DROP
iptables -A FORWARD -m string --algo bm --string '.exe' -j DROP

Time-based Rules with time

iptables -A FORWARD -p tcp -m multiport --dports http,https -o eth0 -i eth1 \
    -m time --timestart 21:30 --timestop 22:30 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT

--days was the option name of the old patch-o-matic time* match; mainline iptables uses --weekdays, and the times are interpreted in UTC unless --kerneltz is given.

Packet Matching Based on TTL Values

iptables -A INPUT -s 1.2.3.4 -m ttl --ttl-lt 40 -j REJECT

Protection against port scanning

iptables -N port-scanning
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
iptables -A port-scanning -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scanning

The chain rate-limits bare RST segments (a SYN scan tears down every half-open connection to an open port with one). The last rule is what actually sends traffic into the chain; it has to carry the same flag match, because the chain drops everything that is not a RST within the limit.

SSH brute-force protection

iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP

Syn-flood protection

iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP

A global limit of one SYN per second also turns away legitimate clients of a busy server; for anything beyond a small host, SYNPROXY below scales better.

ICMP rate limiting (accept one echo per second, log the overflow at the same rate, drop the rest)

iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "PING-DROP: "
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
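The limit match appears in several rules on this page (the LOG rate limit, the syn_flood chain, the ICMP rules, the port-scanning chain), and --limit-burst is widely misread. It is a token bucket: the bucket starts full with --limit-burst tokens, every matching packet takes one token, the rule stops matching when the bucket is empty, and tokens come back at the --limit rate. The simulator below is an added example written for this cheat sheet, not code from the original page and not the kernel's implementation (which accounts credits in finer units); it replays constructed packet arrival times through that model so you can see how many SYNs of a burst the syn_flood chain actually lets through.

```shell
#!/bin/sh
# Added example: simulate the `-m limit --limit RATE --limit-burst BURST` token bucket.

# limit_interval_ms RATE: milliseconds per token for an iptables rate string such as
# 1/s, 5/m, 20/hour or 1/day (a bare number means per second). Prints 0 and a message
# on stderr for a rate it cannot parse.
limit_interval_ms() {
    local n="${1%%/*}" unit="${1#*/}" unit_ms
    case "$n" in
        ''|*[!0-9]*|0) echo "limit_interval_ms: bad count in '$1'" >&2; echo 0; return 0 ;;
    esac
    case "$unit" in
        "$n")         unit_ms=1000 ;;      # no unit given: per second
        s|sec|second) unit_ms=1000 ;;
        m|min|minute) unit_ms=60000 ;;
        h|hour)       unit_ms=3600000 ;;
        d|day)        unit_ms=86400000 ;;
        *) echo "limit_interval_ms: unknown unit in '$1'" >&2; echo 0; return 0 ;;
    esac
    echo $(( unit_ms / n ))
}

# limit_simulate RATE BURST T1 T2 ...: T are packet arrival times in ms, ascending.
# Prints one line per packet: "t=<ms> match" when the rule would match, and
# "t=<ms> exceeded" when the bucket is empty and the packet falls through to the next rule.
limit_simulate() {
    local interval tokens burst last t refill
    interval=$(limit_interval_ms "$1")
    burst="$2"
    shift 2
    if [ "$interval" -le 0 ]; then echo "limit_simulate: unusable rate" >&2; return 0; fi
    tokens="$burst"       # the bucket starts full
    last=0                # time up to which refills have been credited
    for t in "$@"; do
        refill=$(( (t - last) / interval ))
        if [ "$refill" -gt 0 ]; then
            tokens=$(( tokens + refill ))
            if [ "$tokens" -gt "$burst" ]; then tokens="$burst"; fi   # never above burst
            last=$(( last + refill * interval ))
        fi
        if [ "$tokens" -gt 0 ]; then
            tokens=$(( tokens - 1 ))
            echo "t=$t match"
        else
            echo "t=$t exceeded"
        fi
    done
}

# limit_matches RATE BURST T...: just the number of packets the rule matched.
limit_matches() {
    limit_simulate "$@" | grep -c 'match$' || true
}

# Stand-alone run: the page's syn_flood chain (--limit 1/s --limit-burst 3) against a
# constructed burst of 10 SYNs within 90 ms, followed by one SYN per second for 3 s.
echo "syn_flood (1/s, burst 3): 10 SYNs in 90 ms, then 1/s"
limit_simulate 1/s 3 0 10 20 30 40 50 60 70 80 90 1000 2000 3000
echo "matched: $(limit_matches 1/s 3 0 10 20 30 40 50 60 70 80 90 1000 2000 3000) of 13"
```

Only the first three SYNs of the burst survive and everything else in that second is dropped, which is the behaviour to expect from the syn_flood chain on a real host; the ICMP rules above, with burst 1, let exactly one echo through per second.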

Mitigating SYN Floods With SYNPROXY

SYNPROXY completes the three-way handshake on behalf of the server and only creates a conntrack entry once the client's ACK arrives, so a flood of SYNs never reaches the listening socket. It requires net.netfilter.nf_conntrack_tcp_loose=0 so that mid-stream packets are not picked up as valid connections:

sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Block New Packets That Are Not SYN

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
or

iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP

Drop Fragmented Packets

iptables -A INPUT -f -j DROP

-f matches the second and later fragments of a datagram; the first fragment carries the transport header and is not matched. On a host that loads conntrack, packets are reassembled before the filter table sees them, so this rule rarely fires there.

XMAS packets

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop all NULL packets

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Block Uncommon MSS Values

iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP

Block Packets With Bogus TCP Flags

iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
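The --tcp-flags and --syn options described in the rule-specification section, and the thirteen bogus-flag rules above, all come down to one mask-and-compare. The following is an added example for this cheat sheet, not code from the original page: it evaluates --tcp-flags MASK COMP the way iptables does and walks the rules above in page order against constructed flag combinations, so a rule can be checked against the packets it is meant to catch (and the handshake packets it must not catch) before it is loaded. The bit values assigned to the flags are arbitrary; only set/unset matters.

```shell
#!/bin/sh
# Added example: evaluate `--tcp-flags MASK COMP` the way iptables does, and test the
# "Block Packets With Bogus TCP Flags" rules against constructed packets.

# flag_bit NAME: one bit per flag (values are arbitrary; only set/unset matters).
flag_bit() {
    case "$1" in
        FIN) echo 1 ;;
        SYN) echo 2 ;;
        RST) echo 4 ;;
        PSH) echo 8 ;;
        ACK) echo 16 ;;
        URG) echo 32 ;;
        ALL) echo 63 ;;
        NONE) echo 0 ;;
        *) echo "flag_bit: unknown flag $1" >&2; echo 0 ;;
    esac
}

# flags_to_mask LIST: "SYN,ACK" -> 18, "ALL" -> 63, "NONE" -> 0
flags_to_mask() {
    local total=0 f b
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        b=$(flag_bit "$f")
        total=$(( total | b ))
    done
    echo "$total"
}

# tcp_flags_match MASK COMP PKTFLAGS: prints "match" when, looking only at the flags in
# MASK, exactly the flags in COMP are set in the packet; flags outside MASK are ignored.
tcp_flags_match() {
    local mask comp pkt
    mask=$(flags_to_mask "$1"); comp=$(flags_to_mask "$2"); pkt=$(flags_to_mask "$3")
    if [ $(( pkt & mask )) -eq $(( comp & mask )) ]; then echo match; else echo nomatch; fi
}

# syn_match PKTFLAGS: the --syn shorthand, i.e. --tcp-flags SYN,RST,ACK,FIN SYN
syn_match() {
    tcp_flags_match SYN,RST,ACK,FIN SYN "$1"
}

# bogus_flags_verdict PKTFLAGS: walk the bogus-flag rules above in page order and print
# the first one that fires as "drop: MASK COMP", or "pass" if none does.
bogus_flags_verdict() {
    local pkt="$1" rule
    for rule in "FIN,SYN,RST,PSH,ACK,URG NONE" "FIN,SYN FIN,SYN" "SYN,RST SYN,RST" \
                "FIN,RST FIN,RST" "FIN,ACK FIN" "ACK,URG URG" "ACK,FIN FIN" "ACK,PSH PSH" \
                "ALL ALL" "ALL NONE" "ALL FIN,PSH,URG" "ALL SYN,FIN,PSH,URG" \
                "ALL SYN,RST,ACK,FIN,URG"; do
        set -- $rule
        if [ "$(tcp_flags_match "$1" "$2" "$pkt")" = match ]; then
            echo "drop: $1 $2"
            return 0
        fi
    done
    echo pass
}

# Stand-alone run: handshake packets pass; XMAS (ALL), NULL (NONE), SYN/FIN and a bare FIN
# are dropped. Note that the XMAS packet is caught by the FIN,SYN rule long before the
# ALL ALL rule, and NULL by the first rule before ALL NONE: the two "ALL" rules are redundant.
for p in SYN SYN,ACK ACK ACK,PSH FIN ALL NONE SYN,FIN; do
    printf '%-8s --syn=%-8s bogus-rules=%s\n' "$p" "$(syn_match "$p")" "$(bogus_flags_verdict "$p")"
done
```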
