iptables

# show the filter table (the default) and the nat table
iptables --list
iptables --list --table nat

# show every rule with packet/byte counters; --numeric skips DNS and service
# name lookups so addresses and ports are printed as numbers
iptables --list --verbose --numeric

# dump the rules as iptables-save style commands (scriptable form)
iptables --list-rules
 
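# reset the firewall to "accept everything".
# Policies are opened first so the flush never leaves a DROP policy standing
# with no accept rules (that would cut off the session running these lines).
# The original only deleted user chains (-X) in the filter table and never
# touched the raw table; every table is flushed and emptied here.
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
sudo iptables -t raw -F
sudo iptables -t raw -X
sudo iptables -F
sudo iptables -X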
 
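# forward local port 8080 to 10.0.1.123:80 (DNAT).
# nat PREROUTING runs before the filter FORWARD chain, so FORWARD sees the
# rewritten packet: destination 10.0.1.123, port 80. A FORWARD rule matching
# port 8080 never fires once the FORWARD policy is DROP, so match the
# post-DNAT address and port instead, and let the replies back through.
# Requires net.ipv4.ip_forward=1; the replies from 10.0.1.123 must route back
# via this host (otherwise add SNAT/MASQUERADE in nat POSTROUTING).
sudo iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.1.123:80
sudo iptables -A FORWARD -i eth0 -p tcp -d 10.0.1.123 --dport 80 -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT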
 
# send port 80 to a service listening on 8080 on this host (no address rewrite).
# --insert puts each rule at the head of its chain. PREROUTING covers traffic
# arriving from the network; the OUTPUT rule covers connections that the host
# makes to itself (those leave via lo).
sudo iptables --table nat --insert PREROUTING --protocol tcp --dport 80 --jump REDIRECT --to-ports 8080
sudo iptables --table nat --insert OUTPUT --protocol tcp --out-interface lo --dport 80 --jump REDIRECT --to-ports 8080
 
# expose sshd on port 222 as well: traffic arriving on eth0 for 222 is
# rewritten to 22. Because the rewrite happens in PREROUTING, an INPUT accept
# rule for this traffic has to match the post-redirect port 22, not 222.
sudo iptables --table nat --append PREROUTING --in-interface eth0 --protocol tcp --dport 222 --jump REDIRECT --to-ports 22
 
 
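# minimal web-server policy: default-deny inbound, allow only HTTP.
# Loopback and replies to the host's own connections are accepted BEFORE the
# policy flips to DROP: without the conntrack rule DNS/apt replies are dropped,
# and setting the policy first cuts off a remote session used to type these
# lines. Remote administration needs its own accept rule (e.g. port 22).
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -P INPUT DROP
# persist (RHEL-style iptables service)
service iptables save

# or (Debian/Ubuntu with iptables-persistent)
iptables-save > /etc/iptables/rules.v4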
 
 
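# default-deny inbound with a short allow list on eth0.
# Loopback and established/related traffic are accepted first; the DROP
# policy is set last so nothing is cut off while the accept rules go in.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
## -- now the specific "accept" rules:
## Accept incoming TCP connections from eth0 on ports 20 and 21.
## NOTE(review): passive-mode FTP data connections use other ports and are not
## covered by this range (that needs the ftp conntrack helper) -- confirm.
iptables -A INPUT -i eth0 -p tcp --dport 20:21 -j ACCEPT
## Accept SSH connections
## (- although this could have been included above with 20:22)
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
## Accept incoming web connections
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
## default-deny, once the accept rules are in place
iptables -P INPUT DROP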
 
 
 
# empty the filter table, show the (now empty) rules, then allow ports 25 and
# 993 inbound. --insert places each rule at the head of INPUT, ahead of
# anything appended later.
iptables --flush
iptables --list --numeric
iptables --insert INPUT --protocol tcp --dport 25 --jump ACCEPT
iptables --insert INPUT --protocol tcp --dport 993 --jump ACCEPT
 
 
 
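# baseline lockdown: deny everything except loopback and the replies to
# connections this host already has.
# Flushing all rules (user chains must be empty before -X can remove them)
iptables -F
iptables -X
# Allow unlimited traffic on loopback, and return traffic, BEFORE the policy
# flips to DROP so there is no window in which even localhost is cut off.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Setting default filter policy. With OUTPUT DROP the host cannot open any new
# connection (DNS, package updates, ssh) until an explicit OUTPUT accept is
# added; a remote session survives only because of the ESTABLISHED rules above.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP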
 
 
 
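# mail host: allow 25, 22 and 993 inbound, drop the rest.
# iptables is first-match: in the original the catch-all "-A INPUT -j DROP"
# was appended BEFORE the port 22/993 ACCEPT rules, making them unreachable
# (and the whole block was pasted twice). The DROP must be the last rule.
iptables -F
iptables -A INPUT -i lo -j ACCEPT
# replies to connections this host opened (DNS, updates, outbound mail)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT
# catch-all last
iptables -A INPUT -j DROP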
 
 
 
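# Accept ssh traffic from lan1 (eth1) to client 192.168.20.2 in lan2 (eth2).
# The replies from 192.168.20.2 traverse FORWARD as eth2 -> eth1 and would be
# caught by the inter-LAN DROP rules below, so established/related traffic is
# accepted first; without it the ssh handshake never completes.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -p tcp --dport 22 -d 192.168.20.2 -j ACCEPT

# Block all traffic between the LANs, but permit traffic to the internet (eth0).
# "! -o eth0" is the supported negation form; "-o ! eth0" is deprecated and
# produces a warning on current iptables.
iptables -A FORWARD -i eth1 ! -o eth0 -j DROP
iptables -A FORWARD -i eth2 ! -o eth0 -j DROP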
 
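# redirect incoming port 80 on eth0 to a service listening on 8080
# (the original comment had the direction backwards: the REDIRECT rewrites
# 80 -> 8080). The rewrite happens in nat PREROUTING, so the INPUT chain sees
# these packets with dport 8080 -- that ACCEPT is the one that matters; the
# port 80 ACCEPT is kept but is effectively unused while the redirect is in.
/sbin/iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 8080
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT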

chain

# flush the chain in the filter table (assumes a chain of that name exists
# there -- the mangle copy is handled below)
iptables --flush neutron-l3-agent-scope

# view the mangle rules with counters and numeric addresses
iptables --table mangle --numeric --list --verbose

# flush rules in the mangle chain
iptables --table mangle --flush neutron-l3-agent-scope

# replace rule: delete the old mark rule (first exact match of the spec), then
# insert the new one at the head of the chain. Between the two commands
# packets on qg-76475992-38 go unmarked; --replace with the rule's position
# (see --line-numbers) swaps it in place instead.
iptables --table mangle --delete neutron-l3-agent-scope --in-interface qg-76475992-38 --jump MARK --set-xmark 0x4010000/0xffff0000
iptables --table mangle --insert neutron-l3-agent-scope --in-interface qg-76475992-38 --jump MARK --set-xmark 0x4000000/0xffff0000

Secure access to MySQL

# allow connections to MySQL (3306) arriving over the loopback interface
iptables --append INPUT --in-interface lo --protocol tcp --dport 3306 --jump ACCEPT

# allow 3306 from one address and reject it from everywhere else.
# First match wins, so the ACCEPT has to precede the REJECT; REJECT answers
# with an ICMP port-unreachable instead of silently dropping.
iptables --append INPUT --protocol tcp --dport 3306 --source 192.168.1.2 --jump ACCEPT
iptables --append INPUT --protocol tcp --dport 3306 --jump REJECT --reject-with icmp-port-unreachable
 
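# delete a rule by position: list INPUT with positions first, because the
# number depends on the current rule order and is renumbered after every
# delete -- re-list before each positional delete.
iptables -L INPUT -n --line-numbers
iptables -D INPUT 4
# or delete by exact spec (removes the first rule matching it)
iptables -D INPUT -s 127.0.0.1 -p tcp --dport 8080 -j ACCEPT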
 
# unit state plus its recent journal lines (".service" is the default suffix)
systemctl status iptables
 
 
# routing: take tap0 down, set its MAC address, bring it back up, then
# rewrite the routes that use it (net-tools ifconfig/route syntax)
sudo ifconfig tap0 down
sudo ifconfig tap0 hw ether 00:11:22:33:44:55
sudo ifconfig tap0 up
# remove the 192.168.1.0/24 network route on tap0
sudo route del -net 192.168.1.0 netmask 255.255.255.0 dev tap0
# host route to 192.168.10.4 via gateway 192.168.1.254 on tap0
# NOTE(review): with the /24 just removed, the kernel may refuse the gateway as
# unreachable unless 192.168.1.254 is still reachable via tap0 another way -- confirm
sudo route add 192.168.10.4 gw 192.168.1.254 dev tap0
# direct host route to 192.168.1.55 over tap0 (no gateway)
sudo route add 192.168.1.55 dev tap0
# network route 192.168.254.0/24 via 192.168.1.4 on tap0 (same reachability caveat)
sudo route add -net 192.168.254.0 gw 192.168.1.4 netmask 255.255.255.0 dev tap0
 
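# routing test: turn this host into a NAT router until reboot.
# The /proc write is not persistent (use sysctl.conf for that). FORWARD ACCEPT
# plus MASQUERADE on every non-loopback interface forwards and rewrites
# anything routed through this box -- suitable for a test, not as a policy.
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
# "! -o lo" is the supported negation form; "-o ! lo" is deprecated
iptables -t nat -A POSTROUTING ! -o lo -j MASQUERADE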
 
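# block incoming traffic from a single host
iptables -A INPUT -s 10.0.30.40 -j DROP

# block outgoing connections to hosts/networks
# (a comma-separated -d list expands into one rule per address)
iptables -A OUTPUT -d 10.0.1.8,10.1.10.0/24 -j DROP
# --dport is only valid together with a protocol that has ports, so -p tcp is
# required; without it iptables rejects the rule ("unknown option --dport").
# The network is spelled out in full: short forms such as "10/8" are not
# reliably parsed as 10.0.0.0/8.
iptables -A OUTPUT -p tcp -d 10.0.0.0/8 --dport 3306 -j DROP
# re-enable: -D removes the first rule matching this exact spec, i.e. only the
# 10.0.1.8 rule; the 10.1.10.0/24 rule created by the list above stays.
iptables -D OUTPUT -d 10.0.1.8 -j DROP

# allow outgoing ssh to one host while OUTPUT is default-deny.
# The OUTPUT rule admits the new connection; the INPUT rule admits only the
# replies belonging to it, rather than all traffic from 10.0.5.20 as before.
iptables -I OUTPUT -p tcp --dport 22 -d 10.0.5.20 -j ACCEPT
iptables -I INPUT -s 10.0.5.20 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT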
 
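# clear iptables: reset the policies to ACCEPT first -- flushing alone while a
# DROP policy is in place leaves the host dropping everything, including the
# session running these commands. Then flush and delete user chains in
# every table.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X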
 
# allow ssh only: loopback, then one inbound/outbound pair for sshd, then drop
# everything else. <ip_from> is the client, <ssh_host_ip> is this host.
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT

# client ports 513-65535 -> sshd on 22; outbound only for established flows
iptables --append INPUT --protocol tcp --source <ip_from> --destination <ssh_host_ip> --sport 513:65535 --dport 22 --match state --state NEW,ESTABLISHED --jump ACCEPT
iptables --append OUTPUT --protocol tcp --source <ssh_host_ip> --destination <ip_from> --sport 22 --dport 513:65535 --match state --state ESTABLISHED --jump ACCEPT

# catch-all, appended last so the accepts above are evaluated first
iptables --append INPUT --jump DROP
iptables --append OUTPUT --jump DROP
 
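# forward port 161 arriving on eth0 to an internal host (DNAT).
# NOTE(review): 161 is conventionally SNMP, which is UDP; these rules cover
# TCP only -- confirm which protocol is intended.
# FORWARD runs after the nat rewrite, so restrict it to the DNAT target instead
# of accepting any forwarded 161 traffic, and let the replies back through.
# Requires net.ipv4.ip_forward=1.
iptables -t nat -A PREROUTING -p tcp --dport 161 -j DNAT --to-destination 192.168.100.253:161
iptables -A FORWARD -i eth0 -p tcp -d 192.168.100.253 --dport 161 -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# masquerade a source range leaving via eth0
iptables -t nat -A POSTROUTING -m iprange --src-range 10.0.0.2-10.0.31.255 -o eth0 -j MASQUERADE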
 
# UDP
http://blog.thoward37.me/articles/code-snippet-iptables-settings-to-prevent-udp-floods/
 
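# block incoming / outgoing traffic to a single IP whenever an interface
# comes up. Scripts in if-up.d are only run if they are executable, hence the
# chmod. The hook fires for every interface-up event, so each -A is guarded by
# -C (check) to avoid stacking duplicate rules; -C prints an error when the
# rule is absent, which is the expected case, so that output is discarded.
# Written with ">" rather than ">>": appending on a re-run would produce a
# second shebang and a second copy of the rules.
cat <<'EOF' > /etc/network/if-up.d/zentras
#!/bin/bash
iptables -C INPUT -s 10.0.20.22 -j DROP 2>/dev/null || iptables -A INPUT -s 10.0.20.22 -j DROP
iptables -C OUTPUT -d 10.0.20.22 -j DROP 2>/dev/null || iptables -A OUTPUT -d 10.0.20.22 -j DROP
EOF
chmod 0755 /etc/network/if-up.d/zentras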
 
# forward ftp control port 21 arriving on enp2s0 to an internal server; the
# second line is the matching delete that undoes it. Passive-mode data
# connections use other ports and are not covered by this single rule --
# TODO confirm whether the ftp conntrack helper is in use on this host.
iptables --table nat --append PREROUTING --in-interface enp2s0 --protocol tcp --dport 21 --jump DNAT --to-destination 10.0.3.207:21
iptables --table nat --delete PREROUTING --in-interface enp2s0 --protocol tcp --dport 21 --jump DNAT --to-destination 10.0.3.207:21

Permanent

# keep the rules across reboots (Debian/Ubuntu): iptables-persistent loads
# these two files at boot, so re-run the dumps after every rule change
apt-get install --yes iptables-persistent
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

Debug Routing and Forwarding

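# log the first packet of each new connection as it enters nat PREROUTING and
# POSTROUTING (the nat table only sees a connection's first packet).
# Inserted at position 1 rather than appended: DNAT/MASQUERADE are terminating
# targets, so a LOG appended after them never sees the packets they rewrote.
# --log-prefix tells the two chains apart in the kernel log.
sudo iptables -t nat -I PREROUTING 1 -j LOG --log-prefix "nat-pre: "
sudo iptables -t nat -I POSTROUTING 1 -j LOG --log-prefix "nat-post: "

sudo tail -f /var/log/kern.log

# remove the debug rules afterwards; they log every new connection
sudo iptables -t nat -D PREROUTING -j LOG --log-prefix "nat-pre: "
sudo iptables -t nat -D POSTROUTING -j LOG --log-prefix "nat-post: "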

Disable internet access for a user / application

# deny network access to a group: the owner match drops, at the head of
# OUTPUT, every packet from a socket owned by group no-net (IPv4 and IPv6).
# The rules are not persistent across reboots.
sudo addgroup no-net
sudo adduser "$USER" no-net
sudo iptables --insert OUTPUT 1 --match owner --gid-owner no-net --jump DROP
sudo ip6tables --insert OUTPUT 1 --match owner --gid-owner no-net --jump DROP

# run a command with no-net as its group; the new membership alone does not
# change the group of an already running session, which is why sg is used.
# The ping is expected to fail.
sg no-net -c "/usr/bin/ping 8.8.8.8"

Links
https://crm.vpscheap.net/knowledgebase.php?action=displayarticle&id=29
http://www.thegeekstuff.com/scripts/iptables-rules
https://help.ubuntu.com/community/IptablesHowTo
http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/