Linux/iptables: Difference between revisions
== Tables and chains ==
{| class="wikitable"
!Tables
!Chains
|-
|FILTER
(default table: accept or drop packets)
|
* INPUT
* FORWARD
* OUTPUT
|-
|NAT
(rewrite addresses and ports; consulted only for the first packet of a connection)
|
* PREROUTING
* OUTPUT
* POSTROUTING
|-
|MANGLE
(modify IP headers: TTL, TOS, packet marks)
|
* PREROUTING
* INPUT
* FORWARD
* OUTPUT
* POSTROUTING
|-
|RAW
(runs before connection tracking; used to exempt traffic from it with NOTRACK)
|
* PREROUTING
* OUTPUT
|-
|(SECURITY)
(SELinux / mandatory access control rules, evaluated after FILTER)
|
* INPUT
* FORWARD
* OUTPUT
|}

{| class="wikitable"
!Targets
!valid in
!note
|-
|REJECT
|FILTER: INPUT, FORWARD, OUTPUT (and user chains called from them)
|discards the packet and sends an error back: ICMP port-unreachable by default, a TCP RST with --reject-with tcp-reset
|-
|DROP
|any chain
|discards silently, no response
|-
|ACCEPT
|any chain
|lets the packet through; stops traversal of this chain
|-
|RETURN
|any chain
|stops traversing this chain and continues in the calling chain; in a built-in chain the chain policy applies
|-
|MASQUERADE
|NAT: POSTROUTING
|SNAT to the current address of the outgoing interface; meant for dynamic IPs
|-
|REDIRECT
|NAT: PREROUTING + NAT: OUTPUT
|rewrites the destination to the local machine (port via --to-ports)
|}
== Basics ==
<pre>
iptables [-t table] command [matches...] -j target

commands
-A  (append  - add rule at end of chain)
-I  (insert  - add rule at position, default 1 = top)
-D  (delete  - remove rule, by spec or by number)
-C  (check   - test whether a rule exists, exit 0/1)
-F  (flush   - remove all rules in chain; the policy stays)
-L  (list    - show all rules in chain; -n numeric, -v counters, --line-numbers)
-P  (policy  - default action of a built-in chain: ACCEPT or DROP)
-N  (new chain)
-X  (delete empty user chain)
-t  (table to manipulate, default: filter)

matches
-i  (input interface)        -s  (source address)
-o  (output interface)       -d  (destination address)
-p  (protocol: tcp/udp/icmp)
--dport (destination port)   --sport (source port)   - both need -p tcp or -p udp
-m  (match extension, e.g. -m conntrack --ctstate RELATED,ESTABLISHED)
!   (not / negate the following match, e.g. ! -s 10.0.0.0/8)
-j  (target)
-n  (numeric output of addresses and ports)
</pre>
== View state ==
<pre>
iptables-save                 # dump all tables in iptables-restore format
iptables --list-rules         # rules of the filter table (default table); same as -S
iptables --list-rules -t nat  # rules of the nat table
</pre>
== iptables + docker ==
* Docker manual:
<blockquote>
All of Docker's iptables rules are added to the DOCKER chain. Do not manipulate this chain manually. If you need to add rules which load before Docker's rules, add them to the DOCKER-USER chain. These rules are applied before any rules Docker creates automatically.
Other rules added to the FORWARD chain, either manually, or by another iptables-based firewall, are evaluated after the DOCKER-USER and DOCKER chains. This means that if you publish a port through Docker, this port gets published no matter what rules your firewall has configured. If you want rules to apply even when a port gets published through Docker, you must add these rules to the DOCKER-USER chain.</blockquote>
* https://docs.docker.com/network/packet-filtering-firewalls/#add-iptables-policies-before-dockers-rules
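The script below is an added example and is not from this page or from the Docker documentation. It applies the quoted advice: rules go into DOCKER-USER so they are hit before Docker's own DOCKER chain, restricting a published port to one trusted network. The interface name eth0, the published host port 5432 and the trusted network 203.0.113.0/24 are assumed placeholders.

```sh
#!/bin/sh
# Added example (not the page's or Docker's code): lock a Docker-published port
# down to one trusted network through the DOCKER-USER chain.
# Assumed values: external interface eth0, host port 5432, trusted net 203.0.113.0/24.
set -eu

IPT="${IPT:-iptables}"   # set IPT=echo to print the rules instead of applying them

# Insert two rules at the top of DOCKER-USER, ahead of its default RETURN rule.
#   $1 = external interface, $2 = host port as published with -p, $3 = trusted CIDR
# When FORWARD/DOCKER-USER sees the packet, Docker's DNAT in nat PREROUTING has
# already rewritten the destination to the container address and port, so a plain
# --dport would match the container port. --ctorigdstport matches the port the
# client originally connected to; --ctdir ORIGINAL leaves reply packets alone.
docker_user_restrict() {
    iface="$1"; port="$2"; trusted="$3"
    "$IPT" -I DOCKER-USER 1 -i "$iface" -p tcp -m conntrack --ctorigdstport "$port" --ctdir ORIGINAL -s "$trusted" -j RETURN
    "$IPT" -I DOCKER-USER 2 -i "$iface" -p tcp -m conntrack --ctorigdstport "$port" --ctdir ORIGINAL -j DROP
}

# Remove the same two rules again (pass the same arguments used to add them).
docker_user_release() {
    iface="$1"; port="$2"; trusted="$3"
    "$IPT" -D DOCKER-USER -i "$iface" -p tcp -m conntrack --ctorigdstport "$port" --ctdir ORIGINAL -s "$trusted" -j RETURN
    "$IPT" -D DOCKER-USER -i "$iface" -p tcp -m conntrack --ctorigdstport "$port" --ctdir ORIGINAL -j DROP
}

# usage: sh docker-user.sh add|del eth0 5432 203.0.113.0/24
case "${1:-}" in
    add) shift; docker_user_restrict "$@" ;;
    del) shift; docker_user_release "$@" ;;
esac
```

Check the result with <code>iptables -nvL DOCKER-USER --line-numbers</code>: the RETURN for the trusted network must sit above the DROP, and both above Docker's default RETURN. Traffic arriving on other interfaces (the docker0 bridge, other containers) is not touched by these rules.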
== iptables persistent ==
<pre>
apt install iptables-persistent
iptables-save -c > /etc/iptables/rules.v4     # -c keeps the packet/byte counters
ip6tables-save -c > /etc/iptables/rules.v6    # IPv6 has its own table set; save it too
</pre>
== Random examples ==
<pre>
iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # allow inbound SSH
</pre>
* openvpn (server masquerades the client subnet 10.8.0.0/24 out of eth0)
<pre>
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE   # other direction: hide LAN sources behind the tunnel address
</pre>
* wireguard (PostUp / PostDown lines of the wg0 config)
<pre>
# PostUp
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# PostDown: the same rules with -D to remove them again
iptables -D FORWARD -i wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
</pre>
* raspi wifi to ethernet (both variants also need net.ipv4.ip_forward=1)
<pre>
# variant 1: uplink on wlan0, wired client(s) on eth0
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
# variant 2: uplink on eth0, wifi clients on wlan0 (access point); only replies are forwarded back
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
</pre>
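The examples above append single rules to chains whose policy is still ACCEPT. As an added example (not from this page), here is the step after that: a complete stateful host ruleset in iptables-save format, which can be syntax-checked and loaded atomically with iptables-restore and then written to the rules.v4 file from the section above. SSH port 22 and the admin network 203.0.113.0/24 are assumed placeholders; the script name host-fw.sh is hypothetical.

```sh
#!/bin/sh
# Added example, not the page's own code: minimal stateful host firewall
# (filter table only) in iptables-save format.
# Assumed values: SSH on port 22, admin network 203.0.113.0/24.
set -eu

# Print a complete filter-table ruleset for the given SSH port and admin CIDR.
# Lines starting with # are ignored by iptables-restore.
host_ruleset() {
    ssh_port="$1"; admin_net="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections this host started
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP: rate-limited echo-request; other types (errors, path MTU) allowed
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
-A INPUT -p icmp -j ACCEPT
# SSH: new connections only from the admin network
-A INPUT -p tcp --dport ${ssh_port} -s ${admin_net} -m conntrack --ctstate NEW -j ACCEPT
# log (rate-limited) and reject the rest; REJECT answers, DROP would stay silent
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-rejected: "
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Parse-check the ruleset without touching the kernel, then load it in one go.
# iptables-restore replaces the whole filter table atomically (tables not named
# in the file, e.g. nat, are left alone), unlike a sequence of -A commands.
apply_ruleset() {
    tmp=$(mktemp)
    host_ruleset "$@" > "$tmp"
    iptables-restore --test < "$tmp"
    iptables-restore < "$tmp"
    rm -f "$tmp"
}

# usage: sh host-fw.sh apply 22 203.0.113.0/24
# then:  iptables-save -c > /etc/iptables/rules.v4
if [ "${1:-}" = "apply" ]; then
    shift
    apply_ruleset "$@"
fi
```

Apply this from a console or with a scheduled rollback (for example <code>sleep 120 && iptables-restore < /etc/iptables/rules.v4</code> in the background) when working over SSH: if the admin network is wrong, the INPUT policy of DROP locks you out.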
== Links ==
* https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
* https://gist.github.com/mcastelino/c38e71eb0809d1427a6650d843c42ac2
* http://rudijs.github.io/2015-07/docker-restricting-container-access-with-iptables/
* https://stackoverflow.com/questions/45497644/how-to-configure-dockers-iptables-rule-docker-user-to-restrict-output
* https://erravindrapawadia.medium.com/iptables-tutorial-beginners-to-advanced-guide-to-linux-firewall-839e10501759
[[Category:Linux/Network]]
[[Category:Linux]]
Latest revision as of 22:18, 4 December 2023