Linux/iptables: Difference between revisions
Latest revision as of 22:18, 4 December 2023
Basics
iptables
-A (append - add rule at end)          -i (input interface)
-C (check)                             -o (output interface)
-D (delete - remove rule)              -s (source address)
-F (flush - remove all rules)          -d (destination address)
-I (insert - add at position)          -p (protocol (tcp/udp))
-L (list - show all rules in chain)    --dport (destination port)
-N (new chain)                         --sport (source port)
-X (delete chain)                      -j (target)
! (=not / negate)                      -t (table to manipulate (default: filter))
-n (numeric output of addresses and ports)
View state
iptables-save                 # show everything
iptables --list-rules         # list filter rules (default: filter)
iptables --list-rules -t nat  # list nat rules
iptables + docker
- Docker manual
All of Docker's iptables rules are added to the DOCKER chain. Do not manipulate this chain manually. If you need to add rules which load before Docker's rules, add them to the DOCKER-USER chain. These rules are applied before any rules Docker creates automatically.
Other rules added to the FORWARD chain, either manually, or by another iptables-based firewall, are evaluated after the DOCKER-USER and DOCKER chains. This means that if you publish a port through Docker, this port gets published no matter what rules your firewall has configured. If you want rules to apply even when a port gets published through Docker, you must add these rules to the DOCKER-USER chain.
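Putting the restriction into practice, as an added example that is not from the wiki page or the Docker manual: the rules below go into DOCKER-USER so they run before Docker's own ACCEPT rules, and they keep replies to container-initiated connections working. The external interface eth0, the trusted network 203.0.113.0/24 and the IPT dry-run variable are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): restrict who may reach Docker-published
# ports by placing the rules in DOCKER-USER, the chain Docker evaluates before its
# own rules. Assumptions (constructed): external interface eth0, trusted admin
# network 203.0.113.0/24. IPT defaults to a dry run that only prints the commands;
# set IPT=iptables (as root, with Docker running) to apply them for real.
IPT="${IPT:-echo iptables}"

docker_user_rules() {
  ext_if="$1"
  trusted="$2"
  # Start from a clean DOCKER-USER chain (Docker creates it with a single RETURN).
  $IPT -F DOCKER-USER
  # Replies to connections the containers opened themselves must keep flowing;
  # without this a blanket DROP on the external interface breaks outbound access.
  $IPT -A DOCKER-USER -i "$ext_if" -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN
  # Only the trusted network may open new connections to published ports.
  $IPT -A DOCKER-USER -i "$ext_if" -s "$trusted" -j RETURN
  # Everything else arriving on the external interface is dropped here, before
  # Docker's own ACCEPT rules in the DOCKER chain get to see it.
  $IPT -A DOCKER-USER -i "$ext_if" -j DROP
  # Traffic from other interfaces (e.g. docker0) continues to Docker's rules.
  $IPT -A DOCKER-USER -j RETURN
}

# Dry run: print the rule set that would be applied.
docker_user_rules eth0 203.0.113.0/24
```

Check the result with `iptables --list-rules | grep DOCKER-USER`; the rules do not survive a reboot on their own, so save them with the iptables-save command from the persistent section.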
iptables persistent
apt install iptables-persistent
iptables-save -c > /etc/iptables/rules.v4
ip6tables-save -c > /etc/iptables/rules.v6
Random examples
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
- wireguard
# add the rules
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# remove the same rules again (-D)
iptables -D FORWARD -i wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
- raspi wifi to ethernet
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
Links
- https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
- https://gist.github.com/mcastelino/c38e71eb0809d1427a6650d843c42ac2
- http://rudijs.github.io/2015-07/docker-restricting-container-access-with-iptables/
- https://stackoverflow.com/questions/45497644/how-to-configure-dockers-iptables-rule-docker-user-to-restrict-output
- https://erravindrapawadia.medium.com/iptables-tutorial-beginners-to-advanced-guide-to-linux-firewall-839e10501759