Linux/iptables: Difference between revisions

From Wiki
Line 97: Line 97:
</pre>
</pre>


== raspi wifi to ethernet ==
== Random examples  ==
* rc.local
<pre>
** iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
** iptables --append FORWARD --in-interface eth0 -j ACCEPT
</pre>
 
* openvpn
<pre>
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
</pre>
 
* wireguard
<pre>
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
iptables -D FORWARD -i wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
</pre>
 
 
*raspi wifi to ethernet
<pre>
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
 
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
</pre>


== Links ==
== Links ==

Revision as of 19:00, 4 December 2023

Tables Chains
FILTER
  • INPUT
  • FORWARD
  • OUTPUT
NAT
  • PREROUTING
  • OUTPUT
  • POSTROUTING
MANGLE

(modify ip headers)

  • PREROUTING
  • INPUT
  • FORWARD
  • OUTPUT
  • POSTROUTING
RAW

(connection tracking)

  • PREROUTING
  • OUTPUT
(SECURITY)

(SELinux)

  • INPUT
  • FORWARD
  • OUTPUT
Targets valid in note
REJECT INPUT, FORWARD, OUTPUT sends response back
DROP no response
ACCEPT
RETURN
MASQUERADE POSTROUTING
REDIRECT NAT:PREROUTING + NAT:OUTPUT

Basics

iptables
         -A (append - add rule at end)             -i (input interface)          -j (target)
         -C (check)                                -o (output interface)
         -D (delete - remove rule)                 -s (source address)    
         -F (flush - remove all rules)             -d (destination address)
         -I (insert - add at position)              
         -L (list - show all rules in chain)       -p      (protocol (tcp/udp))
         -N (new chain)                            --dport (destination port)
         -X (delete chain)                         --sport (source port)

         -t (table to manipulate (default: filter)

         -n (numeric output of addresses and ports)

View state

iptables-save                  # show everything

iptables --list-rules          # list filter rules (default: filter)
iptables --list-rules -t nat   # list nat rules

Random examples

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  • openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
  • wireguard
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -D FORWARD -i wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE


  • raspi wifi to ethernet
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Links

Retrieved from "https://wiki.marcluerssen.de/index.php?title=Linux/iptables&oldid=3884"