| Tables
|
Chains
|
| FILTER
|
|
| NAT
|
- PREROUTING
- OUTPUT
- POSTROUTING
|
| MANGLE
(modify ip headers)
|
- PREROUTING
- INPUT
- FORWARD
- OUTPUT
- POSTROUTING
|
| RAW
(connection tracking)
|
|
| (SECURITY)
(SELinux)
|
|
|
|
| Targets
|
valid in
|
note
|
| REJECT
|
INPUT, FORWARD, OUTPUT
|
sends response back
|
| DROP
|
|
no response
|
| ACCEPT
|
|
|
| RETURN
|
|
|
| MASQUERADE
|
POSTROUTING
|
|
| REDIRECT
|
NAT:PREROUTING + NAT:OUTPUT
|
|
|
Basics
iptables
-A (append - add rule at end) -i (input interface) -j (target)
-C (check) -o (output interface)
-D (delete - remove rule) -s (source address)
-F (flush - remove all rules) -d (destination address)
-I (insert - add at position)
-L (list - show all rules in chain) -p (protocol (tcp/udp))
-N (new chain) --dport (destination port)
-X (delete chain) --sport (source port)
-t (table to manipulate (default: filter)
-n (numeric output of addresses and ports)
View state
iptables-save # show everything
iptables --list-rules # list filter rules (default: filter)
iptables --list-rules -t nat # list nat rules
Random examples
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -D FORWARD -i wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
Links