Linux/iptables
Basics

Rule manipulation:

- -A (append: add rule at end of chain)
- -I (insert: add rule at a given position)
- -D (delete: remove rule)
- -C (check: test whether a rule exists)
- -F (flush: remove all rules in chain)
- -L (list: show all rules in chain)
- -N (new chain)
- -X (delete chain)
- -t (table to manipulate; default: filter)
- -n (numeric output of addresses and ports)

Match and target options:

- -i (input interface)
- -o (output interface)
- -s (source address)
- -d (destination address)
- -p (protocol (tcp/udp))
- --dport (destination port)
- --sport (source port)
- -j (target)
View state
iptables-save # show everything
iptables --list-rules # list filter rules (default table: filter)
iptables --list-rules -t nat # list nat rules
Iptables + Docker
All of Docker's iptables rules are added to the DOCKER chain. Do not manipulate this chain manually. If you need to add rules which load before Docker's rules, add them to the DOCKER-USER chain. These rules are applied before any rules Docker creates automatically.

Other rules added to the FORWARD chain, either manually, or by another iptables-based firewall, are evaluated after the DOCKER-USER and DOCKER chains. This means that if you publish a port through Docker, this port gets published no matter what rules your firewall has configured. If you want rules to apply even when a port gets published through Docker, you must add these rules to the DOCKER-USER chain.
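The DOCKER-USER advice above as a small script (an added example, not from the original page or from Docker's own docs): it emits rules that let only one trusted network reach ports Docker publishes on the external interface, and in dry-run mode just prints them for review. The interface name eth0 and the network 192.168.1.0/24 are constructed placeholders.

```shell
#!/bin/sh
# Added example: restrict Docker-published ports via the DOCKER-USER chain.
# EXT_IF and ALLOWED_NET are constructed placeholders; override them via the
# environment. DRY_RUN=1 (default) only prints the commands instead of running them.
EXT_IF="${EXT_IF:-eth0}"
ALLOWED_NET="${ALLOWED_NET:-192.168.1.0/24}"
DRY_RUN="${DRY_RUN:-1}"

# Accept a.b.c.d or a.b.c.d/len, so nothing odd is passed to -s unchecked.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Rules in evaluation order. Explicit positions keep them ahead of the chain's
# default RETURN, which would otherwise hand traffic straight to the DOCKER chain.
# 1: replies to connections the containers opened themselves
# 2: new connections from the trusted network
# 3: everything else arriving on the external interface
docker_user_rules() {
  printf '%s\n' \
    "iptables -I DOCKER-USER 1 -i $EXT_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
    "iptables -I DOCKER-USER 2 -i $EXT_IF -s $ALLOWED_NET -j ACCEPT" \
    "iptables -I DOCKER-USER 3 -i $EXT_IF -j DROP"
}

docker_user_rule_count() {
  docker_user_rules | wc -l | tr -d ' '
}

# Print (dry run) or execute the rules. Executing needs root and an existing
# DOCKER-USER chain, which Docker creates when its iptables integration is on.
apply_docker_user_rules() {
  valid_cidr "$ALLOWED_NET" || { echo "bad ALLOWED_NET: $ALLOWED_NET" >&2; return 1; }
  if [ "$DRY_RUN" = 1 ]; then
    docker_user_rules
    return 0
  fi
  iptables -L DOCKER-USER -n >/dev/null 2>&1 || {
    echo "DOCKER-USER chain not found; is Docker running?" >&2; return 1; }
  n=1
  while [ "$n" -le "$(docker_user_rule_count)" ]; do
    cmd="$(docker_user_rules | sed -n "${n}p")"
    $cmd || return 1   # word-split on purpose: the rule contains no quoted arguments
    n=$((n + 1))
  done
}

apply_docker_user_rules
```

Run it with DRY_RUN=0 as root to apply; afterwards `iptables --list-rules | grep DOCKER-USER` should show the three rules ahead of the RETURN.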
Random examples
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
- wireguard
iptables -A FORWARD -i wg0 -j ACCEPT # up
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE # up
iptables -D FORWARD -i wg0 -j ACCEPT # down
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE # down
- raspi wifi to ethernet
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
Links
- https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html
- https://gist.github.com/mcastelino/c38e71eb0809d1427a6650d843c42ac2
- http://rudijs.github.io/2015-07/docker-restricting-container-access-with-iptables/
- https://stackoverflow.com/questions/45497644/how-to-configure-dockers-iptables-rule-docker-user-to-restrict-output