Linux/iptables

From Wiki
Tables Chains
FILTER
  • INPUT
  • FORWARD
  • OUTPUT
NAT
  • PREROUTING
  • OUTPUT
  • POSTROUTING
MANGLE

(modify ip headers)

  • PREROUTING
  • INPUT
  • FORWARD
  • OUTPUT
  • POSTROUTING
RAW

(connection tracking)

  • PREROUTING
  • OUTPUT
(SECURITY)

(SELinux)

  • INPUT
  • FORWARD
  • OUTPUT
Targets valid in note
REJECT INPUT, FORWARD, OUTPUT sends response back
DROP no response
ACCEPT
RETURN
MASQUERADE POSTROUTING
REDIRECT NAT:PREROUTING + NAT:OUTPUT

Basics

iptables
         -A (append - add rule at end)             -i (input interface)          -j (target)
         -C (check)                                -o (output interface)
         -D (delete - remove rule)                 -s (source address)    
         -F (flush - remove all rules)             -d (destination address)
         -I (insert - add at position)              
         -L (list - show all rules in chain)       -p      (protocol (tcp/udp))
         -N (new chain)                            --dport (destination port)
         -X (delete chain)                         --sport (source port)

                                                   !  (=not / negate)       

         -t (table to manipulate (default: filter)

         -n (numeric output of addresses and ports)

View state

iptables-save                  # show everything

iptables --list-rules          # list filter rules (default: filter)
iptables --list-rules -t nat   # list nat rules

iptables + docker

  • Docker manual

All of Docker's iptables rules are added to the DOCKER chain. Do not manipulate this chain manually. If you need to add rules which load before Docker's rules, add them to the DOCKER-USER chain. These rules are applied before any rules Docker creates automatically.

Other rules added to the FORWARD chain, either manually, or by another iptables-based firewall, are evaluated after the DOCKER-USER and DOCKER chains. This means that if you publish a port through Docker, this port gets published no matter what rules your firewall has configured. If you want rules to apply even when a port gets published through Docker, you must add these rules to the DOCKER-USER chain.

iptables persistent

apt install iptables-persistent

iptables-save -c > /etc/iptables/rules.v4
ip6tables-save -c > /etc/iptables/rules.v6

Random examples

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
  • openvpn
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
  • wireguard
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

iptables -D FORWARD -i wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE


  • raspi wifi to ethernet
iptables --table nat --append POSTROUTING --out-interface wlan0 -j MASQUERADE
iptables --append FORWARD --in-interface eth0 -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

Links