iptables
iptables can be used to manage firewalls in Linux.
Chain management
A chain contains a list of rules.
Creating a new chain
```
# iptables --new USER-FOO
```
The -N switch can be used instead of --new.
Listing rules in a chain
```
# iptables --list USER-FOO
```
The -L switch can be used instead of --list.
It will return 1 if the chain does not exist.
```
iptables: No chain/target/match by that name.
# echo $?
1
```
If the chain is empty it will return 0.
```
Chain USER-FOO (0 references)
target prot opt source destination
# echo $?
0
```
To display more details, add --numeric or -n for numeric IPs, and add --verbose or -v to show packet and byte counts.
```
# iptables --list USER-FOO --numeric --verbose
```
Deleting a chain's rules
To delete all rules in a chain, flush the chain.
```
# iptables --flush USER-FOO
```
The -F switch can be used instead of --flush.
Deleting a chain
```
# iptables --delete-chain USER-FOO
```
The -X switch can be used instead of --delete-chain.
A chain consists of an ordered list of rules. Each rule can be referred to by its ordinal (rulenum) within the chain.
Rules are numbered starting from 1.
Each rule has a specification.
For a packet to match a rule and trigger its action, the packet is matched against the rule specification.
A rule specification can include tests such as:
- `-p`, `--protocol` to match a protocol. Examples include `tcp` and `udp`.
- `-s`, `--source` for the source address/mask.
- `-d`, `--destination` for the destination address/mask.
- `--source-port`, `--sport` for the source port.
- `--destination-port`, `--dport` for the destination port.
A rule specification can include an action such as:
- `-j`, `--jump` to jump to a target. Valid targets include:
  - `RETURN` to exit this chain and continue in the previous (calling) chain.
  - `DROP` to silently drop the packet. The caller will not see a response.
  - `REJECT` to actively reject the packet.
  - `ACCEPT` to allow the packet through.
  - a chain. Processing will move to the specified chain, and continue in the current chain if a `RETURN` is matched.
- `-g`, `--goto` a chain. Processing will move to the specified chain, but continue in the previous chain if a `RETURN` is matched. This effectively stops any further processing in the current chain.
conntrack: connection tracking module
The conntrack module is useful for packets that have already been NATed, such as those seen in DOCKER-USER after docker is installed.
To enable this module on a rule, `-m conntrack` must be added to the rule specification.
The rule specification then has additional options available:
- `--ctstate`: connection states to match, e.g. `NEW`, `RELATED`, `ESTABLISHED`
- `--ctorigdst`: original destination address/mask
To exit the chain when a packet matches 333.333.333.333:25:
```
iptables -A DOCKER-USER -j RETURN -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED --ctorigdst 333.333.333.333 --dport 25
```
See the man page iptables-extensions for more details.
Packets flow in the original or reply direction. Rules usually block packets in the original direction only.
To append a rule allowing reply packets in the DOCKER-USER chain, run:
```
iptables -A DOCKER-USER -j RETURN -p tcp -m conntrack --ctdir REPLY
```
Chain and Rule Ordering - Whitelist
To configure a chain to behave like a whitelist:
- Add rules that jump to `RETURN` if the packet matches. The previous chain should be configured to `ACCEPT` the packets.
- Add a final rule in the chain that `DROP`s the packet.
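The whitelist ordering above, together with the conntrack reply rule from the previous section, assembled into one script. This is an added example, not code from the original page: the `IPT` wrapper variable, the `SRC/MASK:PORT` argument format and the sample networks 10.0.0.0/8 and 192.0.2.0/24 are constructed. By default it only prints the iptables commands it would run; set `IPT=iptables` and run as root to apply them.

```shell
#!/bin/sh
# Added example: build DOCKER-USER as a whitelist in the order the page describes.
# IPT defaults to a dry run that prints each command; set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
CHAIN="${CHAIN:-DOCKER-USER}"

# Create the chain only if it is missing: --list exits 1 when the chain does not exist.
# (In dry-run mode the echo always succeeds, so no --new line is printed.)
ensure_chain() {
    if ! $IPT --list "$1" --numeric >/dev/null 2>&1; then
        $IPT --new "$1"
    fi
}

# build_whitelist CHAIN SRC/MASK:PORT ...   (the CIDR:port pairing is an assumed format)
# Order matters: reply traffic first, one RETURN per allowed source/port, DROP last.
build_whitelist() {
    chain=$1; shift
    $IPT --flush "$chain"
    # Reply-direction packets belong to connections that already passed the whitelist.
    $IPT -A "$chain" -j RETURN -p tcp -m conntrack --ctdir REPLY
    # RETURN hands the packet back to the calling chain, which is expected to ACCEPT it.
    for spec in "$@"; do
        src=${spec%:*}
        port=${spec##*:}
        $IPT -A "$chain" -j RETURN -p tcp -m conntrack \
            --ctstate NEW,RELATED,ESTABLISHED -s "$src" --dport "$port"
    done
    # Anything not explicitly returned above is dropped by the final catch-all rule.
    $IPT -A "$chain" -j DROP
}

# Constructed demo inputs: SMTP from 10.0.0.0/8 and HTTPS from 192.0.2.0/24.
ensure_chain "$CHAIN"
build_whitelist "$CHAIN" 10.0.0.0/8:25 192.0.2.0/24:443
```

Because the DROP is appended last, every later `-A` would land after it and never match; add further allow rules with `-I` or rebuild the chain with this script.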
Port Redirection
In this example we have a tomcat web server running on ports 8080 and 8443, and would like it to also appear on ports 80 and 443.
```
iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A OUTPUT -d 10.0.0.20 -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -A PREROUTING -d 10.0.0.20 -p tcp --dport 80 -j REDIRECT --to-ports 8080
```
```
iptables -t nat -A OUTPUT -d localhost -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A OUTPUT -d 10.0.0.20 -p tcp --dport 443 -j REDIRECT --to-ports 8443
iptables -t nat -A PREROUTING -d 10.0.0.20 -p tcp --dport 443 -j REDIRECT --to-ports 8443
```
References
- `iptables --help`
- `man iptables`
- `man iptables-extensions`