iptables FAQ

Published: Sat 25 July 2020
By evpo

In OS.

List rules

iptables -L -v -n --line-numbers

We can use the line numbers later to delete rules.

Delete rules

iptables -D INPUT 1

INPUT is the chain from which we delete the rule with line number 1.
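As an added example (not part of the original post), a small POSIX shell helper that looks up rule numbers in a constructed `iptables -L INPUT -v -n --line-numbers` listing and prints the matching delete commands highest number first, because iptables renumbers the remaining rules after every -D:

```shell
#!/bin/sh
# Constructed sample of `iptables -L INPUT -v -n --line-numbers` output (not real host data).
SAMPLE_INPUT_CHAIN='Chain INPUT (policy DROP 12 packets, 720 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      340 25000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2       57  3800 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1510
3       12   900 ACCEPT     tcp  --  eth0   *       192.168.22.70        0.0.0.0/0            ctstate RELATED,ESTABLISHED tcp spt:8000
4        3   180 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080'

# rule_num_for_dport LISTING PORT
# Prints the number of the first rule whose match contains "dpt:PORT"; prints nothing if none.
rule_num_for_dport() {
    printf '%s\n' "$1" | awk -v want="dpt:$2" '
        $1 ~ /^[0-9]+$/ { for (i = 1; i <= NF; i++) if ($i == want) { print $1; exit } }'
}

# delete_cmds_for_dports CHAIN LISTING PORT...
# Prints one "iptables -D CHAIN N" per port, highest N first: iptables renumbers the
# remaining rules after each -D, so deleting in ascending order would hit the wrong rule.
delete_cmds_for_dports() {
    chain=$1; listing=$2; shift 2
    nums=""
    for port in "$@"; do
        n=$(rule_num_for_dport "$listing" "$port")
        [ -n "$n" ] || { printf 'no rule with dpt:%s in %s\n' "$port" "$chain" >&2; return 1; }
        nums="$nums$n
"
    done
    printf '%s' "$nums" | sort -rn | while read -r n; do
        printf 'iptables -D %s %s\n' "$chain" "$n"
    done
}

# Print the commands instead of running them, so they can be reviewed before being applied.
delete_cmds_for_dports INPUT "$SAMPLE_INPUT_CHAIN" 1510 8080
```

On a real host, replace the constructed listing with `iptables -L INPUT -v -n --line-numbers` output and run the printed commands as root once they look right.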

Allow incoming connection to a port

Allow incoming connections to port 1510 on the external interface eth0:

iptables -A INPUT -p tcp -i eth0 --dport 1510 -j ACCEPT
iptables -A OUTPUT -p tcp -o eth0 --sport 1510 -m conntrack --ctstate ESTABLISHED -j ACCEPT

Allow outbound connection to a port

Allow outbound traffic on the external interface eth0 to port 8000 of the external destination 192.168.22.70:

iptables -A OUTPUT -p tcp -o eth0 -d 192.168.22.70 --dport 8000 -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -p tcp -i eth0 -s 192.168.22.70 --sport 8000 -j ACCEPT

Allow all local connections

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Drop all other connections by changing policies

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

How to configure a router?

echo 1 > /proc/sys/net/ipv4/ip_forward

To make this persist across reboots:

vim /etc/sysctl.conf

Find and change:

net.ipv4.ip_forward = 1

Add iptables rules:

ext="eth0"
int="eth1"

iptables -t nat -A POSTROUTING -o ${ext} -j MASQUERADE
iptables -A FORWARD -i ${ext} -o ${int} -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i ${int} -o ${ext} -j ACCEPT

How to forward a port to a service in the local network?

We will forward port 1550 on the client-facing IP to port 1500 on the internal service IP:

external_client_ip="192.168.22.70"
client_facing_ip="192.168.22.67"
client_facing_port=1550
internal_service_ip="192.168.22.157"
internal_service_port=1500
iptables -t nat -A PREROUTING -s ${external_client_ip} -d ${client_facing_ip} -p tcp -m tcp --dport ${client_facing_port} -j DNAT --to-destination ${internal_service_ip}:${internal_service_port}
iptables -t nat -A POSTROUTING -s ${external_client_ip} -d ${internal_service_ip} -j MASQUERADE

links