Security Stuff!!

IPTables 3

Adding a new chain

Create a user-defined chain with the -N flag: iptables -N LAN
Example:
To keep the rules for your intranet in one place, create a separate chain and put the intranet rules there. A user-defined chain has no policy of its own: a packet that matches none of its rules returns to the chain that jumped to it, so end the chain with an explicit ACCEPT, DROP or RETURN if you want a definite outcome.
1- Create the new chain: iptables -N LAN
2- Send all traffic from the intranet (192.168.0.0/24) to the LAN chain by inserting a jump at the top of INPUT:
iptables -I INPUT 1 -s 192.168.0.0/24 -j LAN
Then manage your intranet rules in the LAN chain, for example:
iptables -A LAN -p tcp --dport 22 -j ACCEPT
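
As an added example (not part of the original post), here is the same procedure as a shell script that can be re-run without stacking duplicate jumps or failing on an existing chain. The DRY_RUN switch, the LAN_NET variable, the run/chain_exists/rule_exists helpers and the rules placed inside the chain are this example's own choices, not anything the post prescribes; with DRY_RUN=1 the script only prints the iptables commands, so it needs no root.

```shell
#!/bin/sh
# Added example (not from the original post): build the LAN chain described
# above as a script that can be re-run safely. DRY_RUN, LAN_NET and the
# rules inside the chain are this example's own choices.
set -eu

LAN_NET=${LAN_NET:-192.168.0.0/24}

# Run iptables, or with DRY_RUN=1 just print the command (no root needed).
run() {
    [ "${DRY_RUN:-0}" = 1 ] && { printf 'iptables %s\n' "$*"; return; }
    iptables "$@"
}

# In dry-run mode nothing exists yet, so both checks answer "no".
chain_exists() {  # CHAIN
    [ "${DRY_RUN:-0}" = 1 ] && return 1
    iptables -nL "$1" >/dev/null 2>&1
}
rule_exists() {   # CHAIN RULE-SPEC...
    [ "${DRY_RUN:-0}" = 1 ] && return 1
    iptables -C "$@" 2>/dev/null
}

# The rules that live in the LAN chain, one per line, in evaluation order.
# A user-defined chain has no policy: a packet that matches nothing here
# RETURNs to INPUT and is judged by the rules after the jump, so the last
# line states the outcome explicitly instead of leaving it to INPUT.
lan_rules() {
    cat <<'EOF'
-p tcp --dport 22 -j ACCEPT
-p tcp -m multiport --dports 80,443 -j ACCEPT
-p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-j DROP
EOF
}

# Number of rules the LAN chain will hold (for a quick sanity check).
lan_rule_count() { lan_rules | wc -l | tr -d ' '; }

apply_lan_chain() {
    # Create the chain, or empty it if a previous run left it in place.
    if chain_exists LAN; then run -F LAN; else run -N LAN; fi
    # Add the jump from INPUT only once: -C tests whether the rule exists,
    # so re-running the script does not stack duplicate jumps at the top.
    if ! rule_exists INPUT -s "$LAN_NET" -j LAN; then
        run -I INPUT 1 -s "$LAN_NET" -j LAN
    fi
    lan_rules | while read -r spec; do
        # shellcheck disable=SC2086  # splitting $spec into arguments is intended
        run -A LAN $spec
    done
}
```

Run it as root to apply the chain, or with DRY_RUN=1 first to review the exact commands; afterwards iptables -nvL LAN shows the chain with packet counters, which is the quickest way to confirm intranet traffic is actually reaching it.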

Change Default Policy

The default policy of a built-in chain (INPUT, FORWARD, OUTPUT) is what happens to a packet that matches none of the chain's rules. Only ACCEPT or DROP can be set as a policy; LOG, REJECT and user-defined chains cannot. For example, to make INPUT drop everything that no rule accepts instead of accepting it: iptables -P INPUT DROP
Add the rules that allow your own management traffic (established connections, loopback, SSH) before changing the policy, otherwise the session you are working from is cut off the moment the policy flips.
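
The lock-out risk is the practical problem with this command, so here is an added example (not from the original post) of flipping INPUT to DROP in an order that keeps your own session alive, plus a dead-man switch that reverts the policy if you got it wrong. The DRY_RUN switch, the run helper, ADMIN_NET and SSH_PORT are assumptions of this example; with DRY_RUN=1 it prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): switch INPUT to a DROP policy
# without locking yourself out. DRY_RUN, ADMIN_NET and SSH_PORT are this
# example's own variables.
set -eu

# Run iptables, or with DRY_RUN=1 just print the command (no root needed).
run() {
    [ "${DRY_RUN:-0}" = 1 ] && { printf 'iptables %s\n' "$*"; return; }
    iptables "$@"
}

SSH_PORT=${SSH_PORT:-22}
ADMIN_NET=${ADMIN_NET:-192.168.0.0/24}   # assumption: the network admins connect from

# Order matters twice over: the allow rules must exist before the policy
# changes, and they go at the top of the chain so nothing above them can
# swallow the traffic first.
set_input_default_drop() {
    # Already-established flows, which includes the SSH session you are typing in.
    run -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Loopback: local services talk to each other over it.
    run -I INPUT 2 -i lo -j ACCEPT
    # New SSH connections, but only from the admin network.
    run -I INPUT 3 -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT
    # Only now flip the policy. A policy can only be ACCEPT or DROP.
    run -P INPUT DROP
}

# Dead-man switch: arm it before set_input_default_drop, then open a NEW
# SSH session to prove you can still get in and cancel it with `kill <pid>`.
# If you cannot, the policy reverts by itself after DELAY seconds.
arm_failsafe() {  # DELAY
    ( sleep "$1" && run -P INPUT ACCEPT ) &
    echo $!
}
```

A typical session is pid=$(arm_failsafe 120), then set_input_default_drop, then test a fresh login from another terminal and kill "$pid" once it works; if the rules were wrong you only lose two minutes instead of a trip to the console.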

Matching multiple ports

To match several ports in one rule, use the multiport match (-m multiport). Its option is --dports for destination ports (--sports for source ports); it takes up to 15 comma-separated ports, and a range is written as first:last, e.g. 6000:6010.
Example:
Deny hosts from connecting to SSH and Telnet
iptables -A INPUT -p tcp -m multiport --dports 22,23 -j DROP
Use iptables -L to list the rules of all chains. Add -n to skip the DNS and service-name lookups that turn addresses into "anywhere" and 22 into "ssh" (lookups can be slow or hang), and -v to show interfaces and packet counters; without -v a rule such as "-i lo -j ACCEPT" appears as a blanket "ACCEPT all", like rule 3 below.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Use iptables -L --line-numbers to list the rules with their position in the chain; these numbers are what -D, -R and -I take.

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
5    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Deleting

To delete a rule by its number, use -D
Example:
iptables -D INPUT 4 This deletes rule number 4 from the INPUT chain. The rules below it move up one position, so list the chain again before deleting by number a second time. You can also delete by specification, giving -D the same arguments you used when adding the rule; iptables -S INPUT prints every rule in exactly that form, which is the safer option in scripts.

Replace

To replace a rule with another one by its number, use -R
Example:
iptables -R INPUT 3 -s 192.168.0.5 -j ACCEPT This replaces rule number 3 in the INPUT chain with "accept everything from 192.168.0.5".

Inserting

To insert a rule at a given position in a chain, use -I (with no number the rule goes in at position 1, the top of the chain)
Example:
iptables -I INPUT 4 -p tcp --dport 22 -j ACCEPT This inserts "accept SSH" as rule number 4; the old rule 4 and everything below it move down one position.
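
Because -D, -R and -I all work on positions that shift every time the chain changes, the safe way to script them is to read the numbers from a fresh listing rather than hard-code them. As an added example (not from the original post) serving the Listing, Deleting, Replace and Inserting sections, the script below turns the output of iptables -nL CHAIN --line-numbers into rule numbers for a given pattern and deletes them highest-first, so the numbers of the rules still to be deleted do not move. DRY_RUN, the run helper and SAMPLE_LISTING are this example's own; the sample listing is constructed to mirror the one shown above, not captured from a live system.

```shell
#!/bin/sh
# Added example (not from the original post): delete rules by number safely,
# taking the numbers from a fresh listing. DRY_RUN, run, list_chain and
# SAMPLE_LISTING are this example's own names.
set -eu

# Run iptables, or with DRY_RUN=1 just print the command (no root needed).
run() {
    [ "${DRY_RUN:-0}" = 1 ] && { printf 'iptables %s\n' "$*"; return; }
    iptables "$@"
}

# Constructed sample of `iptables -nL INPUT --line-numbers` output, used only
# in dry-run mode (with -n the names become numbers: anywhere -> 0.0.0.0/0,
# ssh -> 22). Not captured from a real host.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:23
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# Fresh numbered listing of CHAIN (the sample above when DRY_RUN=1).
list_chain() {  # CHAIN
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$SAMPLE_LISTING"
    else
        iptables -nL "$1" --line-numbers
    fi
}

# Print the numbers of the rules in CHAIN whose listing line matches REGEX,
# highest first. Only lines that start with a number are rules; the "Chain"
# and "num target ..." header lines are skipped by the $1 test.
rule_numbers_matching() {  # CHAIN REGEX
    list_chain "$1" | awk -v re="$2" '$1 ~ /^[0-9]+$/ && $0 ~ re { print $1 }' | sort -rn
}

# Delete every matching rule. Highest-first matters: deleting rule 4 first
# would turn rule 5 into rule 4, and the second -D would hit the wrong rule.
delete_matching() {  # CHAIN REGEX
    for n in $(rule_numbers_matching "$1" "$2"); do
        run -D "$1" "$n"
    done
}
```

delete_matching INPUT 'dpt:2[23]' removes both the SSH and the Telnet accept rules from the sample in one go; the same listing-then-act pattern applies to -R and -I, whose position arguments go stale just as quickly.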

Negation

Put ! in front of a match option to invert it
Example:
Drop all traffic except traffic from 192.168.0.10
iptables -A INPUT ! -s 192.168.0.10 -j DROP
(The older form -s ! 192.168.0.10, with the ! after the option, is deprecated and current iptables versions warn about it.)

Logging

To log traffic, use the LOG target: -j LOG
Example:
Log all traffic from 192.168.0.10
iptables -A INPUT -s 192.168.0.10 -j LOG
LOG is not a terminating target: the packet is written to the kernel log (dmesg, journalctl -k or /var/log/kern.log depending on the system) and then continues to the next rule, so "log and drop" is a LOG rule followed by a DROP rule with the same match. Add --log-prefix "text " so the lines can be picked out later, and -m limit so a flood of packets cannot fill the log.
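
As an added example (not from the original post), the log-then-drop pair with a rate limit and a prefix, together with a small awk summary of the lines the LOG target produces, since the point of logging is to read the result. DRY_RUN, the run helper, the log_and_drop and summarize_klog functions and the IPT-DROP: prefix are this example's own; SAMPLE_KLOG is a constructed imitation of kernel log lines, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original post): log-and-drop with a limit and a
# prefix, and a summary of the resulting kernel log lines. DRY_RUN, run,
# log_and_drop, summarize_klog and SAMPLE_KLOG are this example's own names.
set -eu

# Run iptables, or with DRY_RUN=1 just print the command (no root needed).
run() {
    [ "${DRY_RUN:-0}" = 1 ] && { printf 'iptables %s\n' "$*"; return; }
    iptables "$@"
}

# LOG is non-terminating, so "log it" and "drop it" are two rules with the
# same match. -m limit caps the log rate (a port scan would otherwise write
# thousands of lines); --log-prefix tags the lines; --log-level 4 = warning.
log_and_drop() {  # CHAIN PREFIX MATCH...
    chain=$1; prefix=$2; shift 2
    run -A "$chain" "$@" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "$prefix " --log-level 4
    run -A "$chain" "$@" -j DROP
}

# Constructed sample of what the kernel writes for the rule above (as seen in
# dmesg or journalctl -k). Not real capture data.
SAMPLE_KLOG='[  100.101] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 PROTO=TCP SPT=51000 DPT=22 SYN
[  100.202] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 PROTO=TCP SPT=51001 DPT=22 SYN
[  100.303] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.10 DST=192.168.0.1 LEN=60 PROTO=TCP SPT=51002 DPT=23 SYN
[  100.404] IPT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.77 DST=192.168.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
[  100.505] unrelated kernel message'

# Read log lines on stdin, keep those carrying PREFIX, and print
# "<count> <SRC> <DPT>" per source/port pair, busiest first.
summarize_klog() {  # PREFIX
    awk -v p="$1" '
        index($0, p) == 0 { next }
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") count[src " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}
```

log_and_drop INPUT "IPT-DROP:" -s 192.168.0.10 installs the pair; later, journalctl -k | summarize_klog "IPT-DROP:" (or dmesg piped the same way) shows which sources are hitting which ports, which is usually the question you were logging to answer.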

Dealing with wildcards

Interfaces such as eth0, eth1 or ppp0 are matched with -i (incoming interface) or -o (outgoing interface). Replace the number with + to match every interface whose name starts with that prefix, e.g. eth+ instead of eth0, eth1 and so on.
Example:
Deny SSH on every eth interface
iptables -A INPUT -i eth+ -p tcp --dport 22 -j DROP

Note: Keep your chains and rules well organised. iptables evaluates the rules of a chain from top to bottom and stops at the first rule with a terminating target (ACCEPT, DROP, REJECT), so a rule's position decides whether it is ever reached, and a long chain that every packet has to walk costs throughput. Put the rules that match most packets (such as ESTABLISHED,RELATED) near the top.