
Iptables - General Stuffs

Postby chandranjoy » Wed Mar 17, 2010 9:12 pm

How to allow an IP through IPtables?
# iptables -A INPUT -p TCP -s 192.168.1.26 -j ACCEPT

(OR)
# iptables -A INPUT -p TCP -s 192.168.1.26 -d 192.168.1.20 -j ACCEPT


-A Append this rule to INPUT chain
-p Protocol (like tcp,udp,icmp or all)
-s Source address (which IP you want to allow)
-j Jump to this -> ACCEPT
-d Destination address (by default it will take the local system)


How to deny an IP through IPtables?

# iptables -A INPUT -p TCP -s 192.168.1.26 -j DROP
(or)
# iptables -A INPUT -p TCP -s 192.168.1.26 -j REJECT


-A Append this rule to INPUT chain
-p Protocol (like tcp,udp,icmp or all)
-s Source address (which IP you want to deny)
-j Jump to this -> DROP/REJECT
-d Destination address (by default it will take the local system)

Note: DROP only drops the packet silently, but REJECT will notify the destination
with something like “connection refused”.
Note: The rules mentioned above allow/deny an IP for the whole TCP protocol
suite, not for a specific service or port.


How to allow an IP to access a system through SSH?

# iptables -A INPUT -p TCP --dport 22 -s 192.168.1.26 -j ACCEPT

--dport Destination port. (ssh port number:22)

How to block an IP from accessing a system through FTP?
# iptables -A INPUT -p TCP --dport 21 -s 192.168.1.26 -j DROP

--dport Destination port. (ftp port number:21)

How to redirect all traffic on http port (80) to port 8080?

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

-t -> Table (queue type); 3 tables are available: 1. filter 2. nat 3. mangle

1. filter (packet filtering)
   It has 3 chains: 1. INPUT 2. OUTPUT 3. FORWARD

2. nat (Network Address Translation)
   It has 3 chains: 1. PREROUTING 2. POSTROUTING 3. OUTPUT

3. mangle (TCP header modification)
   It has 5 chains: 1. PREROUTING 2. POSTROUTING 3. OUTPUT 4. INPUT 5. FORWARD

Other Options:

-i : Match “input” interface on which the packet enters
-o : Match “output” interface on which the packet exits

Ex:
# iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p TCP -j ACCEPT

In the above rule, -s 0/0 means “all” source addresses.

How to prevent SYN flood attacks?
# iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT

The above rule will not allow SYN floods of more than 5 SYN packets/second.

To prevent icmp (ping protocol) requests/replies:
# iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -i eth0 -j ACCEPT

The above rule will not allow more than 1 echo-request/second.
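Pulling the rules from this post together, as an added example that is not part of the original post: a POSIX sh script that emits the allow/deny, SSH/FTP, port-80 redirect and rate-limit rules as one ruleset in iptables-restore(8) format, so the whole set is loaded atomically and in a deliberate order. The address 192.168.1.26 and interface eth0 are the post's own placeholders; the DROP default policies, the loopback/conntrack rules, and the DROP rule placed after each `-m limit` ACCEPT are my additions. That last point matters for the SYN and ping rules above: `-m limit` only makes packets *under* the limit match the ACCEPT rule; packets over the limit simply do not match and continue down the chain, so without a following DROP (or a DROP policy) they are not actually blocked.

```shell
#!/bin/sh
# Added example, not the post's own code. Builds an iptables-restore ruleset
# from the rules discussed in the post. ALLOWED_IP and LAN_IF are constructed
# placeholders taken from the post's examples; override them via environment.

ALLOWED_IP="${ALLOWED_IP:-192.168.1.26}"   # host permitted to reach SSH
LAN_IF="${LAN_IF:-eth0}"                   # interface the clients arrive on

# filter table. A chain is walked top to bottom and stops at the first match,
# so the order of the rules below is the policy.
filter_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies belonging to connections this host already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SYN throttle: the ACCEPT covers SYNs under the limit, the DROP right after
# it catches the excess (otherwise they would fall through to later rules)
-A INPUT -i $LAN_IF -p tcp --syn -m limit --limit 5/s --limit-burst 10 -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --syn -j DROP
# same pattern for ping
-A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -i $LAN_IF -p icmp --icmp-type echo-request -j DROP
# SSH only from the allowed host; FTP refused explicitly so the client gets
# an immediate "connection refused" instead of a timeout
-A INPUT -i $LAN_IF -p tcp --dport 22 -s $ALLOWED_IP -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 21 -s $ALLOWED_IP -j REJECT --reject-with tcp-reset
# the web service really listens on 8080 (port 80 is redirected in the nat table)
-A INPUT -i $LAN_IF -p tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}

# nat table: PREROUTING only sees packets arriving on an interface; traffic
# generated on this host itself would need a matching rule in nat OUTPUT.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
EOF
}

ruleset() { filter_rules; nat_rules; }

# Number of -A rules in the generated ruleset (policies and comments excluded).
rule_count() { ruleset | grep -c '^-A '; }

# Sanity check: every rate-limited ACCEPT must be followed by a DROP with the
# same match, otherwise the limit is decorative. Exit 0 when all are covered.
limit_has_backstop() {
    ruleset | awk '
        /-m limit/  { sub(/ -m limit.*/, ""); pending[$0] = 1; next }
        / -j DROP$/ { sub(/ -j DROP$/, ""); if ($0 in pending) delete pending[$0] }
        END { for (k in pending) bad++; exit (bad ? 1 : 0) }'
}

ruleset
```

On the host, review the output first (`sh build-rules.sh | iptables-restore --test` parses without committing) and only then pipe it into `iptables-restore`; do this from a console session, since a mistake in the SSH rule will lock you out of a remote one.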