
http://www.thegeekstuff.com/2011/01/iptables-fundamentals

http://www.linuxhowtos.org/Security/iptables.htm

https://www.cyberciti.biz/tips/linux-iptables-examples.html

# IPTABLES TABLES and CHAINS

IPTables has the following 4 built-in tables.

1. Filter Table

INPUT chain

OUTPUT chain

FORWARD chain

2. NAT table

PREROUTING chain – DNAT, e.g. iptables -t nat -A PREROUTING -p tcp --dport 5000 -j REDIRECT --to-ports 22

POSTROUTING chain – SNAT, e.g. iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE

3. Mangle table

PREROUTING chain

OUTPUT chain

FORWARD chain

INPUT chain

POSTROUTING chain

4. Raw table

PREROUTING chain

OUTPUT chain

# Structure of iptables Options

iptables [-t <table-name>] <command> <chain-name> <parameter-1> \
         <option-1> <parameter-n> <option-n>

# Flush Iptables

 iptables -F

 iptables -X

 iptables -t nat -F

 iptables -t nat -X

 iptables -t mangle -F

 iptables -t mangle -X
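The six flush commands above are the right idea, but run in that order on a remote box whose INPUT policy is DROP they drop the SSH session the moment the ACCEPT rules vanish, and they also leave the raw table untouched. The script below is an added example (written for these notes, not taken from any of the three linked pages): it sets the filter policies to ACCEPT first, then flushes, deletes user chains and zeroes counters in all four tables. The IPT variable is an assumption of this example so the sequence can be dry-run with IPT=echo instead of the real binary.

```shell
#!/bin/sh
# Added example (not from the cheat-sheet sources): reset the firewall to a
# known-open state without locking out a remote session. Setting the built-in
# chain policies to ACCEPT *before* flushing matters: if a policy is DROP and
# the ACCEPT rules are flushed first, every packet (including the SSH session
# you are typing in) is dropped. IPT defaults to the real binary; override it
# with IPT=echo to print the command sequence instead of executing it.
IPT="${IPT:-iptables}"

reset_firewall() {
  # 1. Open the filter policies first (these are the chains whose default
  #    policy decides the fate of packets no rule matched).
  for chain in INPUT FORWARD OUTPUT; do
    "$IPT" -P "$chain" ACCEPT || return 1
  done
  # 2. Flush rules (-F), delete user-defined chains (-X) and zero the packet
  #    counters (-Z) in every table, including raw, which the six one-liners
  #    above leave out.
  for table in filter nat mangle raw; do
    "$IPT" -t "$table" -F || return 1
    "$IPT" -t "$table" -X || return 1
    "$IPT" -t "$table" -Z || return 1
  done
}

# Usage (as root):   sh reset.sh --run
# Dry run:           IPT=echo sh reset.sh --run
if [ "${1:-}" = "--run" ]; then
  reset_firewall
fi
```

With IPT=echo the first three printed lines are the -P … ACCEPT commands, which is the property worth checking before trusting the script on a remote host.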

# Delete Firewall Rules

 iptables -L INPUT -n --line-numbers

 iptables -D INPUT 4
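Deleting by line number has a catch that the two commands above do not show: after `iptables -D INPUT 4`, the rule that was number 5 becomes number 4, so deleting several numbers in ascending order removes the wrong rules. This added example (not from the linked pages) wraps the deletion in a function that validates the arguments and deletes in descending order; IPT=echo is an assumed dry-run hook.

```shell
#!/bin/sh
# Added example (not from the cheat-sheet sources): delete several rules from a
# chain by the positions shown by "iptables -L <chain> -n --line-numbers".
# Rule numbers shift down by one after each deletion, so deleting "2 3" in
# ascending order removes rule 2 and then the rule that was originally 4.
# Deleting in descending order keeps every remaining number valid.
IPT="${IPT:-iptables}"

delete_rules() {
  # $1 = chain name, remaining arguments = rule numbers
  chain=$1; shift
  [ $# -gt 0 ] || return 1
  # Refuse anything that is not a positive integer before touching the
  # firewall, so a typo cannot turn into a partially applied change.
  for n in "$@"; do
    case $n in
      ''|*[!0-9]*|0*) return 1 ;;
    esac
  done
  # Sort numerically, highest first, dropping duplicates, then delete.
  for n in $(printf '%s\n' "$@" | sort -rnu); do
    "$IPT" -D "$chain" "$n" || return 1
  done
}

# Usage (as root):   sh delrules.sh --run INPUT 2 5 3
# Dry run:           IPT=echo sh delrules.sh --run INPUT 2 5 3
if [ "${1:-}" = "--run" ]; then
  shift
  delete_rules "$@"
fi
```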

# Display Iptables

 iptables -nvL

 iptables -t nat -L

 iptables -t mangle -L

# Stop / Start / Restart the Firewall

 service iptables stop

 service iptables start

 service iptables restart


# Blocking an IP Address (BLOCK IP)

 iptables -A INPUT -s 1.2.3.4 -j DROP

 iptables -A INPUT -s 192.168.0.0/24 -j DROP

# Block Incoming Port Requests (BLOCK PORT)

 iptables -A INPUT -p tcp --dport 80 -j DROP

 iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

# Block Outgoing IP Address

 iptables -A OUTPUT -d 75.126.153.206 -j DROP

# Drop or Accept Traffic From Mac Address

 iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP

 * only accept traffic for TCP port 8080 from MAC 00:0F:EA:91:04:07 (note: the rule below, copied as-is, uses --destination-port 22; adjust the port to match) *

 iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

# Block or Allow ICMP Ping Request

 iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

 iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

 iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT


# Open Range of Ports

iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
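The two rules above only make sense inside a complete INPUT policy: a `--state NEW` rule admits the first packet of a connection, so an ESTABLISHED,RELATED rule must exist for the replies, and a DROP policy should be set only after the rule that admits the administrator's own SSH session. The script below is an added example (not from the linked pages) that assembles such a policy around the cheat-sheet's port-range and iprange rules. The management network in ADMIN_NET, the rate-limited LOG rule and the IPT dry-run hook are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the cheat-sheet sources): a minimal stateful INPUT
# policy built around the 7000:7010 range rule and the iprange HTTP rule.
# Ordering is the point: loopback and return traffic first, then the
# administrator's SSH, then the service rules, then logging, and the DROP
# policy last so a typo earlier in the script cannot lock the operator out.
IPT="${IPT:-iptables}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # assumed management network

apply_input_policy() {
  # Start open while the chain is rebuilt, then empty it.
  "$IPT" -P INPUT ACCEPT || return 1
  "$IPT" -F INPUT || return 1
  # Loopback, and replies to connections this host already accepted;
  # without this rule the --state NEW rules below admit only the first packet.
  "$IPT" -A INPUT -i lo -j ACCEPT || return 1
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
  # Management access (SSH) from the admin network.
  "$IPT" -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -m state --state NEW -j ACCEPT || return 1
  # The two rules from the cheat-sheet, unchanged.
  "$IPT" -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT || return 1
  "$IPT" -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT || return 1
  # Log a rate-limited sample of what is about to be dropped, so the kernel
  # log shows blocked traffic without being flooded.
  "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " || return 1
  # Default deny, applied as the final step.
  "$IPT" -P INPUT DROP || return 1
}

# Usage (as root):   sh input-policy.sh --run
# Dry run:           IPT=echo sh input-policy.sh --run
if [ "${1:-}" = "--run" ]; then
  apply_input_policy
fi
```

Rule order inside the chain is first match wins, which is also why `iptables -A INPUT -s 1.2.3.4 -j DROP` appended after an ACCEPT rule that already matches that host never fires; insert such blocks at the top with `-I INPUT` instead.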