1
http://www.thegeekstuff.com/2011/01/iptables-fundamentals
http://www.linuxhowtos.org/Security/iptables.htm
https://www.cyberciti.biz/tips/linux-iptables-examples.html
#IPTABLES TABLES and CHAINS
IPTables has the following 4 built-in tables.
1. Filter Table
INPUT chain
OUTPUT chain
FORWARD chain
2. NAT table
PREROUTING chain – / DNAT / iptables -t nat -A PREROUTING -p tcp --dport 5000 -j REDIRECT --to-ports 22
POSTROUTING chain – / SNAT / iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
3. Mangle table
PREROUTING chain
OUTPUT chain
FORWARD chain
INPUT chain
POSTROUTING chain
4. Raw table
PREROUTING chain
OUTPUT chain
#Structure of iptables Options
iptables [-t <table-name>] <command> <chain-name> <parameter-1> \
<option-1> <parameter-n> <option-n>
#Flush Iptables
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Delete Firewall Rules
iptables -L INPUT -n --line-numbers
iptables -D INPUT 4
# Display Iptables
iptables -nvL
iptables -t nat -L
iptanles -t mangle -L
#Stop / Start / Restart the Firewall
service iptables stop
service iptables start
service iptables restart
# Blocking an IP Address (BLOCK IP)
iptables -A INPUT -s 1.2.3.4 -j DROP
iptables -A INPUT -s 192.168.0.0/24 -j DROP
# Block Incoming Port Requests (BLOCK PORT)
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
# Block Outgoing IP Address
# iptables -A OUTPUT -d 75.126.153.206 -j DROP
# Drop or Accept Traffic From Mac Address
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
*only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ##
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
# Block or Allow ICMP Ping Request
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
#Open Range of Ports
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT