IPtables


For backing up the current rule set (-c also saves the byte and packet counters)

iptables-save -c > /etc/iptables-save


For restoring, including the byte and packet counters

cat /etc/iptables-save | iptables-restore -c 


For restoring without flushing the rules that are already loaded (the saved rules are added alongside them)

cat /etc/iptables-save | iptables-restore -n


Examples of match specifications (no -j target is given, so as written these rules only count matching packets)

iptables -A INPUT -p tcp --sport 22

iptables -A INPUT -p tcp --sport 22:80            from 22 to 80

iptables -A INPUT -p tcp --source-port :80     from 0 to 80

iptables -A INPUT -p tcp --source-port 22:     from 22 to 65535

iptables -A INPUT -p tcp --source-port !22     all but 22  (older negation syntax; current iptables expects the negation before the option: ! --sport 22)

iptables -A INPUT -p tcp --source-port !22:80     all but ports 22 through 80

iptables -A INPUT -p tcp --dport 22


iptables -A INPUT -p tcp --tcp-flags SYN,FIN,ACK SYN


iptables -A INPUT -p udp --sport 53

iptables -A INPUT -p udp --dport 53


iptables -A INPUT -p icmp --icmp-type 8

iptables --protocol icmp --help


iptables -A INPUT -p tcp -m multiport --source-port 22,53,80,110       (max 15)

iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110       (max 15)

iptables -A INPUT -p tcp -m multiport --ports 22,53,80,110  (matches either src or dst port)  (max 15)


iptables -A INPUT -m state --state RELATED,ESTABLISHED


Default policies (ACCEPT is the permissive setting; a deny-by-default firewall uses DROP here and then accepts explicitly)

iptables -P INPUT ACCEPT



Destination NAT: all packets for 15.45.23.67 (port 80) are spread over the LAN range 192.168.1.1 to 192.168.1.10

iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination \

192.168.1.1-192.168.1.10


iptables -t nat -A PREROUTING -p tcp -d 15.45.23.67 --dport 80 -j DNAT --to-destination \

192.168.1.1:80


external client ----- internet ---------- firewall _________ http server

                                                                                                 |

                                                                                       internal client


$INET_IP      firewall external ip

$HTTP_IP     http server internal ip

$LAN_IP      firewall internal ip

$EXT_BOX   external client ip

$LAN_BOX   internal client ip


For an external client (reaches the HTTP server through the firewall's external address)

iptables -t nat -A PREROUTING --dst $INET_IP -p tcp --dport 80 \

-j DNAT --to-destination $HTTP_IP 


For an internal client: the PREROUTING rule above also rewrites its packets to $HTTP_IP, but the server would then reply directly to the client on the LAN, bypassing the firewall; this SNAT forces the replies back through the firewall

iptables -t nat -A POSTROUTING -p tcp --dst $HTTP_IP --dport 80 \

-j SNAT --to-source $LAN_IP


For the firewall itself (locally generated packets pass through the OUTPUT chain, not PREROUTING)

iptables -t nat -A OUTPUT --dst $INET_IP -p tcp --dport 80 \

-j DNAT --to-destination $HTTP_IP


Masquerading

iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE --to-ports \

1024-31000


Redirect for transparent proxy

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT \

--to-ports 8080


SNAT: several hosts sharing one internet connection (source address mapped into the given address range and port range)

iptables -t nat -A POSTROUTING -p tcp -o eth0 -j SNAT --to-source \

194.236.50.155-194.236.50.160:1024-32000


IP forwarding (required for the NAT/forwarding rules above; writing /proc is not persistent across reboots)

echo "1" > /proc/sys/net/ipv4/ip_forward


Dynamic IP support

echo "1" > /proc/sys/net/ipv4/ip_dynaddr


Logging

man syslog.conf

iptables -A FORWARD -p tcp -j LOG --log-level debug

iptables -A INPUT -p tcp -j LOG --log-prefix "INPUT packets"

This option prefixes every log message with the given string, which can then be combined with grep

to track specific problems from different rules. The prefix can be up to 29 letters long.


To get the current (dynamic) IP of the interface named in $INTERNAL (ifconfig output format varies between versions, so the cut fields may need adjusting)

INT_IP=`ifconfig $INTERNAL | grep inet | cut -d : -f 2 | cut -d \ -f 1`


PPP and masquerading

iptables -A INPUT -m state --state NEW,INVALID -i ppp0 -j DROP

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

echo "1" > /proc/sys/net/ipv4/ip_forward

For active-mode FTP connections the FTP connection-tracking helper (ip_conntrack_ftp) must be loaded

For identd and SMTP (inserted at position 1 of INPUT so it takes effect before the DROP rule above)

iptables -I INPUT 1 -p tcp -m multiport --dports 113,25 -j ACCEPT


1