
important iptables rules
###########################
Block website in iptables / Block domain in iptables
# iptables -A FORWARD ! -s 70.35.206.118/24 -m string --string "facebook.com" --algo bm --to 65535 -j DROP
or
-A FORWARD ! -s 70.35.206.0/24 -m string --string "facebook.com" --algo bm --to 65535 -j DROP
Note: "! -s" exempts the listed subnet from the rule. The string match only inspects packet payload, so it catches the hostname in plain HTTP requests and in the TLS ClientHello (SNI); it does not block traffic that never carries the literal string.
________________________________________________________________________________________________
Block IP address in iptables
To block incoming traffic from IP address 192.168.1.2 on the server, use this command:
iptables -A INPUT -s 192.168.1.2 -j DROP
To block outgoing traffic from the server to IP address 192.168.1.2, use this command:
iptables -A OUTPUT -d 192.168.1.2 -j DROP
_______________________________________________________________________
redirect url to another url / redirect domain to another domain
# iptables -t nat -I PREROUTING -p tcp --dport 80 -d 217.160.0.99 -j DNAT --to-destination 172.217.9.46
# iptables -t nat -I PREROUTING -p tcp --dport 443 -d 217.160.0.99 -j DNAT --to-destination 172.217.9.46
or
-A PREROUTING -d 217.160.0.99/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.217.9.46
-A PREROUTING -d 217.160.0.99/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.217.9.46
iptables-save   # prints the running rules; redirect the output to a file to persist them
service iptables reload
_________________________________________________________________________
open and block ports (open only 22, 80, 443, 1723) in iptables
iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
Note: the last two lines are catch-all DROP rules appended to the end of the chains; the chain policies themselves stay ACCEPT, so a later "iptables -F" leaves the host open until the rules are reloaded.
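The same "open only these ports" policy can be written as one iptables-restore file with a default-deny chain policy, which is loaded atomically and does not depend on a trailing DROP rule. The script below is an added example and is not part of the original page; it assumes the caller passes the TCP ports to allow (the page uses 22, 80, 443 and 1723) and only generates text, so it can be reviewed before anything is applied.

```shell
# Added example, not part of the original page: build the "open only these
# ports" policy above as an iptables-restore file instead of a run of -A calls.
# Assumption: the caller passes the TCP ports to allow (the page uses 22 80 443
# 1723). Nothing here touches the kernel; review the text, then load it with
#   iptables-restore --test < allowlist.rules   (syntax check only)
#   iptables-restore < allowlist.rules          (apply the whole set at once)

gen_allowlist_ruleset() {
    # refuse anything that is not a plain port number
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) printf 'bad port: %s\n' "$port" >&2; return 1 ;;
        esac
    done
    need_gre=0
    printf '%s\n' '*filter'
    # Default-deny on INPUT and FORWARD: anything not matched below is dropped
    # by the chain policy, so no trailing "-A INPUT -j DROP" is needed and a
    # flush never leaves the host wide open.
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        if [ "$port" = 1723 ]; then need_gre=1; fi
    done
    # PPTP (1723) carries its data in GRE, so allow that protocol only when 1723 is listed
    if [ "$need_gre" = 1 ]; then
        printf '%s\n' '-A INPUT -p gre -j ACCEPT'
    fi
    printf '%s\n' 'COMMIT'
}

count_port_rules() {
    # number of per-port ACCEPT lines in the generated set (one per port)
    gen_allowlist_ruleset "$@" | grep -c -- '--dport'
}

# usage: gen_allowlist_ruleset 22 80 443 1723 > allowlist.rules
```

Because OUTPUT keeps an ACCEPT policy and INPUT relies on conntrack for replies, the per-port "--sport" OUTPUT rules from the page are unnecessary here; the one behavioural difference from the page's ruleset is that FORWARD is closed by default.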
________________________________________________________________________________________________
Redirect port to another port in iptables
sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner root --dport 143 -j REDIRECT --to-ports 465
-A OUTPUT -p tcp -m owner ! --uid-owner 0 -m tcp --dport 143 -j REDIRECT --to-ports 465
________________________________________________________________________________________________
block all websites except one (service-bestvpn.com, IP 217.160.0.99) in iptables
iptables -I OUTPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
iptables -I OUTPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
iptables -I OUTPUT -p tcp -m tcp -d 217.160.0.99/32 --dport 80 -j ACCEPT
iptables -I OUTPUT -p tcp -m tcp -d 217.160.0.99/32 --dport 443 -j ACCEPT
Note: "-I" inserts at the top of the chain, so run the commands in this order; the two ACCEPT rules end up above the REJECT rules and are matched first.
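The order of those four "-I" commands decides whether the exception works at all. The script below is an added example, not part of the original page: it simulates the OUTPUT chain as a list of constructed rule strings, inserts them the way "iptables -I" does, and evaluates a destination against the chain with first-match semantics, so you can see both the page's order and the reversed order without touching a live firewall. The IP 93.184.216.34 is just a constructed sample "other website" address.

```shell
# Added example, not part of the original page: a tiny chain evaluator that
# shows why the four "-I OUTPUT" commands above must be run in exactly that
# order. "-I" inserts at the top of the chain, so the command run last ends up
# first, and iptables stops at the first matching rule. The rules below are
# constructed strings; nothing is loaded into the kernel.

CHAIN=""   # simulated OUTPUT chain, one rule per line, top rule first

insert_rule() {
    # mimic "iptables -I OUTPUT <rule>": prepend to the chain
    if [ -z "$CHAIN" ]; then
        CHAIN="$1"
    else
        CHAIN="$1
$CHAIN"
    fi
}

load_page_order() {
    # the order the page gives: REJECT everything first, then insert the ACCEPTs
    CHAIN=""
    insert_rule "-d 0.0.0.0/0 --dport 443 -j REJECT"
    insert_rule "-d 0.0.0.0/0 --dport 80 -j REJECT"
    insert_rule "-d 217.160.0.99/32 --dport 80 -j ACCEPT"
    insert_rule "-d 217.160.0.99/32 --dport 443 -j ACCEPT"
}

load_reversed_order() {
    # same four commands with the ACCEPTs inserted first (a common mistake)
    CHAIN=""
    insert_rule "-d 217.160.0.99/32 --dport 443 -j ACCEPT"
    insert_rule "-d 217.160.0.99/32 --dport 80 -j ACCEPT"
    insert_rule "-d 0.0.0.0/0 --dport 80 -j REJECT"
    insert_rule "-d 0.0.0.0/0 --dport 443 -j REJECT"
}

verdict() {
    # $1 = destination IP, $2 = destination port; the first matching rule wins,
    # and the chain policy (ACCEPT) applies when nothing matches
    while read -r dopt net popt port jopt target; do
        [ "$port" = "$2" ] || continue
        case "$net" in
            0.0.0.0/0|"$1/32") printf '%s\n' "$target"; return 0 ;;
        esac
    done <<EOF
$CHAIN
EOF
    printf 'ACCEPT\n'
}

show_chain() {
    # print the chain the way "iptables -S OUTPUT" would order it
    printf '%s\n' "$CHAIN" | sed 's/^/-A OUTPUT /'
}

# usage:
#   load_page_order;     verdict 217.160.0.99 443   -> ACCEPT
#   load_reversed_order; verdict 217.160.0.99 443   -> REJECT (exception never reached)
```

In the reversed order the two REJECT rules sit above the ACCEPT rules, so the exception host is rejected like everything else; "iptables -S OUTPUT" (or show_chain here) is the quickest way to confirm the final order after a series of inserts.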
###############################################################
################Iptables Actions##################
##############################################################################
# sudo iptables -S                                 list all IPv4 rules (in iptables-save syntax)
# sudo iptables -L   (or)   sudo iptables --list    list the rules of every chain in the filter table
# sudo iptables -F                                 flush (remove) all rules in the filter table
The procedure to list all rules on Linux is as follows:
- Open the terminal app or log in using ssh:
  ssh user@server-name
- To list all IPv4 rules:
  sudo iptables -S
- To list all IPv6 rules:
  sudo ip6tables -S
- To list the rules of every chain, with packet counters:
  sudo iptables -L -v -n | more
- To list all rules for the INPUT chain:
  sudo iptables -L INPUT -v -n
  sudo iptables -S INPUT
Viewing all iptables rules in Linux
The syntax is:
iptables -S
iptables --list
iptables -L
iptables -S CHAIN_NAME
iptables --table NameHere --list
iptables -t NameHere -L -n -v --line-numbers
Print all rules in the selected chain
sudo iptables -S
sudo iptables -S INPUT
iptables -S OUTPUT
How to list rules for a given chain
Type the following command as root user:
# iptables -L INPUT
# iptables -L FORWARD
# iptables -L OUTPUT
# iptables -L
Let us try to understand the columns of the listing:
- target – What to do with a packet when it matches the rule.
- prot – The protocol the rule applies to.
- opt – Additional options for the rule.
- source – The source IP address/subnet/domain name.
- destination – The destination IP address/subnet/domain name.
iptables-save > /etc/iptables/rules.v4   # to save the running rules to a file
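Once the rules are saved in iptables-save format, that file is also the easiest thing to audit. The script below is an added example, not part of the original page: it reads iptables-save text and reports filter chains that still accept by default (policy ACCEPT with no DROP or REJECT as the last rule), which is exactly the gap left by rulesets that rely on an appended catch-all instead of a DROP policy. The ruleset embedded in it is constructed for the demo and is not a real host's configuration.

```shell
# Added example, not part of the original page: a small audit of iptables-save
# output that reports filter chains which still accept by default, i.e. the
# policy is ACCEPT and the chain does not end in a DROP or REJECT. Run it on a
# saved file (iptables-save > /etc/iptables/rules.v4) or on a live dump:
#   sudo iptables-save | audit_open_chains
# The sample below is constructed for the demo and is not a real host's ruleset.

audit_open_chains() {
    # stdin: iptables-save text; stdout: one open chain name per line, sorted
    awk '
        /^\*/   { table = substr($1, 2); next }      # "*filter", "*nat", ...
        table != "filter" { next }                    # only the filter table matters here
        /^:/    { chain = substr($1, 2); policy[chain] = $2; last[chain] = ""; next }
        /^-A /  { for (i = 3; i < NF; i++) if ($i == "-j") last[$2] = $(i + 1); next }
        /^COMMIT/ {
            for (c in policy)
                if (policy[c] == "ACCEPT" && last[c] != "DROP" && last[c] != "REJECT")
                    print c
        }
    ' | sort
}

# constructed sample: INPUT ends in DROP, FORWARD has no rules, OUTPUT ends in ACCEPT
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p tcp -m tcp -d 217.160.0.99/32 --dport 443 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

audit_sample() {
    # runs the audit over the constructed sample; expected: FORWARD and OUTPUT
    printf '%s\n' "$SAMPLE_RULES" | audit_open_chains
}
```

The nat table is skipped on purpose: its chains are expected to have an ACCEPT policy, and only the filter table decides what the host lets in or out.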
Thank you so much.
Radwan daoud