Important iptables rules

###########################
Block website in iptables / Block domain in iptables

# iptables -A FORWARD ! -s 70.35.206.118/24 -m string --string "facebook.com" --algo bm --to 65535 -j DROP

or

-A FORWARD ! -s 70.35.206.0/24 -m string --string "facebook.com" --algo bm --to 65535 -j DROP

iptables masks the host bits of a prefix, so 70.35.206.118/24 and 70.35.206.0/24 are the same match, and the "!" negates it: the rule drops matching forwarded packets from every source except that /24. The string match only looks at the raw bytes of each packet (up to offset 65535), so it catches the name where it travels in cleartext (an HTTP Host header, a TLS SNI field) and misses anything that does not carry it; it will also drop unrelated packets that happen to contain the same bytes.


________________________________________________________________________________________________

Block IP address in iptables

To block incoming traffic from IP address 192.168.1.2 on the server, use this command:

iptables -A INPUT -s 192.168.1.2 -j DROP

To block outgoing traffic from the server to IP address 192.168.1.2, use this command:

iptables -A OUTPUT -d 192.168.1.2 -j DROP


_______________________________________________________________________

Redirect URL to another URL / redirect domain to another domain

# iptables -t nat -I PREROUTING -p tcp --dport 80 -d 217.160.0.99 -j DNAT --to-destination 172.217.9.46
# iptables -t nat -I PREROUTING -p tcp --dport 443 -d 217.160.0.99 -j DNAT --to-destination 172.217.9.46

or

-A PREROUTING -d 217.160.0.99/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination 172.217.9.46
-A PREROUTING -d 217.160.0.99/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.217.9.46

iptables-save
service iptables reload

DNAT rewrites the destination address of packets that arrive for 217.160.0.99, so this is an IP-level redirect: the client still believes it is talking to the original host, and for port 443 the certificate presented by 172.217.9.46 will not match the name the client asked for. Note also that iptables-save on its own only prints the running ruleset to standard output; redirect it into the file your distribution's iptables service loads (for example /etc/iptables/rules.v4 with iptables-persistent on Debian) or the reload will not bring the rules back.


_________________________________________________________________________

Open and block ports (open only 22, 80, 443, 1723) in iptables

iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
iptables -A INPUT -p gre -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP

Rule order matters here: the loopback and ESTABLISHED,RELATED rules come first so existing connections keep working, the per-port ACCEPT rules follow, and the final catch-all DROP rules must be appended last, since iptables stops at the first matching rule. TCP 1723 is the PPTP control channel and GRE carries the PPTP tunnel itself, which is why the gre rule accompanies port 1723. Because the whole chain is flushed (-F) before it is rebuilt, run this from a console or a session you will not lose if the SSH rule is not yet in place.
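The same "open only 22, 80, 443, 1723" policy can be produced as a single iptables-restore file and loaded atomically, which avoids the window between the -F flush and the last ACCEPT rule in which the host is unprotected or unreachable. The script below is an added example and not the post's own commands; it assumes the port list and the interface name eth0 are placeholders, sets the INPUT policy to DROP instead of appending a final DROP rule, and leaves OUTPUT at ACCEPT (the post's OUTPUT --sport rules are redundant with the ESTABLISHED,RELATED rule, so they are omitted). It only generates text; nothing touches the kernel until the output is piped into iptables-restore as root.

```shell
#!/bin/sh
# Added example (not from the original post): emit the "open only 22, 80, 443, 1723"
# policy in iptables-save format so it can be reviewed and then applied atomically.
# Assumptions: ALLOWED_TCP_PORTS and WAN_IF are placeholders for your own values.

ALLOWED_TCP_PORTS="22 80 443 1723"
WAN_IF="eth0"

# Write the complete ruleset (filter and nat tables) to stdout.
gen_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
    for port in $ALLOWED_TCP_PORTS; do
        # Only NEW connections need an explicit rule; replies are already
        # covered by the ESTABLISHED,RELATED rule above.
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    cat <<EOF
-A INPUT -p gre -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Print "yes" if the generated ruleset accepts new TCP connections on port $1, else "no".
port_allowed() {
    if gen_ruleset | grep -q -- "^-A INPUT -p tcp --dport $1 -m conntrack --ctstate NEW -j ACCEPT\$"; then
        echo yes
    else
        echo no
    fi
}

# Usage as root:
#   gen_ruleset | iptables-restore --test   # parse the ruleset without applying it
#   gen_ruleset | iptables-restore          # apply the whole ruleset in one step
#   gen_ruleset > /etc/iptables/rules.v4    # persist it for iptables-persistent (Debian path)
```

iptables-restore replaces the tables named in the file in one transaction, so there is never a moment with a flushed chain and no rules; the --test flag (available in current iptables releases) lets you catch a typo before the ruleset goes live.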


________________________________________________________________________________________________

Redirect port to another port in iptables

sudo iptables -t nat -A OUTPUT -p tcp -m owner ! --uid-owner root --dport 143 -j REDIRECT --to-port 465

-A OUTPUT -p tcp -m owner ! --uid-owner 0 -m tcp --dport 143 -j REDIRECT --to-ports 465

Both forms are the same rule (uid 0 is root): locally generated TCP connections to port 143 from any user other than root are redirected to port 465 on the local host. The owner match only exists in the OUTPUT chain, because only locally generated packets have an owning user.


________________________________________________________________________________________________

Block all websites except service-bestvpn.com (IP: 217.160.0.99) in iptables

iptables -I OUTPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
iptables -I OUTPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
iptables -I OUTPUT -p tcp -m tcp -d 217.160.0.99/32 --dport 80 -j ACCEPT
iptables -I OUTPUT -p tcp -m tcp -d 217.160.0.99/32 --dport 443 -j ACCEPT

Run the commands in exactly this order: -I inserts each rule at the top of the chain, so the two ACCEPT rules entered last end up above the REJECT rules and are evaluated first. Appending them with -A instead would place the ACCEPT rules below the REJECT rules, where they would never match. Only ports 80 and 443 are rejected; other outbound ports are unaffected.


###############################################################

################Iptables Actions##################

##############################################################################

# sudo iptables -S                                  List all IPv4 rules

sudo iptables -L   (or)   sudo iptables --list      List all rules of the filter table

sudo iptables -F                                    Remove (flush) all rules

The procedure to list all rules on Linux is as follows:

  1. Open the terminal app or log in using ssh:
    ssh user@server-name
  2. To list all IPv4 rules:
    sudo iptables -S
  3. To list all IPv6 rules:
    sudo ip6tables -S
  4. To list all rules of the filter table with packet counters:
    sudo iptables -L -v -n | more
  5. To list all rules of the INPUT chain:
    sudo iptables -L INPUT -v -n
    sudo iptables -S INPUT

Viewing all iptables rules in Linux

The syntax is:

iptables -S
iptables --list
iptables -L
iptables -S CHAIN_NAME
iptables --table TABLE_NAME --list
iptables -t TABLE_NAME -L -n -v --line-numbers

Without -t, every command operates on the filter table only; use -t nat (or -t mangle, -t raw) to see the rules in the other tables, such as the DNAT and REDIRECT rules shown above. -n skips DNS lookups and -v adds the packet and byte counters, which is the quickest way to see whether a rule is actually matching anything.


Print all rules in the selected chain

sudo iptables -S
sudo iptables -S INPUT
iptables -S OUTPUT

How to list rules for a given chain

Type the following commands as the root user:
# iptables -L INPUT
# iptables -L FORWARD
# iptables -L OUTPUT
# iptables -L

Let us try to understand the columns of the rule listing:

  • target – What to do when a packet matches the rule (ACCEPT, DROP, REJECT, or a chain to jump to).
  • prot – The protocol the rule matches (tcp, udp, icmp, gre, or all).
  • opt – Additional options for the rule.
  • source – The source IP address/subnet/domain name.
  • destination – The destination IP address/subnet/domain name.
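Listing rules is most useful when the output is checked against what the host is supposed to allow. The script below is an added example rather than anything from the post: it reads iptables -S output (the format shown in the "Iptables Actions" section) and reports whether the INPUT chain actually closes by default and which accepted TCP ports fall outside an allowlist. The sample rules are constructed for the demonstration, not captured from a real host, and the allowlist reuses the four ports from the port section above as a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit "iptables -S" output offline.
# Assumption: EXPECTED_PORTS is a placeholder allowlist; SAMPLE_RULES is constructed.

EXPECTED_PORTS="22 80 443 1723"

# Constructed sample of iptables -S output with one port that is not on the allowlist.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -j DROP'

# Read rules on stdin; print "closed" if INPUT has policy DROP or ends in an
# unconditional DROP/REJECT rule, otherwise "open".
input_default() {
    awk '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" { last = $0 }
        END {
            if (policy == "DROP" || last ~ /^-A INPUT -j (DROP|REJECT)/) print "closed"
            else print "open"
        }'
}

# Read rules on stdin; print every TCP destination port the INPUT chain accepts.
open_tcp_ports() {
    awk '
        $1 == "-A" && $2 == "INPUT" && / -p tcp/ && / -j ACCEPT$/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }'
}

# Read rules on stdin; print the accepted ports that are not in EXPECTED_PORTS.
unexpected_ports() {
    for p in $(open_tcp_ports); do
        case " $EXPECTED_PORTS " in
            *" $p "*) ;;          # on the allowlist, nothing to report
            *) echo "$p" ;;
        esac
    done
}

# Read rules on stdin and print one finding per line.
audit() {
    rules=$(cat)
    printf 'INPUT default: %s\n' "$(printf '%s\n' "$rules" | input_default)"
    for p in $(printf '%s\n' "$rules" | unexpected_ports); do
        printf 'WARN: INPUT accepts TCP port %s, which is not on the allowlist\n' "$p"
    done
}

# Usage on a live host (as root):  iptables -S | audit
# Offline demonstration with the constructed sample:
printf '%s\n' "$SAMPLE_RULES" | audit
```

The checks are deliberately conservative: a chain whose policy is ACCEPT only counts as closed when its last rule is an unconditional DROP or REJECT, exactly the pattern used in the port section above, and a rule that accepts a port for a single source (-s) is still reported, because from the listing alone you cannot tell whether that source is trusted.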


iptables-save > /etc/iptables/rules.v4                       to save


Thank you so much.

Radwan daoud
