The following is a reference collection of commonly used iptables commands and examples (several dozen entries, grouped by task). All of them must be run as root, and rule order matters: iptables takes the first matching rule in a chain, and the chain's default policy decides anything that matches nothing.
- Flush all rules and delete all user-defined chains (filter table; other tables need `-t nat` / `-t mangle`)
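# Reset the ruleset: flush every rule and delete every user-defined chain.
# The original only touched the filter table; nat and mangle keep their
# rules unless they are flushed too, so all three are reset here, and the
# packet/byte counters are zeroed as well.
# WARNING: flushing does not reset chain policies. If INPUT is already at
# DROP, flushing removes the ACCEPT rules and will cut off a remote session;
# set the policies back to ACCEPT before re-running this on a live box.
for table in filter nat mangle; do
  iptables -t "$table" -F   # flush all rules in every chain of the table
  iptables -t "$table" -X   # delete (now empty) user-defined chains
  iptables -t "$table" -Z   # zero packet/byte counters
done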
- Set the default (no-rule-matched) policy of each built-in chain
# Default policies: drop inbound traffic that no rule accepts, let local
# processes send freely, and forward freely.
# NOTE(review): with ip_forward enabled, FORWARD ACCEPT turns this host into
# an open router; use DROP there unless it is meant to route, and add explicit
# FORWARD ACCEPT rules. Also set INPUT to DROP only after the loopback and
# ESTABLISHED,RELATED ACCEPT rules are loaded, or a remote shell is cut off.
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
- Allow traffic on the loopback interface
# Accept everything on the loopback interface in both directions; local
# services (resolver stubs, databases, IPC over 127.0.0.1) break without it.
iptables --append INPUT --in-interface lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT
- Allow already established and associated connections to pass through
# Accept packets of connections already tracked by conntrack (ESTABLISHED) and
# flows a helper ties to them, e.g. FTP data or ICMP errors (RELATED). Placed
# early, it short-circuits the rule walk for the bulk of traffic.
iptables --append INPUT --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT
- Allow access to specified IP addresses or network segments
# Accept all traffic (any protocol, any port) sourced from 192.168.1.0/24.
# Source addresses are not authenticated; enable rp_filter on the interface
# so spoofed LAN addresses arriving from outside are discarded.
iptables --append INPUT --source 192.168.1.0/24 --jump ACCEPT
- Allow access to specified ports
# Accept inbound TCP to port 80 (HTTP) from any source.
iptables --append INPUT --protocol tcp --destination-port 80 --jump ACCEPT
- Allow access to the specified protocol
# Accept by protocol. The ICMP rule admits every ICMP type, not only echo;
# the UDP rule is for a DNS server listening on this host; the TCP rule opens
# SSH to every source — add a --source restriction wherever possible.
iptables --append INPUT --protocol icmp --jump ACCEPT                       # all ICMP
iptables --append INPUT --protocol udp --destination-port 53 --jump ACCEPT  # DNS (UDP/53)
iptables --append INPUT --protocol tcp --destination-port 22 --jump ACCEPT  # SSH (TCP/22)
- Prohibit access to specified IP addresses or network segments
# Silently discard everything sourced from 192.168.1.0/24 (no RST or ICMP
# error goes back, so the sender just times out).
iptables --append INPUT --source 192.168.1.0/24 --jump DROP
- Allow traffic from the specified source MAC address (only visible on the directly attached L2 segment, and trivially spoofable — not an authentication control)
# Accept frames whose source MAC is 00:11:22:33:44:55. The MAC is only seen
# from the directly attached segment and is chosen by the sender, so this is
# convenience filtering, not authentication.
iptables --append INPUT --match mac --mac-source 00:11:22:33:44:55 --jump ACCEPT
- Allow all traffic on the specified network interface (effectively disables filtering on that interface)
# Accept everything entering and leaving eth0. Under an INPUT DROP policy this
# is equivalent to switching filtering off for eth0 — only for an interface
# that is fully trusted.
iptables --append INPUT --in-interface eth0 --jump ACCEPT
iptables --append OUTPUT --out-interface eth0 --jump ACCEPT
- Allow outbound traffic from sockets owned by a specified user (the owner match applies to locally generated packets only, i.e. the OUTPUT and nat/mangle POSTROUTING chains; it has nothing to do with the sudoers file)
# Accept locally generated packets whose socket is owned by user www-data.
# The owner match only exists for locally generated traffic (OUTPUT and
# POSTROUTING); it is unrelated to sudo configuration.
iptables --append OUTPUT --match owner --uid-owner www-data --jump ACCEPT
- Allow forwarding of specified traffic (only takes effect with net.ipv4.ip_forward=1)
# Forwarding rules. The first matches only the initial SYN from
# 192.168.1.0/24 — the rest of each TCP connection is not covered by it and
# falls through to later FORWARD rules or the chain policy, so pair it with an
# ESTABLISHED,RELATED rule in FORWARD. The second forwards all UDP addressed
# to 192.168.2.0/24. Neither does anything unless net.ipv4.ip_forward=1.
iptables --append FORWARD --protocol tcp --syn --source 192.168.1.0/24 --jump ACCEPT
iptables --append FORWARD --protocol udp --destination 192.168.2.0/24 --jump ACCEPT
- Deny access to the specified port
# Refuse inbound SMTP (TCP/25). REJECT without --reject-with answers with an
# ICMP port-unreachable, so the sender fails immediately; for TCP,
# --reject-with tcp-reset is the more natural reply. DROP would instead hide
# the host by letting the sender time out.
iptables --append INPUT --protocol tcp --destination-port 25 --jump REJECT
- Deny access to specified IP addresses or network segments
# Drop every packet whose source falls in 192.168.1.0/24, without any reply.
iptables --append INPUT --source 192.168.1.0/24 --jump DROP
- Rate limiting with the limit match (a single global token bucket; packets above the rate do not match and continue down the chain)
# Accept ICMP echo requests at up to 10 per second, with the default burst of
# 5 (--limit-burst). Requests beyond the rate simply do not match this rule
# and fall through, so a later DROP or the chain policy decides their fate.
iptables --append INPUT --protocol icmp --icmp-type echo-request --match limit --limit 10/sec --jump ACCEPT
- Add the rules in the script to iptables
# Run a file of iptables commands through bash (no execute bit needed).
# Read the file first: it executes with the caller's privileges, and
# iptables itself requires root.
bash -- script.sh
- View the current rules (filter table; use `-t nat` / `-t mangle` for the others)
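# List the filter table. -n skips reverse-DNS and /etc/services lookups, which
# otherwise stall for minutes when DNS is unreachable (a common state while
# debugging a firewall); -v shows counters and interfaces; --line-numbers
# gives the index needed for -D/-I/-R. Other tables need -t nat / -t mangle;
# `iptables-save` dumps everything in loadable form.
iptables -L -n -v --line-numbers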
- View the rules of the specified rule chain
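# List only the INPUT chain, numerically (no DNS/service-name lookups, which
# can hang) and with rule indexes for later -D/-I/-R.
iptables -L INPUT -n --line-numbers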
- View the detailed rules of the specified rule chain
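# Verbose INPUT listing: packet/byte counters and interfaces per rule. -n
# keeps it numeric so the listing never blocks on reverse DNS; --line-numbers
# makes rule positions explicit.
iptables -L INPUT -v -n --line-numbers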
- Print the rules as iptables command lines (the form in which they were added, as in iptables-save output)
# Print the filter table as iptables command lines (same format as
# iptables-save). Other tables: add --table nat / --table mangle.
iptables --list-rules
- Allow packets with the specified MAC address to pass
# Accept packets carrying source MAC 00:11:22:33:44:55. Only meaningful for
# hosts on the same L2 segment, and the MAC is sender-controlled.
iptables --append INPUT --match mac --mac-source 00:11:22:33:44:55 --jump ACCEPT
- Drop TCP packets that would start a new connection without a SYN flag (catches ACK/FIN/NULL/XMAS scans and stray segments)
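# Drop TCP packets that conntrack sees as a NEW connection but that lack the
# SYN flag (ACK/FIN/NULL/XMAS scans, stray segments after a conntrack flush).
# `-m state` is a compatibility alias for conntrack; this uses conntrack
# directly, matching the ESTABLISHED,RELATED rule elsewhere in this sheet.
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP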
- Restrict SSH access from IP address or network segment
# Accept SSH (port name resolved via /etc/services, normally 22) only when the
# source is in 192.168.1.0/24.
iptables --append INPUT --protocol tcp --source 192.168.1.0/24 --destination-port ssh --jump ACCEPT
- Allow the ICMP protocol packets of the specified IP address or network segment to pass through
# Accept every ICMP type, but only from 192.168.1.0/24.
iptables --append INPUT --protocol icmp --source 192.168.1.0/24 --jump ACCEPT
- Allow the specified port to access from the specified IP address or network segment
# Accept HTTP (TCP/80) only from 192.168.1.0/24.
iptables --append INPUT --protocol tcp --source 192.168.1.0/24 --destination-port 80 --jump ACCEPT
- Allow UDP reply packets (e.g. DNS answers) from the specified IP address or network segment (caution: a source-port match such as `--sport 53` is chosen by the sender and lets any host in the range reach any UDP service; matching connection state is the safe form)
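# Accept UDP from 192.168.1.0/24 only when it belongs to a flow this host
# started (ESTABLISHED), which is what "DNS replies from our resolver" means.
# The original matched `--sport 53` instead: a source port is picked by the
# sender, so any host in the range could reach ANY UDP service on this box by
# sending from port 53 (the classic source-port-53 firewall bypass).
iptables -A INPUT -p udp -s 192.168.1.0/24 -m conntrack --ctstate ESTABLISHED -j ACCEPT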
- Allow the data of the specified IP address or network segment to pass through the established connection
# Accept ESTABLISHED-flow packets only when sourced from 192.168.1.0/24.
# A source-agnostic ESTABLISHED,RELATED rule usually makes this redundant.
iptables --append INPUT --source 192.168.1.0/24 --match conntrack --ctstate ESTABLISHED --jump ACCEPT
- Set up DNAT (destination-NAT) load balancing across backends with the statistic match — the rule rewrites destinations, not sources
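# Send every other new inbound HTTP connection (packet 0 of each group of 2)
# to backend 192.168.1.2:80. The original had no `-p tcp --dport 80`: iptables
# rejects a port in --to-destination without a protocol, and an unqualified
# rule would have rewritten all inbound traffic. A second DNAT rule without
# the statistic match, pointing at the other backend, catches the remaining
# half; the FORWARD chain must accept the rewritten packets and
# net.ipv4.ip_forward must be 1. This is DNAT, not SNAT.
iptables -t nat -A PREROUTING -p tcp --dport 80 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.2:80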
- Redirect HTTP traffic to a local proxy listening on port 8080 (transparent proxy)
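# Transparent proxy: REDIRECT rewrites TCP/80 arriving in PREROUTING to local
# port 8080 (a DNAT to the incoming interface's address). The documented
# option is --to-ports; the original's --to-port only works as an unambiguous
# abbreviation. Without an --in-interface this also captures port-80 traffic
# aimed at this host's own web server, so scope it when that matters. The
# deprecated `-m state` alias is replaced by conntrack.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -A INPUT -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 8080 -m conntrack --ctstate ESTABLISHED -j ACCEPT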
- Forward HTTP requests to the internal web server
# Port-forward inbound TCP/80 to the internal web server 192.168.1.2 and let
# the rewritten packets pass FORWARD. Needs net.ipv4.ip_forward=1, and the
# server's replies must route back through this host (it is the server's
# default gateway, or a matching SNAT/MASQUERADE is added).
iptables --table nat --append PREROUTING --protocol tcp --destination-port 80 --jump DNAT --to-destination 192.168.1.2:80
iptables --append FORWARD --protocol tcp --match tcp --destination 192.168.1.2 --destination-port 80 --jump ACCEPT
- Deny traffic from specific IP addresses
# Drop everything from the single host 192.168.1.10.
iptables --append INPUT --source 192.168.1.10 --jump DROP
- Deny specific TCP port access
# Drop inbound SSH (TCP/22) from everyone. Run this from a console, not over
# SSH, unless an earlier ACCEPT covers your own address.
iptables --append INPUT --protocol tcp --destination-port 22 --jump DROP
- Allow specific services from specific IP addresses
# Accept HTTP (TCP/80) from the single host 192.168.1.10.
iptables --append INPUT --protocol tcp --source 192.168.1.10 --destination-port 80 --jump ACCEPT
- Only allow SSH access from specific IP addresses
# SSH allow-list. Rule order is the whole mechanism: the ACCEPT for
# 192.168.1.10 must come before the catch-all DROP, because iptables stops at
# the first matching rule.
iptables --append INPUT --protocol tcp --source 192.168.1.10 --destination-port ssh --jump ACCEPT
iptables --append INPUT --protocol tcp --destination-port ssh --jump DROP
- Allow access to a range of ports (this example opens every unprivileged TCP port, which exposes any high-port listener)
# Accept TCP to every unprivileged port (1024-65535) from any source. That
# exposes whatever happens to listen high (databases, admin UIs, dev servers);
# return traffic is better handled by an ESTABLISHED,RELATED rule, and
# services should be listed by explicit port.
iptables --append INPUT --protocol tcp --destination-port 1024:65535 --jump ACCEPT
- Drop packets arriving on eth0 whose source address is not in the internal network (does not stop spoofed internal addresses; pair with rp_filter)
# Insert at the head of INPUT (so it beats any later ACCEPT) a rule dropping
# anything on eth0 not sourced from 192.168.0.0/24. iptables also accepts the
# shorthand 192.168.0/24; the explicit form is used here. A forged source
# address passes this check — enable rp_filter on eth0 as well.
iptables --insert INPUT --in-interface eth0 ! --source 192.168.0.0/24 --jump DROP
- Use this host as a NAT gateway (masquerade the LAN behind eth0's address)
# NAT gateway: rewrite the source of 192.168.1.0/24 packets leaving eth0 to
# eth0's current address. MASQUERADE re-reads that address per packet and
# forgets its connections when eth0 goes down, which suits a DHCP/PPP uplink;
# with a fixed address, SNAT --to-source is the cheaper choice. Requires
# net.ipv4.ip_forward=1 and FORWARD rules that admit the LAN traffic.
iptables --table nat --append POSTROUTING --source 192.168.1.0/24 --out-interface eth0 --jump MASQUERADE
- Open TCP port 6000 (a raw X11 display) on eth0 — note that SSH X11 forwarding (`ssh -X`) is tunnelled inside the SSH session on port 22 and needs no such rule; this instead exposes the unencrypted X server
# Accept connections to TCP/6000 (X11 display :0) arriving on eth0, plus the
# matching replies.
# NOTE(review): SSH X11 forwarding carries X traffic inside the SSH session
# (port 22) and needs no firewall change; this rule exposes the raw,
# unencrypted X listener to eth0 instead, which is rarely what is wanted.
iptables --append INPUT --in-interface eth0 --protocol tcp --destination-port 6000 --match state --state NEW,ESTABLISHED --jump ACCEPT
iptables --append OUTPUT --out-interface eth0 --protocol tcp --source-port 6000 --match state --state ESTABLISHED --jump ACCEPT
- Mitigate SYN flood attacks (rate-limit new TCP connections; SYN cookies in the kernel remain the primary defence)
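# SYN-flood mitigation. The original `-m limit --limit 1/s --limit-burst 3`
# was one GLOBAL token bucket: a single busy client or attacker pushed every
# other client's SYNs into the DROP, which is itself a denial of service.
# hashlimit keeps one bucket per source address, so the cap is per client.
# The 1/s + burst 3 figures are kept from the original and are illustrative
# (a browser opens several connections at once); tune them for the service.
# SYN cookies are the kernel's own defence and should be on regardless
# (sysctl -w is not persistent; also set it in /etc/sysctl.d/).
sysctl -w net.ipv4.tcp_syncookies=1
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m hashlimit --hashlimit-name syn_flood --hashlimit-mode srcip \
  --hashlimit-upto 1/s --hashlimit-burst 3 -j RETURN
iptables -A syn_flood -j DROP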
- Limit the number of concurrent connections from the same source (connlimit counts simultaneous connections, not a rate over time; the mask decides whether "same source" means one address or a whole prefix)
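# Drop new HTTP connections from a source that already has more than 20 open.
# connlimit counts CONCURRENT connections, not a rate. The original used
# --connlimit-mask 24, pooling an entire /24 into one counter so a single
# office or NAT network tripped it; mask 32 counts per individual IPv4
# address. --syn restricts the drop to connection attempts, so the client's
# existing 20 connections keep working instead of stalling along with the
# 21st. REJECT --reject-with tcp-reset would fail the client faster than DROP.
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 32 -j DROP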
- Allow this host to be pinged (accept inbound echo requests and the outbound echo replies)
# Let the host answer ping: inbound echo requests (first packet or part of a
# tracked flow) and the outbound echo replies that belong to those flows.
# The OUTPUT rule is only needed when OUTPUT's policy is not ACCEPT.
iptables --append INPUT --protocol icmp --icmp-type echo-request --match state --state NEW,ESTABLISHED --jump ACCEPT
iptables --append OUTPUT --protocol icmp --icmp-type echo-reply --match state --state ESTABLISHED --jump ACCEPT
- Enable IP forwarding and masquerade all forwarded traffic leaving eth0
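# Make this host a NAT router. The original set ip_forward twice (sysctl and
# the /proc file are the same knob); one write is enough. sysctl -w does not
# survive a reboot — also put net.ipv4.ip_forward=1 in /etc/sysctl.d/.
# The MASQUERADE rule carries no --source restriction, so every forwarded
# packet leaving eth0 is rewritten; together with a FORWARD ACCEPT policy
# that is an open relay. Add --source <LAN prefix> and a FORWARD allow-list.
sysctl -w net.ipv4.ip_forward=1                    # enable IP forwarding
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE  # NAT everything out eth0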
- Allow traffic forwarding between an inside interface (eth1) and an outside interface (eth0), admitting only replies on the way back in
# Route between eth1 (inside) and eth0 (outside): turn on forwarding in the
# kernel, let anything from eth1 leave via eth0, and let only packets that
# belong to those flows come back from eth0. The /proc write is not
# persistent — set net.ipv4.ip_forward=1 in /etc/sysctl.d/ for reboots.
echo 1 > /proc/sys/net/ipv4/ip_forward   # enable IP forwarding
iptables --append FORWARD --in-interface eth1 --out-interface eth0 --jump ACCEPT   # inside -> outside
iptables --append FORWARD --in-interface eth0 --out-interface eth1 --match state --state ESTABLISHED,RELATED --jump ACCEPT   # replies back in