iptables commands


linux firewall hugo

Linux Router

  1. If you need to set up your Slackware Linux machine as a router for other systems, you’ll want to set up the interfaces in /etc/rc.d/rc.inet1.conf, and set up NAT support with something like this in /etc/rc.d/rc.firewall, and then make rc.firewall executable.
    # Delete and flush.  Default table is "filter".
    # Others like "nat" must be explicitly stated.
    iptables --flush
    # Flush all the rules in filter and nat tables
    iptables --table nat --flush
    # Delete all chains that are not in default filter and nat table
    iptables --delete-chain
    iptables --table nat --delete-chain
    # Set up IP FORWARDing and Masquerading
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables --append FORWARD --in-interface eth1 -j ACCEPT
    echo "Enabling ip_forwarding..."
    echo 1 > /proc/sys/net/ipv4/ip_forward
  1. Save & Restore rules
    iptables-save > /etc/iptables.rules

Put the following in /etc/rc.d/rc.local so the rules are restored at boot:

    iptables-restore /etc/iptables.rules
  1. Blocking with iptables

The following iptables rules drop incoming packets from, and outgoing packets to, the host/IP 202.54.20.22:

    iptables -A INPUT -s 202.54.20.22 -j DROP
    iptables -A OUTPUT -d 202.54.20.22 -j DROP

If you have lots of IP addresses to block, use the following shell script.

Create a text file (vi /root/ip.blocked) and append the IP addresses or networks, one per line:

    # IP address block file
    202.54.20.22
    202.54.20.1/24
    65.66.36.87

Create a script as follows, or add the following lines to an existing iptables shell script:

    #!/bin/sh
    BLOCKDB='/root/ip.blocked'
    # Skip comment lines (starting with #); word splitting of $IPS yields one entry per iteration
    IPS=$(grep -Ev "^#" "$BLOCKDB")
    for i in $IPS
    do
        iptables -A INPUT -s "$i" -j DROP
        iptables -A OUTPUT -d "$i" -j DROP
    done

Save & close the file. Execute the file.
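The loop above re-appends every entry each time it runs and passes file contents straight to iptables. The following script is an added example, not part of the original notes: it loads the same kind of blocklist file into a dedicated chain (the chain name BLOCKLIST and the path /root/ip.blocked are assumptions), accepts only entries that look like an IPv4 address or CIDR before they reach iptables, and replaces the chain contents on every run.

```shell
#!/bin/sh
# Added example, not from the original notes: load a blocklist file into a
# dedicated chain. Entries are validated before reaching iptables, so a bad
# line cannot become unexpected rule arguments, and each run replaces the
# chain contents instead of appending duplicates. Assumed (hypothetical)
# settings: file /root/ip.blocked, chain name BLOCKLIST.
BLOCKDB="${BLOCKDB:-/root/ip.blocked}"
CHAIN="BLOCKLIST"

# Syntactic check: dotted-quad IPv4 with optional /0../32 prefix (iptables itself still rejects e.g. 999.1.1.1)
is_valid_entry() {
  printf '%s\n' "$1" |
    grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Read the file, strip comments (# to end of line), whitespace, CR and blank
# lines, and print one iptables argument list per rule (inbound and outbound).
build_rules() {
  file="$1"
  [ -r "$file" ] || { printf 'cannot read %s\n' "$file" >&2; return 1; }
  while IFS= read -r line || [ -n "$line" ]; do
    entry=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
    [ -z "$entry" ] && continue
    if is_valid_entry "$entry"; then
      printf '%s -s %s -j DROP\n' "-A $CHAIN" "$entry"
      printf '%s -d %s -j DROP\n' "-A $CHAIN" "$entry"
    else
      printf 'skipping invalid entry: %s\n' "$entry" >&2
    fi
  done < "$file"
}

# Create the chain if missing, hook it at the top of INPUT and OUTPUT once
# (-C tests whether the jump already exists), then flush and refill it. Root only.
apply_rules() {
  iptables -N "$CHAIN" 2>/dev/null || true
  iptables -C INPUT -j "$CHAIN" 2>/dev/null || iptables -I INPUT 1 -j "$CHAIN"
  iptables -C OUTPUT -j "$CHAIN" 2>/dev/null || iptables -I OUTPUT 1 -j "$CHAIN"
  iptables -F "$CHAIN"
  build_rules "$BLOCKDB" | while read -r args; do
    # word splitting of $args is intended: every field was validated above
    iptables $args
  done
}

# "show" prints the rules, "apply" installs them; no argument does nothing.
case "${1:-}" in
  show)  build_rules "$BLOCKDB" ;;
  apply) apply_rules ;;
esac
```

Run `sh blocklist.sh show` to review the generated rules before installing them with `apply`; invalid lines are reported on stderr and skipped rather than passed to iptables.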

iptables basic rules

From the iptables tutorial on DigitalOcean for CentOS.

    # Drop null packets, non-SYN packets that claim to open a new connection, and XMAS packets
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp -m tcp --dport 1891 -j ACCEPT    # custom ssh port 1891
    # ssh only from one IP: use this line instead of the one above, since the first matching rule wins
    iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 1891 -j ACCEPT
    iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP

List the rules, then save them to /etc/sysconfig/iptables so the iptables service restores them at boot:

    iptables -L -n
    iptables-save | sudo tee /etc/sysconfig/iptables
    chkconfig --level 35 iptables on
    service iptables restart