{"id":13497567,"url":"https://github.com/trimstray/iptables-essentials","last_synced_at":"2026-02-16T08:09:10.177Z","repository":{"id":38859680,"uuid":"144721723","full_name":"trimstray/iptables-essentials","owner":"trimstray","description":"Iptables Essentials: Common Firewall Rules and Commands.","archived":false,"fork":false,"pushed_at":"2024-11-19T13:59:50.000Z","size":322,"stargazers_count":1554,"open_issues_count":4,"forks_count":286,"subscribers_count":68,"default_branch":"master","last_synced_at":"2025-10-11T12:11:42.275Z","etag":null,"topics":["firewall","firewall-configuration","firewall-rules","iptables","iptables-configurations","iptables-firewall","iptables-rules"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trimstray.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-14T13:09:19.000Z","updated_at":"2025-10-09T10:27:20.000Z","dependencies_parsed_at":"2025-02-11T23:35:08.268Z","dependency_job_id":"adc889d4-bc95-4de6-9328-71d713e2261c","html_url":"https://github.com/trimstray/iptables-essentials","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/trimstray/iptables-essentials","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trimstray%2Fiptables-essentials","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trimstray%2Fiptables-essentials/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/
GitHub/repositories/trimstray%2Fiptables-essentials/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trimstray%2Fiptables-essentials/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trimstray","download_url":"https://codeload.github.com/trimstray/iptables-essentials/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trimstray%2Fiptables-essentials/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29503256,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-16T08:07:58.651Z","status":"ssl_error","status_checked_at":"2026-02-16T08:07:56.823Z","response_time":115,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["firewall","firewall-configuration","firewall-rules","iptables","iptables-configurations","iptables-firewall","iptables-rules"],"created_at":"2024-07-31T20:00:33.629Z","updated_at":"2026-02-16T08:09:10.150Z","avatar_url":"https://github.com/trimstray.png","language":null,"readme":"\u003ch2 align=\"center\"\u003eIptables Essentials: Common Firewall Rules and Commands\u003c/h2\u003e\n\n\u003cbr\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/trimstray/iptables-essentials/pulls\"\u003e\n    \u003cimg 
src=\"https://img.shields.io/badge/PRs-welcome-brightgreen.svg?longCache=true\" alt=\"Pull Requests\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"LICENSE.md\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/License-MIT-lightgrey.svg?longCache=true\" alt=\"MIT License\"\u003e\n  \u003c/a\u003e\n\u003c/p\u003e\n\n\u003cbr\u003e\n\n## :ballot_box_with_check: TODO\n\n- [ ] Add useful Iptables configuration examples\n- [x] Add useful Kernel Settings (sysctl) configuration\n- [ ] Add links to useful external resources\n- [x] Add advanced configuration examples, commands, rules\n\n****\n\n## Table of Contents\n\n- [Tools to help you configure Iptables](#tools-to-help-you-configure-iptables)\n- [Manuals/Howtos/Tutorials](#manualshowtostutorials)\n- [Useful Kernel Settings (sysctl) configuration](#useful-kernel-settings-sysctl-configuration)\n  * [rp_filter](#rp_filter)\n  * [log_martians](#log_martians)\n  * [send_redirects](#send_redirects)\n  * [accept_source_route](#accept_source_route)\n  * [accept_redirects](#accept_redirects)\n  * [tcp_syncookies](#tcp_syncookies)\n  * [icmp_echo_ignore_broadcasts](#icmp_echo_ignore_broadcasts)\n  * [ip_forward](#ip_forward)\n- [How it works?](#how-it-works)\n- [Iptables Rules](#iptables-rules)\n  * [Saving Rules](#saving-rules)\n    - [Debian Based](#debian-based)\n    - [RedHat Based](#redhat-based)\n  * [List out all of the active iptables rules with verbose](#list-out-all-of-the-active-iptables-rules-with-verbose)\n  * [List out all of the active iptables rules with numeric lines and verbose](#list-out-all-of-the-active-iptables-rules-with-numeric-lines-and-verbose)\n  * [Print out all of the active iptables rules](#print-out-all-of-the-active-iptables-rules)\n  * [List Rules as Tables for INPUT chain](#list-rules-as-tables-for-input-chain)\n  * [Print all of the rule specifications in the INPUT chain](#print-all-of-the-rule-specifications-in-the-input-chain)\n  * [Show Packet Counts and Aggregate 
Size](#show-packet-counts-and-aggregate-size)\n  * [To display INPUT or OUTPUT chain rules with numeric lines and verbose](#to-display-input-or-output-chain-rules-with-numeric-lines-and-verbose)\n  * [Delete Rule by Chain and Number](#delete-rule-by-chain-and-number)\n  * [Delete Rule by Specification](#delete-rule-by-specification)\n  * [Flush All Rules, Delete All Chains, and Accept All](#flush-all-rules-delete-all-chains-and-accept-all)\n  * [Flush All Chains](#flush-all-chains)\n  * [Flush a Single Chain](#flush-a-single-chain)\n  * [Insert Firewall Rules](#insert-firewall-rules)\n  * [Allow Loopback Connections](#allow-loopback-connections)\n  * [Allow Established and Related Incoming Connections](#allow-established-and-related-incoming-connections)\n  * [Allow Established Outgoing Connections](#allow-established-outgoing-connections)\n  * [Internal to External](#internal-to-external)\n  * [Drop Invalid Packets](#drop-invalid-packets)\n  * [Block an IP Address](#block-an-ip-address)\n  * [Block and IP Address and Reject](#block-and-ip-address-and-reject)\n  * [Block Connections to a Network Interface](#block-connections-to-a-network-interface)\n  * [Allow All Incoming SSH](#allow-all-incoming-ssh)\n  * [Allow Incoming SSH from Specific IP address or subnet](#allow-incoming-ssh-from-specific-ip-address-or-subnet)\n  * [Allow Outgoing SSH](#allow-outgoing-ssh)\n  * [Allow Incoming Rsync from Specific IP Address or Subnet](#allow-incoming-rsync-from-specific-ip-address-or-subnet)\n  * [Allow All Incoming HTTP](#allow-all-incoming-http)\n  * [Allow All Incoming HTTPS](#allow-all-incoming-https)\n  * [Allow All Incoming HTTP and HTTPS](#allow-all-incoming-http-and-https)\n  * [Allow MySQL from Specific IP Address or Subnet](#allow-mysql-from-specific-ip-address-or-subnet)\n  * [Allow MySQL to Specific Network Interface](#allow-mysql-to-specific-network-interface)\n  * [PostgreSQL from Specific IP Address or Subnet](#postgresql-from-specific-ip-address-or-subnet)\n  
* [Allow PostgreSQL to Specific Network Interface](#allow-postgresql-to-specific-network-interface)\n  * [Block Outgoing SMTP Mail](#block-outgoing-smtp-mail)\n  * [Allow All Incoming SMTP](#allow-all-incoming-smtp)\n  * [Allow All Incoming IMAP](#allow-all-incoming-imap)\n  * [Allow All Incoming IMAPS](#allow-all-incoming-imaps)\n  * [Allow All Incoming POP3](#allow-all-incoming-pop3)\n  * [Allow All Incoming POP3S](#allow-all-incoming-pop3s)\n  * [Drop Private Network Address On Public Interface](#drop-private-network-address-on-public-interface)\n  * [Drop All Outgoing to Facebook Networks](#drop-all-outgoing-to-facebook-networks)\n  * [Log and Drop Packets](#log-and-drop-packets)\n  * [Log and Drop Packets with Limited Number of Log Entries](#log-and-drop-packets-with-limited-number-of-log-entries)\n  * [Drop or Accept Traffic From Mac Address](#drop-or-accept-traffic-from-mac-address)\n  * [Block or Allow ICMP Ping Request](#block-or-allow-icmp-ping-request)\n  * [Specifying Multiple Ports with `multiport`](#specifying-multiple-ports-with-multiport)\n  * [Load Balancing with `random*` or `nth*`](#load-balancing-with-random-or-nth)\n  * [Restricting the Number of Connections with `limit` and `iplimit*`](#restricting-the-number-of-connections-with-limit-and-iplimit)\n  * [Maintaining a List of recent Connections to Match Against](#maintaining-a-list-of-recent-connections-to-match-against)\n  * [Matching Against a `string*` in a Packet's Data Payload](#matching-against-a-string-in-a-packets-data-payload)\n  * [Time-based Rules with `time*`](#time-based-rules-with-time)\n  * [Packet Matching Based on TTL Values](#packet-matching-based-on-ttl-values)\n  * [Protection against port scanning](#protection-against-port-scanning)\n  * [SSH brute-force protection](#ssh-brute-force-protection)\n  * [Syn-flood protection](#syn-flood-protection)\n    - [Mitigating SYN Floods With SYNPROXY](#mitigating-syn-floods-with-synproxy)\n  * [Block New Packets That Are Not 
SYN](#block-new-packets-that-are-not-syn)\n  * [Force Fragments packets check](#force-fragments-packets-check)\n  * [XMAS packets](#xmas-packets)\n  * [Drop all NULL packets](#drop-all-null-packets)\n  * [Block Uncommon MSS Values](#block-uncommon-mss-values)\n  * [Block Packets With Bogus TCP Flags](#block-packets-with-bogus-tcp-flags)\n  * [Block Packets From Private Subnets (Spoofing)](#block-packets-from-private-subnets-spoofing)\n- [Advanced configuration examples](#advanced-configuration-examples)\n  * [Packet handling in Python using NFQUEUE target](#packet-handling-in-python-using-nfqueue-target)\n    - [ACCEPT all packets from specific source on (filter:INPUT) and DROP everything else](#accept-all-packets-from-specific-source-on-filterinput-and-drop-everything-else)\n    - [Write your own port knocking script to secure ssh access](#write-your-own-port-knocking-script-to-secure-ssh-access)\n\n****\n\n## Tools to help you configure Iptables\n\n\u003cp\u003e\n\u0026nbsp;\u0026nbsp;:small_orange_diamond: \u003ca href=\"http://shorewall.org/\"\u003e\u003cb\u003eShorewall\u003c/b\u003e\u003c/a\u003e - advanced gateway/firewall configuration tool for GNU/Linux.\u003cbr\u003e\n\u0026nbsp;\u0026nbsp;:small_orange_diamond: \u003ca href=\"https://firewalld.org/\"\u003e\u003cb\u003eFirewalld\u003c/b\u003e\u003c/a\u003e - provides a dynamically managed firewall.\u003cbr\u003e\n\u0026nbsp;\u0026nbsp;:small_orange_diamond: \u003ca href=\"https://wiki.ubuntu.com/UncomplicatedFirewall\"\u003e\u003cb\u003eUFW\u003c/b\u003e\u003c/a\u003e - default firewall configuration tool for Ubuntu.\u003cbr\u003e\n\u0026nbsp;\u0026nbsp;:small_orange_diamond: \u003ca href=\"https://github.com/firehol/firehol\"\u003e\u003cb\u003eFireHOL\u003c/b\u003e\u003c/a\u003e - offer simple and powerful configuration for all Linux firewall and traffic shaping requirements.\u003cbr\u003e\n\u003c/p\u003e\n\n## Manuals/Howtos/Tutorials\n\n\u003cp\u003e\n\u0026nbsp;\u0026nbsp;:small_orange_diamond: 
\u003ca href=\"https://major.io/2010/04/12/best-practices-iptables/\"\u003e\u003cb\u003eBest practices: iptables - by Major Hayden\u003c/b\u003e\u003c/a\u003e\u003cbr\u003e\n\u0026nbsp;\u0026nbsp;:small_orange_diamond: \u003ca href=\"https://www.booleanworld.com/depth-guide-iptables-linux-firewall/\"\u003e\u003cb\u003eAn In-Depth Guide to Iptables, the Linux Firewall\u003c/b\u003e\u003c/a\u003e\u003cbr\u003e\n\u0026nbsp;\u0026nbsp;:small_orange_diamond: \u003ca href=\"https://linuxgazette.net/108/odonovan.html\"\u003e\u003cb\u003eAdvanced Features of netfilter/iptables\u003c/b\u003e\u003c/a\u003e\u003cbr\u003e\n\u0026nbsp;\u0026nbsp;:small_orange_diamond: \u003ca href=\"http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables\"\u003e\u003cb\u003eLinux Firewalls Using iptables\u003c/b\u003e\u003c/a\u003e\u003cbr\u003e\n\u0026nbsp;\u0026nbsp;:small_orange_diamond: \u003ca href=\"https://serverfault.com/questions/696182/debugging-iptables-and-common-firewall-pitfalls\"\u003e\u003cb\u003eDebugging iptables and common firewall pitfalls?\u003c/b\u003e\u003c/a\u003e\u003cbr\u003e\n\u0026nbsp;\u0026nbsp;:small_orange_diamond: \u003ca href=\"https://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-4.html\"\u003e\u003cb\u003eNetfilter Hacking HOWTO\u003c/b\u003e\u003c/a\u003e\u003cbr\u003e\n\u0026nbsp;\u0026nbsp;:small_orange_diamond: \u003ca href=\"https://making.pusher.com/per-ip-rate-limiting-with-iptables/\"\u003e\u003cb\u003ePer-IP rate limiting with iptables\u003c/b\u003e\u003c/a\u003e\u003cbr\u003e\n\u003c/p\u003e\n\n## Useful Kernel Settings (sysctl) Configuration\n\n##### rp_filter\n\n  \u003e _Disable routing triangulation. Respond to queries out the same interface, not another. 
Also protects against IP spoofing._\n\n```bash\ncat \u003c\u003c EOF \u003e\u003e /etc/sysctl.d/40-custom.conf\nnet/ipv4/conf/all/rp_filter = 1\nEOF\n```\n\n- [rp_filter and LPIC-3 Linux Security](https://www.theurbanpenguin.com/rp_filter-and-lpic-3-linux-security/)\n- [Linux kernel rp_filter settings (Reverse path filtering)](https://www.slashroot.in/linux-kernel-rpfilter-settings-reverse-path-filtering)\n- [Reverse Path Filtering](http://tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.kernel.rpf.html)\n\n##### log_martians\n\n  \u003e _Enable logging of packets with malformed IP addresses._\n\n```bash\ncat \u003c\u003c EOF \u003e\u003e /etc/sysctl.d/40-custom.conf\nnet/ipv4/conf/all/log_martians = 1\nEOF\n```\n\n- [What is the usefulness of logging of martians packet?](https://serverfault.com/questions/570980/what-is-the-usefulness-of-logging-of-martians-packet-e-g-net-ipv4-conf-all-lo)\n\n##### send_redirects\n\n  \u003e _Disables sending of all IPv4 ICMP redirected packets on all interfaces._\n\n```bash\ncat \u003c\u003c EOF \u003e\u003e /etc/sysctl.d/40-custom.conf\nnet/ipv4/conf/all/send_redirects = 0\nEOF\n```\n\n- [Disable source routing](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing)\n- [What are ICMP redirects and should they be blocked?](https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked)\n\n##### accept_source_route\n\n  \u003e _Disable source routed packets (packets with the Strict Source Route (SSR) or Loose Source Routing (LSR) option set)._\n\n```bash\ncat \u003c\u003c EOF \u003e\u003e /etc/sysctl.d/40-custom.conf\nnet/ipv4/conf/all/accept_source_route = 0\nEOF\n```\n\n- [Disable source routing](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing)\n- [The system must not accept IPv4 source-routed packets by 
default.](https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2017-12-08/finding/V-38529)\n\n##### accept_redirects\n\n  \u003e _Disable acceptance of ICMP redirects._\n\n```bash\ncat \u003c\u003c EOF \u003e\u003e /etc/sysctl.d/40-custom.conf\nnet/ipv4/conf/all/accept_redirects = 0\nEOF\n```\n\n- [What are ICMP redirects and should they be blocked?](https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked)\n- [The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages.](https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2018-11-28/finding/V-73175)\n\n##### tcp_syncookies\n\n  \u003e _Turn on SYN-flood protections (protection from Denial of Service (DOS) attacks)._\n\n```bash\ncat \u003c\u003c EOF \u003e\u003e /etc/sysctl.d/40-custom.conf\nnet/ipv4/tcp_syncookies = 1\nEOF\n```\n\n- [Hardening your TCP/IP Stack Against SYN Floods](https://www.ndchost.com/wiki/server-administration/hardening-tcpip-syn-flood)\n- [Linux: Turn On TCP SYN Cookie Protection](https://www.cyberciti.biz/faq/enable-tcp-syn-cookie-protection/)\n- [Better alternative for tcp_syncookies in Linux](https://serverfault.com/questions/705504/better-alternative-for-tcp-syncookies-in-linux)\n\n##### icmp_echo_ignore_broadcasts\n\n  \u003e _Disable responding to ping broadcasts._\n\n```bash\ncat \u003c\u003c EOF \u003e\u003e /etc/sysctl.d/40-custom.conf\nnet/ipv4/icmp_echo_ignore_broadcasts = 1\nEOF\n```\n\n- [What is ICMP broadcast good for?](https://superuser.com/questions/306065/what-is-icmp-broadcast-good-for)\n- [The system must not respond to ICMPv4 sent to a broadcast address.](https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2018-11-28/finding/V-38535)\n\n##### ip_forward\n\n  \u003e _Enable IP routing. 
Required if your firewall is protecting a network, NAT included._\n\n```bash\ncat \u003c\u003c EOF \u003e\u003e /etc/sysctl.d/40-custom.conf\nnet/ipv4/ip_forward = 1\nEOF\n```\n\n- [Introduction to routers](http://linux-training.be/security/ch10.html)\n- [How to Enable IP Forwarding in Linux](http://www.ducea.com/2006/08/01/how-to-enable-ip-forwarding-in-linux/)\n- [What is kernel ip forwarding?](https://unix.stackexchange.com/questions/14056/what-is-kernel-ip-forwarding)\n\n## How it works?\n\n\u003cp align=\"center\"\u003e\n    \u003cimg src=\"https://github.com/trimstray/iptables-essentials/blob/master/static/img/iptables-packet-flow-ng.png\"\n        alt=\"Master\"\u003e\n\u003c/p\u003e\n\n## Iptables Rules\n\n#### Saving Rules\n\n###### Debian Based\n\n```bash\nnetfilter-persistent save\n```\n\n###### RedHat Based\n\n```bash\nservice iptables save\n```\n\n#### List out all of the active iptables rules with verbose\n\n```bash\niptables -n -L -v\n```\n\n#### List out all of the active iptables rules with numeric lines and verbose\n\n```bash\niptables -n -L -v --line-numbers\n```\n\n#### Print out all of the active iptables rules\n\n```bash\niptables -S\n```\n\n#### List Rules as Tables for INPUT chain\n\n```bash\niptables -L INPUT\n```\n\n#### Print all of the rule specifications in the INPUT chain\n\n```bash\niptables -S INPUT\n```\n\n#### Show Packet Counts and Aggregate Size\n\n```bash\niptables -L INPUT -v\n```\n\n#### To display INPUT or OUTPUT chain rules with numeric lines and verbose\n\n```bash\niptables -L INPUT -n -v\niptables -L OUTPUT -n -v --line-numbers\n```\n\n#### Delete Rule by Chain and Number\n\n```bash\niptables -D INPUT 10\n```\n\n#### Delete Rule by Specification\n\n```bash\niptables -D INPUT -m conntrack --ctstate INVALID -j DROP\n```\n\n#### Flush All Rules, Delete All Chains, and Accept All\n\n```bash\niptables -P INPUT ACCEPT\niptables -P FORWARD ACCEPT\niptables -P OUTPUT ACCEPT\n\niptables -t nat -F\niptables -t mangle -F\niptables 
-F\niptables -X\n```\n\n#### Flush All Chains\n\n```bash\niptables -F\n```\n\n#### Flush a Single Chain\n\n```bash\niptables -F INPUT\n```\n\n#### Insert Firewall Rules\n\n```bash\niptables -I INPUT 2 -s 202.54.1.2 -j DROP\n```\n\n#### Allow Loopback Connections\n\n```bash\niptables -A INPUT -i lo -j ACCEPT\niptables -A OUTPUT -o lo -j ACCEPT\n```\n\n#### Allow Established and Related Incoming Connections\n\n```bash\niptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n```\n\n#### Allow Established Outgoing Connections\n\n```bash\niptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Internal to External\n\n```bash\niptables -A FORWARD -i eth1 -o eth0 -j ACCEPT\n```\n\n#### Drop Invalid Packets\n\n```bash\niptables -A INPUT -m conntrack --ctstate INVALID -j DROP\n```\n\n#### Block an IP Address\n\n```bash\niptables -A INPUT -s 192.168.252.10 -j DROP\n```\n\n#### Block and IP Address and Reject\n\n```bash\niptables -A INPUT -s 192.168.252.10 -j REJECT\n```\n\n#### Block Connections to a Network Interface\n\n```bash\niptables -A INPUT -i eth0 -s 192.168.252.10 -j DROP\n```\n\n#### Allow All Incoming SSH\n\n```bash\niptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow Incoming SSH from Specific IP address or subnet\n\n```bash\niptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow Outgoing SSH\n\n```bash\niptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow Incoming Rsync from Specific IP Address or Subnet\n\n```bash\niptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j 
ACCEPT\niptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow All Incoming HTTP\n\n```bash\niptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow All Incoming HTTPS\n\n```bash\niptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow All Incoming HTTP and HTTPS\n\n```bash\niptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow MySQL from Specific IP Address or Subnet\n\n```bash\niptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow MySQL to Specific Network Interface\n\n```bash\niptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### PostgreSQL from Specific IP Address or Subnet\n\n```bash\niptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow PostgreSQL to Specific Network Interface\n\n```bash\niptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Block Outgoing SMTP Mail\n\n```bash\niptables -A OUTPUT -p tcp --dport 25 -j REJECT\n```\n\n#### Allow All Incoming SMTP\n\n```bash\niptables -A INPUT -p 
tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow All Incoming IMAP\n\n```bash\niptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow All Incoming IMAPS\n\n```bash\niptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow All Incoming POP3\n\n```bash\niptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Allow All Incoming POP3S\n\n```bash\niptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT\niptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT\n```\n\n#### Drop Private Network Address On Public Interface\n\n```bash\niptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP\niptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP\n```\n\n#### Drop All Outgoing to Facebook Networks\n\nGet Facebook AS:\n\n```bash\nwhois -h v4.whois.cymru.com \" -v $(host facebook.com | grep \"has address\" | cut -d \" \" -f4)\" | tail -n1 | awk '{print $1}'\n```\n\nDrop:\n\n```bash\nfor i in $(whois -h whois.radb.net -- '-i origin AS32934' | grep \"^route:\" | cut -d \":\" -f2 | sed -e 's/^[ \\t]*//' | sort -n -t . 
-k 1,1 -k 2,2 -k 3,3 -k 4,4) ; do\n\n  iptables -A OUTPUT -d \"$i\" -j REJECT\n\ndone\n```\n\n#### Log and Drop Packets\n\n```bash\niptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix \"IP_SPOOF A: \"\niptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP\n```\n\nBy default everything is logged to the `/var/log/messages` file:\n\n```bash\ntail -f /var/log/messages\ngrep --color 'IP_SPOOF' /var/log/messages\n```\n\n#### Log and Drop Packets with Limited Number of Log Entries\n\n```bash\niptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix \"IP_SPOOF A: \"\niptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP\n```\n\n#### Drop or Accept Traffic From Mac Address\n\n```bash\niptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP\niptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT\n```\n\n#### Block or Allow ICMP Ping Request\n\n```bash\niptables -A INPUT -p icmp --icmp-type echo-request -j DROP\niptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP\n```\n\n#### Specifying Multiple Ports with `multiport`\n\n```bash\niptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT\n```\n\n#### Load Balancing with `random*` or `nth*`\n\n```bash\n_ips=(\"172.31.250.10\" \"172.31.250.11\" \"172.31.250.12\" \"172.31.250.13\")\n\n# round-robin: rule i matches every 4th new connection with offset i (shared counter 0)\nfor i in \"${!_ips[@]}\" ; do\n  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every 4 --packet \"$i\" \\\n    -j DNAT --to-destination \"${_ips[$i]}:80\"\ndone\n```\n\nor\n\n```bash\n_ips=(\"172.31.250.10\" \"172.31.250.11\" \"172.31.250.12\" \"172.31.250.13\")\n\nfor ip in \"${_ips[@]}\" ; do\n  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \\\n    -j DNAT --to-destination \"${ip}:80\"\ndone\n```\n\n#### Restricting the Number of Connections with `limit` and `iplimit*`\n\n```bash\niptables -A FORWARD 
-m state --state NEW -p tcp -m multiport --dport http,https -o eth0 -i eth1 \\\n    -m limit --limit 20/hour --limit-burst 5 -j ACCEPT\n```\n\nor\n\n```bash\niptables -A INPUT -p tcp -m state --state NEW --dport http -m iplimit --iplimit-above 5 -j DROP\n```\n\n#### Maintaining a List of recent Connections to Match Against\n\n```bash\niptables -A FORWARD -m recent --name portscan --rcheck --seconds 100 -j DROP\niptables -A FORWARD -p tcp -i eth0 --dport 443 -m recent --name portscan --set -j DROP\n```\n\n#### Matching Against a `string*` in a Packet's Data Payload\n\n```bash\niptables -A FORWARD -m string --string '.com' -j DROP\niptables -A FORWARD -m string --string '.exe' -j DROP\n```\n\n#### Time-based Rules with `time*`\n\n```bash\niptables -A FORWARD -p tcp -m multiport --dport http,https -o eth0 -i eth1 \\\n    -m time --timestart 21:30 --timestop 22:30 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT\n```\n\n#### Packet Matching Based on TTL Values\n\n```bash\niptables -A INPUT -s 1.2.3.4 -m ttl --ttl-lt 40 -j REJECT\n```\n\n#### Protection against port scanning\n\n```bash\niptables -N port-scanning\niptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN\niptables -A port-scanning -j DROP\n```\n\n#### SSH brute-force protection\n\n```bash\niptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set\niptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP\n```\n\n#### Syn-flood protection\n\n```bash\niptables -N syn_flood\n\niptables -A INPUT -p tcp --syn -j syn_flood\niptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN\niptables -A syn_flood -j DROP\n\niptables -A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT\n\niptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:\niptables -A INPUT -p icmp -j DROP\n\niptables -A OUTPUT -p icmp -j ACCEPT\n```\n\n##### 
Mitigating SYN Floods With SYNPROXY\n\n```bash\niptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack\niptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460\niptables -A INPUT -m conntrack --ctstate INVALID -j DROP\n```\n\n#### Block New Packets That Are Not SYN\n\n```bash\niptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP\n```\n\nor\n\n```bash\niptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP\n```\n\n#### Force Fragments packets check\n\n```bash\niptables -A INPUT -f -j DROP\n```\n\n#### XMAS packets\n\n```bash\niptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP\n```\n\n#### Drop all NULL packets\n\n```bash\niptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP\n```\n\n#### Block Uncommon MSS Values\n\n```bash\niptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP\n```\n\n#### Block Packets With Bogus TCP Flags\n\n```bash\niptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP\niptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL 
SYN,RST,ACK,FIN,URG -j DROP\n```\n\n#### Block Packets From Private Subnets (Spoofing)\n\n```bash\n_subnets=(\"224.0.0.0/3\" \"169.254.0.0/16\" \"172.16.0.0/12\" \"192.0.2.0/24\" \"192.168.0.0/16\" \"10.0.0.0/8\" \"0.0.0.0/8\" \"240.0.0.0/5\")\n\nfor _sub in \"${_subnets[@]}\" ; do\n  iptables -t mangle -A PREROUTING -s \"$_sub\" -j DROP\ndone\niptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP\n```\n\n## Advanced configuration examples\n\n### Packet handling in Python using NFQUEUE target\n\n  \u003e _This target passes the packet to userspace using the nfnetlink_queue handler. The packet is put into the queue identified by its 16-bit queue number. Userspace can inspect and modify the packet if desired. Userspace must then drop or reinject the packet into the kernel._\n\n#### ACCEPT all packets from specific source on (filter:INPUT) and DROP everything else\n\n  \u003e _This rule forwards all filter:INPUT packets to queue 1 with NFQUEUE target._\n\n```bash\niptables -A INPUT -j NFQUEUE --queue-num 1\n```\n\n  \u003e _Script to bind to netfilter queue 1 and handle packets._\n  \n```python\n#!/usr/bin/python3\n\nfrom netfilterqueue import NetfilterQueue\nfrom scapy.layers.inet import IP\n\ndef packetanalyzer(pkt):\n    # parse the raw IP packet handed over by the NFQUEUE target\n    ip=IP(pkt.get_payload())\n    if(ip.src==\"192.168.122.1\"):\n        print(f\"New packet from {ip.src}\")\n        pkt.accept()\n    else:\n        # every queued packet needs a verdict, otherwise it stays in the queue\n        pkt.drop()\n\nnfqueue=NetfilterQueue()\nnfqueue.bind(1, packetanalyzer)\nnfqueue.run()\n```\n\n#### Write your own port knocking script to secure ssh access\n\n  \u003e _DROP all ssh requests and send secret port requests to user-space with NFQUEUE target._\n\n```bash\niptables -t filter -I INPUT -p tcp --dport 22 -j DROP\niptables -t raw -I PREROUTING -p tcp --sport 65534 --dport 65535 -j NFQUEUE --queue-num 1\n```\n\n  \u003e _This script captures packets from netfilter queue 1, checks SOURCEPORT and SECRETPORT for port knocking and allows the source to connect to ssh for EXPIRETIME (default 30 minutes)._\n  
\n```python\n#!/usr/bin/python3\n\nfrom os import system\nfrom netfilterqueue import NetfilterQueue\nfrom scapy.layers.inet import IP\nfrom time import time\n\nSOURCEPORT=65534\nSECRETPORT=65535\nEXPIRETIME=30\nALLOWED={}\n\ndef portknocking(pkt):\n    packet=IP(pkt.get_payload())\n    currtime=time()\n    # forget knocks older than EXPIRETIME minutes so the host may knock again\n    for item in list(ALLOWED):\n        if(currtime-ALLOWED[item] \u003e= EXPIRETIME*60):\n            del ALLOWED[item]\n    if(packet.sport==SOURCEPORT and packet.dport==SECRETPORT and packet.src not in ALLOWED):\n        print(f\"Port {packet.dport} knocked by {packet.src}:{packet.sport}\")\n        system(f\"iptables -I INPUT -p tcp --dport 22 -s {packet.src} -j ACCEPT\")\n        system(f\"echo 'iptables -D INPUT -p tcp --dport 22 -s {packet.src} -j ACCEPT' | at now + {EXPIRETIME} minutes\")\n        ALLOWED[packet.src]=currtime\n    # the knock packet itself is never delivered: every queued packet needs a verdict\n    pkt.drop()\n\nnfqueue=NetfilterQueue()\nnfqueue.bind(1, portknocking)\n\ntry:\n    nfqueue.run()\nexcept KeyboardInterrupt:\n    print(\"\\nExit with Keyboard Interrupt\")\n```\n\n  \u003e _To knock on the port and allow ssh connections from your computer, just execute this command:_\n\n```bash\nnc -p 65534 SERVER 65535\n```\n","funding_links":[],"categories":["Others","\u003ca id=\"946d766c6a0fb23b480ff59d4029ec71\"\u003e\u003c/a\u003e防护\u0026\u0026Defense","Uncategorized","Security","Others (1002)","others","Network Devices","\u003ca id=\"0abd611fc3e9a4d9744865ca6e47a6b2\"\u003e\u003c/a\u003e工具","\u003ca id=\"8c5a692b5d26527ef346687e047c5c21\"\u003e\u003c/a\u003e收集","Hardening"],"sub_categories":["\u003ca 
id=\"ce6532938f729d4c9d66a5c75d1676d3\"\u003e\u003c/a\u003e防火墙\u0026\u0026FireWall","Uncategorized","Hardening","Firewalls","Ghidra"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrimstray%2Fiptables-essentials","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrimstray%2Fiptables-essentials","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrimstray%2Fiptables-essentials/lists"}