IP-Tables

SLES

Step 1: Set the iptables rules:

/usr/sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
/usr/sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080
/usr/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443
/usr/sbin/iptables -A OUTPUT -d 172.16.123.23/32 -j REJECT --reject-with icmp-port-unreachable
/usr/sbin/iptables -A OUTPUT -d 172.16.123.141/32 -j REJECT --reject-with icmp-port-unreachable
/usr/sbin/iptables -A OUTPUT -d 172.16.123.22/32 -j REJECT --reject-with icmp-port-unreachable

Step 2: Save the iptables rules to a file

iptables-save > /etc/iptables_custom.conf

Step 3: Create a script that restores the saved rules when an interface comes up

echo '#!/bin/sh' > /etc/sysconfig/network/if-up.d/iptables
echo 'echo "IPTABLES will be started"' >> /etc/sysconfig/network/if-up.d/iptables
echo "iptables-restore < /etc/iptables_custom.conf" >> /etc/sysconfig/network/if-up.d/iptables

Step 4: Make the start script executable

chmod +x /etc/sysconfig/network/if-up.d/iptables

Step 5: Check the rules after a reboot

iptables --list

or

iptables -L -n

To show all rules in iptables-save format, run

iptables-save

or, to show the NAT rules with packet and byte counters:

iptables -t nat -L -vn
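The Step 5 check above is done by eye. The helper below is an added example, not part of this wiki: it compares an iptables-save dump against the rules from Step 1 and lists anything that is missing, so the post-reboot check can be scripted or run from monitoring. The dump embedded in it is constructed; it follows the form iptables-save actually emits (a rule entered as “-p tcp --destination-port 80” comes back as “-p tcp -m tcp --dport 80”). On a real host pass the live output in with verify_dump "$(iptables-save)" as root. Before wiring /etc/iptables_custom.conf into the if-up.d script, “iptables-restore --test < /etc/iptables_custom.conf” confirms that the saved file parses without applying it.

```shell
#!/bin/sh
# Added example: check that a saved or live iptables dump contains the Step 1 rules.

# Expected rules as "table|rule" in iptables-save syntax (constructed from Step 1).
EXPECTED='filter|-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
filter|-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
nat|-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
nat|-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
filter|-A OUTPUT -d 172.16.123.23/32 -j REJECT --reject-with icmp-port-unreachable
filter|-A OUTPUT -d 172.16.123.141/32 -j REJECT --reject-with icmp-port-unreachable
filter|-A OUTPUT -d 172.16.123.22/32 -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample dump standing in for "iptables-save" output after a reboot.
SAVED_OK='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -d 172.16.123.23/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 172.16.123.141/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 172.16.123.22/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# The same dump with the FORWARD/443 rule removed, to show a failing check.
SAVED_MISSING=$(printf '%s\n' "$SAVED_OK" | grep -v -- '--dport 443 -j ACCEPT')

# has_rule DUMP TABLE RULE: true when RULE appears inside the *TABLE section of DUMP.
has_rule() {
  printf '%s\n' "$1" | awk -v table="*$2" -v rule="$3" '
    /^\*/                      { cur = $0 }     # a "*nat" or "*filter" line opens a section
    cur == table && $0 == rule { found = 1 }
    END                        { if (found) exit 0; exit 1 }'
}

# missing_rules DUMP: print every expected rule that DUMP lacks, as "table: rule".
missing_rules() {
  dump=$1
  printf '%s\n' "$EXPECTED" | while IFS='|' read -r table rule; do
    has_rule "$dump" "$table" "$rule" || printf '%s: %s\n' "$table" "$rule"
  done
}

# verify_dump DUMP: succeed only when no expected rule is missing.
verify_dump() {
  [ -z "$(missing_rules "$1")" ]
}

# Demonstration on the constructed dumps (on a real host: verify_dump "$(iptables-save)").
verify_dump "$SAVED_OK" && echo "first sample: all Step 1 rules present"
echo "rules missing from the second sample:"
missing_rules "$SAVED_MISSING"
```

The comparison is on whole lines, so a rule that was entered with different option spelling or extra matches shows up as missing; that is intended, since the point of the check is that exactly the saved ruleset came back.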

Systemd

Create an executable script (e.g. “chmod 750 /sbin/iptables.sh”) with the following content:

iptables.sh
#!/bin/bash
# Configure iptables

# Limit PATH
PATH="/sbin:/usr/sbin:/bin:/usr/bin"

# iptables configuration
firewall_start() {
  # Define rules
  /usr/sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
  /usr/sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
  /usr/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080
  /usr/sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443
}

# clear iptables configuration: open policies, flush every table, drop user chains
firewall_stop() {
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -t nat -F
  iptables -t mangle -F
  iptables -F
  iptables -X
}

# execute action
case "$1" in
  start|restart)
    echo "Starting firewall"
    firewall_stop
    firewall_start
    ;;
  stop)
    echo "Stopping firewall"
    firewall_stop
    ;;
  *)
    echo "Usage: $0 {start|stop|restart}" >&2
    exit 1
    ;;
esac

Create the unit file:

cat << EOF | sudo tee /etc/systemd/system/iptables.service
[Unit]
Description=iptables service
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables.sh start
RemainAfterExit=true
ExecStop=/sbin/iptables.sh stop
StandardOutput=journal

[Install]
WantedBy=multi-user.target
EOF

Reload systemd so it picks up the new unit:

systemctl daemon-reload

Usage:

systemctl start iptables.service
systemctl stop iptables.service
systemctl status iptables.service
systemctl is-enabled iptables.service      # check whether it is started at boot
systemctl enable iptables.service          # start it at boot

Delete all iptables rules

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X

To delete or add rules manually, dump the current rules to a file:

iptables-save > somefile

Edit the file with your favourite text editor, such as vi, then load it again with

iptables-restore < somefile

Delete Single Rules

Execute:

  iptables -L INPUT --line-numbers
  iptables -L FORWARD --line-numbers
  iptables -L OUTPUT --line-numbers
  

Output example:

root@rasp:~# iptables -L FORWARD --line-numbers
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere

To delete rule 1 run:

iptables -D FORWARD 1
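Rule numbers shift as soon as a rule is removed: after “iptables -D FORWARD 1” the former rule 2 becomes rule 1, so deleting several numbered rules from the top down removes the wrong ones. The helper below is an added example, not part of this wiki: it takes an “iptables -L CHAIN --line-numbers” listing, selects the rules whose line matches a pattern and prints the -D commands with the highest number first, so they stay valid while they are executed. The listing embedded in it is the FORWARD output shown above. Where the exact rule is known, “iptables -D FORWARD -p tcp --dport 80 -j ACCEPT” with the full rule specification avoids numbering altogether.

```shell
#!/bin/sh
# Added example: pick rule numbers from an "iptables -L CHAIN --line-numbers" listing.

# Constructed listing: the FORWARD chain output shown on this page.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere'

# rule_numbers LISTING PATTERN: numbers of the rules whose line matches PATTERN
# (an awk regular expression), highest first, space separated.
# Header lines are skipped because their first field is not a number.
rule_numbers() {
  printf '%s\n' "$1" | awk -v pat="$2" '
    $1 ~ /^[0-9]+$/ && $0 ~ pat { print $1 }' | sort -rn | xargs
}

# delete_commands CHAIN LISTING PATTERN: print (do not run) the matching -D commands
# in descending order, so earlier deletions do not renumber later targets.
delete_commands() {
  chain=$1
  for n in $(rule_numbers "$2" "$3"); do
    printf 'iptables -D %s %s\n' "$chain" "$n"
  done
}

# Demonstration on the constructed listing. On a live host (as root):
#   delete_commands FORWARD "$(iptables -L FORWARD --line-numbers)" 'PATTERN'
echo "rule keeping established flows: $(rule_numbers "$SAMPLE_FORWARD" 'RELATED,ESTABLISHED')"
echo "commands to remove every ACCEPT rule, safe order:"
delete_commands FORWARD "$SAMPLE_FORWARD" 'ACCEPT'
```

Review the printed commands before running them; the pattern is matched against the whole line, so a broad pattern such as ACCEPT selects every rule in the chain, as the demonstration shows.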

Forwarding

To forward incoming traffic to another IP address:

First check whether forwarding is enabled: “cat /proc/sys/net/ipv4/ip_forward”

If it prints “0”, forwarding is disabled. To enable it, run

echo "1" > /proc/sys/net/ipv4/ip_forward

or

sysctl net.ipv4.ip_forward=1

Check again with “cat /proc/sys/net/ipv4/ip_forward”; it should now print “1”.

Afterwards you can set your rules, e.g.:

iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 192.168.1.30:22
iptables -t nat -A POSTROUTING -j MASQUERADE

To forward to an IP range:

iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 192.168.1.100-192.168.1.200:1111
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.100-192.168.1.200

To forward a port range:

iptables -t nat -A PREROUTING -p tcp --dport 1024:65000 -j DNAT --to-destination 192.168.1.30:1024-65000
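Two points a practitioner would check on the forwarding setup above: the “-A POSTROUTING -j MASQUERADE” rule rewrites the source address of every packet the host forwards, not only the traffic going to 192.168.1.30, and both ways of setting ip_forward are lost at reboot (a line “net.ipv4.ip_forward = 1” in a file under /etc/sysctl.d/ makes it permanent). The script below is an added example, not part of this wiki: it tests the forwarding toggle and generates a *nat section in iptables-restore format from a small table of forwards, with each DNAT bound to the incoming interface and the masquerade limited to the outgoing interface, backend address and backend port. The interface names eth0 (outside) and eth1 (inside) and the forwarding table are constructed; the generated text can be checked without applying it via “iptables-restore --test”.

```shell
#!/bin/sh
# Added example: forwarding toggle check plus a narrowly scoped DNAT/MASQUERADE generator.

# ip_forward_enabled [FILE]: true when the kernel toggle reads 1.
# FILE defaults to the real sysctl path; a test can point it at a temporary file.
ip_forward_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Constructed forwarding table: "public_port backend_ip backend_port", one per line.
FORWARDS='22 192.168.1.30 22
8080 192.168.1.40 80'

# nat_rules WAN_IF LAN_IF FORWARDS: print a *nat section for iptables-restore.
# Every forward gets a DNAT rule on WAN_IF and a MASQUERADE rule that only fires for
# packets leaving LAN_IF towards that backend address and port, instead of
# masquerading everything the host forwards.
nat_rules() {
  wan=$1
  lan=$2
  printf '*nat\n:PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
  printf '%s\n' "$3" | while read -r pport ip bport; do
    [ -n "$bport" ] || continue        # skip blank or incomplete lines
    printf '%s\n' "-A PREROUTING -i $wan -p tcp --dport $pport -j DNAT --to-destination $ip:$bport"
  done
  printf '%s\n' "$3" | while read -r pport ip bport; do
    [ -n "$bport" ] || continue
    printf '%s\n' "-A POSTROUTING -o $lan -d $ip/32 -p tcp --dport $bport -j MASQUERADE"
  done
  printf 'COMMIT\n'
}

# Demonstration. On a real router (as root) pipe the output into "iptables-restore --test"
# first, and into "iptables-restore" once it parses cleanly.
if ip_forward_enabled; then
  echo "ip_forward: enabled"
else
  echo "ip_forward: disabled or not readable on this host"
fi
nat_rules eth0 eth1 "$FORWARDS"
```

The DNAT rules still need matching FORWARD accepts in the filter table if the FORWARD policy is not ACCEPT; the generator only covers the nat table, which is what the section above configures.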

Commands

  iptables -vnL                            # show how many times each rule matched
  iptables -t filter -L FORWARD -nv        # show how many times each FORWARD rule matched
  iptables -t filter -L INPUT -nv
  iptables -t filter -L OUTPUT -nv
  iptables -L INPUT --line-numbers
  iptables -L FORWARD --line-numbers
  iptables -L OUTPUT --line-numbers

linux/iptables.txt · Last modified: 2019/04/24 11:08 by tmade
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International