Step 1: set the iptables rules:
# Step 1: load the rule set (run as root). Equivalent to the original seven
# commands, one per line; --dport is the short alias of --destination-port.
ipt=/usr/sbin/iptables

# Allow forwarded HTTP and HTTPS.
for port in 80 443; do
  "$ipt" -A FORWARD -p tcp --dport "$port" -j ACCEPT
done

# Transparently redirect incoming HTTP/HTTPS to ports 8080/8443 on this host.
"$ipt" -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
"$ipt" -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443

# Reject outbound traffic to these three hosts
# (icmp-port-unreachable is the default REJECT type for IPv4; spelled out as in the original).
for host in 172.16.123.23 172.16.123.141 172.16.123.22; do
  "$ipt" -A OUTPUT -d "$host/32" -j REJECT --reject-with icmp-port-unreachable
done
Step 2: save the iptables rules
# Step 2: persist the running rule set (all tables) so it can be restored at boot.
rules_file=/etc/iptables_custom.conf
iptables-save >"$rules_file"
Step 3: create a script that restores the saved iptables rules
# Step 3: write an if-up.d hook that restores the saved rule set.
# A quoted here-document produces exactly the same three lines as the
# original echo/>>/>> chain, without the nested-quote juggling.
cat >/etc/sysconfig/network/if-up.d/iptables <<'EOF'
#!/bin/sh
echo "IPTABLES will be started"
iptables-restore < /etc/iptables_custom.conf
EOF
Step 4: make the start script (init script) executable
# Step 4: the hook written in step 3 must be executable.
hook=/etc/sysconfig/network/if-up.d/iptables
chmod +x -- "$hook"
Step 5: check the rules after a reboot
# List the filter table (addresses and ports resolved to names).
iptables -L
or
# Same listing, numeric output (no DNS/service-name lookups).
iptables --list --numeric
To show all settings run
# Dump every table (filter, nat, mangle, ...) in iptables-restore format to stdout.
iptables-save
or to show NAT Rules
# List the nat table, verbose (packet/byte counters) and numeric.
iptables --table nat --list --verbose --numeric
Create an executable script (e.g. “chmod 750 /sbin/iptables.sh”) with the following content:
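#!/bin/bash
# Configure iptables.
#
# Usage: iptables.sh {start|stop|restart}
#   start/restart - clear the current rules, then load the rule set
#   stop          - clear all rules and set ACCEPT policies
#
# Intended to be driven by the iptables.service unit (ExecStart/ExecStop).

# Abort on the first failed iptables call: a half-loaded rule set must not be
# reported to systemd as a successful start.
set -e

# Limit PATH
PATH="/sbin:/usr/sbin:/bin:/usr/bin"

# Use one binary path consistently (the original mixed /usr/sbin/iptables and bare iptables).
IPT=/usr/sbin/iptables

# Load the rule set.
firewall_start() {
  # Allow forwarded HTTP and HTTPS.
  "$IPT" -A FORWARD -p tcp --destination-port 80 -j ACCEPT
  "$IPT" -A FORWARD -p tcp --destination-port 443 -j ACCEPT
  # Transparently redirect incoming HTTP/HTTPS to ports 8080/8443 on this host.
  "$IPT" -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080
  "$IPT" -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443
}

# Clear the iptables configuration: ACCEPT policies, every table flushed,
# user-defined chains deleted in every table (the original only ran -X on filter).
firewall_stop() {
  local table
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  for table in nat mangle filter; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
  done
}

# Execute action.
case "$1" in
  start|restart)
    echo "Starting firewall"
    # Always start from a clean state so a restart does not duplicate rules.
    firewall_stop
    firewall_start
    ;;
  stop)
    echo "Stopping firewall"
    firewall_stop
    ;;
  *)
    # An unknown or missing action previously exited 0 without doing anything;
    # report it and fail instead.
    printf 'Usage: %s {start|stop|restart}\n' "$0" >&2
    exit 2
    ;;
esac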
Create the systemd unit file:
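# systemd unit driving /sbin/iptables.sh.
# The original ordered the unit After=network.target, i.e. the rules were only
# loaded once the network was already up. A firewall unit should instead be
# pulled in before network-pre.target (systemd.special(7)), so the rules are in
# place before any interface comes up. The delimiter is quoted because nothing
# in the unit needs shell expansion.
sudo tee /etc/systemd/system/iptables.service <<'EOF'
[Unit]
Description=iptables service
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables.sh start
RemainAfterExit=true
ExecStop=/sbin/iptables.sh stop
StandardOutput=journal

[Install]
WantedBy=multi-user.target
EOF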
Reload systemd so it picks up the new unit:
# Re-read unit files; required after creating or editing /etc/systemd/system/iptables.service.
systemctl daemon-reload
Usage:
# Managing the unit.
unit=iptables.service
systemctl start "$unit"
systemctl stop "$unit"
systemctl status "$unit"
systemctl is-enabled "$unit"   # is the unit configured to start at boot?
systemctl enable "$unit"       # start the unit at boot
# Reset the firewall to a fully open state: ACCEPT policies on the filter
# chains, nat/mangle/filter flushed, then user-defined chains of the filter
# table deleted (as in the original, -X is only run against filter).
for chain in INPUT FORWARD OUTPUT; do
  iptables -P "$chain" ACCEPT
done
for table in nat mangle; do
  iptables -t "$table" -F
done
iptables -F
iptables -X
To delete or add rules manually:
# Dump the live rule set (all tables) to a file you can edit by hand.
iptables-save > somefile
Edit the file with your favourite text editor (e.g. vi), then
# Load the edited file. Each table contained in the file is flushed before its
# rules are loaded (use -n/--noflush to keep existing rules).
iptables-restore < somefile
To list the rules of each chain with their numbers, execute:
# List the three built-in filter chains with rule numbers (needed for -D <chain> <num>).
for chain in INPUT FORWARD OUTPUT; do
  iptables -L "$chain" --line-numbers
done
Output example:
root@rasp:~# iptables -L FORWARD --line-numbers
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     all  --  anywhere             anywhere
3    ACCEPT     all  --  anywhere             anywhere
To delete rule 1 run:
# Delete rule number 1 of the FORWARD chain. The remaining rules are
# renumbered afterwards, so re-list before deleting another one by number.
iptables --delete FORWARD 1
To forward incoming traffic to another IP:
First check whether forwarding is enabled: “cat /proc/sys/net/ipv4/ip_forward”
If it prints “0”, forwarding is disabled. To enable it, run
# Enable IPv4 forwarding at runtime (writes "1\n", same as echo "1").
# Takes effect immediately; it does not persist across a reboot on its own.
printf '1\n' >/proc/sys/net/ipv4/ip_forward
or
# Same runtime setting via sysctl; -w is what a key=value argument implies.
# Not persistent across a reboot on its own.
sysctl -w net.ipv4.ip_forward=1
Check again with “cat /proc/sys/net/ipv4/ip_forward”; it should now print “1”.
Afterwards you can set rules such as:
# Forward incoming TCP/22 to 192.168.1.30.
# No -i/-d match is given, so every TCP/22 connection arriving on any interface
# of this host is sent to 192.168.1.30 — including connections meant for this
# host's own SSH daemon.
iptables -t nat -A PREROUTING -p tcp --destination-port 22 \
  -j DNAT --to-destination 192.168.1.30:22

# Source-NAT the outgoing side. Without an -o/-s match this applies to all
# traffic traversing nat POSTROUTING, not only the forwarded SSH flow.
iptables -t nat -A POSTROUTING -j MASQUERADE
To forward to an IP range:
# Spread incoming TCP/1111 over 192.168.1.100–192.168.1.200 (DNAT accepts an
# address range), and SNAT the outgoing side with a source range. As with the
# single-host example, neither rule is restricted to an interface or source.
iptables -t nat -A PREROUTING -p tcp --destination-port 1111 \
  -j DNAT --to-destination 192.168.1.100-192.168.1.200:1111
iptables -t nat -A POSTROUTING \
  -j SNAT --to-source 192.168.1.100-192.168.1.200
To forward a port range:
# Forward TCP ports 1024–65000 to the same port range on 192.168.1.30.
# Note the two range syntaxes: "from:to" in the match, "from-to" in the target.
iptables -t nat -A PREROUTING -p tcp --destination-port 1024:65000 \
  -j DNAT --to-destination 192.168.1.30:1024-65000
# Show how many packets/bytes each rule has matched (-v adds the counters).
iptables -vnL

# Same per chain of the filter table.
for chain in FORWARD INPUT OUTPUT; do
  iptables -t filter -L "$chain" -nv
done

# Rule numbers, as needed for "iptables -D <chain> <num>".
for chain in INPUT FORWARD OUTPUT; do
  iptables -L "$chain" --line-numbers
done