-------------------------------------------------------------------------------
IPtable Notes...

  iptables        add and remove rules
  iptables-save   Dump the current iptable settings

NOTE "firewalld" is a configuration tool on top of iptables.
See https://antofthy.gitlab.io/info/apps/firewalld.txt

-------------------------------------------------------------------------------
Delete a specific rule from iptables

To delete a specific rule...

  # To get the rule number
  iptables -nL INPUT --line-numbers

  # list that rule to double check
  # The -S flag lists it as arguments to iptables (-A)
  iptables -S INPUT 8

  # delete that rule...
  iptables -D INPUT 8

  # Append rule to chain (get from /etc/sysconfig/iptables)
  iptables -A INPUT ....

  # Insert to chain at linenumber (before what is there)
  iptables -I INPUT 50 ...

  # delete a CHAIN
  iptables -X f2b-SSH

Note that using -S will output the exact 'iptables' command options needed
to re-add that rule (swap the -A for -D and you have the command to delete
it by specification rather than by number).

Rule numbers shift as soon as a rule is deleted or inserted, so re-list the
chain before deleting a second rule by number.

Clear old TESTING rules...

  iptables -F TESTING
  iptables -X TESTING

-X only succeeds on an empty user chain that no other chain still jumps to,
so delete any "-j TESTING" rules in INPUT (or wherever they are) first.

Clear all rules (policies go to ACCEPT first so the flush does not lock you
out of a remote host; user chains in the other tables need "-t nat -X" etc.)

  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT
  iptables -t nat -F
  iptables -t mangle -F
  iptables -F
  iptables -X

Check with (use IP & port numbers, instead of FQDN & Service Names)

  iptables -nvL

-------------------------------------------------------------------------------
Stop access (and log) specific port from a specific ip

  iptables -A INPUT -s 65.55.44.100 -p tcp \
           --destination-port 25 -j LOG --log-prefix "SMTP Drop: "
  iptables -A INPUT -s 65.55.44.100 -p tcp \
           --destination-port 25 -j DROP
  service iptables save

(The LOG target takes its text via --log-prefix; a bare string after -j LOG
is rejected as an unknown argument.  LOG is non-terminating, which is why the
matching DROP rule has to follow it.)

or you can use a subnet...

  -s 192.168.1.0/24

or everything not this subnet

  -s \! 132.234.0.0/16

  iptables -A INPUT -p TCP -d \! 132.234.0.0/16 --dport 25 -j REJECT

The backslash only stops the shell from interpreting the '!'.  Newer iptables
versions warn that this "intrapositioned" negation is deprecated and expect
the '!' before the option instead:  ! -s 132.234.0.0/16

Also see "sysprogs/linux_firewall.txt"

-------------------------------------------------------------------------------
Masquerade an Intranet (out connections only)

  iptables -t nat -A POSTROUTING -o em2 -j MASQUERADE

Where em2 is the interface for the external network
EG   em1 is intranet (LAN)
     em2 is internet (WAN)

For full routing you will need to also do...

  iptables -A FORWARD -i em2 -o em1 -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A FORWARD -i em1 -o em2 -j ACCEPT

but the FORWARD chain may already have a global ACCEPT policy, in which case
the above is not needed.  Either way the kernel must have forwarding enabled
(net.ipv4.ip_forward = 1) or nothing is routed at all.

-------------------------------------------------------------------------------
Port Knocking IP table rules

  # Netfilter/IPtables - example of multiple-port knocking
  # Note: Knock ports 100,200,300,400 to open SSH port for 5 seconds.
  # very simple means of achieving the port-knocking using iptables rules only.
  #
  # Needs the iptables "recent" module compiled/loaded into the kernel
  #
  # Example: knock TCP using 'telnet' program:
  # $> alias k='telnet ip_address_or_hostname'
  # $> k 100 ; k 200 ; k 300 ; k 400 ; ssh ip_address_or_hostname
  # Then press Ctrl-C 4 times. That's all. Enjoy.
  #
  # From http://www.debian-administration.org/articles/268

  HOST_IP="12.34.56.78"

  /sbin/iptables -N INTO-PHASE2
  /sbin/iptables -A INTO-PHASE2 -m recent --name PHASE1 --remove
  /sbin/iptables -A INTO-PHASE2 -m recent --name PHASE2 --set
  /sbin/iptables -A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: "

  /sbin/iptables -N INTO-PHASE3
  /sbin/iptables -A INTO-PHASE3 -m recent --name PHASE2 --remove
  /sbin/iptables -A INTO-PHASE3 -m recent --name PHASE3 --set
  /sbin/iptables -A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: "

  /sbin/iptables -N INTO-PHASE4
  /sbin/iptables -A INTO-PHASE4 -m recent --name PHASE3 --remove
  /sbin/iptables -A INTO-PHASE4 -m recent --name PHASE4 --set
  /sbin/iptables -A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: "

  /sbin/iptables -A INPUT -m recent --update --name PHASE1

  /sbin/iptables -A INPUT -p tcp --dport 100 -m recent --set --name PHASE1
  /sbin/iptables -A INPUT -p tcp --dport 200 -m recent --rcheck --name PHASE1 -j INTO-PHASE2
  /sbin/iptables -A INPUT -p tcp --dport 300 -m recent --rcheck --name PHASE2 -j INTO-PHASE3
  /sbin/iptables -A INPUT -p tcp --dport 400 -m recent --rcheck --name PHASE3 -j INTO-PHASE4

  /sbin/iptables -A INPUT -p tcp -s $HOST_IP --dport 22 -m recent --rcheck --seconds 5 --name PHASE4 -j ACCEPT

-------------------------------------------------------------------------------
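Added example for the "Delete a specific rule" and "Clear old TESTING rules" sections above (my own code, not part of these notes and not an iptables tool): a Python 3.8+ script that takes the text of `iptables -S` and turns it into the delete commands. It relies on two properties of -S output: rules are listed per chain in rule-number order, in the same "-A CHAIN ..." form iptables accepts, so swapping -A for -D yields an exact delete-by-specification command; and a user chain can only be removed with -X once it is empty and no other chain jumps (-j) or goes (-g) to it, so the referencing rules are generated first. The sample dump is constructed, the function names are mine, and the script only prints commands; it never runs iptables itself.

```python
"""Turn `iptables -S` output into the matching delete commands.

Added example (not from the notes).  Only generates the commands; review
them, then run them as root or feed them to a shell.
"""
import shlex

# Constructed sample of `iptables -S` output (not taken from a real host).
SAMPLE_DUMP = """
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N TESTING
-N f2b-SSH
-A INPUT -p tcp -m tcp --dport 22 -j f2b-SSH
-A INPUT -s 10.0.0.0/8 -j TESTING
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A TESTING -p tcp -m tcp --dport 8080 -j LOG --log-prefix "TESTING: "
-A TESTING -p tcp -m tcp --dport 8080 -j DROP
-A f2b-SSH -j RETURN
""".strip().splitlines()


def parse_dump(lines):
    """Split -S output into (policies, user_chains, rules in listing order)."""
    policies, chains, rules = {}, [], []
    for raw in lines:
        tok = shlex.split(raw)          # honours the quotes around --log-prefix
        if not tok:
            continue
        if tok[0] == "-P":              # built-in chain with its policy
            policies[tok[1]] = tok[2]
        elif tok[0] == "-N":            # user-defined chain
            chains.append(tok[1])
        elif tok[0] == "-A":
            target = None
            for i, t in enumerate(tok):
                if t in ("-j", "-g") and i + 1 < len(tok):
                    target = tok[i + 1]  # -g (goto) also references a chain
            rules.append({"chain": tok[1], "spec": tok[2:], "target": target})
    return policies, chains, rules


def chain_rules(lines, chain):
    """Rules of CHAIN; index 0 is rule number 1 of `iptables -nL --line-numbers`."""
    return [r for r in parse_dump(lines)[2] if r["chain"] == chain]


def rule_numbers(lines, chain, target):
    """Rule numbers within CHAIN whose target is TARGET."""
    return [i + 1 for i, r in enumerate(chain_rules(lines, chain))
            if r["target"] == target]


def delete_by_spec(lines, chain, number):
    """The `-D CHAIN <spec>` command for rule NUMBER of CHAIN.

    Deleting by specification is safer than `-D CHAIN NUMBER` when several
    rules go: numbers shift after each deletion, specifications do not.
    """
    if number < 1:
        raise ValueError("rule numbers start at 1")
    rule = chain_rules(lines, chain)[number - 1]
    return "iptables -D " + shlex.join([chain, *rule["spec"]])


def can_delete(lines, chain):
    """Only user chains (-N) can go; built-in chains (-P) cannot be removed."""
    policies, chains, _ = parse_dump(lines)
    return chain in chains and chain not in policies


def removal_commands(lines, chain):
    """Commands, in a safe order, to get rid of user chain CHAIN entirely."""
    if not can_delete(lines, chain):
        raise ValueError(f"{chain!r} is not a user-defined chain in this dump")
    cmds = []
    for r in parse_dump(lines)[2]:
        if r["chain"] != chain and r["target"] == chain:   # references elsewhere
            cmds.append("iptables -D " + shlex.join([r["chain"], *r["spec"]]))
    cmds.append(f"iptables -F {chain}")   # empty the chain
    cmds.append(f"iptables -X {chain}")   # now -X can succeed
    return cmds


if __name__ == "__main__":
    # Real use: `iptables -S | python3 this.py` with
    # lines = sys.stdin.read().splitlines(); the constructed dump is used here.
    for cmd in removal_commands(SAMPLE_DUMP, "TESTING"):
        print(cmd)
```

On the sample dump this prints the -D for the INPUT rule that jumps to TESTING, then -F TESTING and -X TESTING; running -X first would fail with the chain still referenced.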
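Added example for the port-knocking rule set above (my own code, not from the notes or the debian-administration article): a Python model of the `recent` match semantics (--set, --rcheck, --update, --remove, --seconds) that walks a packet through the INPUT rules in the order the script adds them, so the knock sequence can be exercised without a kernel. Assumptions, labelled in the code: times are in seconds, the INPUT policy is DROP for anything not ACCEPTed (the notes do not say), and only the first SYN of the SSH connection is modelled; keeping an SSH session alive past the 5-second window relies on an earlier RELATED,ESTABLISHED rule like the one in the masquerade section. The class and function names are mine.

```python
"""Simulation of the four-port knock rule set (added example, not the notes' code)."""

HOST_IP = "12.34.56.78"     # $HOST_IP from the script
WINDOW = 5                  # --seconds 5 on the final ACCEPT rule


class Recent:
    """One named list of the recent module: source address -> last-seen time."""

    def __init__(self):
        self.seen = {}

    def set(self, ip, now):                    # --set: add or refresh, always matches
        self.seen[ip] = now
        return True

    def rcheck(self, ip, now, seconds=None):   # --rcheck [--seconds N]: no state change
        if ip not in self.seen:
            return False
        return seconds is None or now - self.seen[ip] <= seconds

    def update(self, ip, now, seconds=None):   # --update: rcheck, refresh stamp on match
        if not self.rcheck(ip, now, seconds):
            return False
        self.seen[ip] = now
        return True

    def remove(self, ip):                      # --remove: matches only if entry existed
        return self.seen.pop(ip, None) is not None


class KnockFirewall:
    def __init__(self):
        self.phase = {n: Recent() for n in (1, 2, 3, 4)}
        self.log = []                          # what the LOG targets would emit

    def _into_phase(self, n, src, now):
        """The INTO-PHASEn user chain: leave PHASE(n-1), enter PHASEn, log it."""
        self.phase[n - 1].remove(src)
        self.phase[n].set(src, now)
        self.log.append(f"INTO PHASE{n}: {src}")

    def tcp_packet(self, src, dport, now):
        """Walk the INPUT chain for one TCP packet; True means ACCEPT."""
        p = self.phase
        # -m recent --update --name PHASE1: refreshes the timestamp only; no later
        # PHASE1 check uses --seconds, so it does not change the outcome here.
        p[1].update(src, now)
        # None of the knock rules has a terminating target, so the packet keeps
        # falling through the chain after each match.
        if dport == 100:
            p[1].set(src, now)
        if dport == 200 and p[1].rcheck(src, now):
            self._into_phase(2, src, now)
        if dport == 300 and p[2].rcheck(src, now):
            self._into_phase(3, src, now)
        if dport == 400 and p[3].rcheck(src, now):
            self._into_phase(4, src, now)
        if dport == 22 and src == HOST_IP and p[4].rcheck(src, now, WINDOW):
            return True                        # -j ACCEPT
        return False                           # assumed INPUT policy: DROP


def knock_and_connect(ports, ssh_delay, knock_src=HOST_IP, ssh_src=HOST_IP, gap=0.5):
    """Knock PORTS GAP seconds apart, then send an SSH SYN SSH_DELAY seconds after the last knock."""
    fw = KnockFirewall()
    now = 0.0
    for port in ports:
        fw.tcp_packet(knock_src, port, now)
        now += gap
    return fw.tcp_packet(ssh_src, 22, now - gap + ssh_delay)


if __name__ == "__main__":
    print("correct knocks, SSH within 5 s:", knock_and_connect([100, 200, 300, 400], 1.0))
    print("correct knocks, SSH after 10 s:", knock_and_connect([100, 200, 300, 400], 10.0))
    print("knocks out of order:           ", knock_and_connect([100, 300, 200, 400], 1.0))
```

Two things the model makes visible that the rules alone do not: the lists are keyed by source address and the final rule also insists on -s $HOST_IP, so knocks and the SSH connection must come from that one address; and a stray repeat of an earlier port does not clear a later PHASE entry, so the rules check for the knocks in order but not strictly for nothing in between.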