
iptables


1. Info/Documentation

man iptables-extensions # for details on target extensions such as REJECT

1.1. Searching

Rules with -j LOG write to the kernel ring buffer, so search the kernel log and filter on a packet field (SRC=, DPT=, ...) or on the --log-prefix text that precedes IN=: journalctl -k | rg "SRC"

Sample hits (the leading "refused packet: " and "rpfilter drop: " are the --log-prefix strings of the logging rules; the second is what a -m rpfilter --invert rule reports):

refused packet: IN=tun0 OUT= MAC= SRC=3.125.194.96 DST=10.8.0.19 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=30015 DF PROTO=TCP SPT=80 DPT=55938 WINDOW=502 RES=0x00 ACK URGP=0
rpfilter drop: IN=wlan0 OUT= MAC=e8:48:b8:c8:6b:90:f8:c4:f3:7e:a5:d5:08:00 SRC=3.74.105.242 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=23558 DF PROTO=TCP SPT=80 DPT=39776 WINDOW=465 RES=0x00 ACK URGP=0
rpfilter drop: IN=wlan0 OUT= MAC=e8:48:b8:c8:6b:90:f8:c4:f3:7e:a5:d5:08:00 SRC=54.161.152.147 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=6126 DF PROTO=TCP SPT=443 DPT=53528 WINDOW=442 RES=0x00 ACK URGP=0
rpfilter drop: IN=wlan0 OUT= MAC=e8:48:b8:c8:6b:90:f8:c4:f3:7e:a5:d5:08:00 SRC=3.74.105.242 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=23559 DF PROTO=TCP SPT=80 DPT=39776 WINDOW=465 RES=0x00 ACK URGP=0
rpfilter drop: IN=wlan0 OUT= MAC=e8:48:b8:c8:6b:90:f8:c4:f3:7e:a5:d5:08:00 SRC=54.161.152.147 DST=192.168.1.10 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=6127 DF PROTO=TCP SPT=443 DPT=53528 WINDOW=442 RES=0x00 ACK URGP=0

2. Save & restore

iptables-save # dump ALL tables to stdout in restore format; by itself this persists nothing
iptables-save -f /etc/iptables/iptables.rules # write the dump to the default location (the file iptables.service loads at boot)
iptables-restore /etc/iptables/iptables.rules # flush and replace every table named in the file atomically; -t (--test) only parses, commits nothing; -n (--noflush) keeps existing rules

3. List rules

iptables -S or iptables --list-rules # rules as iptables commands (same view as iptables-save); -t selects the table, default 'filter'
iptables -nvL --line-numbers -t <table_name> # table view with counters and interfaces; -n keeps ports and addresses numeric (no DNS/service lookups)
iptables -vL --line-numbers -t <table_name> # same, but resolves names (slow when DNS is unreachable)
iptables -L --line-numbers -t <table_name> # simple table view; note that without -v the -i/-o interface matches are not shown
iptables -L --line-numbers -t <table_name> | column -t # aligned columns

4. Resetting

iptables -t <table_name> -F <optional_chain> # flush: delete all rules in the chain (in every chain of the table if omitted)
iptables -t <table_name> -X <optional_chain> # delete a user-defined chain (all of them if omitted); works only once the chain is empty and no rule jumps to it; built-in chains cannot be deleted

Neither command touches chain policies. On a remote box with INPUT policy DROP, flushing removes the ACCEPT rules that kept your session alive, so set -P ACCEPT first (see Policy below) or do the whole reset through iptables-restore.

5. Editing

  • -A : append rule to the end of the chain
  • -I : insert rule into the chain, at position 1 unless a rule number is given (-I INPUT 3 ...)
  • -R : replace the rule at a given rule number (from --line-numbers)
  • -D : delete a rule, either by rule number or by repeating the exact rule specification

6. Match & target

  • -m <match_name> : load a match extension (conntrack, limit, rpfilter, ...); see man iptables-extensions for the options of that match
  • -j <target_name> : jump to a target: a built-in (ACCEPT, DROP), a target extension (REJECT, LOG, ...; options in man iptables-extensions) or a user-defined chain. LOG is non-terminating, so a logging rule needs a following DROP/REJECT rule to actually refuse the packet

7. Policy

iptables -t <table_name> -P <chain> <target> # eg. iptables -t filter -P FORWARD DROP; built-in chains only, and only ACCEPT or DROP. The policy is what a packet gets when it reaches the end of the chain without matching, so set INPUT to DROP only after the loopback and ESTABLISHED,RELATED accept rules are in place.
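Sections 2, 4 and 7 fit together as one procedure: keep the ruleset as an iptables-restore file, where the ":CHAIN POLICY" lines carry the policies and the restore replaces each table atomically, so there is no moment in which INPUT is DROP with no accept rules loaded. The script below is an added example, not the page's own configuration; the file path, the SSH port, the rpfilter rule in the raw table and the choice of filter rules are all assumptions, and the log prefixes are chosen to match the journal lines shown earlier on the page.

```shell
#!/bin/sh
# Added example: generate a minimal, lockout-safe ruleset in iptables-save
# format, syntax-check it with `iptables-restore --test`, then apply it.
# SSH_PORT and RULES_FILE are assumptions; the page's own default path is
# /etc/iptables/iptables.rules.
SSH_PORT="${SSH_PORT:-22}"
RULES_FILE="${RULES_FILE:-/tmp/iptables.rules}"

# Emit the ruleset. Lines starting with '#' are comments to iptables-restore.
# Policies live in the ":CHAIN POLICY [packets:bytes]" lines, so INPUT becomes
# DROP in the same commit that installs the accept rules below it.
gen_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# reverse-path check: log, then drop packets whose source is not routable back via the ingress interface
-A PREROUTING -m rpfilter --invert -j LOG --log-prefix "rpfilter drop: "
-A PREROUTING -m rpfilter --invert -j DROP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOGDROP
# LOG is non-terminating: rate-limit it, then REJECT in the next rule
-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "refused packet: "
-A LOGDROP -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# Number of rules appended to one chain in the generated file (no root needed).
# usage: count_rules CHAIN
count_rules() {
    gen_rules | grep -c "^-A $1 "
}

# Policy line of a chain as written in the file, e.g. ":INPUT DROP [0:0]".
# usage: policy_line CHAIN
policy_line() {
    gen_rules | grep "^:$1 "
}

# Write the file, parse it without committing (-t/--test), and only then load it.
# Loading replaces the raw and filter tables in one step; existing chains in
# other tables are untouched because the file does not mention them.
apply_rules() {
    gen_rules > "$RULES_FILE"
    if ! iptables-restore --test "$RULES_FILE"; then
        echo "ruleset rejected, nothing changed" >&2
        return 1
    fi
    iptables-restore "$RULES_FILE"
    iptables -nvL --line-numbers
}
```

Run `apply_rules` as root; to persist the live state afterwards, `iptables-save -f /etc/iptables/iptables.rules` writes the same format back. Compared with typing -F, -X and -P by hand, the only two commands that touch the kernel are the test and the restore, and the test cannot change anything.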

Created: 2024-07-16 Tue 16:44
