iptables#
iptables is the user-space utility for the Linux kernel firewall. The operator uses it both to lock down their own attack platform and to inspect rules already in place on a target.
Chains#
INPUT, incoming connections.
OUTPUT, outgoing connections.
FORWARD, incoming connections that are not local (routing and NAT).
Actions#
ACCEPT, allow the specified connection parameters.
DROP, drop the specified connection parameters.
REJECT, disallow the connection and send a reject notification to the source.
Rules#
$ iptables -F # flush existing rules
$ iptables -n -L -v --line-numbers # display all active rules
# default chain policies
$ iptables -P INPUT <DROP|ACCEPT|REJECT>
$ iptables -P OUTPUT <DROP|ACCEPT|REJECT>
$ iptables -P FORWARD <DROP|ACCEPT|REJECT>
$ iptables -L <INPUT|OUTPUT|FORWARD> # rules by chain
# single IP inbound
$ iptables -A INPUT -s 10.0.0.10 -j <ACCEPT|DROP|REJECT>
# single IP outbound
$ iptables -A OUTPUT -d 10.0.0.10 -j <ACCEPT|DROP|REJECT>
# drop outbound access to a specific site
$ iptables -A OUTPUT -p tcp -d example.com -j DROP
# delete a specific rule
$ iptables -D INPUT -s 10.0.0.10 -p tcp -dport 80 -j ACCEPT
$ iptables -D OUTPUT -d 10.0.0.10 -p tcp -dport 80 -j ACCEPT
# delete by rule number
$ iptables -n -L -v --line-numbers
$ iptables -D <INPUT|OUTPUT|FORWARD> 5
# insert a rule at a specific position
$ iptables -I INPUT 3 -s 10.0.0.10 -j DROP
$ iptables -I OUTPUT 2 -d 10.0.0.10 -j ACCEPT
# allow established + related inbound and outbound
$ iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$ iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
References#
man 8 iptables