############################################################
# Searchable Keywords: firewall iptables ip nat docker
#---------------- Linux iptables rules/commands ---------------------#

This is what I usually do, but I'm used to OpenBSD pf; this just seems easier
for me. I build an iptables file in the /etc directory, then make my edits to
that. Then I edit the /etc/sysconfig/iptables-config file so the running
iptables rules are saved to /etc/sysconfig/iptables when the service is
restarted. That is where the rules reside by default and it remains the
primary location for iptables. Also please note that this is iptables
v1.2.11.

EXAMPLE (iptables-save writes the format that iptables-restore reads back;
iptables -L output cannot be restored):

    # iptables-save > /etc/iptables_rules

iptables rules that only allow ports 22, 443 and 8080 in; everything else,
icmp (ping) included, is rejected by the last rule:

    # more /etc/iptables_rules
    # Generated by iptables-save v1.2.11 on Tue Aug 14 14:08:03 2007
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [1:70]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A FORWARD -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp --dport 8080 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp --dport 443 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    COMMIT
    # Completed on Tue Aug 14 14:08:03 2007

Display the running rule set:

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target              prot opt source    destination
    RH-Firewall-1-INPUT all  --  anywhere  anywhere

    Chain FORWARD (policy ACCEPT)
    target              prot opt source    destination
    RH-Firewall-1-INPUT all  --  anywhere  anywhere

    Chain OUTPUT (policy ACCEPT)
    target              prot opt source    destination

    Chain RH-Firewall-1-INPUT (2 references)
    target  prot opt source    destination
    ACCEPT  all  --  anywhere  anywhere
    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:ssh
    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:webcache
    ACCEPT  tcp  --  anywhere  anywhere  tcp dpt:https
    ACCEPT  all  --  anywhere  anywhere  state RELATED,ESTABLISHED
    REJECT  all  --  anywhere  anywhere  reject-with icmp-host-prohibited

Reloading or reinstalling the iptables rule set:

If you edit the iptables_rules file you created by redirecting iptables-save
into it, you can reload the newly edited rules file with the following
command:

    # iptables-restore /etc/iptables_rules

#---------------------- Commands -------------------------------#

    iptables -L                     <------------- List existing chains/targets/protocols.....
    iptables -A INPUT -j DROP -s 172.23.18.20
                                    <----- append a rule to drop packets from source 172.23.18.20
                                           (a chain name such as INPUT is required)... well, maybe not............
    iptables -A OUTPUT -j REJECT -s 172.23.18.20 -d 172.23.12.50
    iptables -F [chain]             <---------- Flush (delete) all rules of a chain, or of every chain
                                                if no chain is named
    iptables -P chain (REJECT,ACCEPT,DROP...)
                                    <-- Set the default policy for a particular chain
    iptables -A DMZ-rules -j ACCEPT -p tcp --dport 80
                                    <-- -j tells iptables where to go if the rule matches (jump to);
                                        -p indicates the protocol
    service iptables save           <---------------------------- save the current running iptables
                                                                  config to /etc/sysconfig/iptables

#------------ More Linux iptables rules/commands ----------------#

------------- Example ----------

Create a new chain, DMZ-rules, drop packets coming in and going out on port
63, and allow ssh (port 22) inbound as well as www (port 80). The last thing
done is to make the default policy "DROP", so what is listed is allowed but
everything else is dropped.

    iptables -N DMZ-rules                              <---------------------------- Create a new chain
    iptables -A DMZ-rules -j DROP -p tcp --dport 63    <--- Append to the new chain to drop packets destined for port 63
    iptables -A DMZ-rules -j ACCEPT -p tcp --dport 22  <- Allow/Accept packets to port 22
    iptables -A DMZ-rules -j ACCEPT -p tcp --dport 80
    iptables -A INPUT -j DMZ-rules
    iptables -A OUTPUT -j DMZ-rules
    iptables -A FORWARD -j DMZ-rules

============== THE LAST THING YOU DO ! ! ===============
If you do this BEFORE the above... you better be on the console. Otherwise
you just locked yourself out.

This sets the default policy for the chain "INPUT" to "DROP". So if a packet
does not match any of the rules above, it is dropped without a reset.

    iptables -P INPUT DROP
===========================================================

Add icmp to/from host; this will allow icmp of any kind:

    iptables -A DMZ-rules -p icmp -j ACCEPT

Allow icmp echo requests:

    iptables -A DMZ-rules -p icmp --icmp-type echo-request -j ACCEPT

or allow icmp of any kind EXCEPT host redirect:

    iptables -A DMZ-rules -p icmp --icmp-type ! host-redirect -j ACCEPT

#----------- Deleting and removing rules and chains -----------#

Delete the "allow icmp of any kind" rule added above (it happens to be rule #4;
find the rule number using iptables -L):

    iptables -D DMZ-rules 4

    # iptables -L |more
    Chain INPUT (policy ACCEPT)                    <-------------------------- Chain "INPUT"
    target    prot opt source    destination
    interf-1  all  --  anywhere  anywhere          <----- rule #1
    interf-2  all  --  anywhere  anywhere          <---- rule #2
    interf-3  all  --  anywhere  anywhere          <----- rule #3
    interf-4  all  --  anywhere  anywhere          <---- rule #4
    REJECT    all  --  shasta    anywhere          <----- rule #5

So to delete rule number 5:

    # iptables -D INPUT 5

To delete an entire chain (it must be empty and unreferenced first):

    # iptables -X DMZ-rules

#------------------------ Adding a chain to the nat table -----------------

This adds iptables rules for docker. The 172.x.x.x address is a docker
address.

    # iptables -t nat -N DOCKER    <-------------- Create the DOCKER chain in the nat table
    # iptables -N DOCKER           <------------- Yes this seems redundant, but you have to create
                                                  the DOCKER chain in the filter table too
    # iptables -t nat -A DOCKER -p tcp -d 0/0 --dport 9000 -j DNAT --to-destination 172.17.0.15:9000

See also
    Sparc-Linux-notes/ipchains
    Solarisnotes-12-27-13/RedHat/iptables_forwarding_NAT
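Added example, not part of these notes: a small POSIX shell helper that writes a rule set in the iptables-save format shown above for a list of allowed TCP ports, plus a check for the lockout case the notes warn about (INPUT closed by a catch-all REJECT/DROP or a DROP policy with no tcp/22 ACCEPT ahead of it). It only reads and writes text, so it needs neither root nor iptables; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original notes. gen_rules writes the *filter
# section of an iptables-save file (the format iptables-restore reads). The
# chain ends in a catch-all REJECT, so the order of the rules matters.
# Usage: gen_rules CHAIN PORT...   e.g. gen_rules RH-Firewall-1-INPUT 22 443 8080
gen_rules() {
    chain=$1; shift
    printf '*filter\n'
    printf ':INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf ':%s - [0:0]\n' "$chain"
    # hand INPUT and FORWARD to the custom chain, as the notes' rule set does
    printf -- '-A INPUT -j %s\n-A FORWARD -j %s\n' "$chain" "$chain"
    printf -- '-A %s -i lo -j ACCEPT\n' "$chain"
    for port in "$@"; do
        printf -- '-A %s -p tcp --dport %s -j ACCEPT\n' "$chain" "$port"
    done
    printf -- '-A %s -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$chain"
    printf -- '-A %s -j REJECT --reject-with icmp-host-prohibited\n' "$chain"
    printf 'COMMIT\n'
}

# check_ssh FILE: exit 0 if the rule set keeps ssh reachable, 1 if it would
# lock you out: a catch-all "-A CHAIN -j REJECT|DROP" (no match options) comes
# before any "--dport 22 ... -j ACCEPT", or INPUT has policy DROP and there is
# no ssh ACCEPT at all. Policy position is irrelevant: it applies after the rules.
check_ssh() {
    awk '
        /--dport 22 .*-j ACCEPT/          { ok = 1 }
        /^-A [^ ]+ -j (REJECT|DROP)( |$)/ { if (!ok) bad = 1 }
        /^:INPUT DROP/                    { policy = 1 }
        END { if (bad || (policy && !ok)) exit 1; exit 0 }
    ' "$1"
}

# Stand-alone run: write the notes' 22/443/8080 set and lint it, then show
# the variant without an ssh rule failing the check.
f=$(mktemp)
gen_rules RH-Firewall-1-INPUT 22 443 8080 > "$f"
check_ssh "$f" && echo "ok: ssh stays reachable"
gen_rules RH-Firewall-1-INPUT 443 8080 > "$f"
check_ssh "$f" || echo "lockout: no ssh ACCEPT before the catch-all REJECT"
rm -f "$f"
```

Load the generated file with iptables-restore only after check_ssh passes; the check is a text lint, not a substitute for testing from the console.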