IPtables commands cheat sheet
Overview
iptables is one of the best-known (and still very effective) Linux packet filters and comes pre-installed on many distributions. This post is meant as an iptables command cheat sheet: the tool is powerful and has a large number of commands covering many networking scenarios. iptables organises its rules into tables, each with several chains, which decide whether traffic is accepted, dropped or rewritten:
FILTER: the default table, where the actual accept/drop decisions are made. Its chains are:
INPUT: rules for connections addressed to this host.
OUTPUT: rules for connections generated by this host.
FORWARD: rules for packets that are only routed through this host, i.e. neither sent by it nor addressed to it. Forwarding is commonly used together with NAT.
NAT: the network address translation table, used to rewrite source or destination addresses and ports, for example to put a private network behind one public address or to redirect a port. Its chains are:
PREROUTING: modify a packet as soon as it arrives, before the routing decision (DNAT, REDIRECT).
OUTPUT: modify locally generated packets before routing.
POSTROUTING: modify a packet just before it leaves, after routing (SNAT, MASQUERADE).
MANGLE: used for altering packet headers (TTL, TOS, firewall marks). It has all five chains:
PREROUTING: incoming packets before routing.
INPUT: packets addressed to this host.
FORWARD: packets routed through the host.
OUTPUT: locally generated packets.
POSTROUTING: packets about to leave.
Rules in a chain are evaluated top to bottom and the first match decides; if nothing matches, the chain's policy (ACCEPT by default) applies. Rule order therefore matters: -A appends at the end of a chain, -I inserts at the top.
For this cheat sheet there is a GitHub repo with a downloadable .pdf version: LINK
List rules
Show the NAT table (add --line-numbers to get the rule numbers that -D and -I take):
# iptables -t nat -L
# iptables -t nat -L --line-numbers
How to delete and add rules
Delete rule number 10 of the INPUT chain (the number comes from --line-numbers)
# iptables -D INPUT 10
Flush all chains (delete every rule in the filter table; chain policies are kept, so with a DROP policy this leaves the host closed)
# iptables -F
Flush a single chain
# iptables -F INPUT
Flush the nat and mangle tables (-F without -t only touches the filter table)
# iptables -t nat -F
# iptables -t mangle -F
– Add a new rule (-I inserts at the top of the chain, -A appends at the end)
# iptables -I INPUT -s 123.123.123.133 -j DROP
# iptables -A INPUT -p tcp --dport 22 -j REJECT
Block traffic
# iptables -A INPUT -s 192.168.100.1 -j DROP
Block a whole network (write the network address; iptables silently masks 192.168.1.100/24 to 192.168.1.0/24 anyway, which is confusing when reading the rules back)
# iptables -A INPUT -s 192.168.1.0/24 -j DROP
Reject instead of drop: the sender gets an ICMP error (or a TCP reset with --reject-with tcp-reset) instead of waiting for a timeout
# iptables -A INPUT -s 192.168.1.100 -j REJECT
Block an address only on one interface, or only for one protocol
# iptables -A INPUT -i eth0 -s 192.168.1.102 -j DROP
# iptables -A INPUT -p tcp -s 192.168.1.100 -j DROP
# iptables -A INPUT -p tcp -s 192.168.1.0/24 -j DROP
Drop traffic to a specific port (close the port)
# iptables -A INPUT -p tcp --dport xxx -j DROP
# iptables -A INPUT -p tcp --dport 22 -j DROP
Drop incoming packets that belong to no known connection (malformed or out-of-state packets)
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Allow traffic (incoming and outgoing) on SSH
These ACCEPT rules only restrict anything when the chain policy is DROP or a final DROP rule follows them; with the default ACCEPT policy they are no-ops. The OUTPUT rule is only needed when the OUTPUT policy is DROP.
# iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
– Allow traffic on HTTP and HTTPS (incoming and outgoing)
# iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
– Multiport config (replies leave with source port 80/443, hence --sports on the OUTPUT rule)
# iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow MySQL traffic on a specific network interface only
# iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow PostgreSQL traffic on a specific network interface only
# iptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
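The allow rules above only do something once the chain policy is DROP, and the order in which they are applied decides whether the SSH session you type them into survives. The script below is an added example, not part of the original cheat sheet, that puts the overview's table/chain model and the conntrack rules together into one stateful baseline for a host exposing SSH, HTTP and HTTPS. It prints the iptables commands it would run (dry run) and executes them only with APPLY=1 as root. The uplink name eth0, the admin network 192.0.2.0/24 (a documentation range) and the rollback file path are assumptions; IPv6 would need the same with ip6tables.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: stateful IPv4 baseline.
# Dry run by default; APPLY=1 executes. Assumed: uplink eth0, SSH only from
# the admin network 192.0.2.0/24 (documentation range).
set -eu

WAN_IF="${WAN_IF:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# Dry-run wrapper: print the command unless APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}
ipt() { run iptables "$@"; }

# Rules first, policies last: setting the policy to DROP before the
# ESTABLISHED rule exists would cut the SSH session this is typed into.
baseline_rules() {
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    # Packets that belong to no known connection (bad flags, stray ACKs).
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # One rule covers the reply direction of every allowed service.
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # From here on only NEW connections need a decision.
    ipt -A INPUT -i "$WAN_IF" -s "$ADMIN_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    ipt -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # Keep ping, but not unlimited.
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
    # Log (rate limited) whatever is about to hit the DROP policy.
    ipt -A INPUT -m limit --limit 3/minute -j LOG --log-prefix "IPT-DROP:"
}

set_policies() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
}

# Safety net when applying over SSH: the previous ruleset comes back after
# 60 s unless the operator kills the timer once a fresh login works.
schedule_rollback() {
    iptables-save > /root/iptables.pre-apply
    ( sleep 60 && iptables-restore < /root/iptables.pre-apply ) &
    echo "rollback timer pid $!: kill it once a new SSH login succeeds"
}

main() {
    if [ "${APPLY:-0}" = 1 ]; then schedule_rollback; fi
    baseline_rules
    set_policies
}
main
```

Run it once without APPLY to read the plan, then `APPLY=1 sh baseline.sh` and open a second SSH session before killing the rollback timer. To make it survive a reboot, dump the result with `iptables-save` (the iptables-persistent package restores that file on boot).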
How to redirect a port in IPtables
REDIRECT sends the packet to another port on the same host (here SMTP arriving on 25 is delivered to a daemon listening on 2525); forwarding to a different host needs DNAT, as in the Proxmox PAT rule further down.
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 2525
Block incoming ping requests
A bare -p icmp would drop every ICMP type, including the errors that path MTU discovery relies on; match only echo requests:
# iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP
Block or allow access for a specific MAC address (the mac match only works in INPUT, FORWARD and PREROUTING and only for hosts on the same layer-2 segment; behind a router the source MAC is the router's)
# iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:00:00:00:00:00 -j ACCEPT
Limit the number of concurrent connections per IP address (once a source has more than 3 open SSH connections its further SYNs are rejected; --connlimit-mask widens the count to a whole prefix)
# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
Iptables commands to prevent more advanced attacks
How to rate-limit a flood on the HTTP port
# iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
-m limit accepts packets up to the limit; packets above it simply fall through to the next rule, so this only throttles anything when a DROP rule for port 80 (or a DROP policy) follows it. The limit is global, not per source.
Configure port scanning protection / brute force protection for SSH
Check the counters for a single source address to see what it is hitting:
# iptables -L INPUT -v -n | grep 192.168.0.100
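The bare limit rule above is global and drops nothing by itself, and the cheat sheet lists no actual rules for the SSH brute-force case. The script below is an added example, not from the original page, showing both: per-source brute-force protection for SSH with the recent match, and a per-source cap on new HTTP/HTTPS connections with hashlimit followed by the DROP that makes the cap effective. Dry run by default, APPLY=1 executes; the thresholds, the chain name SSH_GUARD and the list names are assumptions to tune per host.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: SSH brute-force guard
# (recent match) and per-source HTTP connection cap (hashlimit).
# Dry run by default; APPLY=1 executes as root. Thresholds are assumptions.
set -eu

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }
ipt() { run iptables "$@"; }

# Every NEW SSH connection is recorded per source; the 5th within 60 s is
# logged and dropped, and --update keeps extending the block while the
# source keeps trying, so it must stay quiet for 60 s to get back in.
ssh_bruteforce_rules() {
    ipt -N SSH_GUARD || ipt -F SSH_GUARD
    ipt -A SSH_GUARD -m recent --name sshbf --set
    ipt -A SSH_GUARD -m recent --name sshbf --update --seconds 60 --hitcount 5 -m limit --limit 3/minute -j LOG --log-prefix "SSH-BF:"
    ipt -A SSH_GUARD -m recent --name sshbf --update --seconds 60 --hitcount 5 -j DROP
    ipt -A SSH_GUARD -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_GUARD
}

# hashlimit keeps one bucket per source address (srcip), unlike -m limit.
# The ACCEPT/DROP pair is the part the cheat sheet's single limit rule lacks:
# only NEW connections are counted, established sessions are untouched.
http_flood_rules() {
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name http-new --hashlimit-mode srcip --hashlimit-upto 30/minute --hashlimit-burst 60 -j ACCEPT
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j DROP
}

main() {
    ssh_bruteforce_rules
    http_flood_rules
}
main
```

These rules must sit before any general ACCEPT for ports 22, 80 and 443, and after the ESTABLISHED,RELATED rule so that they only ever see connection attempts. The recent list can be inspected in /proc/net/xt_recent/sshbf and the hashlimit buckets in /proc/net/ipt_hashlimit/http-new, which is the quickest way to confirm a suspected scanner is actually being held.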
IP config (Debian, ifupdown)
Restart networking
# systemctl restart networking.service
DHCP
# vim /etc/network/interfaces
iface eth0 inet dhcp
Static (the dns-nameservers and dns-domain lines only take effect with the resolvconf package installed)
# vim /etc/network/interfaces
iface eth0 inet static
address 192.168.1.83/24
gateway 192.168.1.1
dns-nameservers 192.168.1.20 192.168.1.1
dns-domain local.culturelinux.lan
Proxmox
NAT
New bridge with NAT (in /etc/network/interfaces): VMs attached to vmbr2 reach the outside through the address of vmbr0
auto vmbr2
iface vmbr2 inet static
address 192.168.77.1
netmask 255.255.255.0
bridge_ports none
bridge_stp off
bridge_fd 0
post-up echo 1 > /proc/sys/net/ipv4/ip_forward
post-up iptables -t nat -A POSTROUTING -s '192.168.77.0/24' -o vmbr0 -j MASQUERADE
post-down iptables -t nat -D POSTROUTING -s '192.168.77.0/24' -o vmbr0 -j MASQUERADE
SSH jump through the Proxmox host
ssh -J jumper@proxmox user@vm
The same as a ~/.ssh/config entry
Host jumper-proxmox
HostName proxmox
User jumper
Host vm-behind-nat-rebuild
HostName vm-nated-ip
ProxyJump jumper-proxmox
User root
IdentityFile ~/.ssh/id_ed25519
PAT: reach the VM's SSH through port 122 on the host
DNAT only rewrites the destination; the packet still has to pass the FORWARD chain (it does while the Linux default FORWARD policy ACCEPT is in place), and the rule is gone after a reboot unless it is added as a post-up line like the MASQUERADE one above. Without -i and -d the rewrite also applies to port 122 on every host address, from any interface.
iptables -t nat -A PREROUTING -p tcp --dport 122 -j DNAT --to-destination 192.168.77.121:22
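The NAT bridge and the PAT rule above are two halves of one setup, and the interfaces file only shows the MASQUERADE half. The script below is an added example, not from the original post, that holds the complete rule set as add/del functions mirroring the post-up/post-down lines, including the FORWARD rules needed once the FORWARD policy is DROP. Dry run by default, APPLY=1 executes. The internal bridge vmbr2 on 192.168.77.0/24 and the VM 192.168.77.121 come from the post; the uplink address 203.0.113.10 (a documentation range), the DROP policy on FORWARD and the host port 122 to VM port 22 mapping are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: NAT bridge + PAT to one VM as
# add (-A, post-up) / del (-D, post-down) functions. Dry run by default;
# APPLY=1 executes as root. Assumed: vmbr2 internal, vmbr0 uplink with
# address 203.0.113.10 (documentation range), FORWARD policy DROP.
set -eu

INT_IF=vmbr2; INT_NET=192.168.77.0/24
EXT_IF=vmbr0; EXT_IP=203.0.113.10
VM_IP=192.168.77.121; VM_PORT=22; HOST_PORT=122

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }
ipt() { run iptables "$@"; }

# $1 is -A (post-up) or -D (post-down); the rule text is identical for both,
# which is what makes the post-down line actually remove what post-up added.
nat_rules() {
    act=$1
    if [ "$act" = -A ]; then run sysctl -w net.ipv4.ip_forward=1; fi
    ipt -t nat "$act" POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
    # With FORWARD policy DROP, state explicitly what may cross the host:
    # outbound from the VM network, and the replies coming back.
    ipt "$act" FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    ipt "$act" FORWARD -i "$EXT_IF" -o "$INT_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

pat_rules() {
    act=$1
    # Bound to the uplink and the host's own address, so the rewrite cannot be
    # triggered from the VM side or for traffic to other addresses.
    ipt -t nat "$act" PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$HOST_PORT" -j DNAT --to-destination "$VM_IP:$VM_PORT"
    # DNAT only rewrites the destination; the packet still needs a FORWARD accept.
    ipt "$act" FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$VM_IP" -p tcp --dport "$VM_PORT" -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-up}" in
    up)   nat_rules -A; pat_rules -A ;;
    down) pat_rules -D; nat_rules -D ;;
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

Save it as /etc/network/vmbr2-nat.sh and reference it from the bridge stanza as `post-up /etc/network/vmbr2-nat.sh up` and `post-down /etc/network/vmbr2-nat.sh down` (with APPLY=1 in the environment or hard-coded), which keeps the interfaces file to two lines however many VMs get a port mapping.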
Build template
Get the qcow2 cloud image (check it against the SHA512SUMS file published in the same directory before importing it)
cd /tmp && wget https://cloud.debian.org/images/cloud/bookworm/20231013-1532/debian-12-genericcloud-amd64-20231013-1532.qcow2
Build the template VM
qm create 1000 --memory 1024 --cores 1 --name debian12-temp --net0 virtio,bridge=vmbr0 --description "Debian 12 cloud template"
qm importdisk 1000 /tmp/debian-12-genericcloud-amd64-20231013-1532.qcow2 local-lvm
qm set 1000 --scsihw virtio-scsi-pci --scsi0 local-lvm:vm-1000-disk-0
qm set 1000 --boot c --bootdisk scsi0
qm set 1000 --ide2 local-lvm:cloudinit
qm set 1000 --serial0 socket --vga serial0
rm -f /tmp/debian-12-genericcloud-amd64-20231013-1532.qcow2
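The steps above leave the cloud-init side untouched, so a clone boots with whatever the image's default user and password policy are. The script below is an added example, not from the original post, that wraps the same qm sequence in a function and adds the settings a hardened template wants: a named user with key-only login (no --cipassword, so password authentication has nothing to guess), DHCP on the first NIC, the guest agent, and converting the VM into a real template, plus a second function that full-clones it. Dry run by default, APPLY=1 executes on the Proxmox host. The storage local-lvm and bridge vmbr0 are the post's; the public key path, the user name admin, the clone IDs and the shortened image path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: cloud-init template build and
# clone as functions. Dry run by default; APPLY=1 executes on the PVE host.
# Assumed: storage local-lvm, bridge vmbr0, admin key in /root/.ssh/id_ed25519.pub.
set -eu

STORAGE="${STORAGE:-local-lvm}"
BRIDGE="${BRIDGE:-vmbr0}"
PUBKEY="${PUBKEY:-/root/.ssh/id_ed25519.pub}"

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# build_template VMID IMAGE NAME : the post's sequence, then the cloud-init
# hardening and the conversion into a template.
build_template() {
    vmid=$1; image=$2; name=$3
    run qm create "$vmid" --memory 1024 --cores 1 --name "$name" --net0 "virtio,bridge=$BRIDGE" --description "cloud template" --ostype l26 --agent enabled=1
    run qm importdisk "$vmid" "$image" "$STORAGE"
    run qm set "$vmid" --scsihw virtio-scsi-pci --scsi0 "$STORAGE:vm-$vmid-disk-0"
    run qm set "$vmid" --boot c --bootdisk scsi0
    run qm set "$vmid" --ide2 "$STORAGE:cloudinit"
    run qm set "$vmid" --serial0 socket --vga serial0
    # Key-only login for a non-root user; no --cipassword on purpose.
    run qm set "$vmid" --ciuser admin --sshkeys "$PUBKEY" --ipconfig0 ip=dhcp
    # Lock it: templates can only be cloned, never booted by accident.
    run qm template "$vmid"
}

# clone_vm TEMPLATE_ID NEW_ID NAME : full clone (own disk, not linked), so the
# VM survives the template being replaced by a newer image later.
clone_vm() {
    run qm clone "$1" "$2" --name "$3" --full 1
    run qm start "$2"
}

build_template 1000 /tmp/debian-12-genericcloud-amd64.qcow2 debian12-temp
clone_vm 1000 1101 web01
```

Per-VM settings that differ from the template (a static --ipconfig0, another --sshkeys file) go on the clone with `qm set NEW_ID ...` before `qm start`; cloud-init reads them on first boot only, so change them before that boot, not after.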
Extend HD
GUI
VM > Hardware > HD > Disk Action > Resize
CLI (DISKNAME is the bus name of the disk, e.g. scsi0)
qm resize VMID DISKNAME +5G
Guest (grow the partition first, then the filesystem; resize2fs is for ext4)
growpart /dev/sda 1
resize2fs /dev/sda1
CLI management
List storage
# pvesm status
List volumes in a storage
# pvesm list local
Delete a volume from a storage
# pvesm free STORAGE:DISK
List VMs
# qm list
Show a VM's configuration (including its disks)
# qm config $VMID
Remove an unused disk from the VM's configuration
# qm set 106 --delete unused0
Create VM
qm create 200 --memory 4096 --cores 3 --name vm-cli --net0 virtio,bridge=vmbr0 --scsihw virtio-scsi-single --description "VM via qm" --numa 0 --onboot 1 --ostype l26 --cpu "cputype=x86-64-v2-AES"
qm set 200 --ide2 local:iso/Rocky-9.3-x86_64-minimal.iso,media=cdrom
qm set 200 --scsi0 local-lvm:10 # a 10 GB disk; ",format=qcow2" only works on file-based storage, local-lvm is raw
qm set 200 --boot order='scsi0;ide2;net0'
Delete VM
qm stop 200
qm destroy 200
Snapshot VM (--vmstate 1 also saves the RAM, so the rollback resumes a running machine)
qm snapshot 200 test_snap
qm snapshot 200 test_snap_with_ram --vmstate 1
qm listsnapshot 200
qm delsnapshot 200 test_snap
Rollback VM
qm rollback 200 test_snap
qm rollback 200 test_snap --start 1
qm rollback 200 test_snap_with_ram
Storage
SMB
GUI
Note: set the protocol version to 3 (SMB 3). Datacenter > Storage > SMB/CIFS
CLI
pvesm add cifs syno --server $(IP/DNS) --share $(SHARE NAME) --username $(USERNAME