Iptables samples. Very good ways to filter network traffic.

Posted: August 3, 2017 at 9:33 AM. Post ID: 10999

Sample Iptables configurations

Sample iptables-save output from an OpenVPN server I use, configured to let the VPN clients' Internet traffic pass through it (the 10.8.0.0/24 range is the OpenVPN client network, NATed out of eth0).

ubuntu ~ $ sudo iptables-save
# Generated by iptables-save v1.4.21 on Wed Aug  2 22:19:48 2017
*filter
:INPUT ACCEPT [2654934:1228315333]
:FORWARD ACCEPT [31023:17433690]
:OUTPUT ACCEPT [2475842:555885003]
COMMIT
# Completed on Wed Aug  2 22:19:48 2017
# Generated by iptables-save v1.4.21 on Wed Aug  2 22:19:48 2017
*nat
:PREROUTING ACCEPT [158530:8949443]
:INPUT ACCEPT [157573:8893618]
:OUTPUT ACCEPT [229941:19218532]
:POSTROUTING ACCEPT [229941:19218532]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 192.45.123.100
COMMIT
# Completed on Wed Aug  2 22:19:48 2017

Accept incoming traffic on TCP port 80 and accept ICMP pings; drop all other TCP traffic. Rule order matters: the ACCEPT rules have to come before the blanket DROP, and because a web client's source port is ephemeral the HTTP rule matches on --dport only. Note that a bare "drop all other TCP" rule also drops replies to TCP connections the host itself opens; add an ESTABLISHED,RELATED accept before the DROP if the host needs those.

# Generated by iptables-save v1.4.18 on Tue Oct  7 16:41:03 2014
*filter
:INPUT ACCEPT [3291:241024]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3067:171885]
# Allow ICMP (ping) and new HTTP connections first...
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# ...then drop every other TCP packet that reaches INPUT.
-A INPUT -p tcp -m tcp -j DROP
COMMIT
# Completed on Tue Oct  7 16:41:03 2014
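Getting a small ruleset like this wrong is easy: a DROP placed before its exceptions silently shadows them, a rule with both --sport and --dport only matches clients that happen to use that exact source port, and an address like 0.0.0.0/32 matches nothing at all. The following linter is an added example (not code from the original post): it parses iptables-save text and reports those three mistakes. The two dumps embedded in it are constructed for the demonstration; the first contains all three problems, the second is the same intent written so every rule is reachable.

```python
"""Lint an iptables-save dump for rules that cannot do what the author intended.

Added example, not from the original post. It reports:
  * a rule shadowed by an earlier terminating rule in the same chain whose
    match conditions are a subset of the later rule's (the later rule never fires);
  * a TCP rule with both --sport and --dport, which only matches clients that
    happen to use that exact source port;
  * an address of 0.0.0.0/32, which no real packet carries.
"""
import shlex

# Targets that stop rule evaluation in a chain once they match.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN", "MASQUERADE", "SNAT", "DNAT"}

# Constructed sample dump (not the post's): the blanket DROP in rule 1 shadows
# rules 3 and 4, rule 3 needs both ports to be 80, and rule 4 targets 0.0.0.0/32.
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 --dport 80 -j ACCEPT
-A INPUT -d 0.0.0.0/32 -p tcp -m tcp -j DROP
COMMIT
"""

# Same intent written so that each rule is reachable: accept first, drop last.
FIXED_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -j DROP
COMMIT
"""


def match_options(toks):
    """Return the match part of a rule (everything before -j) as a frozenset of
    (option, value) pairs. A negation token ("!") is kept as its own pair, so a
    negated rule is never treated as identical to its positive form."""
    pairs = []
    i = 0
    while i < len(toks) and toks[i] != "-j":
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            pairs.append((toks[i], toks[i + 1]))
            i += 2
        else:
            pairs.append((toks[i], ""))
            i += 1
    return frozenset(pairs)


def parse_rules(dump):
    """Turn iptables-save text into a list of rule dicts (only -A lines matter)."""
    table, rules = None, []
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            toks = shlex.split(line)
            target = toks[toks.index("-j") + 1] if "-j" in toks else None
            rules.append({"table": table, "chain": toks[1], "line": line,
                          "match": match_options(toks[2:]), "target": target})
    return rules


def lint(dump):
    """Return findings as dicts with the 1-based rule number, a kind and a message."""
    findings = []
    rules = parse_rules(dump)
    for i, rule in enumerate(rules):
        opts = dict(rule["match"])
        if "--sport" in opts and "--dport" in opts:
            findings.append({"rule": i + 1, "kind": "sport-and-dport",
                             "message": "matches only when the client's source port is also %s"
                                        % opts["--sport"]})
        if "0.0.0.0/32" in (opts.get("-s"), opts.get("-d")):
            findings.append({"rule": i + 1, "kind": "null-address",
                             "message": "0.0.0.0/32 matches no real traffic"})
        # A later rule is unreachable if an earlier terminating rule in the same
        # chain has a subset of its conditions (it matches a superset of packets).
        for j in range(i):
            earlier = rules[j]
            if (earlier["table"], earlier["chain"]) != (rule["table"], rule["chain"]):
                continue
            if earlier["target"] in TERMINATING and earlier["match"] <= rule["match"]:
                findings.append({"rule": i + 1, "kind": "shadowed",
                                 "message": "never reached: rule %d already matches everything it would"
                                            % (j + 1)})
                break
    return findings


if __name__ == "__main__":
    for name, dump in (("sample", SAMPLE_DUMP), ("fixed", FIXED_DUMP)):
        print(name, lint(dump) or "no findings")
```

Feed it the output of `sudo iptables-save` on a real host to check a ruleset before loading it. The shadow check is deliberately conservative: it only flags a rule when an earlier terminating rule's conditions are a strict subset, so it will not notice overlaps expressed with different options (for example a CIDR range that contains a later rule's single address).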

How to block a website with iptables on Linux.

ubuntu ~ $ sudo iptables -A OUTPUT -p tcp -m string --string "smh.com.au" --algo kmp -j REJECT

This rule matches the string “smh.com.au” anywhere in outgoing TCP payloads, so it does not prevent pinging the site (ICMP echo carries no such string) but it does stop the site loading in a web browser, and it blocks wget from downloading the site's index.html. A proxy set up to block various sites would work better, and this rule can be bypassed with a VPN.

This iptables ruleset forces a 30 second wait between new SSH connection attempts (TCP port 22) from the same IP address:

sudo iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 30 -j DROP
sudo iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

This is useful for slowing down someone who is trying to brute-force an SSH password, although using SSH keys would be more secure.
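The behaviour of these two rules is less obvious than it looks: `--update` refreshes the timestamp every time it matches, so a client that keeps retrying inside the window keeps extending its own wait, while a client that backs off for longer than 30 seconds is let in again. The following simulation is an added example (not code from the original post) that models the xt_recent list the rules use and runs a constructed sequence of connection attempts through it; the addresses and timestamps are made up for the demonstration.

```python
"""Simulate the xt_recent throttle used by the two SSH rules above.

Added example, not from the original post. The rules modelled are
  -m state --state NEW --dport 22 -m recent --update --seconds 30 -j DROP
  -m state --state NEW --dport 22 -m recent --set -j ACCEPT
Rule 1 matches (and refreshes the timestamp) when the source address was seen
within the last 30 seconds; rule 2 records the address and accepts.
"""


class RecentThrottle:
    """Model of a single xt_recent list driven by --update --seconds N / --set."""

    def __init__(self, seconds=30):
        self.seconds = seconds
        self.last_seen = {}  # source IP -> time of its last recorded attempt

    def new_connection(self, src, now):
        """Verdict for a NEW connection from `src` at time `now` (in seconds)."""
        last = self.last_seen.get(src)
        # Rule 1: --update --seconds 30 matches only if the entry exists and is
        # fresh. On a match the kernel also refreshes the timestamp, so a client
        # that keeps retrying keeps extending its own lockout.
        if last is not None and now - last <= self.seconds:
            self.last_seen[src] = now
            return "DROP"
        # Rule 2: --set records the address (or refreshes a stale entry) and accepts.
        self.last_seen[src] = now
        return "ACCEPT"


def simulate(events, seconds=30):
    """Run (time, src) NEW-connection events through the throttle in time order
    and return a list of (time, src, verdict) tuples."""
    throttle = RecentThrottle(seconds)
    return [(t, src, throttle.new_connection(src, t)) for t, src in sorted(events)]


def verdicts_for(src, results):
    """Just the verdicts for one source address, in order."""
    return [v for _, s, v in results if s == src]


# Constructed scenario: 203.0.113.5 retries every 10-20 s and then pauses for
# 31 s; 198.51.100.7 opens one session and another one 45 s later.
EVENTS = [
    (0, "203.0.113.5"), (10, "203.0.113.5"), (20, "203.0.113.5"),
    (40, "203.0.113.5"), (71, "203.0.113.5"),
    (5, "198.51.100.7"), (50, "198.51.100.7"),
]

if __name__ == "__main__":
    for t, src, verdict in simulate(EVENTS):
        print("t=%3ds %-14s %s" % (t, src, verdict))
```

Two things the simulation makes visible: the retrying client is accepted once and then dropped until it stays quiet for longer than the window, and a legitimate user is also refused if they open a second session (an scp right after an ssh, say) within 30 seconds of the first. If that is a problem, xt_recent's `--hitcount` option allows a few attempts inside the window before the DROP rule matches, and `--name` keeps the SSH list separate from any other recent-based rules on the host.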
