Sample Iptables configurations
A sample iptables output that I am using on an OpenVPN server to allow Internet traffic to be passed through it.
ubuntu ~ $ sudo iptables-save # Generated by iptables-save v1.4.21 on Wed Aug 2 22:19:48 2017 *filter :INPUT ACCEPT [2654934:1228315333] :FORWARD ACCEPT [31023:17433690] :OUTPUT ACCEPT [2475842:555885003] COMMIT # Completed on Wed Aug 2 22:19:48 2017 # Generated by iptables-save v1.4.21 on Wed Aug 2 22:19:48 2017 *nat :PREROUTING ACCEPT [158530:8949443] :INPUT ACCEPT [157573:8893618] :OUTPUT ACCEPT [229941:19218532] :POSTROUTING ACCEPT [229941:19218532] -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 126.96.36.199 COMMIT # Completed on Wed Aug 2 22:19:48 2017
Accept traffic incoming on port 80 and accept ICMP pings. Drop all other TCP traffic.
# Generated by iptables-save v1.4.18 on Tue Oct 7 16:41:03 2014 *filter :INPUT ACCEPT [3291:241024] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [3067:171885] -A INPUT -d 0.0.0.0/32 -p tcp -m tcp -j DROP -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT -A INPUT -p tcp -m tcp --sport 80 --dport 80 -j ACCEPT COMMIT # Completed on Tue Oct 7 16:41:03 2014
How to block a website with iptables on Linux.
ubuntu ~ $ sudo iptables -A OUTPUT -p tcp -m string --string "smh.com.au" --algo kmp -j REJECT
This matches the string “smh.com.au” and will not prevent pinging the site, but will stop loading it in a web browser. Although a proxy setup to block various sites would work better. This can be bypassed with a VPN. But this will block wget from downloading the index.html from the site.
This iptables ruleset will force a 30 second wait between connection attempts from the same IP address.
sudo iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 30 -j DROP sudo iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT
This would be useful to slow someone down who is trying to brute force the SSH password. Although using SSH keys would be more secure.