Posted: 3 August 2017.
iptables samples: useful ways to filter network traffic.

Sample Iptables configurations

A sample iptables-save output from an OpenVPN server that lets its VPN clients reach the Internet through it. The filter table is left at its ACCEPT defaults and only the nat table does work (source NAT on the way out); packet forwarding itself still has to be switched on with net.ipv4.ip_forward=1.

ubuntu ~ $ sudo iptables-save
# Generated by iptables-save v1.4.21 on Wed Aug  2 22:19:48 2017
*filter
:INPUT ACCEPT [2654934:1228315333]
:FORWARD ACCEPT [31023:17433690]
:OUTPUT ACCEPT [2475842:555885003]
COMMIT
# Completed on Wed Aug  2 22:19:48 2017
# Generated by iptables-save v1.4.21 on Wed Aug  2 22:19:48 2017
*nat
:PREROUTING ACCEPT [158530:8949443]
:INPUT ACCEPT [157573:8893618]
:OUTPUT ACCEPT [229941:19218532]
:POSTROUTING ACCEPT [229941:19218532]
# Rewrite the source address of packets from the VPN client subnet (-s) to the
# server's public address (--to-source); both values are omitted in this post.
-A POSTROUTING -s -j SNAT --to-source
COMMIT
# Completed on Wed Aug  2 22:19:48 2017

Accept incoming traffic on port 80 and ICMP pings; drop all other TCP traffic.

# Generated by iptables-save v1.4.18 on Tue Oct  7 16:41:03 2014
*filter
:INPUT ACCEPT [3291:241024]
:OUTPUT ACCEPT [3067:171885]
# Rules are evaluated top to bottom, so the ACCEPT rules must come before the
# blanket DROP. Web clients connect from random source ports, so only the
# destination port is matched.
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d -p tcp -m tcp -j DROP
COMMIT
# Completed on Tue Oct  7 16:41:03 2014
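Because iptables evaluates a chain top to bottom, a blanket DROP placed ahead of the port 80 ACCEPT makes that ACCEPT unreachable. The following added example (my own code, not from the original post) parses iptables-save text and flags rules that are shadowed by an earlier terminating rule in the same chain; the two rulesets it checks are constructed, and it assumes option aliases (such as --destination-port for --dport) and `!` negation do not appear.

```python
"""Added example (not from the post): flag iptables rules that can never match
because an earlier terminating rule in the same chain already catches every
packet they select. Parses iptables-save text only; samples are constructed."""
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
# Constructed rulesets modelled on the web-server sample: DROP first (broken)
# and DROP last (fixed).
BROKEN = """*filter
-A INPUT -p tcp -m tcp -j DROP
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
"""
FIXED = """*filter
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp -j DROP
COMMIT
"""

def parse_rules(text):
    """Return (chain, selector dict, target) for every -A line, in order."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)
        chain, opts, target, i = toks[1], {}, None, 2
        while i < len(toks):
            if toks[i] == "-j":
                target, i = toks[i + 1], i + 2
            elif toks[i] == "-m":
                i += 2  # match-module name; its own options follow as -- flags
            elif i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                opts[toks[i]], i = toks[i + 1], i + 2  # option with a value
            else:
                opts[toks[i]], i = True, i + 1  # bare flag such as --syn
        rules.append((chain, opts, target))
    return rules

def shadowed_rules(text):
    """Indices of rules whose selectors are a superset of an earlier terminating
    rule's selectors in the same chain, i.e. rules that are never reached."""
    rules = parse_rules(text)
    hits = []
    for n, (chain, opts, _target) in enumerate(rules):
        for e_chain, e_opts, e_target in rules[:n]:
            if e_chain == chain and e_target in TERMINATING and all(opts.get(k) == v for k, v in e_opts.items()):
                hits.append(n)  # an empty e_opts is a blanket rule: shadows everything after it
                break
    return hits
```

Run it on a real `iptables-save` dump to spot rules that were appended after a catch-all DROP or ACCEPT.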

How to block a website with iptables on Linux.

ubuntu ~ $ sudo iptables -A OUTPUT -p tcp -m string --string "" --algo kmp -j REJECT

This matches the string “” in outgoing TCP packets. It will not prevent pinging the site, but it stops the page loading in a web browser, and it also stops wget from downloading the site's index.html. A proxy set up to block sites would work better, and the rule can be bypassed with a VPN. The string match is per packet and only catches the name where it appears in plaintext, such as an HTTP Host header or the TLS SNI field.

This iptables ruleset forces a 30-second wait between new SSH connection attempts from the same IP address.

# Drop a new SSH connection from any address seen within the last 30 seconds;
# --update also refreshes the timestamp, so each retry restarts the wait.
sudo iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 30 -j DROP
# Otherwise record the address and let the connection through.
sudo iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT

This is useful for slowing down someone who is trying to brute-force an SSH password, although using SSH keys would be more secure. Note that the limit is tracked per source address, so it does nothing against attempts spread across many addresses, and a legitimate user who reconnects within 30 seconds is dropped as well.

