iptables

|
Operating system/ Linux
| Linux

iptables

List firewall rule

1
2
# iptables -L -n -v
# iptables-save

Flush or remove all iptables rules

1
2
3
4
5
6
7
8
9
10
11
12
13
14
# filter (default), nat, mangle, raw, security
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
iptables -t security -F
iptables -t security -X

NAT

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
sysctl net.ipv4.tcp_fin_timeout=15
sysctl net.ipv4.tcp_keepalive_intvl=75
sysctl net.ipv4.ip_forward=1
sysctl net.ipv4.conf.ens3.forwarding=1
sysctl net.ipv6.conf.ens3.forwarding=1

cat | iptables-restore << EOF
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -p esp -j RETURN
-A POSTROUTING -s 10.20.30.0/24  -o ens3 -j MASQUERADE
-A POSTROUTING -s 10.20.40.0/24  -o ens3 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 -o ens3 -j MASQUERADE
COMMIT
EOF

NFS

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
iptables -I INPUT 1 -m tcp -p tcp --dport 111 -j DROP
iptables -I INPUT 1 -m udp -p udp --dport 111 -j DROP

iptables -A INPUT -s 127.0.0.0/8 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 2049 -j ACCEPT

iptables -A INPUT -s 10.0.0.0/8 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s 10.0.0.0/8 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 2049 -j ACCEPT

iptables -A INPUT -s 172.16.0.0/12 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s 172.16.0.0/12 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 2049 -j ACCEPT

iptables -A INPUT -s 192.168.0.0/16 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 2049 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/16 -p udp -m state --state NEW,ESTABLISHED -m udp --dport 2049 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 2049 -j DROP
iptables -A INPUT -p udp -m udp --dport 2049 -j DROP