# Filter for SSH Traffic (Example)
## Precaution Command Before DROP Policy (LAB)
Do this before you change the policy in a LAB ENVIRONMENT to ensure that you do not lock yourself out of the box:
#### Before changing the policy to DROP
run the following command:
```bash
sudo shutdown -r 5
```
This will tell the system to reboot `-r` in 5 minutes
#### Change your policy to DROP
```bash
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
```
If changing the policy to DROP locked you out of your system then the system will reboot within 5 minutes which will clear out your rules.
If you did not get locked out, then run the following command to cancel the reboot:
```bash
sudo shutdown -c
```
## Examples
### Without using Multiport
Host A:
{% code overflow="wrap" %}
```bash
iptables -t filter -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
```
{% endcode %}
Host B:
{% code overflow="wrap" %}
```bash
iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
```
{% endcode %}
### Using Multiport
Host A:
{% code overflow="wrap" %}
```bash
iptables -t filter -A INPUT -p tcp -m multiport --ports 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m multiport --ports 22 -m state --state NEW,ESTABLISHED -j ACCEPT
```
{% endcode %}
Host B:
{% code overflow="wrap" %}
```bash
iptables -t filter -A INPUT -p tcp -m multiport --ports 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp -m multiport --ports 22 -m state --state NEW,ESTABLISHED -j ACCEPT
```
{% endcode %}
## NAT, PAT, and Port Forward (Examples)
Enable IP Forwarding:
```bash
| echo 1 > /proc/sys/net/ipv4/ip_forward
```
1-to-1 NAT (for the servers if you have extra IP's)
```bash
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.10 -j SNAT --to 100.1.1.10
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.11 -j SNAT --to 100.1.1.11
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.12 -j SNAT --to 100.1.1.12
```
PAT (for the clients)
```bash
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```
Port Forward (for the servers if you don't have extra IP's)
```bash
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.10:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to 10.0.0.11:21
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 23 -j DNAT --to 10.0.0.12:23
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://www.shellspells.net/network/traffic-manipulation/iptables/filter-for-ssh-traffic-example.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.