Filter for SSH Traffic (Example)

Precaution Command Before DROP Policy (LAB)

Do this before you change the policy in a LAB ENVIRONMENT so that you do not lock yourself out of the box.

Before changing the policy to DROP, run the following command:

sudo shutdown -r 5

This tells the system to reboot (-r) in 5 minutes.

Change your policy to DROP

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP

If changing the policy to DROP locked you out of your system, the system will reboot within 5 minutes, which clears out your rules (iptables rules are not persistent across a reboot unless you have explicitly saved them).

If you did not get locked out, then run the following command to cancel the reboot:

sudo shutdown -c

Examples

Without using Multiport

Host A:

# Host A as SSH client (outbound SSH to another host)
iptables -t filter -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# Host A as SSH server (inbound SSH from another host)
iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Host B:

# Host B as SSH server (inbound SSH from another host)
iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# Host B as SSH client (outbound SSH to another host)
iptables -t filter -A OUTPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -p tcp --sport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Using Multiport

The multiport match's --ports option matches when either the source or the destination port is in the list, so one rule per chain covers both the client and the server role, and both hosts end up with the same rule set:

Host A:

iptables -t filter -A INPUT -p tcp -m multiport --ports 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -t filter -A OUTPUT -p tcp -m multiport --ports 22 -m state --state NEW,ESTABLISHED -j ACCEPT

Host B:

iptables -t filter -A INPUT -p tcp -m multiport --ports 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -t filter -A OUTPUT -p tcp -m multiport --ports 22 -m state --state NEW,ESTABLISHED -j ACCEPT
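The precaution and the multiport SSH rules above, combined into one set of dry-runnable shell functions as an added example (this is not code from the original page). IPTABLES, SHUTDOWN and SSH_PORTS are assumed variable names, and the loopback rule is an addition the page does not mention.

```shell
# Added example, not from the original page: the page's lab procedure as shell
# functions. IPTABLES, SHUTDOWN and SSH_PORTS are assumed variables; source this
# file and run  IPTABLES=echo SHUTDOWN=echo apply_lab_firewall  to print the
# exact commands (dry run) before applying them on a real box.
IPTABLES="${IPTABLES:-iptables}"
SHUTDOWN="${SHUTDOWN:-shutdown}"
SSH_PORTS="${SSH_PORTS:-22}"      # comma-separated list for multiport, e.g. "22,2222"

# Step 1: schedule the fallback reboot (shutdown -r 5 on the page). If the rules
# lock you out, the box comes back with the unsaved rules gone.
schedule_fallback() {
    "$SHUTDOWN" -r "${1:-5}"
}

# Step 2: the page's multiport SSH rules. --ports matches source OR destination
# port, so one rule per chain covers the host as SSH client and as SSH server.
allow_ssh() {
    for chain in INPUT OUTPUT; do
        "$IPTABLES" -t filter -A "$chain" -p tcp -m multiport --ports "$SSH_PORTS" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
}

# Not on the page, added as a caveat: with DROP on INPUT and OUTPUT, anything
# talking to the host over 127.0.0.1 breaks unless loopback is allowed.
allow_loopback() {
    "$IPTABLES" -t filter -A INPUT  -i lo -j ACCEPT
    "$IPTABLES" -t filter -A OUTPUT -o lo -j ACCEPT
}

# Step 3: default-deny on all three filter chains.
set_drop_policy() {
    for chain in INPUT OUTPUT FORWARD; do
        "$IPTABLES" -t filter -P "$chain" DROP
    done
}

# Step 4: run only after you have confirmed a fresh SSH login still works.
cancel_fallback() {
    "$SHUTDOWN" -c
}

# ACCEPT rules go in before the policy flips so SSH never hits the DROP default.
apply_lab_firewall() {
    schedule_fallback 5
    allow_ssh
    allow_loopback
    set_drop_policy
}
```

Once a new SSH session to the box succeeds, call cancel_fallback; if it does not, let the scheduled reboot run.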

NAT, PAT, and Port Forward (Examples)

Enable IP Forwarding (as root; this /proc setting does not survive a reboot unless you also set it in sysctl configuration):

echo 1 > /proc/sys/net/ipv4/ip_forward

1-to-1 NAT (for the servers, if you have extra IPs)

iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.10 -j SNAT --to 100.1.1.10
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.11 -j SNAT --to 100.1.1.11
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.12 -j SNAT --to 100.1.1.12

PAT (for the clients)

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Port Forward (for the servers, if you don't have extra IPs)

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 10.0.0.10:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 21 -j DNAT --to 10.0.0.11:21
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 23 -j DNAT --to 10.0.0.12:23
