ShellSpells
Filter Tables

The filter table is the default table (used whenever -t is omitted) and is where packet filtering decisions are made. Its built-in chains are INPUT, OUTPUT and FORWARD.

Chains

INPUT

Examined for packets that ARRIVE at the system and are addressed to a local process (not for packets merely passing through).

OUTPUT

Applied to packets generated by local processes as they are SENT FROM the system.

FORWARD

Checked for packets ROUTED THROUGH the system (in one interface, out another). Nothing reaches this chain unless IP forwarding is enabled (net.ipv4.ip_forward=1).

Actions

Targets are given with -j. The three terminating targets used below:

ACCEPT

Let the packet through; no further rules in the chain are evaluated.

REJECT

Discard the packet and send an error back to the sender (ICMP port-unreachable by default; --reject-with tcp-reset sends a TCP RST instead). Only valid in INPUT, FORWARD and OUTPUT and in user-defined chains called from them.

DROP

Discard the packet silently. The sender sees a timeout instead of an error, which reveals less about the host but makes troubleshooting harder.

LOG also appears below. It is not terminating: it writes to the kernel log and the packet continues to the next rule, so a LOG rule is always paired with a DROP or REJECT that follows it with the same match.

Examples by Chain

INPUT/OUTPUT

Allow loopback traffic

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT

Allow established and related connections INCOMING and OUTGOING

sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Allow incoming SSH traffic from a specific IP range

sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

Allow incoming ICMP (ping) traffic

sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Allow incoming FTP traffic (control connection on port 21; the second rule matches active-mode data connections arriving from a remote server's port 20, which conntrack classifies as RELATED only when the nf_conntrack_ftp helper is loaded; passive-mode transfers use high ports and are not covered)

sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow incoming and outgoing DNS traffic (UDP only; add the same rules for 53/tcp if large responses or zone transfers are expected)

sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

Allow incoming and outgoing NTP traffic

sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

Allow outgoing SMTP (email) traffic

sudo iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT

Allow outgoing IMAP and IMAPS (email) traffic

sudo iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT

Allow outgoing HTTP and HTTPS traffic

sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

Allow outgoing FTP traffic (control connection to port 21; the second rule lets a local FTP server open active-mode data connections from port 20, again RELATED only with the nf_conntrack_ftp helper loaded)

sudo iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT

Allow INCOMING traffic by PORT (--ports matches either the source or the destination port; use --dports to match only the destination, which is what a service allow-list normally wants):

sudo iptables -t filter -A INPUT -p TCP -m multiport --ports 22,23,3389,6001:6030 -j ACCEPT

Allow OUTGOING traffic by PORT (same caveat: --ports matches source or destination):

sudo iptables -t filter -A OUTPUT -p TCP -m multiport --ports 22,23,3389,6001:6030 -j ACCEPT

Throttle new SSH connections per source to slow brute-force attacks. The recent module records the source address of every NEW connection to port 22; the fourth NEW connection from the same address within 60 seconds is dropped. Order matters: the --set rule must precede the --update rule, and the ACCEPT must come last.

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set

sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Log and drop invalid packets (LOG is non-terminating, so the DROP must follow it with the same match)

sudo iptables -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_PACKET: " --log-ip-options --log-tcp-options

sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Append a rule to accept all INCOMING traffic on the loopback interface

iptables -t filter -A INPUT -i lo -j ACCEPT

Append a rule to accept SSH traffic (port 22) in the INPUT chain

iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

Append a rule to drop all ICMP traffic in the INPUT chain

iptables -t filter -A INPUT -p icmp -j DROP

Insert a rule at the top of the INPUT chain (position 1) to drop traffic from IP 192.168.1.1

iptables -t filter -I INPUT 1 -s 192.168.1.1 -j DROP

Replace the first rule in the INPUT chain with a new one that accepts HTTP traffic (port 80)

iptables -t filter -R INPUT 1 -p tcp --dport 80 -j ACCEPT

Append a rule to accept all established and related connections in the INPUT chain

iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
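The INPUT rules above are listed one at a time, but what matters in practice is the order they end up in. The script below is an added example (not code from the ShellSpells page) that assembles them into a single iptables-restore ruleset in the order the kernel should evaluate them, then checks two ordering invariants before anything is loaded. The management subnet (MGMT_NET), the SSH throttle values (SSH_HITS, SSH_WINDOW), the interface-free host-firewall shape and the open OUTPUT policy are assumptions to adjust for your host.

```bash
#!/usr/bin/env bash
# Added example, not from the ShellSpells page: assemble the INPUT rules above into one
# iptables-restore ruleset in the order the kernel should evaluate them.
# Assumptions (adjust before loading): MGMT_NET is the only subnet allowed to SSH in,
# SSH_HITS/SSH_WINDOW are the recent-module throttle, OUTPUT is left open (host firewall).
set -euo pipefail

MGMT_NET="${MGMT_NET:-192.168.1.0/24}"
SSH_HITS="${SSH_HITS:-4}"
SSH_WINDOW="${SSH_WINDOW:-60}"

# Print the ruleset. Lines starting with # are comments, which iptables-restore ignores.
gen_filter_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Reply traffic first: most packets match here, and it must precede every DROP below
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. LOG does not terminate, so the DROP for INVALID packets follows it with the same match
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_PACKET: "
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 3. Loopback
-A INPUT -i lo -j ACCEPT
# 4. ICMP: rate-limited echo-request, plus fragmentation-needed so PMTU discovery keeps working
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
-A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# 5. SSH: only from the management subnet, then throttled per source with the recent module
-A INPUT -p tcp --dport 22 ! -s ${MGMT_NET} -j DROP
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --set
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds ${SSH_WINDOW} --hitcount ${SSH_HITS} -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT
# 6. Everything else falls to the INPUT DROP policy; log a sample of it first
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_DROP: "
COMMIT
EOF
}

# Check two ordering invariants before loading: the conntrack accept is the first INPUT rule,
# and every unthrottled LOG rule is immediately followed by a DROP with the same match.
check_ruleset() {
  gen_filter_ruleset | awk '
    BEGIN { bad = 0; pending = "" }
    /^-A INPUT/ {
      n++
      if (n == 1 && $0 !~ /ESTABLISHED,RELATED -j ACCEPT$/) {
        print "first INPUT rule must be the conntrack ACCEPT"; bad = 1
      }
      split($0, part, " -j ")   # part[1] = match expression, part[2] = target
      if (pending != "" && (part[1] != pending || part[2] != "DROP")) {
        print "LOG rule not followed by a matching DROP: " pending; bad = 1
      }
      pending = ""
      if (part[2] ~ /^LOG/ && part[1] !~ /-m limit/) pending = part[1]
    }
    END { if (pending != "") bad = 1; exit bad }'
}

# Number of INPUT rules the generator emits (a quick guard against accidental edits).
count_input_rules() {
  gen_filter_ruleset | grep -c '^-A INPUT'
}

check_ruleset
gen_filter_ruleset
```

Save the output to a file, syntax-check it with `iptables-restore --test` and only then load it with `iptables-restore` from a session that does not depend on the rules being right (a console, not an SSH session from outside MGMT_NET). The generator drops SSH from anywhere outside MGMT_NET before the throttle rules, so a wrong subnet locks you out.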

FORWARD

Allow all forwarded traffic (not secure: it turns the host into an open router, but useful for a lab or transient pivot)

iptables -A FORWARD -j ACCEPT

Drop all forwarded traffic. Note that this appends a DROP as the last rule, so any rule appended after it with -A is never reached; the cleaner way to get the same secure default is to set the chain policy with -P FORWARD DROP and append only the ACCEPT rules.

iptables -A FORWARD -j DROP

Allow forwarded traffic from a specific source IP

iptables -A FORWARD -s 192.168.1.100 -j ACCEPT

Allow forwarded traffic to a specific destination IP

iptables -A FORWARD -d 192.168.2.100 -j ACCEPT

Allow forwarded traffic from a specific subnet to another subnet

iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT

Drop forwarded traffic from a specific subnet to any destination

iptables -A FORWARD -s 10.10.0.0/16 -j DROP

Allow forwarded traffic on a specific port (e.g., HTTP)

iptables -A FORWARD -p tcp --dport 80 -j ACCEPT

Log and then drop forwarded packets from a specific IP

iptables -A FORWARD -s 10.10.10.10 -j LOG --log-prefix "Dropped by iptables: "
iptables -A FORWARD -s 10.10.10.10 -j DROP

Limiting forwarded traffic rate from a specific source (e.g., 5 packets per second)

iptables -A FORWARD -s 192.168.1.100 -m limit --limit 5/sec -j ACCEPT
iptables -A FORWARD -s 192.168.1.100 -j DROP

Reject forwarded traffic to a specific port with a TCP reset (RST) instead of the default ICMP port-unreachable, so the client sees an immediate "connection refused"

iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset

Stateful forwarding: accept reply traffic for tracked connections, then allow NEW connections only from the inside interface out (eth1 = inside, eth0 = outside here; adjust to your interfaces). New connections arriving on eth0 toward eth1 match neither rule and fall through to the chain policy.

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i eth1 -o eth0 -j ACCEPT
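Most FORWARD mistakes are about order and scope rather than syntax: an unconditional ACCEPT, an ACCEPT not tied to connection state, a rule appended after a blanket DROP that can never match, or a chain policy left at ACCEPT. The script below is an added example (not code from the ShellSpells page) that audits a chain dump in the `iptables -S FORWARD` format for those four problems; the sample dump it runs on is constructed for the demonstration and deliberately contains two of them.

```bash
#!/usr/bin/env bash
# Added example, not from the ShellSpells page: audit a FORWARD chain dump
# ("iptables -S FORWARD" format) for the mistakes the rules above make easy.
# The sample dump below is constructed for the demonstration.
set -euo pipefail

SAMPLE_FORWARD='-P FORWARD ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.10.10.10/32 -j LOG --log-prefix "Dropped by iptables: "
-A FORWARD -s 10.10.10.10/32 -j DROP
-A FORWARD -j DROP
-A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT'

# Read a chain dump on stdin and print one finding per line:
#   policy:    the chain policy is ACCEPT, so anything not matched is forwarded
#   open:      an ACCEPT with no match at all turns the host into an open router
#   stateless: an ACCEPT that is not tied to conntrack state
#   shadowed:  a rule placed after an unconditional rule can never match
audit_forward() {
  awk '
    BEGIN { shadow = "" }
    /^-P FORWARD ACCEPT/ { print "policy: FORWARD policy is ACCEPT, set it to DROP" }
    /^-A FORWARD/ {
      if (shadow != "") { print "shadowed: never reached, follows unconditional " shadow ": " $0; next }
      match($0, /-j [A-Z]+/)
      target = substr($0, RSTART + 3, RLENGTH - 3)
      if ($0 ~ /^-A FORWARD -j /) {        # nothing between the chain name and the target
        if (target == "ACCEPT") print "open: unconditional ACCEPT: " $0
        shadow = target
        next
      }
      if (target == "ACCEPT" && $0 !~ /--ctstate|--state/)
        print "stateless: ACCEPT without a conntrack match: " $0
    }'
}

# Number of findings for a dump passed as the first argument.
count_findings() {
  printf '%s\n' "$1" | audit_forward | grep -c . || true
}

printf '%s\n' "$SAMPLE_FORWARD" | audit_forward
```

On a live host run `iptables -S FORWARD | audit_forward`. The `stateless` finding is a warning, not always a bug: a rate-limited ACCEPT such as the `-m limit` rule above is legitimately stateless, but it deserves a look because it also admits unsolicited inbound packets.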

Examples by Match Statements

Multiport

Block Incoming Traffic on Multiple Ports:

iptables -A INPUT -p tcp -m multiport --dports 80,443,8080 -j DROP

Allow Outgoing Replies From Local Services on Multiple Ports (--sports matches the source port of packets leaving this host, i.e. local FTP, SSH and SMTP servers answering clients; use --dports for connections this host initiates):

iptables -A OUTPUT -p tcp -m multiport --sports 21,22,25 -j ACCEPT

Restricting Access to Specific IP Addresses on Multiple Ports:

iptables -A INPUT -p tcp -s 192.168.1.100 -m multiport --dports 80,443 -j ACCEPT

Reject Outgoing Mail Traffic (25, 465, 587) to Every Host Except One Permitted Relay:

iptables -A OUTPUT -p tcp ! -d 192.168.1.50 -m multiport --dports 25,465,587 -j REJECT

Logging Packets That Match Multiport Rules (LOG does not terminate, so the DROP with the same match follows it):

iptables -A INPUT -p tcp -m multiport --dports 80,443,8080 -j LOG --log-prefix "Dropped Packet: "

iptables -A INPUT -p tcp -m multiport --dports 80,443,8080 -j DROP

State/Conntrack

Allow Established and Related Incoming Connections

Allows incoming packets that belong to a connection already tracked by conntrack (ESTABLISHED) or that conntrack has tied to one, such as ICMP errors or FTP data channels (RELATED).

Place it at the top of the chain: once a connection is initiated, all of its packets match here and never need to reach the per-service rules. The older spelling -m state --state seen elsewhere on this page is an alias for -m conntrack --ctstate and still works:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

Drop Invalid Packets:

iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Allow New, Established, and Related Outgoing Connections:

iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

Allow New SSH Connections From a Specific IP Address:

iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -m conntrack --ctstate NEW -j ACCEPT

Block New Incoming Connections on a Specific Port

Drops only NEW packets to port 22, so sessions that are already open keep working as long as an ESTABLISHED,RELATED accept rule is also present in the chain.

A common way to stop further SSH logins without cutting off the admin who is already connected:

iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP

Logging New Incoming Connections:

iptables -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "New Connection: "

Limiting New Connections Per Second to a Port (bursts of up to 5, then 1 per second; excess NEW packets fall through to the DROP). Note that -m limit keeps one token bucket per rule, not per source address, so a single noisy client exhausts the allowance for everyone; for a per-source limit use the hashlimit match instead:

iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 5 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP
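The rate-limited rules on this page (the FORWARD limit above, the NEW-connection limit just shown and the ICMP limit below) all rely on the token bucket behind `-m limit`, and the detail that bites people is that the bucket belongs to the rule, not to each source. The script below is an added example (not code from the ShellSpells page): a simplified model of that bucket, run over a constructed, time-ordered packet list for `--limit 1/s --limit-burst 5`, which shows a second host's packet spending the token that the first host's next packet then misses.

```bash
#!/usr/bin/env bash
# Added example, not from the ShellSpells page: a simplified model of the token bucket
# behind "-m limit --limit R --limit-burst B". One bucket per rule: tokens refill at R per
# second up to B, each matching packet spends one, and a packet with no token falls through
# to the next rule (here, the DROP). The event list is constructed: "seconds source".
set -euo pipefail

SAMPLE_EVENTS='0 10.0.0.1
0 10.0.0.1
0 10.0.0.1
0 10.0.0.1
0 10.0.0.1
0 10.0.0.1
1 10.0.0.2
1 10.0.0.1
3 10.0.0.2
10 10.0.0.1'

# limit_sim RATE BURST: reads time-ordered "t src" lines, prints "t src ACCEPT|DROP".
limit_sim() {
  awk -v rate="$1" -v burst="$2" '
    BEGIN { credit = burst; last = 0 }
    {
      t = $1; src = $2
      credit += (t - last) * rate        # tokens earned since the previous packet
      if (credit > burst) credit = burst # the bucket never holds more than the burst
      last = t
      if (credit >= 1) { credit -= 1; verdict = "ACCEPT" } else { verdict = "DROP" }
      print t, src, verdict
    }'
}

# How many of the sample events get VERDICT under --limit 1/s --limit-burst 5.
count_verdict() {
  printf '%s\n' "$SAMPLE_EVENTS" | limit_sim 1 5 | grep -c " $1\$" || true
}

printf '%s\n' "$SAMPLE_EVENTS" | limit_sim 1 5
```

The sixth packet at t=0 is dropped because the burst of 5 is spent. At t=1 one token has refilled; 10.0.0.2 takes it and the packet from 10.0.0.1 in the same second is dropped, which is exactly what a per-rule limit looks like to the victim of a noisy neighbour. The real xt_limit keeps its accounting in finer units, but the accept/drop pattern is the same.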

iprange

Allow Traffic to a Specific Port from a Range of IP Addresses (iprange takes an inclusive range and is meant for ranges that do not fall on CIDR boundaries; for a whole subnet, -s with a prefix length is simpler):

iptables -A INPUT -p tcp --dport 80 -m iprange --src-range 10.0.0.1-10.0.0.255 -j ACCEPT

Block Outgoing Traffic to a Specific IP Range:

iptables -A OUTPUT -m iprange --dst-range 203.0.113.0-203.0.113.255 -j DROP

Allow Forwarded Traffic from a Specific IP Range:

iptables -A FORWARD -m iprange --src-range 172.16.0.0-172.16.255.255 -j ACCEPT

Rejecting Incoming Connections to a Range of Local IP Addresses (the sender gets the default ICMP port-unreachable):

iptables -A INPUT -m iprange --dst-range 10.10.10.1-10.10.10.100 -j REJECT

icmp

Block All Incoming ICMP Echo Requests (Ping Requests)

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Allow ICMP Echo Replies

iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Limit Incoming ICMP Echo Requests

iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT

iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Allow ICMP Destination Unreachable (without it, connections to unreachable hosts time out instead of failing fast)

iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT

Block ICMP Timestamp Requests

iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP

Allow ICMP Fragmentation Needed for Path MTU Discovery. This is type 3 code 4, a subtype of destination-unreachable, so the rule above already covers it; keep this one when only specific codes are accepted, because blocking it silently breaks large transfers across smaller-MTU links

iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT