# Filter Tables Default table and is primarily used for packet filtering. ## Chains

Command	Description
`INPUT`	Examined when packets ARRIVE at the system.
`OUTPUT`	Applied as packets are SENT FROM the system.
`FORWARD`	Checked as packets are ROUTED THROUGH the system.

## Actions `ACCEPT` `REJECT` `DROP` ## Examples by Chain ### INPUT/OUTPUT Allow loopback traffic ```bash sudo iptables -A INPUT -i lo -j ACCEPT sudo iptables -A OUTPUT -o lo -j ACCEPT ``` Allow established and related connections INCOMING and OUTGOING ```bash sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ``` Allow incoming SSH traffic from a specific IP range ```bash sudo iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT ``` Allow incoming ICMP (ping) traffic ```bash sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT ``` Allow incoming FTP traffic {% code overflow="wrap" %} ```bash sudo iptables -A INPUT -p tcp --dport 21 -j ACCEPT sudo iptables -A INPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT ``` {% endcode %} Allow incoming and outgoing DNS traffic ```bash sudo iptables -A INPUT -p udp --dport 53 -j ACCEPT sudo iptables -A OUTPUT -p udp --dport 53 -j ACCEPT ``` Allow incoming and outgoing NTP traffic ```bash sudo iptables -A INPUT -p udp --dport 123 -j ACCEPT sudo iptables -A OUTPUT -p udp --dport 123 -j ACCEPT ``` Allow outgoing SMTP (email) traffic ```bash sudo iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT ``` Allow outgoing IMAP and IMAPS (email) traffic ```bash sudo iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT sudo iptables -A OUTPUT -p tcp --dport 993 -j ACCEPT ``` Allow outgoing HTTP and HTTPS traffic ```bash sudo iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT sudo iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT ``` Allow outgoing FTP traffic {% code overflow="wrap" %} ```bash sudo iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT sudo iptables -A OUTPUT -p tcp --sport 20 -m state --state RELATED,ESTABLISHED -j ACCEPT ``` {% endcode %} Allow INCOMING traffic by PORT: {% code overflow="wrap" %} ```bash sudo iptables -t filter -A INPUT -p TCP -m multiport --ports 22,23,3389,6001:6030 -j ACCEPT ``` {% endcode %} Allow OUTGOING traffic by PORT: {% code overflow="wrap" %} ```bash sudo iptables -t filter -A OUTPUT -p TCP -m multiport --ports 22,23,3389,6001:6030 -j ACCEPT ``` {% endcode %} Limit incoming SSH connections per minute and block brute-force attacks {% code overflow="wrap" %} ```bash sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 4 -j DROP sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT ``` {% endcode %} Log and drop invalid packets {% code overflow="wrap" %} ```bash sudo iptables -A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "INVALID_PACKET: " --log-ip-options --log-tcp-options sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP ``` {% endcode %}

Command	Description
`iptables -t filter -A INPUT -i lo -j ACCEPT`	Append rule to accept all INCOMING traffic on the loopback interface
`iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT`	Append a rule to accept SSH traffic (port 22) in the INPUT chain.
`iptables -t filter -A INPUT -p icmp -j DROP`	Append a rule to drop all ICMP traffic in the INPUT chain.
`iptables -t filter -I INPUT 1 -s 192.168.1.1 -j DROP`	Insert a rule at the top of the INPUT chain to drop traffic from IP 192.168.1.1.
`iptables -t filter -R INPUT 1 -p tcp --dport 80 -j ACCEPT`	Replace the first rule in the INPUT chain with a new one to accept HTTP traffic (port 80).
`iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT`	Append a rule to accept all established and related connections in the INPUT chain.

### FORWARD Allow all forwarded traffic (not secure, but useful for open forwarding) ```bash iptables -A FORWARD -j ACCEPT ``` Drop all forwarded traffic (default policy for a secure stance) ```bash iptables -A FORWARD -j DROP ``` Allow forwarded traffic from a specific source IP ```bash iptables -A FORWARD -s 192.168.1.100 -j ACCEPT ``` Allow forwarded traffic to a specific destination IP ```bash iptables -A FORWARD -d 192.168.2.100 -j ACCEPT ``` Allow forwarded traffic from a specific subnet to another subnet ```bash iptables -A FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT ``` Drop forwarded traffic from a specific subnet to any destination ```bash iptables -A FORWARD -s 10.10.0.0/16 -j DROP ``` Allow forwarded traffic on a specific port (e.g., HTTP) ```bash iptables -A FORWARD -p tcp --dport 80 -j ACCEPT ``` Log and then drop forwarded packets from a specific IP ```bash iptables -A FORWARD -s 10.10.10.10 -j LOG --log-prefix "Dropped by iptables: " iptables -A FORWARD -s 10.10.10.10 -j DROP ``` Limiting forwarded traffic rate from a specific source (e.g., 5 packets per second) ```bash iptables -A FORWARD -s 192.168.1.100 -m limit --limit 5/sec -j ACCEPT iptables -A FORWARD -s 192.168.1.100 -j DROP ``` Reject forwarded traffic to a specific port with a custom TCP reset ```bash iptables -A FORWARD -p tcp --dport 22 -j REJECT --reject-with tcp-reset ``` Allow forwarded traffic but ensure stateful inspection (connection tracking) ```bash iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -m state --state NEW -i eth1 -o eth0 -j ACCEPT ``` ## Examples by Match Statements ### Multiport Block Incoming Traffic on Multiple Ports: ```bash iptables -A INPUT -p tcp -m multiport --dports 80,443,8080 -j DROP ``` Allow Outgoing Traffic on Multiple Ports: ```bash iptables -A OUTPUT -p tcp -m multiport --sports 21,22,25 -j ACCEPT ``` Restricting Access to Specific IP Addresses on Multiple Ports: ```bash iptables -A INPUT -p tcp -s 192.168.1.100 -m multiport --dports 80,443 -j ACCEPT ``` Block Outgoing Traffic to Multiple Ports Except for a Specific IP Address: {% code overflow="wrap" %} ```bash iptables -A OUTPUT -p tcp ! -d 192.168.1.50 -m multiport --dports 25,465,587 -j REJECT ``` {% endcode %} Logging Packets That Match Multiport Rules: {% code overflow="wrap" %} ```bash iptables -A INPUT -p tcp -m multiport --dports 80,443,8080 -j LOG --log-prefix "Dropped Packet: " iptables -A INPUT -p tcp -m multiport --dports 80,443,8080 -j DROP ``` {% endcode %} ### State/Conntrack Allow Established and Related Incoming Connections Allows incoming packets that are part of an established connection or are related to an established connection. Useful for ensuring that once a connection is initiated, its packets can continue to flow: ```bash iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT ``` Drop Invalid Packets: ```bash iptables -A INPUT -m conntrack --ctstate INVALID -j DROP ``` Allow New, Established, and Related Outgoing Connections: ```bash iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT ``` Allow New SSH Connections From a Specific IP Address: {% code overflow="wrap" %} ```bash iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -m conntrack --ctstate NEW -j ACCEPT ``` {% endcode %} Block New Incoming Connections on a Specific Port Allows established and related connections. It's a common security measure to prevent unauthorized access while allowing ongoing SSH sessions: ```bash iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j DROP ``` Logging New Incoming Connections: ```bash iptables -A INPUT -m conntrack --ctstate NEW -j LOG --log-prefix "New Connection: " ``` Limiting New Connections Per Second From a Single Source:

iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 1/s --limit-burst 5 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP

### iprange Allow Traffic to a Specific Port from a Range of IP Addresses: {% code overflow="wrap" %} ```bash iptables -A INPUT -p tcp --dport 80 -m iprange --src-range 10.0.0.1-10.0.0.255 -j ACCEPT ``` {% endcode %} Block Outgoing Traffic to a Specific IP Range: ```bash iptables -A OUTPUT -m iprange --dst-range 203.0.113.0-203.0.113.255 -j DROP ``` Limiting Forward Traffic from a Specific IP Range: ```bash iptables -A FORWARD -m iprange --src-range 172.16.0.0-172.16.255.255 -j ACCEPT ``` Rejecting Incoming Connections to a Range of IP Addresses: ```bash iptables -A INPUT -m iprange --dst-range 10.10.10.1-10.10.10.100 -j REJECT ``` ### icmp Block All Incoming ICMP Echo Requests (Ping Requests) ````bash iptables -A INPUT -p icmp --icmp-type echo-request -j DROP ```bash Allow ICMP Echo Replies ```bash iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT ```` Limit Incoming ICMP Echo Requests {% code overflow="wrap" %} ```bash iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j DROP ``` {% endcode %} Allow ICMP Destination Unreachable ```bash iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT ``` Block ICMP Timestamp Requests ```bash iptables -A INPUT -p icmp --icmp-type timestamp-request -j DROP ``` Allow ICMP Fragmentation Needed for Path MTU Discovery ```bash iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.shellspells.net/network/traffic-manipulation/iptables/filter-tables.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.