
Iptables

This documentation assumes that you have configured the iptables service and rule restoring as described here.

Show rules

Show all chains and their rules, or only the given chain if one is specified:

```bash
iptables -vL [CHAIN]
```

Dump the contents of the IP tables to STDOUT with the command below. It does not save anything; it only prints the current rules.

```bash
iptables-save
```

Update rules

Iptables rules should only be managed through the /etc/iptables/rules.v4 file.

To apply the rules set in the rules file, run:

```bash
systemctl restart iptables
```

Rule format

```bash
# iptables parameters

-p	--protocol		The protocol of the rule or of the packet to check.
					Possible values: tcp, udp, icmp, or all (default)
-s	--source		Source specification.
-d	--destination	Destination specification.
-i	--in-interface	Name of a network interface via which a packet was received.
-m	--match			Extended packet matching modules.
					Possible values: udp, tcp, multiport and many others
-j	--jump			What to do if the packet matches it.
					Possible values: user-defined chain, ACCEPT, DROP, ...

# TCP options
--sport				Source port or port range specification.
					Possible values: ssh, 443, 4100:4200, ...
--dport				Destination port or port range specification.
					Possible values: ssh, 443, 4100:4200, ...
```

Manual

Allow connections to certain ports

```bash
# Allow access to single port
-A <CHAIN> -p tcp -m tcp --dport <PORT> -j ACCEPT

# Allow access to single port from certain IP
-A <CHAIN> -p tcp -m tcp --dport <PORT> -s <ALLOWED IP> -j ACCEPT

# Range of ports
-A <CHAIN> -p tcp -m tcp --dport <FROM PORT>:<TO PORT> -j ACCEPT
```

Block access to certain ports

If you are using Docker together with a reverse proxy, take a look here.

```bash
# Drop connections to single port
-A <CHAIN> -p tcp -m tcp --dport <PORT> -j DROP
```
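The rule forms from the Manual section combined into one complete rules.v4 for the INPUT chain, with a sanity check before the restart described under Update rules, as an added example that is not part of the original page. ADMIN_IP, the port numbers, the conntrack and LOG rules are assumptions, and iptables-restore --test is assumed to be available on the host.

```shell
#!/bin/sh
# Added example (not from the original page): build a complete /etc/iptables/rules.v4
# for the INPUT chain from the rule forms above, sanity-check it, and only then
# restart the iptables service. ADMIN_IP and the port numbers are constructed values.
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"            # constructed admin address (TEST-NET-3)
RULES_FILE="${RULES_FILE:-/etc/iptables/rules.v4}"

write_rules() {
  # $1 = output path. iptables-save format; '#' lines are ignored by iptables-restore.
  cat > "$1" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow access to single port from certain IP (SSH only from the admin host)
-A INPUT -p tcp -m tcp --dport 22 -s $ADMIN_IP -j ACCEPT
# Allow access to single port
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# Range of ports
-A INPUT -p tcp -m tcp --dport 4100:4200 -j ACCEPT
# Drop connections to single port, logging first so the drops show up in the journal
-A INPUT -p tcp -m tcp --dport 3306 -j LOG --log-prefix "iptables-drop: "
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
COMMIT
EOF
}

check_rules() {
  # $1 = rules file. Fail if the filter table is not opened/closed properly, or if
  # any SSH ACCEPT rule lacks a -s source restriction (SSH open to the world).
  grep -q '^\*filter$' "$1" && grep -q '^COMMIT$' "$1" || return 1
  if grep -- '--dport 22 ' "$1" | grep -- '-j ACCEPT' | grep -qv -- ' -s '; then
    return 1
  fi
  return 0
}

apply_rules() {
  # Parse-only check with iptables-restore --test (needs root and iptables installed),
  # then reload through the service so the file on disk stays the single source of truth.
  iptables-restore --test "$1" && systemctl restart iptables
}
# Usage: ADMIN_IP=<your address> sh this_script.sh --install
if [ "${1:-}" = "--install" ]; then
  write_rules "$RULES_FILE" && check_rules "$RULES_FILE" && apply_rules "$RULES_FILE"
fi
```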