My-Tiny.Net :: Networking with Virtual Machines



iptables Quick Reference

See the man page for full details.

Note that INPUT, FORWARD, and OUTPUT are separate: a packet will only hit one of the three chains.
  • If the destination is to this server, it hits the INPUT chain
  • If the source is from this server, it hits the OUTPUT chain
  • If the source and destination are both other machines, it hits the FORWARD chain
    (It is a common mistake to think that, once net.ipv4.conf.all.forwarding=1 is set,
    packets addressed to or sent from this host also traverse FORWARD. They do not:
    only packets being routed between other machines hit the FORWARD chain.)
Help yourself out with something like this when writing rules to see how packets traverse the iptables rules and chains:
    iptables -I INPUT 1 -j LOG --log-prefix="INPUT chain-"
    iptables -I OUTPUT 1 -j LOG --log-prefix="OUTPUT chain-"
    iptables -I FORWARD 1 -j LOG --log-prefix="FORWARD chain-"

-L, --list           List the current filter rules
-v, --verbose        Display more information in the output
    --line-numbers   Add line numbers corresponding to each rule's position in the chain when listing rules
Best practice: iptables -L --line-numbers

-A, --append    Add this rule to the end of the specified rule chain
-I, --insert    Takes two arguments, the chain and the rule number. -I INPUT 5 would insert the rule into the INPUT chain as the 5th rule in the list.
-D, --delete    Deletes a rule in a chain by number. -D INPUT 5 would delete the 5th rule in the INPUT chain.
-R, --replace   Replaces a rule in a chain by number. -R INPUT 5 would replace the 5th rule in the INPUT chain.

-j, --jump      Jump to the specified target. Default targets can be:
  ACCEPT   Accept the packet and stop processing rules in this chain.
  DROP     Silently ignore the packet, and stop processing rules in this chain.
  LOG      Log the packet, and continue processing more rules in this chain. LOG is a "non-terminating target", so if you want to log the packets you refuse, use two separate rules with the same matching criteria, first using target LOG then DROP.
The LOG target has some additional options:
  --log-prefix         Places a string of up to 29 characters before the log line when it is written. Use double quotes around the text.
  --log-level          Log using the specified syslog level (priority). The syslog facility is always kern.
  --log-ip-options     Log options from the IP packet header.
  --log-tcp-options    Log options from the TCP packet header.
  --log-tcp-sequence   Log TCP sequence numbers. This is a security risk if the log is readable by users.
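What you actually do with LOG output once the rules above are in place is read it back out of the kernel log. The following is an added example, not code from the original page: a small Python parser for the lines the LOG target writes, keyed on the --log-prefix strings used in this reference, with a tally of which sources keep tripping which logged rule. The sample log lines are constructed (RFC 5737 documentation addresses); the field layout (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT= ...) is the one the LOG target emits.

```python
"""Parser for the kernel log lines written by iptables' LOG target (added example,
not from the page).  Lines tagged with the --log-prefix strings used in the quick
reference are turned into dictionaries and tallied per source and destination port.
"""
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample of /var/log/kern.log content (documentation addresses only).
SAMPLE_LOG = """\
Mar  4 10:15:01 gw kernel: INPUT chain-IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  4 10:15:02 gw kernel: FORWARD chain-IN=eth0 OUT=eth1 MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=UDP SPT=5353 DPT=53 LEN=40
Mar  4 10:15:03 gw kernel: iptables limit 1/min: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=8 PROTO=TCP SPT=40002 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  4 10:15:04 gw kernel: iptables limit 1/min: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:03:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar  4 10:15:05 gw sshd[4242]: Accepted publickey for admin from 192.0.2.10 port 40001 ssh2
"""

KV_RE = re.compile(r"([A-Z]+)=(\S*)")
# Tokens the LOG target prints without a value: IP fragment bits and TCP flags.
BARE_FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the --log-prefix text plus KEY=value fields of one LOG line,
    or None for lines that did not come from the LOG target."""
    _, sep, payload = line.partition(" kernel: ")
    start = payload.find("IN=")          # the prefix is written immediately before IN=
    if not sep or start < 0:
        return None
    record: Dict[str, str] = {"prefix": payload[:start].rstrip()}
    body = payload[start:]
    for key, value in KV_RE.findall(body):
        record.setdefault(key, value)    # keep the IP-header LEN/ID over the UDP/ICMP ones
    record["flags"] = ",".join(tok for tok in body.split() if tok in BARE_FLAGS)
    return record


def summarize(log_text: str) -> Counter:
    """Count logged packets per (prefix, SRC, PROTO, DPT)."""
    tally: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        key = (rec["prefix"], rec.get("SRC", "?"), rec.get("PROTO", "?"), rec.get("DPT", "-"))
        tally[key] += 1
    return tally


def packets_from(log_text: str, src: str) -> int:
    """Total logged packets seen from one source address, across all prefixes."""
    return sum(n for key, n in summarize(log_text).items() if key[1] == src)


if __name__ == "__main__":
    for (prefix, src, proto, dpt), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3} x [{prefix}] {src} {proto} dpt={dpt}")
```

Note how the "INPUT chain-" prefix from the debugging rules above runs straight into IN=eth0, because the LOG target writes the prefix with nothing after it; the parser splits at IN= so either style works, but ending a prefix with a space or a colon (as the "iptables limit 1/min: " rule later on this page does) keeps the log lines readable and easy to grep.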

-s, --source          address[/mask] specification
-d, --destination     address[/mask] specification
-i, --in-interface    INPUT, FORWARD chains: Match if the packet is coming in on the specified interface
-o, --out-interface   OUTPUT, FORWARD chains: Name of an interface by which a packet is going to be sent
-p, --protocol        One of tcp, udp, icmp, or all (the default when none are specified). A ! before the protocol inverts the test.

Extended packet matching modules are loaded in two ways: implicitly, when -p or --protocol is specified, or with the -m or --match options, followed by the matching module name. These make extra command line options available, depending on the specific module. You can specify multiple extended match modules in one line, and you can use -h or --help after the module has been specified to get help specific to that module.

-p udp (--protocol udp)
provides these extended options:
  --sport   Source port, either a service name or a port number.
            An inclusive range can be specified using the format port:port.
  --dport   Destination port or port range specification.

-p tcp (--protocol tcp)
provides --sport and --dport like udp, and
  --tcp-option   Match if the TCP option number specified is set. A ! before the number inverts the test.
  --tcp-flags    Match when the TCP flags are as specified. The first argument is a comma-separated list of flags to examine, and the second argument is the list of flags which must be set (all other examined flags must be clear). The two lists are separated by a single space, so look closely. Flags are: SYN ACK FIN RST URG PSH ALL NONE
  --syn          Only match TCP packets with the SYN bit set and the ACK, RST and FIN bits cleared.
                 Equivalent to --tcp-flags SYN,RST,ACK,FIN SYN

  # Rules for things that no proper TCP stack should be processing
    # Null scan (no flags set at all):
      iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    # Contradictory flag combinations:
      iptables -A INPUT -p tcp --tcp-flags ALL FIN,SYN -j DROP
      iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST -j DROP
      iptables -A INPUT -p tcp --tcp-flags ALL FIN,RST -j DROP
    # FIN scan (FIN set without ACK):
      iptables -A INPUT -p tcp --tcp-flags FIN,ACK FIN -j DROP
    # Xmas scan (FIN, PSH and URG together):
      iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
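The two-list form of --tcp-flags is easy to misread, so here is the match written out as arithmetic. This is an added example in Python, not code from the page or from iptables itself: it models the kernel's test ((packet flags AND mask) == comp), encodes the scan rules above as (mask, comp) pairs in chain order, and reports which rule a constructed flag combination would hit first. The flag bit values are the standard TCP header ones; the rule labels are my own.

```python
"""Model of iptables' --tcp-flags MASK COMP match (added example, not from the page).

A packet matches when (flags & MASK) == COMP: every flag named in COMP must be set
and every other flag named in MASK must be clear.  Flags outside MASK are ignored.
"""
from typing import Optional

# Bit values of the TCP header flags byte.
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
             "ACK": 0x10, "URG": 0x20}


def parse_flag_list(spec: str) -> int:
    """Turn an iptables flag list such as 'SYN,RST,ACK,FIN', 'ALL' or 'NONE' into a bitmask."""
    bits = 0
    for name in spec.split(","):
        name = name.strip().upper()
        if name == "ALL":
            bits |= sum(TCP_FLAGS.values())
        elif name == "NONE":
            pass                      # contributes no bits
        else:
            bits |= TCP_FLAGS[name]   # KeyError on an unknown flag, as iptables would reject it
    return bits


def tcp_flags_match(packet_flags: int, mask_spec: str, comp_spec: str) -> bool:
    """iptables semantics: of the bits in MASK, exactly the bits in COMP must be set."""
    return (packet_flags & parse_flag_list(mask_spec)) == parse_flag_list(comp_spec)


# The page's scan-detection rules, in chain order: (mask, comp, label).  Labels are mine.
SCAN_RULES = [
    ("ALL", "NONE", "null scan"),
    ("ALL", "FIN,SYN", "FIN+SYN"),
    ("ALL", "SYN,RST", "SYN+RST"),
    ("ALL", "FIN,RST", "FIN+RST"),
    ("FIN,ACK", "FIN", "FIN scan"),
    ("ALL", "FIN,PSH,URG", "xmas scan"),
]


def first_matching_rule(packet_flags: int) -> Optional[str]:
    """Label of the first DROP rule the packet would hit, or None if it passes them all."""
    for mask, comp, label in SCAN_RULES:
        if tcp_flags_match(packet_flags, mask, comp):
            return label
    return None


def is_syn(packet_flags: int) -> bool:
    """--syn, written out as its documented equivalent: --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN")


if __name__ == "__main__":
    # Constructed packets: a normal SYN, a normal data segment, and a few probe shapes.
    samples = {
        "SYN": parse_flag_list("SYN"),
        "PSH,ACK": parse_flag_list("PSH,ACK"),
        "no flags": 0,
        "FIN only": parse_flag_list("FIN"),
        "FIN,ACK": parse_flag_list("FIN,ACK"),
        "FIN,PSH,URG": parse_flag_list("FIN,PSH,URG"),
    }
    for name, flags in samples.items():
        print(f"{name:12} -> {first_matching_rule(flags) or 'passes'}; --syn={is_syn(flags)}")
```

Running it shows one consequence of rule order that the rules alone do not make obvious: an Xmas probe (FIN, PSH, URG) has FIN set and ACK clear, so it is already dropped by the FIN-scan rule; the last rule is only reached if the FIN-scan rule is removed. A normal FIN,ACK close, by contrast, passes every rule.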

-p icmp (--protocol icmp)
provides
  --icmp-type   Allows specification of the ICMP type, which can be a numeric ICMP type, or one of the ICMP type names shown by the command iptables -p icmp -h. A ! before the type inverts the test.

-m state (--match state)
allows access to the connection tracking state for this packet.
  --state   A comma separated list of the connection states to match. Possible states are:
    NEW           the packet has started a new connection, or is otherwise associated with a connection which has not seen packets in both directions
    ESTABLISHED   the packet is associated with a connection which has seen packets in both directions
    RELATED       the packet is starting a new connection that is associated with an existing connection, such as an FTP data transfer or an ICMP error
    INVALID       the packet could not be identified for some reason, which might be ICMP errors which don't correspond to any known connection, or iptables running out of memory.

# Two rules that should be at the top of the INPUT chain
# 1. Allow all traffic from the localhost interface
  iptables -A INPUT -i lo -j ACCEPT
# 2. Once an approved connection is up, go no further than this rule
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

-m limit (--match limit)
Require the rule to match only a limited number of times.
  --limit         Sets the maximum average number of matches for a given time period. A rule using this extension will match until this limit is reached. Specified as a number followed by "/second", "/minute", "/hour", or "/day". If -m limit is used without this option, the limit is "3/hour".
  --limit-burst   Sets the maximum number of packets that can match the rule in one burst, before the --limit rate takes over. This option should be used with --limit. If no number is specified, the default is 5.
This can sound confusing; an analogy may help.

Suppose there is a bucket that has some tokens in it, and a packet can only pass through the rule if it takes a token out of this bucket. Initially the bucket is full. Every so often, a new token is added to the bucket if it is not full: --limit gives the rate, the default is one token every 20 minutes (3 per hour). The capacity of the bucket is specified with --limit-burst, the default is 5 tokens.

So, given iptables [...rule...] -m limit -j [target] with the defaults, if 5 packets (--limit-burst 5) pass through the rule in less than 20 minutes (--limit 3/hour), no tokens are available and the next packet will pass only after 20 minutes have elapsed. If no more packets test this rule for 5*20=100 minutes, the bucket will be full again.

The actual limits should be set based upon the resources available on the server. In addition to controlling "flood" and "smurf" attacks, this type of rule is often used to control logging, for example:
# Log only once per minute no matter how frequently the rule is tested.
# LOG is non-terminating, so it must sit before the DROP. Appending both with -A keeps that
# order; inserting both with -I would put the DROP first and the LOG rule would never fire.
  iptables -A INPUT [...rule...] -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix "iptables limit 1/min: " --log-level 4
  iptables -A INPUT [...rule...] -j DROP
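The bucket analogy can be checked by replaying packet arrival times through it. This is an added example in Python, not the page's code and not the kernel's implementation: a token bucket with the --limit rate and --limit-burst capacity, fed a constructed list of timestamps, so you can see which packets a given pair of values would let through (with the defaults, and with the 1/minute logging rule above). The kernel's internal credit arithmetic differs in detail but produces the same accept/deny pattern.

```python
"""Token-bucket model of iptables' -m limit (added example, not from the page).

The bucket holds at most `burst` tokens (--limit-burst), starts full, and refills
continuously at the --limit rate.  A packet matches the rule only if a whole token
is available to spend.
"""
from typing import List, Tuple

PERIOD_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec: str) -> float:
    """Convert an iptables rate such as '3/hour' or '1/minute' into tokens per second."""
    count, _, unit = spec.partition("/")
    return int(count) / PERIOD_SECONDS[unit or "second"]   # a bare number means per second


class LimitMatch:
    def __init__(self, limit: str = "3/hour", burst: int = 5):   # iptables defaults
        self.rate = parse_limit(limit)      # tokens added per second
        self.capacity = float(burst)        # bucket size
        self.tokens = float(burst)          # the bucket starts full
        self.last = 0.0                     # time of the last refill

    def matches(self, now: float) -> bool:
        """Refill for the elapsed time, then spend one token if one is available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def replay(limit: str, burst: int, times: List[float]) -> List[Tuple[float, bool]]:
    """Run a sequence of packet arrival times (seconds) through one -m limit rule."""
    rule = LimitMatch(limit, burst)
    return [(t, rule.matches(t)) for t in times]


def count_matches(limit: str, burst: int, times: List[float]) -> int:
    """How many of the packets at `times` the rule would match."""
    return sum(1 for _, hit in replay(limit, burst, times) if hit)


if __name__ == "__main__":
    # Constructed burst: 8 packets within a second, one 25 minutes later, then five
    # more after 100 minutes of silence (by which time the bucket is full again).
    arrivals = [0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 1500,
                7500, 7500.1, 7500.2, 7500.3, 7500.4, 7500.5]
    for t, hit in replay("3/hour", 5, arrivals):
        print(f"t={t:8.1f}s  {'match' if hit else 'no match'}")
```

With the defaults the first five packets match, the next three do not, the packet at 25 minutes gets the one token that has accumulated, and after 100 idle minutes exactly five more are allowed before the bucket is empty again.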

-m mac (--match mac)
  --mac-source   Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. A ! before the address inverts the test. Only makes sense for packets entering the INPUT or FORWARD chains from an Ethernet device.