Common iptables tasks
A few notes on iptables tasks that come up often.
Blocking IPs with iptables:
iptables -A INPUT -s 192.168.1.100/32 -i eth0 -j REJECT
- Your interface may be called something other than eth0 ('eth1', 'rtl0', etc.).
- With several interfaces, "eth+" matches every interface whose name begins with "eth", so one rule can replace separate lines for eth0, eth1, eth2, etc.
- -A appends to the end of INPUT, so an earlier ACCEPT rule that matches the address would still win; use -I INPUT to put the block at the top of the chain. REJECT answers with an ICMP error (port-unreachable by default), which tells the sender a firewall is there; -j DROP discards the packets silently.
Port forwarding with iptables:
iptables -t nat -A PREROUTING -d 192.168.1.1 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:9999
Connections arriving on eth0 for 192.168.1.1:80 have their destination rewritten to port 9999 on the same host. Since the target is the host itself, -j REDIRECT --to-ports 9999 does the same job. Locally generated packets never pass through PREROUTING, so a connection made from the host itself still lands on port 80; add the equivalent rule to the nat OUTPUT chain if that matters.
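The same DNAT idea, extended to forward a port to a different host, needs more than the single PREROUTING rule above: the packets must be allowed through FORWARD and the kernel must be told to route at all. The script below is an added example, not code from the original post. All addresses, ports and the interface name are hypothetical placeholders set through environment variables; by default it only prints the commands (DRY_RUN=1) and installs them when run with "apply" as its first argument.

```sh
#!/bin/sh
# Added example, not from the original post: forward PUBLIC_IP:PUBLIC_PORT on this
# host to TARGET:TARGET_PORT on another host. All values below are hypothetical
# placeholders; override them from the environment.

PUBLIC_IF="${PUBLIC_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-192.168.1.1}"     # address the clients connect to
PUBLIC_PORT="${PUBLIC_PORT:-80}"
TARGET="${TARGET:-10.0.0.5}"              # internal host that really serves it
TARGET_PORT="${TARGET_PORT:-8080}"

rule() {
    # Run iptables, or in dry-run mode print the command (arguments shown unquoted).
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

forward_rules() {
    # Incoming packets for PUBLIC_IP:PUBLIC_PORT get their destination rewritten.
    rule -t nat -A PREROUTING -i "$PUBLIC_IF" -d "$PUBLIC_IP" -p tcp --dport "$PUBLIC_PORT" \
        -j DNAT --to-destination "$TARGET:$TARGET_PORT"
    # PREROUTING never sees packets generated on this host itself, so a client
    # running locally needs the same rewrite in the nat OUTPUT chain.
    rule -t nat -A OUTPUT -d "$PUBLIC_IP" -p tcp --dport "$PUBLIC_PORT" \
        -j DNAT --to-destination "$TARGET:$TARGET_PORT"
    # After DNAT the packets are routed onwards, not delivered locally, so they
    # traverse FORWARD (not INPUT). Allow the connection and its replies; the
    # reply's source is still TARGET:TARGET_PORT here because the reverse
    # translation happens later, in POSTROUTING.
    rule -A FORWARD -i "$PUBLIC_IF" -d "$TARGET" -p tcp --dport "$TARGET_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -s "$TARGET" -p tcp --sport "$TARGET_PORT" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

enable_forwarding() {
    # The kernel does not route between interfaces unless this sysctl is set;
    # make it permanent in /etc/sysctl.conf or /etc/sysctl.d/ as well.
    if [ "$DRY_RUN" = 1 ]; then
        printf 'sysctl -w net.ipv4.ip_forward=1\n'
    else
        sysctl -w net.ipv4.ip_forward=1
    fi
}

case "${1:-}" in
    apply) DRY_RUN=0 ;;
    *)     DRY_RUN="${DRY_RUN:-1}" ;;
esac
enable_forwarding
forward_rules
```

Clients on TARGET's own subnet that connect through PUBLIC_IP are a separate problem (hairpin NAT, which additionally needs SNAT of the forwarded packets) and are not handled here.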
Preventing SSH bruteforce attack with iptables:
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshattack --rcheck --seconds 360 --hitcount 3 -j LOG --log-prefix 'SSH REJECT: '
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name sshattack --rcheck --seconds 360 --hitcount 3 -j REJECT --reject-with tcp-reset
The first rule lets packets of already-accepted connections through untouched, so existing sessions are never cut off. The second records the source address of every new SSH connection in the 'sshattack' list. The last two fire once that source has three entries within 360 seconds: the attempt is logged to the kernel log with the prefix 'SSH REJECT: ' and answered with a TCP reset. Because the --set rule runs on every attempt, an attacker who keeps hammering keeps the block alive; it lapses roughly 360 seconds after the attempts stop. Two caveats: this counts connection attempts, not failed logins, so a legitimate user who reconnects three times in six minutes is blocked as well, and on an INPUT chain with a DROP policy you still need an ACCEPT for new connections to port 22 after these rules. On current iptables, -m state is an alias for -m conntrack --ctstate.
PS. To exempt an address, add "! -s $IP/32" to the three port-22 rules (the older "-s ! $IP/32" form is deprecated and newer iptables releases warn about it), or, simpler, put an ACCEPT rule for $IP on port 22 ahead of them.
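The ruleset above, completed with the pieces it leaves implicit: the exemption for trusted sources placed ahead of the counter, and the ACCEPT for legitimate new connections that must follow it. This script is an added example, not code from the original post. The interface, window, threshold and the TRUSTED list are assumed values set through environment variables; by default it only prints the rules (DRY_RUN=1) and installs them when run with "apply" as its first argument.

```sh
#!/bin/sh
# Added example, not from the original post: SSH new-connection rate limiting
# with a trusted-source exemption. IFACE, WINDOW, HITS and TRUSTED are assumed
# values; override them from the environment.

IFACE="${IFACE:-eth0}"
WINDOW="${WINDOW:-360}"          # seconds the attempt counter looks back
HITS="${HITS:-3}"                # the HITS-th new connection inside WINDOW is rejected
TRUSTED="${TRUSTED:-}"           # space-separated CIDRs never rate-limited (hypothetical list)

rule() {
    # Run iptables, or in dry-run mode print the command (arguments shown unquoted).
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

ssh_ratelimit_rules() {
    # 1. Packets of connections already accepted never reach the counter, so a
    #    running session is not cut off when its owner trips the limit elsewhere.
    rule -A INPUT -i "$IFACE" -p tcp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Trusted sources are accepted before anything is recorded about them.
    for net in $TRUSTED; do
        rule -A INPUT -i "$IFACE" -p tcp --dport 22 -s "$net" -j ACCEPT
    done
    # 3. Record the source of every new SSH connection in the 'sshattack' list.
    #    This runs on every attempt, so an attacker who keeps trying keeps the
    #    window alive; it lapses about WINDOW seconds after they stop.
    rule -A INPUT -i "$IFACE" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name sshattack --set
    # 4. HITS entries inside WINDOW seconds: log the attempt, then send a TCP reset.
    rule -A INPUT -i "$IFACE" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name sshattack --rcheck --seconds "$WINDOW" --hitcount "$HITS" \
        -j LOG --log-prefix 'SSH REJECT: '
    rule -A INPUT -i "$IFACE" -p tcp --dport 22 -m conntrack --ctstate NEW \
        -m recent --name sshattack --rcheck --seconds "$WINDOW" --hitcount "$HITS" \
        -j REJECT --reject-with tcp-reset
    # 5. Whatever survives the check is a legitimate new connection. Without
    #    this rule an INPUT chain with a DROP policy would block all SSH.
    rule -A INPUT -i "$IFACE" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
}

case "${1:-}" in
    apply) DRY_RUN=0 ;;
    *)     DRY_RUN="${DRY_RUN:-1}" ;;
esac
ssh_ratelimit_rules
```

Run "TRUSTED='10.0.0.0/8' sh ssh-ratelimit.sh" first to review the generated rules, then add "apply". The order is what makes it work: the exemption must precede the --set rule (a trusted source should never be recorded, let alone rejected), and the final ACCEPT must come last, because -A appends and a rule that accepted new SSH connections earlier in the chain would bypass the counter entirely. The live state of the list can be inspected in /proc/net/xt_recent/sshattack.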
Saving the rules added from the command shell:
iptables-save > /etc/sysconfig/iptables
Rules added on the command line live only until the next reboot. /etc/sysconfig/iptables is the file the RHEL/CentOS iptables service loads at boot (and what "service iptables save" writes); on Debian/Ubuntu the iptables-persistent package reads /etc/iptables/rules.v4 instead. Whatever the path, a saved file is loaded back with "iptables-restore < file". iptables-save covers IPv4 only; use ip6tables-save for the IPv6 rules.