Iptables

Install iptables

emerge -av net-firewall/iptables

Iptables control commands

Check status

/etc/init.d/iptables status

Start service

/etc/init.d/iptables start

Stop service

/etc/init.d/iptables stop

Restart service

/etc/init.d/iptables restart

Add to autostart

rc-update add iptables default

If the rules are added manually, you have to save the current rules at /var/lib/iptables/rules-save for them to be applied at system start:

/etc/init.d/iptables save

Create a script with iptables rules

Tip We recommend using a settings script for faster parameter editing and a better visibility of the new configuration.

Create the iptables.sh script anywhere you like on your disk and fill it with the necessary parameters:

/root/iptables.sh

#!/bin/bash
# Clear all iptables chains
iptables -F
iptables -X
iptables -Z
# Policies for traffic that does not comply to any rule
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Enable Ping
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Miscellaneous settings
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
# ssh access
iptables -A INPUT -p TCP --dport 22 -j ACCEPT
# Access to webserver via http and https
iptables -A INPUT -p TCP --dport 80 -j ACCEPT
iptables -A INPUT -p TCP --dport 443 -j ACCEPT
# Save the rules
# Calculate/Gentoo saves the iptables rules at /var/lib/iptables/rules-save
rc-service iptables save

The command at the end of the script saves the settings.

Give the script the right to be executed:

chmod +x /root/iptables.sh

Run the script now:

sh /root/iptables.sh

View information on iptables rules

On the absence of rules:

iptables -L -v -n

...
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

On currently valid rules:

iptables -L -v -n

...
Chain INPUT (policy DROP 31 packets, 2260 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    6   504 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
   91  8220 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113 flags:0x17/0x02 reject-with tcp-reset
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 80 packets, 9864 bytes)
 pkts bytes target     prot opt in     out     source               destination

On parameters to be applied at startup:

/var/lib/iptables/rules-save

# iptables-save
# Generated by iptables-save v1.4.21 on Tue Dec  5 01:15:23 2017
*filter
:INPUT DROP [3:172]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [897:354826]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9980 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue Dec  5 01:15:23 2017
# Generated by iptables-save v1.4.21 on Tue Dec  5 01:15:23 2017
*nat
:PREROUTING ACCEPT [48:2828]
:INPUT ACCEPT [40:2444]
:OUTPUT ACCEPT [9:540]
:POSTROUTING ACCEPT [9:540]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9980 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 9980 -j DNAT --to-destination 172.17.0.2:9980
COMMIT
# Completed on Tue Dec  5 01:15:23 2017
# Generated by iptables-save v1.4.21 on Tue Dec  5 01:15:23 2017
*mangle
:PREROUTING ACCEPT [25186740:78903988813]
:INPUT ACCEPT [25137767:78901761780]
:FORWARD ACCEPT [48:4224]
:OUTPUT ACCEPT [16725801:4605075841]
:POSTROUTING ACCEPT [16725849:4605080065]
COMMIT
# Completed on Tue Dec  5 01:15:23 2017