
iptables Cheatsheet


iptables is a user-space utility that lets system administrators configure the IP packet filter rules of the Linux kernel firewall (netfilter). It is the most widely deployed firewall tool on Linux systems and provides packet filtering, network address translation (NAT) and packet mangling.

Basic Concepts

Tables and Chains

```bash
# Tables
filter    # Default table for packet filtering
nat       # Network Address Translation
mangle    # Packet alteration
raw       # Connection tracking exemption
security  # Mandatory Access Control rules

# Built-in chains
INPUT       # Incoming packets to local system
OUTPUT      # Outgoing packets from local system
FORWARD     # Packets routed through the system
PREROUTING  # Packets before routing decision
POSTROUTING # Packets after routing decision
```

Rule Structure

```bash
# Basic syntax
iptables -t table -A chain -m match --match-options -j target

# Components
-t table   # Specify table (default: filter)
-A chain   # Append rule to chain
-I chain   # Insert rule at beginning
-D chain   # Delete rule from chain
-m match   # Match module
-j target  # Jump target (action)
```

Basic Commands

Listing Rules

```bash
# List all rules
iptables -L

# List rules with line numbers
iptables -L --line-numbers

# List rules in specific table
iptables -t nat -L

# List rules with packet/byte counters
iptables -L -v

# List rules in numeric format (no DNS or service-name lookups)
iptables -L -n

# List rules with detailed output
iptables -L -v -n --line-numbers

# Show rules as commands (iptables-restore format)
iptables-save
```

Basic Rule Management

```bash
# Append rule to chain
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Insert rule at specific position
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

# Delete rule by specification
iptables -D INPUT -p tcp --dport 22 -j ACCEPT

# Delete rule by line number
iptables -D INPUT 3

# Replace rule at line number
iptables -R INPUT 1 -p tcp --dport 443 -j ACCEPT

# Flush all rules in chain
iptables -F INPUT

# Flush all rules in all chains (policies are kept)
iptables -F
```

Chain Management

```bash
# Create new chain
iptables -N CUSTOM_CHAIN

# Delete chain (must be empty and not referenced by any rule)
iptables -X CUSTOM_CHAIN

# Rename chain
iptables -E OLD_CHAIN NEW_CHAIN

# Set default policy (built-in chains only)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Zero packet counters
iptables -Z
iptables -Z INPUT
```

Filtering Rules

Protocol-based Filtering

```bash
# TCP traffic
iptables -A INPUT -p tcp -j ACCEPT

# UDP traffic
iptables -A INPUT -p udp -j ACCEPT

# ICMP traffic
iptables -A INPUT -p icmp -j ACCEPT

# All protocols
iptables -A INPUT -p all -j ACCEPT

# Specific protocol by number
iptables -A INPUT -p 6 -j ACCEPT   # 6 = TCP
```

Port-based Filtering

```bash
# Single port (port matches require a protocol)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT

# Port range
iptables -A INPUT -p tcp --dport 1000:2000 -j ACCEPT

# Multiple ports
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 80,443 -j ACCEPT

# Exclude port (negation goes before the option)
iptables -A INPUT -p tcp ! --dport 22 -j DROP
```

IP Address Filtering

```bash
# Single IP address
iptables -A INPUT -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -d 192.168.1.100 -j ACCEPT

# IP range (CIDR notation)
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

# IP range (explicit)
iptables -A INPUT -m iprange --src-range 192.168.1.10-192.168.1.20 -j ACCEPT

# Multiple IP addresses (iptables expands this into one rule per address)
iptables -A INPUT -s 192.168.1.100,192.168.1.101,192.168.1.102 -j ACCEPT

# Exclude IP address (the '!' goes before '-s'; the old '-s !' form is rejected by current iptables)
iptables -A INPUT ! -s 192.168.1.100 -j ACCEPT
```

Interface-based Filtering

```bash
# Specific interface (-i only in INPUT/FORWARD/PREROUTING, -o only in OUTPUT/FORWARD/POSTROUTING)
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

# Interface pattern (trailing '+' is a wildcard)
iptables -A INPUT -i eth+ -j ACCEPT
iptables -A INPUT -i wlan+ -j ACCEPT

# Loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
```

Advanced Matching

Connection State

```bash
# Connection tracking (state match)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

# Connection tracking (newer conntrack syntax; 'state' is an alias for it)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
```

Time-based Rules

```bash
# Time range (times are interpreted in UTC unless --kerneltz is given)
iptables -A INPUT -m time --timestart 09:00 --timestop 17:00 -j ACCEPT

# Specific days
iptables -A INPUT -m time --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT

# Date range
iptables -A INPUT -m time --datestart 2023-01-01 --datestop 2023-12-31 -j ACCEPT

# Combined time restrictions
iptables -A INPUT -m time --timestart 09:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
```

Rate Limiting

```bash
# Limit match rate (token bucket: average 3/min, burst of 3)
iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT

# Limit by recent connections: record the source, then drop it on the 4th hit within 60 s
iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

# Hashlimit (per-source limiting): drop sources exceeding 10/min after a burst of 20
iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-above 10/min --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name http -j DROP
```

String Matching

```bash
# Match string in packet payload (per packet only: a payload split across segments is not seen)
iptables -A INPUT -p tcp --dport 80 -m string --string "GET /admin" --algo bm -j DROP

# Case-insensitive string matching
iptables -A INPUT -p tcp --dport 80 -m string --string "admin" --algo bm --icase -j DROP

# Hex string matching (bytes between '|' are hex; "GET")
iptables -A INPUT -p tcp -m string --hex-string "|47 45 54|" --algo bm -j DROP
```

Packet Length

```bash
# Packet length matching (exact, range, up to, and from)
iptables -A INPUT -m length --length 64 -j ACCEPT
iptables -A INPUT -m length --length 64:128 -j ACCEPT
iptables -A INPUT -m length --length :64 -j ACCEPT
iptables -A INPUT -m length --length 1500: -j DROP
```

NAT Configuration

Source NAT (SNAT)

```bash
# Basic SNAT (static public address)
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1

# SNAT with port range (a port range requires -p tcp or -p udp)
iptables -t nat -A POSTROUTING -o eth0 -p tcp -j SNAT --to-source 203.0.113.1:1024-65535

# SNAT for specific source
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.1

# Masquerading (dynamic SNAT using the interface's current address)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Masquerading with port range (requires -p tcp or -p udp)
iptables -t nat -A POSTROUTING -o eth0 -p tcp -j MASQUERADE --to-ports 1024-65535
```

Destination NAT (DNAT)

```bash
# Basic DNAT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100

# DNAT with port change
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80

# DNAT to an address range (one address is chosen per connection)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100-192.168.1.110

# Load balancing DNAT: nat rules only see the first packet of each connection,
# so 'statistic' spreads connections evenly across three backends
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.101
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.102
```

Port Redirection

```bash
# Redirect locally generated traffic to a local port
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-ports 8080

# Redirect incoming traffic
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080

# Transparent proxy (skip the proxy's own outbound connections to avoid a redirect loop)
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner proxy -j REDIRECT --to-ports 8080
```

Security Rules

Basic Hardening

```bash
# Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop all other input (set the policy last, once the accept rules are in place)
iptables -P INPUT DROP
```

Anti-DDoS Rules

```bash
# SYN flood protection
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

# Ping flood protection
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT

# Port scan protection (a source that probes port 139 is blocked for 24 h)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --remove
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Connection limit per IP
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
```

Brute Force Protection

```bash
# SSH brute force protection: record each new connection, log and drop the
# source once it makes 4 attempts within 60 seconds
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# HTTP brute force protection (5 login POSTs within 300 seconds)
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /login" --algo bm -m recent --set --name HTTP_LOGIN
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /login" --algo bm -m recent --update --seconds 300 --hitcount 5 --name HTTP_LOGIN -j DROP
```

Geoblocking

```bash
# Block specific countries (requires the xt_geoip module from xtables-addons and its database)
iptables -A INPUT -m geoip --src-cc CN,RU -j DROP

# Allow only specific countries
iptables -A INPUT -m geoip ! --src-cc US,CA,GB -j DROP

# Log blocked countries
iptables -A INPUT -m geoip --src-cc CN,RU -j LOG --log-prefix "GeoBlock: "
iptables -A INPUT -m geoip --src-cc CN,RU -j DROP
```

Logging and Monitoring

Logging Configuration

```bash
# Basic logging (LOG is non-terminating: processing continues with the next rule)
iptables -A INPUT -j LOG --log-prefix "INPUT: "

# Detailed logging
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: " --log-level 4 --log-tcp-options --log-ip-options

# Log with rate limiting (avoids flooding the kernel log)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_LIMITED: "

# Userspace logging via netlink (NFLOG; the older ULOG target was removed in kernel 3.17)
iptables -A INPUT -j NFLOG --nflog-group 1 --nflog-prefix "FIREWALL: "
```

Monitoring Rules

```bash
# Monitor specific ports
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH_ACCESS: "
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Monitor failed connections (RST set, SYN/ACK/FIN clear)
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG --log-prefix "CONNECTION_RESET: "

# Monitor port scans
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL_SCAN: "
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS_SCAN: "
```
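The LOG rules above only pay off if something reads the kernel log: each entry has the form `... kernel: PREFIX: IN=eth0 OUT= MAC=... SRC=a.b.c.d DST=... PROTO=TCP SPT=... DPT=22 ...`, so the prefix and the `KEY=VALUE` fields are all a parser needs. The following POSIX sh/awk script is an added example (not part of this cheatsheet) that turns such lines into per-prefix, per-source counts and reports the sources that cross a threshold, which is the alerting logic for the `SSH_brute_force` and `INPUT_DROP` prefixes used in this document. The log lines it reads are constructed samples (documentation address ranges, abbreviated field list); `SAMPLE_LOG` is an assumed path and would be `/var/log/kern.log` on a real host.

```sh
#!/bin/sh
# Added example (not from the cheatsheet): summarise kernel LOG lines per
# prefix and source address. SAMPLE_LOG holds constructed sample lines.
SAMPLE_LOG="${SAMPLE_LOG:-/tmp/iptables-sample.log}"   # assumption: sample file path

# Constructed sample input in the LOG target's format (fields abbreviated).
# The last line is ordinary syslog noise and must be ignored by the parser.
write_sample_log() {
    cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 fw kernel: [ 1001.100000] SSH_brute_force: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51000 DPT=22 SYN
Mar  1 10:00:02 fw kernel: [ 1002.100000] SSH_brute_force: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51001 DPT=22 SYN
Mar  1 10:00:03 fw kernel: [ 1003.100000] SSH_brute_force: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51002 DPT=22 SYN
Mar  1 10:00:05 fw kernel: [ 1005.100000] SSH_brute_force: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=51003 DPT=22 SYN
Mar  1 10:00:06 fw kernel: [ 1006.100000] SSH_brute_force: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=44000 DPT=22 SYN
Mar  1 10:00:07 fw kernel: [ 1007.100000] INPUT_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=40000 DPT=23 SYN
Mar  1 10:00:08 fw kernel: [ 1008.100000] INPUT_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=51 PROTO=TCP SPT=40001 DPT=23 SYN
Mar  1 10:00:09 fw sshd[1234]: Accepted publickey for admin from 192.168.1.20 port 50000 ssh2
EOF
}

# Emit "<prefix>\t<SRC>\t<DPT>" for every kernel LOG line in the file.
# The prefix is the text between "kernel: " (minus the [timestamp]) and
# " IN="; lines without an IN= field are not firewall log entries.
parse_log() {
    awk '
        index($0, "kernel: ") && index($0, " IN=") {
            k = index($0, "kernel: ") + 8
            p = index($0, " IN=")
            prefix = substr($0, k, p - k)
            sub(/^\[[0-9. ]*\][ ]*/, "", prefix)   # drop "[ 1001.100000] "
            sub(/:[ ]*$/, "", prefix)              # drop the trailing ":"
            src = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "") printf "%s\t%s\t%s\n", prefix, src, dpt
        }' "$1"
}

# Hits per source for one prefix, most frequent first: "<count> <SRC>".
count_by_source() {
    parse_log "$1" | awk -F'\t' -v pfx="$2" '$1 == pfx { n[$2]++ }
        END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# Sources that reached the threshold: this is the alerting rule.
sources_over_threshold() {
    count_by_source "$1" "$2" | awk -v min="$3" '$1 >= min { print $2 }'
}

# The single busiest source for a prefix (empty if the prefix never logged).
top_source() {
    count_by_source "$1" "$2" | head -n 1 | awk '{ print $2 }'
}

write_sample_log
echo "SSH brute-force hits per source:"
count_by_source "$SAMPLE_LOG" SSH_brute_force
echo "sources with >= 3 SSH brute-force hits:"
sources_over_threshold "$SAMPLE_LOG" SSH_brute_force 3
```

The threshold in `sources_over_threshold` mirrors the `--hitcount` of the `recent` rule that produced the log line, so the report shows which sources the firewall is already dropping and which are still below the cut-off; feed it a rolling window (for example `tail -n 10000`) rather than the whole log for continuous monitoring.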

Statistics and Counters

```bash
# View packet counters
iptables -L -v -n

# Reset counters
iptables -Z

# Per-rule statistics
iptables -L INPUT -v -n --line-numbers

# Export statistics (-x prints exact counters instead of K/M/G suffixes)
iptables -L -v -n -x > /tmp/iptables_stats.txt
```
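Counters answer two review questions at once: which rules never match (candidates for removal, a best practice listed later in this cheatsheet) and how much traffic falls through to a chain's policy. The script below is an added example, not the cheatsheet's own code: it parses the output of `iptables -L -v -n -x --line-numbers` with awk and reports zero-hit rules, policy hits per built-in chain, and user chains nothing jumps to. The listing it reads is a constructed sample (assumed chain `OLD_CHAIN`, assumed path in `COUNTERS`), so it runs without root; on a real host pipe the live listing into the same functions.

```sh
#!/bin/sh
# Added example (not from the cheatsheet): audit rule hit counters from
# 'iptables -L -v -n -x --line-numbers' output.
COUNTERS="${COUNTERS:-/tmp/iptables-counters.txt}"   # assumption: sample file path

# Constructed sample listing: three built-in chains plus a stale user chain.
write_sample_counters() {
    cat > "$COUNTERS" <<'EOF'
Chain INPUT (policy DROP 412 packets, 24720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1       10234    1234567 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2      884213  901234567 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
3          57       3420 ACCEPT     tcp  --  *      *       192.168.1.0/24       0.0.0.0/0            tcp dpt:22
4           0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
5           0          0 DROP       all  --  *      *       10.0.0.0/8           0.0.0.0/0
6          12        720 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 5/min burst 5 LOG flags 0 level 4 prefix "INPUT_DROP: "

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 99120 packets, 8812345 bytes)
num      pkts      bytes target     prot opt in     out     source               destination

Chain OLD_CHAIN (0 references)
num      pkts      bytes target     prot opt in     out     source               destination
1           0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21
EOF
}

# Rules whose packet counter is zero since the last 'iptables -Z':
# "<chain>\t<num>\t<target>\t<match text>" per line. Column layout:
# num pkts bytes target prot opt in out source destination [matches...]
unused_rules() {
    awk '
        /^Chain / { chain = $2; next }
        $1 == "num" || NF == 0 { next }
        $2 == 0 {
            match_text = ""
            for (i = 11; i <= NF; i++) match_text = match_text (i > 11 ? " " : "") $i
            printf "%s\t%s\t%s\t%s\n", chain, $1, $4, match_text
        }' "$1"
}

# Packets that reached a built-in chain's policy, i.e. matched no rule:
# "<chain>\t<policy>\t<packets>". A large DROP count usually means a
# missing explicit rule (or hostile traffic); a large ACCEPT count means
# the chain is effectively open.
policy_hits() {
    awk '/^Chain / && $3 == "(policy" { printf "%s\t%s\t%s\n", $2, $4, $5 }' "$1"
}

# User-defined chains that no rule jumps to are dead configuration.
unreferenced_chains() {
    awk '/^Chain / && $3 == "(0" { print $2 }' "$1"
}

write_sample_counters
echo "== rules never hit (chain, num, target, match) =="
unused_rules "$COUNTERS"
echo "== policy hits =="
policy_hits "$COUNTERS"
echo "== unreferenced chains =="
unreferenced_chains "$COUNTERS"
```

A zero counter is only meaningful relative to when the counters were last reset, so record the time of the last `iptables -Z` alongside the review; rules that protect against rare events (a geoblock, a scan signature) can legitimately sit at zero for weeks.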

Persistence and Management

Saving Rules

```bash
# Debian/Ubuntu (paths used by the iptables-persistent / netfilter-persistent package)
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

# Red Hat/CentOS (requires the iptables-services package)
service iptables save
systemctl enable iptables

# Manual save/restore
iptables-save > /etc/iptables.rules
iptables-restore < /etc/iptables.rules
```

Automatic Loading

```bash
# Systemd service
cat > /etc/systemd/system/iptables-restore.service << 'EOF'
[Unit]
Description=Restore iptables rules
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables.rules
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
# run 'systemctl daemon-reload' first if systemd does not see the new unit
systemctl enable iptables-restore

# Network interface script (ifupdown hook)
cat > /etc/network/if-up.d/iptables << 'EOF'
#!/bin/bash
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables
```

Configuration Management

```bash
# Backup current rules
iptables-save > /backup/iptables-$(date +%Y%m%d).rules

# Test rules temporarily (they are lost on reboot unless saved)
iptables-restore < /tmp/test-rules.txt

# Atomic rule replacement: parse and validate first, then load in one step
iptables-restore --test < new-rules.txt && iptables-restore < new-rules.txt
```
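Putting the basic hardening rules, the SSH brute-force guard and the atomic replacement together: the script below is an added example (not a script from this cheatsheet) that writes a default-deny ruleset in the `iptables-restore` file format, lints it before it touches the kernel, and loads it with a timed rollback so a mistake in the rules does not lock out the session you are working from. The admin network `192.168.1.0/24`, the ports, the file paths under `/tmp`, the rollback delay and the chain name `SSH_GUARD` are assumed values; `iptables-restore --test` and `iptables-save` are used exactly as elsewhere in this cheatsheet.

```sh
#!/bin/sh
# Added example (not the cheatsheet's own script): generate a default-deny
# ruleset in iptables-restore format, lint it, and load it atomically with
# a timed rollback. All values below are assumptions for illustration.
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"       # assumption: management network
RULES_NEW="${RULES_NEW:-/tmp/iptables.new}"    # assumption: staging file
RULES_BAK="${RULES_BAK:-/tmp/iptables.bak}"    # assumption: rollback copy
ROLLBACK_SECS="${ROLLBACK_SECS:-60}"           # assumption: confirmation window

# iptables-restore format: '*table', ':CHAIN POLICY [pkts:bytes]', rules
# without the 'iptables' prefix, then 'COMMIT'. The whole table is swapped
# in one step. Order matters: loopback and ESTABLISHED,RELATED come first
# (cheap and most frequent), the catch-all LOG+DROP last.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -s $ADMIN_NET -j SSH_GUARD
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_DROP: " --log-level 4
-A INPUT -j DROP
-A SSH_GUARD -m recent --set --name SSH
-A SSH_GUARD -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force: "
-A SSH_GUARD -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
-A SSH_GUARD -j ACCEPT
COMMIT
EOF
}

# Static checks before anything reaches the kernel. A DROP policy without a
# loopback accept and a conntrack accept, placed before the final DROP,
# cuts off local services and the admin session. Returns 0 when all pass.
lint_ruleset() {
    f="$1"
    grep -q '^COMMIT$' "$f" || { echo "lint: missing COMMIT" >&2; return 1; }
    grep -q '^:INPUT DROP' "$f" || { echo "lint: INPUT policy is not DROP" >&2; return 1; }
    grep -q -- '^-A INPUT -i lo -j ACCEPT' "$f" || { echo "lint: no loopback accept" >&2; return 1; }
    grep -q -- 'ESTABLISHED,RELATED -j ACCEPT' "$f" || { echo "lint: no conntrack accept" >&2; return 1; }
    lo_line=$(grep -n -- '^-A INPUT -i lo -j ACCEPT' "$f" | head -n 1 | cut -d: -f1)
    drop_line=$(grep -n -- '^-A INPUT -j DROP' "$f" | head -n 1 | cut -d: -f1)
    [ "$lo_line" -lt "${drop_line:-999999}" ] || { echo "lint: loopback accept after final DROP" >&2; return 1; }
    return 0
}

# Save the running rules, syntax-check the new file, swap it in, and start a
# background rollback. Kill the rollback job only after a fresh SSH login
# from the admin network has been confirmed to work.
apply_ruleset() {
    build_ruleset > "$RULES_NEW"
    lint_ruleset "$RULES_NEW" || return 1
    iptables-save > "$RULES_BAK"
    iptables-restore --test < "$RULES_NEW" || { echo "apply: syntax check failed" >&2; return 1; }
    iptables-restore < "$RULES_NEW"
    ( sleep "$ROLLBACK_SECS" && iptables-restore < "$RULES_BAK" && echo "rolled back" >&2 ) &
    echo "$!" > /tmp/iptables-rollback.pid
    echo "rules loaded; kill \$(cat /tmp/iptables-rollback.pid) within ${ROLLBACK_SECS}s to keep them"
}

# Building and linting needs no privileges; only 'apply' touches the kernel.
case "${1:-lint}" in
    apply) apply_ruleset ;;
    *)     build_ruleset > "$RULES_NEW" && lint_ruleset "$RULES_NEW" && echo "ruleset OK: $RULES_NEW" ;;
esac
```

Run it without arguments to generate and lint the file, and with `apply` (as root) to load it; the rollback subshell is the safety net that the plain `iptables-restore --test && iptables-restore` sequence above does not give you, because a syntactically valid ruleset can still be one that drops your own session.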

Troubleshooting

Common Issues

```bash
# Check if iptables is running
systemctl status iptables
systemctl status netfilter-persistent

# Verify kernel modules
lsmod | grep ip_tables
lsmod | grep iptable_filter
lsmod | grep iptable_nat

# Load required modules (nf_conntrack is the current name of the old ip_conntrack module)
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe nf_conntrack

# Check for rule conflicts (read top to bottom: the first matching terminating rule wins)
iptables -L -v -n --line-numbers
```

Debugging Rules

```bash
# Trace packet path (output goes to the kernel log; with the nf_tables
# backend of iptables 1.8+, read it with 'xtables-monitor --trace')
iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE
iptables -t raw -A OUTPUT -p tcp --dport 80 -j TRACE

# Monitor logs
tail -f /var/log/kern.log | grep iptables
tail -f /var/log/messages | grep kernel

# Test connectivity
nc -zv target_ip port
telnet target_ip port
nmap -p port target_ip

# Packet capture
tcpdump -i any -n port 80
tcpdump -i any -n host 192.168.1.100
```

Performance Issues

```bash
# Check connection tracking (current entries vs. table limit)
cat /proc/net/nf_conntrack | wc -l
cat /proc/sys/net/netfilter/nf_conntrack_max

# Optimize connection tracking
echo 65536 > /proc/sys/net/netfilter/nf_conntrack_max
echo 300 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

# Monitor rule performance
iptables -L -v -n | grep -E "pkts|Chain"
```

Advanced Features

Custom Chains

```bash
# Create custom chain
iptables -N CUSTOM_INPUT

# Add rules to custom chain
iptables -A CUSTOM_INPUT -p tcp --dport 22 -j ACCEPT
iptables -A CUSTOM_INPUT -p tcp --dport 80 -j ACCEPT
iptables -A CUSTOM_INPUT -j DROP

# Jump to custom chain
iptables -A INPUT -j CUSTOM_INPUT

# Return from custom chain to the calling chain: insert it before the
# catch-all DROP, because a rule appended after the DROP is never reached
iptables -I CUSTOM_INPUT 1 -p tcp --dport 443 -j RETURN
```

Packet Marking

```bash
# Mark packets
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1

# Match marked packets
iptables -A FORWARD -m mark --mark 1 -j ACCEPT

# Copy marks between packet and connection (restore early, save late)
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
```

Traffic Shaping Integration

```bash
# Mark traffic for QoS (tc filters can select on the fwmark)
iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --sport 443 -j MARK --set-mark 2

# Classify traffic directly into tc classes
iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j CLASSIFY --set-class 1:20
```

Best Practices

Security Best Practices

```bash
# Default deny policy (with OUTPUT DROP, matching OUTPUT accept rules are needed as well)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow only necessary traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

# Log dropped packets
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A INPUT -j DROP

# Regular rule review
# - Document all rules
# - Remove unused rules
# - Test rule changes
```

Performance Best Practices

```bash
# Order rules by frequency
# - Most common rules first
# - Specific rules before general rules

# Use connection tracking
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Minimize rule complexity
# - Use custom chains for complex logic
# - Avoid unnecessary string matching

# Optimize connection tracking (persistent settings; apply with 'sysctl -p')
echo 'net.netfilter.nf_conntrack_max = 131072' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_established = 300' >> /etc/sysctl.conf
```

Management Best Practices

```bash
# Version control (git add/commit must run inside the repository, hence -C)
git init /etc/iptables
git -C /etc/iptables add rules.v4
git -C /etc/iptables commit -m "Initial iptables configuration"

# Testing procedures
# - Test in staging environment
# - Use iptables-restore --test
# - Have rollback plan ready

# Documentation
# - Document rule purposes
# - Maintain change log
# - Include contact information

# Monitoring
# - Set up log monitoring
# - Monitor rule hit counts
# - Alert on policy violations
```

Resources