iptables Cheatsheet

_ 📋 Kopie Alle iptables Commands_ 📄 Generieren Sie iptables PDF Guide_

_

iptables ist ein Benutzer-Raum-Dienstprogramm, mit dem Systemadministratoren die IP-Paketfilterregeln der Linux Kernel Firewall konfigurieren können. Es ist die am weitesten verbreitete Firewall-Lösung auf Linux-Systemen, bietet leistungsstarke Paketfilterung, Netzwerk-Adress-Übersetzung (NAT), und Paket-Mangling-Funktionen.

oder Grundkonzepte

Tabellen und Ketten

# Tables
filter    # Default table for packet filtering
nat       # Network Address Translation
mangle    # Packet alteration
raw       # Connection tracking exemption
security  # Mandatory Access Control rules

# Built-in Chains
INPUT     # Incoming packets to local system
OUTPUT    # Outgoing packets from local system
FORWARD   # Packets routed through the system
PREROUTING   # Packets before routing decision
POSTROUTING  # Packets after routing decision

Regelstruktur

# Basic syntax
iptables -t table -A chain -m match --match-options -j target

# Components
-t table     # Specify table (default: filter)
-A chain     # Append rule to chain
-I chain     # Insert rule at beginning
-D chain     # Delete rule from chain
-m match     # Match module
-j target    # Jump target (action)

oder Grundlegende Befehle

Viewing Rules

# List all rules
iptables -L

# List rules with line numbers
iptables -L --line-numbers

# List rules in specific table
iptables -t nat -L

# List rules with packet/byte counters
iptables -L -v

# List rules in numeric format
iptables -L -n

# List rules with detailed output
iptables -L -v -n --line-numbers

# Show rules as commands
iptables-save

Grundregelverwaltung

# Append rule to chain
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Insert rule at specific position
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

# Delete rule by specification
iptables -D INPUT -p tcp --dport 22 -j ACCEPT

# Delete rule by line number
iptables -D INPUT 3

# Replace rule at line number
iptables -R INPUT 1 -p tcp --dport 443 -j ACCEPT

# Flush all rules in chain
iptables -F INPUT

# Flush all rules in all chains
iptables -F

Kettenmanagement

# Create new chain
iptables -N CUSTOM_CHAIN

# Delete empty chain
iptables -X CUSTOM_CHAIN

# Rename chain
iptables -E OLD_CHAIN NEW_CHAIN

# Set default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Zero packet counters
iptables -Z
iptables -Z INPUT

Filterregeln

Protokollbasierte Filterung

# TCP traffic
iptables -A INPUT -p tcp -j ACCEPT

# UDP traffic
iptables -A INPUT -p udp -j ACCEPT

# ICMP traffic
iptables -A INPUT -p icmp -j ACCEPT

# All protocols
iptables -A INPUT -p all -j ACCEPT

# Specific protocol by number
iptables -A INPUT -p 6 -j ACCEPT  # TCP

Port-based Filtering

# Single port
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT

# Port range
iptables -A INPUT -p tcp --dport 1000:2000 -j ACCEPT

# Multiple ports
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 80,443 -j ACCEPT

# Exclude port
iptables -A INPUT -p tcp ! --dport 22 -j DROP

IP Adresse Filtern

# Single IP address
iptables -A INPUT -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -d 192.168.1.100 -j ACCEPT

# IP range (CIDR notation)
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

# IP range (explicit)
iptables -A INPUT -m iprange --src-range 192.168.1.10-192.168.1.20 -j ACCEPT

# Multiple IP addresses
iptables -A INPUT -s 192.168.1.100,192.168.1.101,192.168.1.102 -j ACCEPT

# Exclude IP address
iptables -A INPUT -s ! 192.168.1.100 -j ACCEPT

Schnittstellenbasierte Filterung

# Specific interface
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

# Interface pattern
iptables -A INPUT -i eth+ -j ACCEPT
iptables -A INPUT -i wlan+ -j ACCEPT

# Loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

In den Warenkorb

Verbindungsstaat

# Connection tracking
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

# Connection tracking (newer syntax)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

Zeitbasierte Regeln

# Time range
iptables -A INPUT -m time --timestart 09:00 --timestop 17:00 -j ACCEPT

# Specific days
iptables -A INPUT -m time --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT

# Date range
iptables -A INPUT -m time --datestart 2023-01-01 --datestop 2023-12-31 -j ACCEPT

# Combined time restrictions
iptables -A INPUT -m time --timestart 09:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT

Rate Limiting

# Limit connection rate
iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT

# Limit by recent connections
iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

# Hashlimit (per-source limiting)
iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-above 10/min --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name http -j DROP

String Matching

# Match string in packet payload
iptables -A INPUT -p tcp --dport 80 -m string --string "GET /admin" --algo bm -j DROP

# Case-insensitive string matching
iptables -A INPUT -p tcp --dport 80 -m string --string "admin" --algo bm --icase -j DROP

# Hex string matching
iptables -A INPUT -p tcp -m string --hex-string "|47 45 54|" --algo bm -j DROP

Paketlänge

# Packet length matching
iptables -A INPUT -m length --length 64 -j ACCEPT
iptables -A INPUT -m length --length 64:128 -j ACCEPT
iptables -A INPUT -m length --length :64 -j ACCEPT
iptables -A INPUT -m length --length 1500: -j DROP

(NAT) Konfiguration

Quelle NAT (SNAT)

# Basic SNAT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1

# SNAT with port range
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1:1024-65535

# SNAT for specific source
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.1

# Masquerading (dynamic SNAT)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Masquerading with port range
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE --to-ports 1024-65535

Bestimmung NAT (DNAT)

# Basic DNAT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100

# DNAT with port change
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80

# DNAT with port range
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100-192.168.1.110

# Load balancing DNAT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.101
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.102

Port Redirection

# Redirect to local port
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080

# Redirect incoming traffic
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

# Transparent proxy
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner proxy -j REDIRECT --to-port 8080

Sicherheitsregeln

Basic Security

# Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop all other input
iptables -P INPUT DROP

Anti-DDoS Regeln

# SYN flood protection
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

# Ping flood protection
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT

# Port scan protection
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --remove
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Connection limit per IP
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Brute Force Protection

# SSH brute force protection
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# HTTP brute force protection
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /login" --algo bm -m recent --set --name HTTP_LOGIN
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /login" --algo bm -m recent --update --seconds 300 --hitcount 5 --name HTTP_LOGIN -j DROP

Geoblocking

# Block specific countries (requires geoip module)
iptables -A INPUT -m geoip --src-cc CN,RU -j DROP

# Allow only specific countries
iptables -A INPUT -m geoip ! --src-cc US,CA,GB -j DROP

# Log blocked countries
iptables -A INPUT -m geoip --src-cc CN,RU -j LOG --log-prefix "GeoBlock: "
iptables -A INPUT -m geoip --src-cc CN,RU -j DROP

Protokollierung und Überwachung

Logging Configuration

# Basic logging
iptables -A INPUT -j LOG --log-prefix "INPUT: "

# Detailed logging
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: " --log-level 4 --log-tcp-options --log-ip-options

# Log with rate limiting
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_LIMITED: "

# Custom log target
iptables -A INPUT -j ULOG --ulog-nlgroup 1 --ulog-prefix "FIREWALL: "

Monitoring Rules

# Monitor specific ports
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH_ACCESS: "
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Monitor failed connections
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG --log-prefix "CONNECTION_RESET: "

# Monitor port scans
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL_SCAN: "
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS_SCAN: "

Statistiken und Zähler

# View packet counters
iptables -L -v -n

# Reset counters
iptables -Z

# Per-rule statistics
iptables -L INPUT -v -n --line-numbers

# Export statistics
iptables -L -v -n -x > /tmp/iptables_stats.txt

Persistenz und Management

Saving Rules

# Debian/Ubuntu
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

# Red Hat/CentOS
service iptables save
systemctl enable iptables

# Manual save/restore
iptables-save > /etc/iptables.rules
iptables-restore < /etc/iptables.rules

Automatisches Laden

# Systemd service
cat > /etc/systemd/system/iptables-restore.service << EOF
[Unit]
Description=Restore iptables rules
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables.rules
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF

systemctl enable iptables-restore

# Network interface script
cat > /etc/network/if-up.d/iptables << EOF
#!/bin/bash
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables

Konfigurationsmanagement

# Backup current rules
iptables-save > /backup/iptables-$(date +%Y%m%d).rules

# Test rules temporarily
iptables-restore < /tmp/test-rules.txt
# Rules will be lost on reboot if not saved

# Atomic rule replacement
iptables-restore --test < new-rules.txt && iptables-restore < new-rules.txt

Fehlerbehebung

Häufige Fragen

# Check if iptables is running
systemctl status iptables
systemctl status netfilter-persistent

# Verify kernel modules
lsmod|grep ip_tables
lsmod|grep iptable_filter
lsmod|grep iptable_nat

# Load required modules
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe ip_conntrack

# Check for rule conflicts
iptables -L -v -n --line-numbers

Debugging Rules

# Trace packet path
iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE
iptables -t raw -A OUTPUT -p tcp --dport 80 -j TRACE

# Monitor logs
tail -f /var/log/kern.log|grep iptables
tail -f /var/log/messages|grep kernel

# Test connectivity
nc -zv target_ip port
telnet target_ip port
nmap -p port target_ip

# Packet capture
tcpdump -i any -n port 80
tcpdump -i any -n host 192.168.1.100

Performance Issues

# Check connection tracking
cat /proc/net/nf_conntrack|wc -l
cat /proc/sys/net/netfilter/nf_conntrack_max

# Optimize connection tracking
echo 65536 > /proc/sys/net/netfilter/nf_conntrack_max
echo 300 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

# Monitor rule performance
iptables -L -v -n|grep -E "pkts|Chain"

Erweiterte Eigenschaften

Custom Chains

# Create custom chain
iptables -N CUSTOM_INPUT

# Add rules to custom chain
iptables -A CUSTOM_INPUT -p tcp --dport 22 -j ACCEPT
iptables -A CUSTOM_INPUT -p tcp --dport 80 -j ACCEPT
iptables -A CUSTOM_INPUT -j DROP

# Jump to custom chain
iptables -A INPUT -j CUSTOM_INPUT

# Return from custom chain
iptables -A CUSTOM_INPUT -p tcp --dport 443 -j RETURN

Packet Marking

# Mark packets
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1

# Match marked packets
iptables -A FORWARD -m mark --mark 1 -j ACCEPT

# Copy marks
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark

Traffic Shaping Integration

# Mark traffic for QoS
iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --sport 443 -j MARK --set-mark 2

# Classify traffic
iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j CLASSIFY --set-class 1:20

oder Best Practices

Security Best Practices

# Default deny policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow only necessary traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

# Log dropped packets
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A INPUT -j DROP

# Regular rule review
# Document all rules
# Remove unused rules
# Test rule changes

Performance Best Practices

# Order rules by frequency
# Most common rules first
# Specific rules before general rules

# Use connection tracking
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Minimize rule complexity
# Use custom chains for complex logic
# Avoid unnecessary string matching

# Optimize connection tracking
echo 'net.netfilter.nf_conntrack_max = 131072' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_established = 300' >> /etc/sysctl.conf

Management Best Practices

# Version control
git init /etc/iptables
git add /etc/iptables/rules.v4
git commit -m "Initial iptables configuration"

# Testing procedures
# Test in staging environment
# Use iptables-restore --test
# Have rollback plan ready

# Documentation
# Document rule purposes
# Maintain change log
# Include contact information

# Monitoring
# Set up log monitoring
# Monitor rule hit counts
# Alert on policy violations

Ressourcen

• (https://linux.die.net/man/8/iptables)
• Netfilter Dokumentation
• Tutorial (https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html)
• Linux Firewall Tutorial_ -(https://ipset.netfilter.org/iptables-extensions.man.html)_