# iptables Cheatsheet

iptables is a user-space utility that lets system administrators configure the IP packet filtering rules of the Linux kernel firewall. It is the most widely used firewall solution on Linux systems and provides powerful packet filtering, network address translation (NAT) and packet mangling capabilities.

## Basic Concepts

### Tables and Chains

```bash
# Tables
filter    # Default table for packet filtering
nat       # Network Address Translation
mangle    # Packet alteration
raw       # Connection tracking exemption
security  # Mandatory Access Control rules

# Built-in chains
INPUT        # Incoming packets to local system
OUTPUT       # Outgoing packets from local system
FORWARD      # Packets routed through the system
PREROUTING   # Packets before routing decision
POSTROUTING  # Packets after routing decision
```
### Rule Structure

```bash
# Basic syntax
iptables -t table -A chain -m match --match-options -j target

# Components
-t table   # Specify table (default: filter)
-A chain   # Append rule to chain
-I chain   # Insert rule at beginning
-D chain   # Delete rule from chain
-m match   # Match module
-j target  # Jump target (action)
```
## Basic Commands

### Viewing Rules

```bash
# List all rules
iptables -L

# List rules with line numbers
iptables -L --line-numbers

# List rules in a specific table
iptables -t nat -L

# List rules with packet/byte counters
iptables -L -v

# List rules in numeric format (no DNS or service-name lookups)
iptables -L -n

# List rules with detailed output
iptables -L -v -n --line-numbers

# Show rules as commands (iptables-restore format)
iptables-save
```
### Basic Rule Management

```bash
# Append rule to chain
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Insert rule at a specific position
iptables -I INPUT 1 -p tcp --dport 80 -j ACCEPT

# Delete rule by specification
iptables -D INPUT -p tcp --dport 22 -j ACCEPT

# Delete rule by line number
iptables -D INPUT 3

# Replace rule at line number
iptables -R INPUT 1 -p tcp --dport 443 -j ACCEPT

# Flush all rules in a chain
iptables -F INPUT

# Flush all rules in all chains (of the filter table)
iptables -F
```
### Chain Management

```bash
# Create new chain
iptables -N CUSTOM_CHAIN

# Delete empty chain
iptables -X CUSTOM_CHAIN

# Rename chain
iptables -E OLD_CHAIN NEW_CHAIN

# Set default policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Zero packet counters
iptables -Z
iptables -Z INPUT
```
## Filtering Rules

### Protocol-Based Filtering

```bash
# TCP traffic
iptables -A INPUT -p tcp -j ACCEPT

# UDP traffic
iptables -A INPUT -p udp -j ACCEPT

# ICMP traffic
iptables -A INPUT -p icmp -j ACCEPT

# All protocols
iptables -A INPUT -p all -j ACCEPT

# Specific protocol by number
iptables -A INPUT -p 6 -j ACCEPT   # 6 = TCP
```
### Port-Based Filtering

```bash
# Single port
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -j ACCEPT

# Port range
iptables -A INPUT -p tcp --dport 1000:2000 -j ACCEPT

# Multiple ports
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --sports 80,443 -j ACCEPT

# Exclude port
iptables -A INPUT -p tcp ! --dport 22 -j DROP
```
### IP Address Filtering

```bash
# Single IP address
iptables -A INPUT -s 192.168.1.100 -j ACCEPT
iptables -A INPUT -d 192.168.1.100 -j ACCEPT

# IP range (CIDR notation)
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

# IP range (explicit)
iptables -A INPUT -m iprange --src-range 192.168.1.10-192.168.1.20 -j ACCEPT

# Multiple IP addresses (expanded into one rule per address)
iptables -A INPUT -s 192.168.1.100,192.168.1.101,192.168.1.102 -j ACCEPT

# Exclude IP address (the "!" goes before the option; "-s !" is the old, removed syntax)
iptables -A INPUT ! -s 192.168.1.100 -j ACCEPT
```
### Interface-Based Filtering

```bash
# Specific interface
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

# Interface pattern ("+" is a wildcard)
iptables -A INPUT -i eth+ -j ACCEPT
iptables -A INPUT -i wlan+ -j ACCEPT

# Loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
```
## Advanced Matching

### Connection State

```bash
# Connection tracking (state match)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP

# Connection tracking (newer conntrack syntax)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
```
### Time-Based Rules

```bash
# Time range
iptables -A INPUT -m time --timestart 09:00 --timestop 17:00 -j ACCEPT

# Specific days
iptables -A INPUT -m time --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT

# Date range
iptables -A INPUT -m time --datestart 2023-01-01 --datestop 2023-12-31 -j ACCEPT

# Combined time restrictions
iptables -A INPUT -m time --timestart 09:00 --timestop 17:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
```
### Rate Limiting

```bash
# Limit connection rate
iptables -A INPUT -p tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -j ACCEPT

# Limit by recent connections
iptables -A INPUT -p tcp --dport 22 -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP

# Hashlimit (per-source limiting)
iptables -A INPUT -p tcp --dport 80 -m hashlimit --hashlimit-above 10/min --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name http -j DROP
```
### String Matching

```bash
# Match string in packet payload
iptables -A INPUT -p tcp --dport 80 -m string --string "GET /admin" --algo bm -j DROP

# Case-insensitive string matching
iptables -A INPUT -p tcp --dport 80 -m string --string "admin" --algo bm --icase -j DROP

# Hex string matching ("GET")
iptables -A INPUT -p tcp -m string --hex-string "|47 45 54|" --algo bm -j DROP
```
### Packet Length

```bash
# Packet length matching
iptables -A INPUT -m length --length 64 -j ACCEPT       # exactly 64 bytes
iptables -A INPUT -m length --length 64:128 -j ACCEPT   # 64 to 128 bytes
iptables -A INPUT -m length --length :64 -j ACCEPT      # up to 64 bytes
iptables -A INPUT -m length --length 1500: -j DROP      # 1500 bytes and larger
```
## NAT Configuration

### Source NAT (SNAT)

```bash
# Basic SNAT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1

# SNAT with port range
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1:1024-65535

# SNAT for a specific source network
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 203.0.113.1

# Masquerading (dynamic SNAT, for interfaces with a changing address)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Masquerading with port range
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE --to-ports 1024-65535
```
### Destination NAT (DNAT)

```bash
# Basic DNAT
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100

# DNAT with port change
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 192.168.1.100:80

# DNAT to an address range (connections are spread across the range)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100-192.168.1.110

# Load balancing DNAT (every 3rd packet, every 2nd of the rest, then the remainder)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.100
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m statistic --mode nth --every 2 --packet 0 -j DNAT --to-destination 192.168.1.101
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.102
```
### Port Redirection

```bash
# Redirect locally generated traffic to a local port
iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 8080

# Redirect incoming traffic
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

# Transparent proxy (skip the proxy's own outgoing connections)
iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner ! --uid-owner proxy -j REDIRECT --to-port 8080
```
## Security Rules

### Basic Hardening

```bash
# Drop invalid packets
iptables -A INPUT -m state --state INVALID -j DROP

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop all other input
iptables -P INPUT DROP
```
### Anti-DDoS Rules

```bash
# SYN flood protection
iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn -j DROP

# Ping flood protection
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 2 -j ACCEPT

# Port scan protection (a probe of port 139 blocks the source for 24 hours)
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
iptables -A INPUT -m recent --name portscan --remove
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "portscan:"
iptables -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

# Connection limit per IP
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
```
### Brute Force Protection

```bash
# SSH brute force protection (4th new connection within 60 s is logged and dropped)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

# HTTP brute force protection (only works on unencrypted HTTP)
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /login" --algo bm -m recent --set --name HTTP_LOGIN
iptables -A INPUT -p tcp --dport 80 -m string --string "POST /login" --algo bm -m recent --update --seconds 300 --hitcount 5 --name HTTP_LOGIN -j DROP
```
### Geoblocking

```bash
# Block specific countries (requires the xt_geoip module and its database)
iptables -A INPUT -m geoip --src-cc CN,RU -j DROP

# Allow only specific countries
iptables -A INPUT -m geoip ! --src-cc US,CA,GB -j DROP

# Log blocked countries
iptables -A INPUT -m geoip --src-cc CN,RU -j LOG --log-prefix "GeoBlock: "
iptables -A INPUT -m geoip --src-cc CN,RU -j DROP
```
## Logging and Monitoring

### Logging Configuration

```bash
# Basic logging
iptables -A INPUT -j LOG --log-prefix "INPUT: "

# Detailed logging
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: " --log-level 4 --log-tcp-options --log-ip-options

# Log with rate limiting (prevents log flooding)
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT_LIMITED: "

# Custom log target (ULOG was removed in Linux 3.17; current kernels use NFLOG instead)
iptables -A INPUT -j ULOG --ulog-nlgroup 1 --ulog-prefix "FIREWALL: "
```
### Monitoring Rules

```bash
# Monitor specific ports
iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "SSH_ACCESS: "
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Monitor failed connections
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j LOG --log-prefix "CONNECTION_RESET: "

# Monitor port scans
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL_SCAN: "
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS_SCAN: "
```
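The LOG rules above only pay off if someone reads the result. The following script is an added example (not part of the original cheatsheet) that turns a `kern.log` excerpt into a per-source summary: it extracts the log prefix, `SRC` and `DPT` from each LOG line, counts the combinations and reports those that reach a threshold. The log lines embedded in it are constructed to match the LOG target's output format and the prefixes used on this page; they do not come from a real host.

```bash
#!/usr/bin/env bash
# Summarise iptables LOG output from kern.log: count logged packets per
# (prefix, source address, destination port) and report repeat offenders.
set -eu

# Constructed sample of LOG-target lines (not from a real system). The MAC field
# is abbreviated in most lines; the parser does not depend on it.
SAMPLE_LOG=$(cat <<'EOF'
Jan 10 12:00:01 fw kernel: [100.000001] SSH_brute_force: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.50 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:03 fw kernel: [102.000001] SSH_brute_force: IN=eth0 OUT= MAC=... SRC=203.0.113.50 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:05 fw kernel: [104.000001] SSH_brute_force: IN=eth0 OUT= MAC=... SRC=203.0.113.50 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:09 fw kernel: [108.000001] INPUT_DROP: IN=eth0 OUT= MAC=... SRC=198.51.100.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=4 PROTO=TCP SPT=40000 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:00:10 fw kernel: [109.000001] NULL_SCAN: IN=eth0 OUT= MAC=... SRC=198.51.100.77 DST=198.51.100.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=5 PROTO=TCP SPT=40001 DPT=139 WINDOW=1024 RES=0x00 URGP=0
Jan 10 12:00:12 fw kernel: [111.000001] INPUT_DROP: IN=eth0 OUT= MAC=... SRC=192.0.2.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
EOF
)

# summarize_fw_log THRESHOLD  (reads log lines on stdin)
# Prints one tab-separated line "COUNT PREFIX SRC DPT" for every combination
# seen at least THRESHOLD times, highest count first.
summarize_fw_log() {
  local threshold="$1"
  awk -v min="$threshold" '
    /kernel: / && / IN=/ {
      # The prefix is whatever sits between "kernel: " and the first " IN=".
      q = index($0, "kernel: "); p = index($0, " IN=")
      prefix = substr($0, q + 8, p - q - 8)
      sub(/^\[[^]]*\] */, "", prefix)   # drop the kernel timestamp, if present
      sub(/:? *$/, "", prefix)           # drop the trailing colon and spaces
      src = "-"; dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      n[prefix "\t" src "\t" dpt]++
    }
    END {
      for (k in n) if (n[k] >= min) print n[k] "\t" k
    }' | sort -rn
}

# Report everything in the sample; in practice pipe in e.g.
#   journalctl -k --since today | summarize_fw_log 20
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log 1
```

Sorting by count puts the noisiest source first, which is what you want when deciding whether a `recent` or `hashlimit` rule is doing its job or whether a source needs a permanent DROP.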
### Statistics and Counters

```bash
# View packet counters
iptables -L -v -n

# Reset counters
iptables -Z

# Per-rule statistics
iptables -L INPUT -v -n --line-numbers

# Export statistics (-x prints exact counter values instead of K/M/G)
iptables -L -v -n -x > /tmp/iptables_stats.txt
```
## Persistence and Management

### Saving Rules

```bash
# Debian/Ubuntu (iptables-persistent / netfilter-persistent)
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

# Red Hat/CentOS
service iptables save
systemctl enable iptables

# Manual save/restore
iptables-save > /etc/iptables.rules
iptables-restore < /etc/iptables.rules
```
### Automatic Loading

```bash
# Systemd service
cat > /etc/systemd/system/iptables-restore.service << EOF
[Unit]
Description=Restore iptables rules
After=network.target

[Service]
Type=oneshot
ExecStart=/sbin/iptables-restore /etc/iptables.rules
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
EOF
systemctl enable iptables-restore

# Network interface script (Debian ifupdown)
cat > /etc/network/if-up.d/iptables << EOF
#!/bin/bash
iptables-restore < /etc/iptables.rules
EOF
chmod +x /etc/network/if-up.d/iptables
```
### Configuration Management

```bash
# Backup current rules
iptables-save > /backup/iptables-$(date +%Y%m%d).rules

# Test rules temporarily
iptables-restore < /tmp/test-rules.txt
# Rules will be lost on reboot if not saved

# Atomic rule replacement (parse first, then load all-or-nothing)
iptables-restore --test < new-rules.txt && iptables-restore < new-rules.txt
```
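Appending rules one `iptables -A` at a time, as the Basic Hardening section does, leaves a short window in which the policy is already DROP but the ESTABLISHED,RELATED rule is not yet loaded; an `iptables-restore` file avoids that because the whole table is swapped in one transaction. The script below is an added example (not from the original cheatsheet) that generates such a file combining the Basic Hardening, Brute Force Protection and Custom Chains recipes from this page, runs static checks on it, and applies it with `--test` followed by a rollback timer. `MGMT_NET`, the chain names `SSH_GUARD` and `LOG_DROP`, and the `/tmp/iptables-pending` marker file are assumptions of this example.

```bash
#!/usr/bin/env bash
# Build a filter-table ruleset in iptables-restore format, check it, and apply it
# atomically with an automatic rollback if the change is not confirmed in time.
set -eu

MGMT_NET="192.168.1.0/24"   # assumed management network allowed to reach SSH

# Print the ruleset. Order inside INPUT matters: loopback and ESTABLISHED first,
# the guarded SSH entry point next, and the logged catch-all drop last.
baseline_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_GUARD - [0:0]
:LOG_DROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -s ${MGMT_NET} -m conntrack --ctstate NEW -j SSH_GUARD
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
-A INPUT -j LOG_DROP
-A SSH_GUARD -m recent --name SSH --set
-A SSH_GUARD -m recent --name SSH --update --seconds 60 --hitcount 4 --rttl -j LOG_DROP
-A SSH_GUARD -j ACCEPT
-A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "INPUT_DROP: " --log-level 4
-A LOG_DROP -j DROP
COMMIT
EOF
}

# Static checks before anything reaches the kernel: every table header has its
# COMMIT, INPUT defaults to DROP, and return traffic is explicitly accepted.
validate_ruleset() {
  local file="$1" tables commits
  tables=$(grep -c '^\*' "$file" || true)
  commits=$(grep -c '^COMMIT$' "$file" || true)
  [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] || return 1
  grep -q '^:INPUT DROP' "$file" || return 1
  grep -q -- '^-A INPUT .*--ctstate ESTABLISHED,RELATED -j ACCEPT' "$file" || return 1
}

# apply_with_rollback FILE [TIMEOUT]
# Saves the live ruleset, parses FILE with --test, loads it, and restores the
# saved ruleset after TIMEOUT seconds unless confirm_rules is run first. Only the
# tables named in FILE are replaced; the nat table is untouched here.
apply_with_rollback() {
  local file="$1" timeout="${2:-60}" backup
  validate_ruleset "$file" || { echo "validation failed: $file" >&2; return 1; }
  backup=$(mktemp /tmp/iptables-backup.XXXXXX)
  iptables-save > "$backup"
  iptables-restore --test < "$file"
  iptables-restore < "$file"
  echo "$backup" > /tmp/iptables-pending
  ( sleep "$timeout"
    [ -e "$backup" ] && iptables-restore < "$backup" && echo "rolled back to $backup" >&2 ) &
  echo "applied $file; run confirm_rules within ${timeout}s to keep it" >&2
}

# Cancel the pending rollback by removing the backup the timer would restore.
confirm_rules() {
  local backup
  backup=$(cat /tmp/iptables-pending 2>/dev/null) || return 1
  rm -f "$backup" /tmp/iptables-pending
}

# Usage (as root):
#   baseline_ruleset > /etc/iptables.rules
#   apply_with_rollback /etc/iptables.rules 60   # then, from a new SSH session:
#   confirm_rules
```

The rollback timer is the part worth copying even if the ruleset is not: when the new rules lock you out of a remote machine, the old ones come back on their own, and `confirm_rules` is only reachable if the new rules actually let you in.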
## Troubleshooting

### Common Issues

```bash
# Check if the iptables service is running
systemctl status iptables
systemctl status netfilter-persistent

# Verify kernel modules
lsmod | grep ip_tables
lsmod | grep iptable_filter
lsmod | grep iptable_nat

# Load required modules
modprobe ip_tables
modprobe iptable_filter
modprobe iptable_nat
modprobe nf_conntrack   # ip_conntrack is the legacy name on very old kernels

# Check for rule conflicts
iptables -L -v -n --line-numbers
```
### Debugging Rules

```bash
# Trace packet path (output goes to the kernel log)
iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE
iptables -t raw -A OUTPUT -p tcp --dport 80 -j TRACE

# Monitor logs
tail -f /var/log/kern.log | grep iptables
tail -f /var/log/messages | grep kernel

# Test connectivity
nc -zv target_ip port
telnet target_ip port
nmap -p port target_ip

# Packet capture
tcpdump -i any -n port 80
tcpdump -i any -n host 192.168.1.100
```
### Performance Issues

```bash
# Check connection tracking (current entries vs. table size)
cat /proc/net/nf_conntrack | wc -l
cat /proc/sys/net/netfilter/nf_conntrack_max

# Optimize connection tracking
echo 65536 > /proc/sys/net/netfilter/nf_conntrack_max
echo 300 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

# Monitor rule performance
iptables -L -v -n | grep -E "pkts|Chain"
```
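When the conntrack table fills up, the kernel logs "nf_conntrack: table full, dropping packet" and new connections fail, so the two `cat` commands above are worth turning into a check. The following is an added example (not from the original cheatsheet) that reads a `/proc/net/nf_conntrack` snapshot and the `nf_conntrack_max` value, computes utilisation, breaks entries down by state, and lists the sources holding the most entries. File paths are parameters so it can run against a saved snapshot; the embedded snapshot is constructed in the `/proc/net/nf_conntrack` line format and does not come from a real host.

```bash
#!/usr/bin/env bash
# Connection-tracking table health from /proc/net/nf_conntrack.
set -eu

# Constructed snapshot (not from a real system). Field layout per line:
# l3proto l3num l4proto l4num timeout [tcp-state] key=value ...
SAMPLE_CONNTRACK=$(cat <<'EOF'
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=198.51.100.10 sport=45678 dport=22 src=198.51.100.10 dst=192.168.1.10 sport=22 dport=45678 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 117 TIME_WAIT src=203.0.113.50 dst=198.51.100.10 sport=51234 dport=80 src=198.51.100.10 dst=203.0.113.50 sport=80 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=203.0.113.50 dst=198.51.100.10 sport=51235 dport=80 src=198.51.100.10 dst=203.0.113.50 sport=80 dport=51235 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 25 SYN_SENT src=203.0.113.50 dst=198.51.100.10 sport=51236 dport=80 [UNREPLIED] src=198.51.100.10 dst=203.0.113.50 sport=80 dport=51236 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.1.20 dst=198.51.100.10 sport=5353 dport=53 src=198.51.100.10 dst=192.168.1.20 sport=53 dport=5353 mark=0 zone=0 use=2
EOF
)

# conntrack_usage_percent FILE MAX -> integer percentage of the table in use
conntrack_usage_percent() {
  local file="$1" max="$2" entries
  entries=$(wc -l < "$file" | tr -d ' ')
  [ "$max" -gt 0 ] || { echo 0; return; }
  echo $(( entries * 100 / max ))
}

# conntrack_states FILE -> "STATE COUNT" per line, sorted by state name.
# TCP entries carry a state in field 6; other protocols are reported by name.
conntrack_states() {
  awk '{ s = ($3 == "tcp") ? $6 : toupper($3); n[s]++ }
       END { for (s in n) print s, n[s] }' "$1" | sort
}

# conntrack_top_sources FILE N -> "COUNT SRC" for the N sources with most entries.
# The first src= field is the original direction, i.e. the initiating host.
conntrack_top_sources() {
  local file="$1" n="$2"
  awk '{ for (i = 5; i <= NF; i++) if ($i ~ /^src=/) { c[substr($i, 5)]++; break } }
       END { for (a in c) printf "%d %s\n", c[a], a }' "$file" | sort -rn | head -n "$n"
}

# check_conntrack_pressure FILE MAX WARN_PCT -> exit 1 (and a message) above WARN_PCT
check_conntrack_pressure() {
  local file="$1" max="$2" warn="$3" pct
  pct=$(conntrack_usage_percent "$file" "$max")
  if [ "$pct" -ge "$warn" ]; then
    echo "conntrack table at ${pct}% of ${max}; top sources:" >&2
    conntrack_top_sources "$file" 3 >&2
    return 1
  fi
  return 0
}

# Live usage (as root):
#   check_conntrack_pressure /proc/net/nf_conntrack \
#     "$(cat /proc/sys/net/netfilter/nf_conntrack_max)" 80
```

Splitting the count by state is what tells you which knob to turn: a table dominated by TIME_WAIT or UNREPLIED SYN_SENT entries is a timeout problem (or a SYN flood), while a table full of ESTABLISHED entries from legitimate hosts means `nf_conntrack_max` really is too small.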
## Advanced Features

### Custom Chains

```bash
# Create custom chain
iptables -N CUSTOM_INPUT

# Add rules to custom chain
iptables -A CUSTOM_INPUT -p tcp --dport 22 -j ACCEPT
iptables -A CUSTOM_INPUT -p tcp --dport 80 -j ACCEPT
iptables -A CUSTOM_INPUT -j DROP

# Jump to custom chain
iptables -A INPUT -j CUSTOM_INPUT

# Return from custom chain to the calling chain
# (insert above the final DROP; appended after it, the rule would never be reached)
iptables -I CUSTOM_INPUT 3 -p tcp --dport 443 -j RETURN
```
### Packet Marking

```bash
# Mark packets
iptables -t mangle -A PREROUTING -s 192.168.1.0/24 -j MARK --set-mark 1

# Match marked packets
iptables -A FORWARD -m mark --mark 1 -j ACCEPT

# Copy marks between packet and connection
iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
iptables -t mangle -A POSTROUTING -j CONNMARK --save-mark
```
### Traffic Shaping Integration

```bash
# Mark traffic for QoS
iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j MARK --set-mark 1
iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j MARK --set-mark 2
iptables -t mangle -A POSTROUTING -p tcp --sport 443 -j MARK --set-mark 2

# Classify traffic (tc class IDs)
iptables -t mangle -A POSTROUTING -p tcp --sport 22 -j CLASSIFY --set-class 1:10
iptables -t mangle -A POSTROUTING -p tcp --sport 80 -j CLASSIFY --set-class 1:20
```
## Best Practices

### Security Best Practices

```bash
# Default deny policy
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# Allow only necessary traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT

# Log dropped packets
iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
iptables -A INPUT -j DROP

# Regular rule review
#   - Document all rules
#   - Remove unused rules
#   - Test rule changes
```
### Performance Best Practices

```bash
# Order rules by frequency
#   - Most common rules first
#   - Specific rules before general rules

# Use connection tracking so established flows match on the first rule
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Minimize rule complexity
#   - Use custom chains for complex logic
#   - Avoid unnecessary string matching

# Optimize connection tracking
echo 'net.netfilter.nf_conntrack_max = 131072' >> /etc/sysctl.conf
echo 'net.netfilter.nf_conntrack_tcp_timeout_established = 300' >> /etc/sysctl.conf
```
### Management Best Practices

```bash
# Version control
git init /etc/iptables
git add /etc/iptables/rules.v4
git commit -m "Initial iptables configuration"

# Testing procedures
#   - Test in a staging environment
#   - Use iptables-restore --test
#   - Have a rollback plan ready

# Documentation
#   - Document rule purposes
#   - Maintain a change log
#   - Include contact information

# Monitoring
#   - Set up log monitoring
#   - Monitor rule hit counts
#   - Alert on policy violations
```
## Resources

- Netfilter documentation
- Linux firewall tutorial