Tag: iptables

  • How to list iptables rules

    To view all rules in iptables, run

    iptables -L

    Or

    iptables --list

    To list iptables rules without resolving IP addresses to hostnames

    iptables -L -n

    To show rule numbers

    iptables -L -n --line-numbers

    To list NAT rules

    iptables -t nat -L -n --line-numbers
    iptables -t nat -L -n -v

    The iptables-save command also lists all iptables rules

    iptables-save

    You can redirect the output of iptables-save to a file and load it again later with the iptables-restore command.


  • How to redirect traffic to another IP using iptables

    After migrating websites to a new server, you need to point the domains at the new server by changing the name servers or editing DNS. DNS propagation can take a few hours, and during this time visitors still reach the website on the OLD server's IP. If a visitor signs up or makes a purchase on the OLD server after the migration, that data will be lost. To avoid this, you can use iptables to forward all traffic to the new server's IP address.

    The following steps are done on the OLD server. First, enable IP forwarding by editing

    vi /etc/sysctl.conf
    

    Add

    net.ipv4.ip_forward=1
    

    Make it active with command

    sysctl -p
    

    If you only need it for the current session, you can run

    echo 1 > /proc/sys/net/ipv4/ip_forward
    

    For forwarding all incoming traffic on Port 80 and 443 to the new server IP, use

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination NEW_SERVER_IP_HERE:80
    iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination NEW_SERVER_IP_HERE:443
    iptables -t nat -A POSTROUTING -j MASQUERADE
    

    Replace NEW_SERVER_IP_HERE with the IP address of the new server.

    Now any traffic arriving at the OLD server on ports 80 and 443 is forwarded to the new server's IP address. If you need to forward other ports, duplicate the command and change the port number as required.
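    The procedure above, as an added example that is not part of the original post: a script that generates the complete rule set for a list of ports, including the pieces the three commands leave out (a FORWARD accept rule, since DNAT'd packets traverse the FORWARD chain and a DROP policy there discards them; MASQUERADE limited to the forwarded flows; input validation and `-C` checks so re-running adds no duplicates). The address 203.0.113.10 is a constructed example.

```shell
#!/bin/sh
# Added example, not from the original post: generate the complete rule set
# for forwarding TCP ports from the OLD server to NEW_IP. It adds what the
# three-line version above leaves out:
#   - a FORWARD rule plus an ESTABLISHED,RELATED rule: DNAT'd packets pass
#     through FORWARD, and a DROP policy there silently discards them;
#   - MASQUERADE limited to the forwarded flows instead of every packet;
#   - address/port validation and "-C" checks, so re-running is idempotent.
# Commands are printed for review; run them as root (or pipe to sh).

is_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF == 4 { for (i = 1; i <= 4; i++)
        if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 } { exit 1 }'
}

# add_once TABLE CHAIN I|A RULE... -> prints a check-then-add command
add_once() {
    t=$1; c=$2; a=$3; shift 3
    echo "iptables -t $t -C $c $* 2>/dev/null || iptables -t $t -$a $c $*"
}

# forward_rules NEW_IP PORT...
forward_rules() {
    new_ip=$1; shift
    is_ipv4 "$new_ip" || { echo "bad IPv4 address: $new_ip" >&2; return 1; }
    echo "sysctl -w net.ipv4.ip_forward=1"
    # replies to forwarded connections must be allowed back through FORWARD
    add_once filter FORWARD I -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in "$@"; do
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
        add_once nat PREROUTING A -p tcp --dport "$port" -j DNAT --to-destination "$new_ip:$port"
        # -I so the rule lands ahead of any catch-all log/drop rules in FORWARD
        add_once filter FORWARD I -p tcp -d "$new_ip" --dport "$port" -j ACCEPT
        # SNAT so the new server answers via the old one, not directly to the client
        add_once nat POSTROUTING A -p tcp -d "$new_ip" --dport "$port" -j MASQUERADE
    done
}

forward_rules 203.0.113.10 80 443   # constructed example address (TEST-NET-3)
```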

    If you want to remove the rules, you can flush iptables NAT rules with

    iptables -t nat -F
    

    To view the iptables NAT rules

    iptables -t nat -L
    

    To make the iptables rules permanent on RHEL-based Linux, run

    iptables-save > /etc/sysconfig/iptables
    

    To restore the iptables rules from that file

    iptables-restore < /etc/sysconfig/iptables
    


  • Port forward using iptables

    To forward all requests from port 80 to port 8080, run

    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

    Here is another command that specifies the network interface and forwards traffic on port 80 to port 5000

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 5000


  • Block an IP using iptables

    To block an IP using iptables, use

    iptables -A INPUT -s IPADDR -j DROP
    

    Replace IPADDR with the IP address you need to block.

    To block an IP range, give it in CIDR notation

    iptables -A INPUT -s IP_IN_CIDR_FORMAT -j DROP
    

    Example: block the IP range 159.138.0.0/16

    iptables -A INPUT -s 159.138.0.0/16 -j DROP
    

    Unblock an IP address

    To unblock an IP address, first find the number of the rule that blocks it:

    iptables --list INPUT -n --line-numbers | grep IP_ADDR_HERE
    

    Once you have the number of the rule to remove, run

    iptables --delete INPUT RULE_NUMBER_HERE
    

    (Screenshot: iptables delete a rule)
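    An added example (not from the original post) for the find-and-delete step above: `grep` matches substrings, so `grep 10.0.0.1` also hits 10.0.0.10 and 10.0.0.100. This helper compares the whole source column of the `--line-numbers` listing instead, and prints the numbers highest first because rule numbers shift after each delete. The listing and addresses are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post. "grep IP" matches substrings, so
# grep 10.0.0.1 also hits 10.0.0.10 and 10.0.0.100; this compares the whole
# source column instead. Rule numbers shift after every delete, so the numbers
# are printed highest first and can be deleted in that order.

# rule_numbers_for_source IP  (reads "iptables -L INPUT -n --line-numbers" on stdin)
# Columns without -v are: num target prot opt source destination [match info].
# A CIDR block is printed with its prefix (e.g. 159.138.0.0/16); pass it that way.
rule_numbers_for_source() {
    awk -v ip="$1" '$1 ~ /^[0-9]+$/ && $5 == ip { print $1 }' | sort -rn
}

# Constructed sample listing in the format iptables prints.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  10.0.0.10            0.0.0.0/0
3    DROP       all  --  10.0.0.1             0.0.0.0/0
4    DROP       all  --  10.0.0.100           0.0.0.0/0
5    DROP       all  --  10.0.0.1             0.0.0.0/0'

# On a live system (as root) the same function drives the delete:
#   iptables -L INPUT -n --line-numbers | rule_numbers_for_source 10.0.0.1 \
#       | while read -r n; do iptables -D INPUT "$n"; done
printf '%s\n' "$SAMPLE_LISTING" | rule_numbers_for_source 10.0.0.1   # prints 5 then 3
```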


  • Open MySQL Port 3306 in CentOS 7

    To allow remote connections to MySQL on a CentOS 7 server, you need to open port 3306 in the firewall.

    To do this, edit file

    vi /etc/sysconfig/iptables
    

    Find

    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    

    Add the following line above it

    -A INPUT -p tcp -m state --state NEW -m tcp --dport 3306 -j ACCEPT
    

    Then restart the iptables service (or the server) so the file is reloaded.

  • Unban an IP from CSF Firewall

    To unban an IP from CSF firewall, run

    csf -dr IP_ADDR
    

    Here I have an IP blocked in the firewall.

    [root@server22 ~]# iptables -L -n | grep 13.224.29.193
    DROP       all  --  13.224.29.193        0.0.0.0/0           
    LOGDROPOUT  all  --  0.0.0.0/0            13.224.29.193       
    [root@server22 ~]# 
    

    To see if CSF is blocking the IP, run

    csf -g IP_ADDR
    

    This command also gives the reason why the IP is blocked.

    Let's unban the IP address with the command

    csf -dr IP_ADDR
    

    The IP should no longer be listed in iptables; verify it with

    iptables -L -n | grep IP_ADDR
    


  • iptables

    To list current rules, run

    iptables -S
    

    Or

    iptables -L
    

    To list rules in numeric format, run

    iptables -nvL
    

    Or

    iptables -L -n
    

    To view NAT rules

    iptables -t nat -L -n --line-numbers
    

    To see rules with packet and byte counters, use

    iptables -L -n -v
    

    Open port 80

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    

    To open port 8080 in iptables firewall, run

    iptables -A INPUT -m state --state NEW -p tcp --dport 8080 -j ACCEPT
    

    Open a port range

    iptables -A INPUT -p tcp --match multiport --dports 50000:60000 -j ACCEPT
    

    Whitelist an IP

    iptables --append INPUT --protocol tcp --source 64.57.102.34 --jump ACCEPT
    

    Forward a Port to Another

    All requests on port 80 will be forwarded to port 7080

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination :7080
    

    Saving iptables rules

    The iptables commands above take effect immediately, but they are lost when you reboot. To make them permanent, run

    service iptables save
    

    You can also use

    iptables-save > /etc/sysconfig/iptables
    

    Depending on the distribution, the saved rules live in

    /etc/sysconfig/iptables
    /etc/iptables/iptables.rules
    

    Before flushing

    Make sure all chain policies are set to ACCEPT; if any is DROP, run

    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -F
    
  • iptables -F lock me out

    After i type

    iptables -F
    

    the server goes down. I can't connect to the web server or over SSH; it seems every connection is blocked by iptables.

    SOLUTION

    This is because the policy of the firewall's INPUT chain was set to DROP.

    Check with iptables --list and you will see "Chain INPUT (policy DROP)".

    [root@server52 ~]# iptables -L |grep Chain
    Chain INPUT (policy DROP)
    Chain FORWARD (policy DROP)
    Chain OUTPUT (policy DROP)
    Chain GALLOW (2 references)
    Chain INVALID (2 references)
    Chain INVDROP (10 references)
    Chain LOGDROPIN (1 references)
    Chain LOGDROPOUT (1 references)
    [root@server52 ~]# 
    

    If this is the case, before you run a flush, set the chain policies to ACCEPT by running

    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    service iptables save
    

    Then you will be able to run iptables -F without any problem.

    When you modify firewall rules, it is safer to first set up a cron job that runs the following commands every 5 or 10 minutes, so that if you lock yourself out you regain access as soon as the cron job runs.

    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
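    An added example (not from the original post) for the lock-out scenario above: a parser that detects the DROP-policy condition from the `iptables -L` output shown earlier, and a guarded flush that refuses while such a policy is in place and otherwise snapshots the rules and arms a one-shot rollback. Unlike a cron job that flushes every few minutes (and leaves the firewall open until you remember to remove it), the rollback restores the previous rule set and disarms itself. The rollback file path and the sample chain listing are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Two helpers for the lock-out
# problem described above:
#   drop_policy_chains - reads "iptables -L" output on stdin and prints the
#                        built-in chains whose policy is DROP (the condition
#                        that makes "iptables -F" cut you off);
#   guarded_flush      - refuses to flush while such a policy is in place,
#                        otherwise snapshots the rules and arms a one-shot
#                        rollback that restores them after 5 minutes unless
#                        you cancel it.

drop_policy_chains() {
    # "Chain INPUT (policy DROP)"; with -v the policy is followed by counters,
    # so accept "DROP" with or without the closing parenthesis.
    awk '$1 == "Chain" && $3 == "(policy" && $4 ~ /^DROP\)?$/ { print $2 }'
}

# Constructed sample, same shape as the "iptables -L | grep Chain" output above.
SAMPLE_CHAINS='Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
Chain OUTPUT (policy ACCEPT)
Chain GALLOW (2 references)
Chain LOGDROPIN (1 references)'

ROLLBACK=/root/iptables.rollback   # assumed path; any root-only location works

guarded_flush() {
    bad=$(iptables -L -n | drop_policy_chains | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "refusing to flush: policy DROP on ${bad}- run iptables -P <chain> ACCEPT first" >&2
        return 1
    fi
    iptables-save > "$ROLLBACK" || return 1
    # one-shot safety net: restore the snapshot in 5 minutes even if this SSH session dies
    nohup sh -c "sleep 300 && iptables-restore < '$ROLLBACK'" >/dev/null 2>&1 &
    echo $! > "$ROLLBACK.pid"
    echo "rollback armed (pid $!); once you confirm access still works, cancel with: kill \$(cat $ROLLBACK.pid)"
    iptables -F
}

printf '%s\n' "$SAMPLE_CHAINS" | drop_policy_chains   # prints INPUT and FORWARD
```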
    
