To list rules in iptables (the filter table; add -t nat for the NAT rules, -n to skip DNS lookups and --line-numbers to get the numbers used by -D)
# iptables -L -n --line-numbers
# iptables -t nat -L -n --line-numbers
Allow multiple ports from one network in a single rule (the multiport match takes a comma-separated list with --dports)
# iptables -A INPUT -s 123.176.0.0/255.255.0.0 -p tcp -m multiport --dports 22,1521,80 -j ACCEPT
To rate-limit new TCP connections arriving on eth0 to 5 SYN packets per second (anything above the limit falls through to the following rules or the chain policy)
# iptables -A INPUT -p tcp --syn -m limit --limit 5/s -i eth0 -j ACCEPT
To test a ping restriction from a client, send 3 packets 5 ms apart (an interval this short needs root)
# ping -c 3 -i .005 ipaddress
To restrict ping (pick one target: REJECT answers with an ICMP error, DROP discards silently, ACCEPT allows)
# iptables -A INPUT -s 192.168.1.80 -p icmp --icmp-type echo-request -j REJECT/DROP/ACCEPT   (restricts ping from only one IP)
# iptables -A INPUT -s 0.0.0.0/0.0.0.0 -p icmp --icmp-type echo-request -j REJECT/DROP/ACCEPT   (matches every source, i.e. the entire network)
# iptables -A INPUT -s 192.168.0.0/255.255.0.0 -p icmp --icmp-type echo-request -j DROP   (only a specific network segment)
To flush rules (removes every rule from all chains of the filter table but keeps the chain policies; use -t nat -F for the NAT table, or -F INPUT for a single chain)
# iptables -F
Allow or reject ports for specific IP addresses (chain names and targets are case-sensitive: INPUT, not input; REJECT, not reject)
# iptables -A INPUT -s 192.168.1.80 -j REJECT/DROP/ACCEPT   (all traffic from one host)
# iptables -A INPUT -s 192.168.1.80 -p tcp --dport 80 -j REJECT   (one host, one port)
# iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j REJECT   (a whole subnet, one port)
# iptables -A INPUT -s 123.176.47.0/255.255.255.0 -p tcp --dport 22 -j ACCEPT
To delete a rule from an iptables chain by its number (get the number with iptables -L INPUT --line-numbers; numbering shifts after each delete)
# iptables -D INPUT 5
To block a specific IP address (outbound: -d is the destination match; the upper-case -D is the delete command)
# iptables -A OUTPUT -d 67.215.241.234 -j DROP
To drop malformed or scanning TCP packets
# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP   (new connection that does not start with SYN)
# iptables -A INPUT -f -j DROP   (IP fragments)
# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP   (all flags set, XMAS scan)
# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP   (no flags set, NULL scan)
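The INPUT rules above only work as intended when they are in the right order (iptables stops at the first matching rule), so here they are assembled into one script. This is an added example, not part of the original cheat sheet; the network values (LAN, MGMT, WAN_IF) and the SYN_FLOOD chain name are assumptions, and the default IPT value prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: the INPUT rules above assembled
# into one ordered ruleset. First match wins, so cheap and frequent matches go first
# and the logging catch-all goes last. The DROP policy is set at the very end so a
# remote admin session is not cut off before the ESTABLISHED rule is in place.
# Defaults to printing the commands; run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"
LAN="192.168.1.0/24"      # assumed internal network
MGMT="123.176.0.0/16"     # assumed admin network (the /16 used in the cheat sheet)
WAN_IF="eth0"             # assumed external interface

apply_input_policy() {
    # 1. Clean slate so the function is idempotent when re-run.
    $IPT -F INPUT
    $IPT -N SYN_FLOOD 2>/dev/null || true   # -N fails harmlessly if the chain exists
    $IPT -F SYN_FLOOD

    # 2. Loopback and replies to connections we already know about.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP

    # 3. Bogus TCP packets (same checks as the cheat sheet's block rules).
    $IPT -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP   # new connection without SYN
    $IPT -A INPUT -f -j DROP                                           # fragments
    $IPT -A INPUT -p tcp --tcp-flags ALL ALL -j DROP                   # all flags set (XMAS)
    $IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP                  # no flags set (NULL)

    # 4. SYN rate limit in its own chain: up to 5/s (burst 10) return to INPUT, the rest drop.
    $IPT -A SYN_FLOOD -m limit --limit 5/s --limit-burst 10 -j RETURN
    $IPT -A SYN_FLOOD -j DROP
    $IPT -A INPUT -i "$WAN_IF" -p tcp --syn -j SYN_FLOOD

    # 5. Echo requests: answer at most one per second, drop the excess.
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP

    # 6. Services: admin network gets SSH, Oracle and HTTP; LAN gets SSH; everyone gets HTTP.
    $IPT -A INPUT -s "$MGMT" -p tcp -m multiport --dports 22,1521,80 -j ACCEPT
    $IPT -A INPUT -s "$LAN" -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT

    # 7. Log (rate-limited) what is about to hit the DROP policy, so blocked traffic is visible.
    $IPT -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT-DROP: "

    # 8. Default deny, applied last.
    $IPT -P INPUT DROP
}

apply_input_policy
```

Run it once without IPT set and read the printed commands; only when the order looks right run `IPT=iptables sh script.sh` as root. The SYN limit lives in a separate chain so that packets over the limit are dropped explicitly rather than relying on what happens to follow in INPUT.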
NAT rules (nat table; SNAT rewrites the source address in POSTROUTING, DNAT rewrites the destination in PREROUTING; forwarding also needs net.ipv4.ip_forward=1)
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.1   (LAN leaves with public address 1.2.3.1)
# iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -j SNAT --to-source 123.176.40.60
# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 1.2.3.1:1-1024   (also restrict the source ports used)
# iptables -t nat -A PREROUTING -d 1.2.4.1 -j DNAT --to-destination 192.168.1.50   (everything for 1.2.4.1 goes to the internal host)
# iptables -t nat -A PREROUTING -s 1.2.5.17 -d 1.2.4.2 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.100   (only from one client)
# iptables -t nat -A PREROUTING -d 1.2.4.2 -p tcp --dport 65521 -j DNAT --to-destination 192.168.1.100:22   (port forward, changes the port too)
# iptables -t nat -A PREROUTING -d 1.2.4.5 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.200
Transparent proxy is a way to force users through a proxy server even if their browsers are configured not to use it. The benefits of a proxy server are well known: bandwidth saving for cached pages and access control (e.g. denying downloads of files with dangerous extensions).
We can apply transparent proxying to all or some users so that they cannot bypass the proxy whenever they want. This is especially useful for children's computers, for example to deny access to sexually explicit sites.
On our Linux router we installed a Squid proxy server to cache some content from the Web, and we also want to deny users access to sex sites and malicious downloads. The users are not pleased about using the proxy and usually remove it from their browser configuration, so we force them through it anyway. If the proxy listens on port 3128, we redirect the LAN's HTTP traffic to it:
# iptables -t nat -A PREROUTING -s 192.168.1.0/24 -p tcp --dport 80 -j REDIRECT --to-ports 3128
If we want to allow the manager (who has the IP address 192.168.1.50) to bypass the proxy server, we insert an exception at the top of the chain (-I, not -A, so it is evaluated before the REDIRECT rule):
# iptables -t nat -I PREROUTING -s 192.168.1.50 -p tcp --dport 80 -j ACCEPT
This rule is matched first in the PREROUTING chain, so her traffic skips the REDIRECT and is only SNATed in the POSTROUTING chain like everyone else's.
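The transparent-proxy setup and the LAN's SNAT rule, combined into one script that shows why the bypass must use -I even though it is added after the REDIRECT. This is an added example and not part of the original text; PUBLIC_IP is assumed (the 1.2.3.1 of the SNAT rule above), and the default IPT value prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original text: nat-table rules for the transparent proxy
# and the LAN's SNAT, in the order the text describes. The manager's bypass is inserted
# with -I after the REDIRECT has been appended, which still places it at position 1 of
# PREROUTING, ahead of the REDIRECT, because -I inserts at the top by default.
# Defaults to printing the commands; run with IPT=iptables (as root) to apply them.
IPT="${IPT:-echo iptables}"
SYSCTL="${SYSCTL:-echo sysctl}"
LAN="192.168.1.0/24"        # from the text
MANAGER="192.168.1.50"      # from the text
PROXY_PORT="3128"           # Squid's listening port, from the text
PUBLIC_IP="1.2.3.1"         # assumed public address of the router (as in the SNAT rule above)

apply_nat_policy() {
    # Routing between the LAN and the outside requires forwarding to be on.
    $SYSCTL -w net.ipv4.ip_forward=1

    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING

    # Force every LAN client's plain-HTTP traffic into Squid on this host. Only port 80 can
    # be handled this way; TLS on 443 cannot be transparently proxied without certificate
    # interception, so this does not by itself cover HTTPS sites.
    $IPT -t nat -A PREROUTING -s "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports "$PROXY_PORT"

    # Exception for the manager, inserted at the top so it is evaluated before the REDIRECT.
    $IPT -t nat -I PREROUTING -s "$MANAGER" -p tcp --dport 80 -j ACCEPT

    # Rewrite the LAN's source address to the router's public address on the way out.
    $IPT -t nat -A POSTROUTING -s "$LAN" -j SNAT --to-source "$PUBLIC_IP"
}

# Rule numbers let you confirm the bypass really sits at position 1 and the REDIRECT at 2.
show_nat_chains() {
    $IPT -t nat -L PREROUTING -n -v --line-numbers
    $IPT -t nat -L POSTROUTING -n -v --line-numbers
}

apply_nat_policy
show_nat_chains
```

Squid must be told that the connections it receives were redirected rather than sent to it explicitly (`http_port 3128 intercept` in squid.conf); without that it rejects the intercepted requests. The packet counters shown by `-v` are the quickest check that the manager's traffic is hitting rule 1 and everyone else's rule 2.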