iptables notes

finally getting round to remembering iptables

iptables basics

FILTER is the default table, traffic passes through 1 of 3 chains { INPUT, FORWARD, OUTPUT } (most of the time)

container traffic passes through FORWARD

PREROUTING, POSTROUTING only available on RAW, MANGLE

1PREROUTING ─┬──── FORWARD ────┬─ POSTROUTING
2            │                 │
3      INPUT │                 │ OUTPUT
4            │                 │
5            └─ local process ─┘

filter traffic

chain modifiers:

-P: set chain default policy
-F: flush all rules
-A: append rule
-D: delete rule

selectors:

-i: interface
-s / -d: source/destination address range
-p: protocol
--sport / --dport: source/destination port (for tcp/udp)

actions:

-j: jump to target
ACCEPT: allow packet to pass
DROP: drop packet
RETURN: continue processing from last jump
REJECT: reject packet, ex: host/network unreachable

1iptables -P FORWARD ACCEPT
2iptables -A FORWARD -s 0.0.0.0/0 -d 1.2.3.4/32 -p tcp --dport 80 -j ACCEPT

allow established connections through

-m: match using an extension module

1iptables -A INPUT -m conntrack --cstate RELATED,ESTABLISHED -j ACCEPT
2iptables -A OUTPUT -m conntrack --cstate RELATED,ESTABLISHED -j ACCEPT
3iptables -A FORWARD -m conntrack --cstate RELATED,ESTABLISHED -j ACCEPT