iptables notes

finally getting round to remembering iptables

iptables notes

finally getting round to remembering iptables

iptables basics

FILTER is the default table, traffic passes through 1 of 3 chains { INPUT, FORWARD, OUTPUT } (most of the time)

container traffic passes through FORWARD

PREROUTING, POSTROUTING only available on RAW, MANGLE

PREROUTING ─┬──── FORWARD ────┬─ POSTROUTING
            │                 │
      INPUT │                 │ OUTPUT
            │                 │
            └─ local process ─┘

filter traffic

chain modifiers:

• -P: set chain default policy
• -F: flush all rules
• -A: append rule
• -D: delete rule

selectors:

• -i: interface
• -s / -d: source/destination address range
• -p: protocol
• --sport / --dport: source/destination port (for tcp/udp)

actions:

• -j: jump to target
• ACCEPT: allow packet to pass
• DROP: drop packet
• RETURN: continue processing from last jump
• REJECT: reject packet, ex: host/network unreachable

iptables -P FORWARD ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -d 1.2.3.4/32 -p tcp --dport 80 -j ACCEPT

allow established connections through

• -m: match using an extension module

iptables -A INPUT -m conntrack --cstate RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m conntrack --cstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m conntrack --cstate RELATED,ESTABLISHED -j ACCEPT