xtables - bunnyamin/bunnix GitHub Wiki

X-tables (iptables, ip6tables, arptables, ebtables) is a legacy framework; nftables should be preferred in most cases. X-tables is still relevant where only an older Linux kernel is available.

SystemD

Debian

  • Package iptables-persistent
  • systemctl start netfilter-persistent
  • The files that are reloaded on system start:
    • /etc/iptables/rules.v4
    • /etc/iptables/rules.v6

arptables

ebtables

iptables

  • What's the difference between iptables "state" and "ctstate"?

  • Comment rule iptables-legacy -m comment --comment "..."

  • Append input iptables-legacy -A INPUT ...

  • Replace rule at line 3 iptables-legacy -R INPUT 3 ...

  • Insert before second row iptables-legacy -I INPUT 2

  • List rules with line numbers iptables-legacy -L -nv --line-numbers

  • Delete rule at line 3 iptables-legacy -D INPUT 3

  • Save changes iptables-legacy-save -f /obj/bunnix/fhs/etc/iptables.rules

  • Define protocol -p <PROTOCOL>

  • Define source -s <SOURCE IP> or --source <SOURCE IP>

  • Define destination -d <DESTINATION IP> or --destination <DESTINATION IP>

  • Define destination port -p TCP --dport <PORT>

  • Define connection state -m state --state NEW,ESTABLISHED,RELATED

  • Define input interface -i <IF> or --in-interface <IF>

  • Define output interface -o <IF> or --out-interface <IF>

  • Reset packet counters iptables -Z

LOG

FORWARD

# Allow traffic from internal to external
iptables-legacy -A FORWARD -i <LAN_IF> -o <WAN_IF> -j ACCEPT

# Allow returning traffic from external to internal
iptables-legacy -A FORWARD -i <WAN_IF> -o <LAN_IF> -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables-legacy -I FORWARD 3 -i wlan0 -o wlan0 -d 192.168.0.101 -p TCP --dport 49999 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Drop all other traffic that shouldn't be forwarded
iptables-legacy -A FORWARD -j DROP

INPUT

# Set the default policy with -P (--policy); lower-case -p selects a protocol instead
iptables-legacy -P INPUT DROP
iptables-legacy -A INPUT -i lo -j ACCEPT
iptables-legacy -A INPUT -i <WAN_IF> -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables-legacy -A INPUT -i <VPN_IF> -m state --state ESTABLISHED,RELATED -j ACCEPT

NAT

iptables-legacy -t nat -A POSTROUTING -d 192.162.2.102 -o wlan0 -j MASQUERADE
  • Append post-routing NAT rule iptables-legacy -t nat -A POSTROUTING --out-interface <VPN_IF> -s <SOURCE IP> -j MASQUERADE
  • Delete rule at line 3 iptables-legacy -t nat -D POSTROUTING 3
  • Show created rules for NAT iptables-legacy -L -nvt nat --line-numbers

Port

iptables-legacy -A INPUT -p tcp -m tcp -i <LAN_IF> --dport 49999 -j ACCEPT
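Added example, not taken from the bunnix wiki: the INPUT, FORWARD, NAT and Port snippets above rendered as one rules.v4 file in the iptables-save format that iptables-persistent reloads, with an offline lint step before iptables-legacy-restore is asked to parse it. Interface names, the admin port and the LOG prefix are assumed sample values.

```shell
#!/bin/sh
# Added example (not from the bunnix wiki): render the INPUT/FORWARD/NAT baseline
# as a rules.v4 file, lint it offline, then hand it to iptables-legacy-restore.
# eth0/wlan0 and the admin port are assumed sample values.

# render_rules_v4 LAN_IF WAN_IF ADMIN_PORT
# Default-DROP INPUT and FORWARD; loopback, return traffic and one admin TCP
# port from the LAN accepted; LAN->WAN forwarding with masquerade on the WAN
# side; forwarded packets that fall through to the DROP policy are logged
# (rate-limited) so the drops are visible in the kernel log.
render_rules_v4() {
    lan_if=$1 wan_if=$2 admin_port=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $wan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $lan_if -p tcp -m tcp --dport $admin_port -j ACCEPT
-A FORWARD -i $lan_if -o $wan_if -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
EOF
}

# lint_rules_v4 FILE
# Cheap structural check before "iptables-legacy-restore --test": every *table
# block is closed by a COMMIT, and every rule line names a -j target.
# Returns 0 when the file passes, 1 otherwise.
lint_rules_v4() {
    tables=$(grep -c '^\*' "$1")
    commits=$(grep -c '^COMMIT$' "$1")
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ] || return 1
    if grep '^-[AI] ' "$1" | grep -qv ' -j '; then
        return 1
    fi
    return 0
}

# Usage on the router (as root):
#   render_rules_v4 eth0 wlan0 49999 > /etc/iptables/rules.v4.new
#   lint_rules_v4 /etc/iptables/rules.v4.new \
#     && iptables-legacy-restore --test < /etc/iptables/rules.v4.new \
#     && mv /etc/iptables/rules.v4.new /etc/iptables/rules.v4 \
#     && systemctl restart netfilter-persistent
if [ "${1:-}" = "demo" ]; then
    render_rules_v4 eth0 wlan0 49999
fi
```

The lint only catches file-shape mistakes; `iptables-legacy-restore --test` parses the full ruleset without committing it, which is the check to run before the file is put where netfilter-persistent loads it on boot.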

ip6tables

Forward SSH

NordVPN capturing all requests?

Tunnel from OPZ2 to u1f430

iptables-legacy -t nat -A PREROUTING -p tcp -i wlan0 --dport 59735 -j DNAT --to-destination 192.168.2.102:59735

# INPUT takes no -o (iptables rejects it for this chain); the DNATed traffic goes through FORWARD anyway
iptables-legacy -A INPUT -i wlan0 -p tcp --dport 59735 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables-legacy -t nat -A POSTROUTING -s <LAN IP> -o <IF> -j MASQUERADE
iptables-legacy -t nat -I POSTROUTING 1 -p tcp --dport 59735 -j MASQUERADE

iptables-legacy -t nat -D POSTROUTING 2
iptables-legacy -L -nvt nat --line-numbers


iptables-legacy -I FORWARD 3 -i wlan0 -o wlan0 -d 192.168.2.102 -p TCP --dport 59735 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
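Added example, not taken from the bunnix wiki: the three rules the tunnel above needs (PREROUTING DNAT, FORWARD accept, POSTROUTING masquerade for the same-interface case) generated from one function, together with the matching -D commands so the rules are removed by content rather than by a line number that shifts after every delete. IPT, port_forward_rules and the interface, address and port are assumptions; by default the commands are printed, not applied.

```shell
#!/bin/sh
# Added example (not from the bunnix wiki): generate, or apply, the rule set for
# forwarding one TCP port to an internal host, plus the matching -D commands for
# teardown. IPT defaults to printing the commands; run with IPT=iptables-legacy
# as root to apply them. wlan0, 192.168.2.102 and 59735 are sample values.

IPT=${IPT:-echo iptables-legacy}

# port_forward_rules ACTION IN_IF DST_IP PORT   (ACTION is -A to add, -D to delete)
# The same match is used for -A and -D, so -D removes exactly what -A inserted.
port_forward_rules() {
    case $1 in
        -A|-D) ;;
        *) echo "usage: port_forward_rules -A|-D IN_IF DST_IP PORT" >&2; return 2 ;;
    esac
    action=$1 in_if=$2 dst=$3 port=$4
    # 1. nat/PREROUTING: rewrite the destination of connections arriving on the router's port.
    $IPT -t nat "$action" PREROUTING -i "$in_if" -p tcp --dport "$port" -j DNAT --to-destination "$dst:$port"
    # 2. filter/FORWARD: after DNAT the packets are forwarded, not delivered locally, so INPUT
    #    never sees them; with a default-DROP FORWARD chain this ACCEPT is what makes the tunnel work.
    $IPT "$action" FORWARD -i "$in_if" -d "$dst" -p tcp --dport "$port" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. nat/POSTROUTING: only matches when the packet leaves on the interface it arrived on
    #    (client and target on the same LAN). Masquerading makes the reply return via the
    #    router instead of straight to the client, which would otherwise reset the connection.
    #    Narrowed to the forwarded host and port, unlike the unrestricted MASQUERADE rule above.
    $IPT -t nat "$action" POSTROUTING -o "$in_if" -d "$dst" -p tcp --dport "$port" -j MASQUERADE
}

# Prerequisite for any forwarding: sysctl -w net.ipv4.ip_forward=1
if [ "${1:-}" = "demo" ]; then
    port_forward_rules -A wlan0 192.168.2.102 59735
fi
```

Run `IPT=iptables-legacy port_forward_rules -D wlan0 192.168.2.102 59735` to remove the tunnel; if any of the three rules was already gone, iptables reports "Bad rule" for that one, which is safer than `-D POSTROUTING 2` deleting whatever has moved into position 2.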
