Questions tagged [iptables]

iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. It is targeted towards system administrators. Please, when asking a question about iptables, add the output from the following command: iptables -L -v -n

iptables is a userspace utility complementary to the Linux kernel-level Netfilter firewall.

When seeking help with a firewall configuration, it is advisable to supply the output of iptables-save, which gives a complete, readable ruleset listing, and optionally to append the output of iptables -L -v -n, which adds per-rule packet and byte counters for the same ruleset.

6626 questions
67
votes
4 answers

Windows equivalent of iptables?

Dumb question: Is there an equivalent of iptables on Windows? Could I install one via cygwin? The real question: how can I accomplish on Windows what I can accomplish via iptables? Just looking for basic firewall functionality (e.g. blocking certain…
Aaron F.
  • 895
  • 2
  • 8
  • 9
65
votes
11 answers

Denyhosts vs fail2ban vs iptables- best way to prevent brute force logons?

I'm setting up a LAMP server and need to prevent SSH/FTP/etc. brute-force logon attempts from succeeding. I've seen many recommendations for both denyhosts and fail2ban, but few comparisons of the two. I also read that an IPTables rule can fill the…
spiffytech
  • 1,063
  • 2
  • 11
  • 17
62
votes
5 answers

I accidentally forbid SSH connection to a remote server... What's next?

Let's say it again, we all make mistakes, and I have just made one. A brief history: I was doing some stuff on a VPS (Debian) I'm renting, when I noticed some strange behaviour. Using the netstat command I saw a non-authorized connection through…
tomatoGuy
  • 621
  • 5
  • 3
62
votes
18 answers

iptables Tips & Tricks

I'm sure Linux sysadmins are quite familiar with iptables, the userland interface to the netfilter packet-filtering framework. Now, this "Question" is meant to be a Community Wiki for collecting together various bits-n-pieces of iptables wisdom.…
pepoluan
  • 5,038
  • 4
  • 47
  • 72
60
votes
5 answers

iptables port redirect not working for localhost

I want to redirect all traffic from port 443 to the internal port 8080. I'm using this config for iptables: iptables -t nat -I PREROUTING --source 0/0 --destination 0/0 -p tcp \ --dport 443 -j REDIRECT --to-ports 8080 This works for all…
Chris
  • 601
  • 1
  • 6
  • 3
59
votes
3 answers

iptables -L pretty slow. Is this normal?

Quick question but Googling has not revealed an answer. When I do iptables -L, it seems to lag on displaying items where I have limited the source to internal IPs 192.168.0.0/24. The whole listing takes about 30 seconds to display. I just want to…
Bartek
  • 799
  • 2
  • 8
  • 12
58
votes
10 answers

Why not block ICMP?

I think I almost have my iptables setup complete on my CentOS 5.3 system. Here is my script... # Establish a clean slate iptables -P INPUT ACCEPT iptables -P FORWARD ACCEPT iptables -P OUTPUT ACCEPT iptables -F # Flush all rules iptables -X # Delete…
Agvorth
  • 2,459
  • 4
  • 29
  • 29
57
votes
6 answers

Where does UFW (uncomplicated firewall) save command-line rules to?

You add a rule like this: ufw allow 22/tcp The rule is saved, and is applied even after reboot. But it's not written anywhere in /etc/ufw. Where is it saved to? (Ubuntu, using ufw as pre-installed.)
Steve Bennett
  • 5,750
  • 12
  • 47
  • 59
53
votes
6 answers

iptables error: unknown option --dport

The command iptables no longer recognizes one of the most commonly used options when defining rules: --dport. I get this error: [root@dragonweyr /home/calyodelphi]# iptables -A INPUT --dport 7777 -j ACCEPT_TCP_UDP iptables v1.4.7: unknown option…
Calyo Delphi
  • 641
  • 1
  • 5
  • 6
53
votes
1 answer

iptables forwarding between two interfaces

So I have a linux box with two wireless interfaces, one is a station and the other an AP. wlan0 (station) - Connected to the internet connection wlan1 (AP) - Other clients connect to it. I would like for clients connected to wlan1 to be able to…
broody
  • 643
  • 1
  • 7
  • 8
52
votes
6 answers

Debugger for Iptables

I'm looking for an easy way to follow a packet through the iptables rules. This is not so much about logging, because I don't want to log all traffic (and I only want to have LOG targets for very few rules). Something like Wireshark for Iptables. Or…
Chris Lercher
  • 4,152
  • 9
  • 35
  • 41
51
votes
3 answers

Ubuntu ufw: set a rule on a per interface basis

I want to create a rule that allows anyone on eth1 to access port 80. Can UFW do this or should I go back to using Shorewall? To clarify: this is a capabilities question, can ufw handle interfaces as a target?
Antonius Bloch
  • 4,680
  • 6
  • 29
  • 41
50
votes
5 answers

Why is tampering with the TTL of IP dangerous?

I've been reading the iptables man-page (light bedtime reading) and I came across the 'TTL' target, but it warns: Setting or incrementing the TTL field can potentially be very dangerous and Don't ever set or increment the value on packets that…
Robbie Mckennie
  • 1,123
  • 1
  • 8
  • 21
50
votes
3 answers

Iptables, what's the difference between -m state and -m conntrack?

What's the practical difference between: iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT and iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT Which one is best to use? Thank you.
Bourne
  • 1,039
  • 5
  • 18
  • 24
49
votes
2 answers

iptables and multiple ports

This doesn't work for me: # iptables -A INPUT -p tcp --dports 110,143,993,995 -j ACCEPT iptables v1.4.7: unknown option `--dports' Try `iptables -h' or 'iptables --help' for more information. However in the man page, there is an option --dports...…
Zenet
  • 928
  • 5
  • 10
  • 15