Questions tagged [iptables]

iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. It is targeted towards system administrators. When asking a question about iptables, please include the output of the following command: iptables -L -v -n

iptables is the userspace utility that configures the Linux kernel-level Netfilter firewall.

When seeking help with a firewall configuration, it is advisable to supply the iptables-save output, which gives a readable listing of the ruleset, and to append the output of iptables -L -v -n, which adds per-rule packet and byte counters for the same ruleset.

6626 questions
23
votes
6 answers

Use IPtables or null route for blacklisting about 1 million IP addresses?

I've come across a situation where a client needs to blacklist a set of just under 1 million individual IP addresses (no subnets), and network performance is a concern. While I would conjecture that IPTables rules would have less of a performance…
tylerl
23
votes
8 answers

How to make iptables rules expire?

Someone told me this is possible, but I can't find anything on google or man pages. I need to ban IPs for a certain amount of time, and then have them unbanned automatically.
HappyDeveloper
23
votes
5 answers

iptables rules to allow HTTP traffic to one domain only

I need to configure my machine so as to allow HTTP traffic to/from serverfault.com only. All other websites, services and ports are not accessible. I came up with these iptables rules: #drop everything iptables -P INPUT DROP iptables -P OUTPUT DROP #Now,…
Zenet
23
votes
4 answers

Iptables: "-p udp --state ESTABLISHED"

Let's look at these two iptables rules which are often used to allow outgoing DNS: iptables -A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -m…
Chris Lercher
22
votes
4 answers

Iptables management with ansible in a huge environment

What is the best way to manage iptables from one point and have the ability to edit something on the local server? We need to add some rules centralized on all servers, but we have specific servers with specific requirements which should have their own…
Navern
22
votes
3 answers

iftop - how to generate a text file with its output?

iftop is a great tool to view almost live bandwidth usage distinguished by source IP, source port, destination IP and destination port. I'm using it to see which client's IP is using the most bandwidth. Now I would like to store the output somewhere. iftop uses…
mickula
22
votes
4 answers

Ping: sendmsg: operation not permitted error after installing iptables on Arch GNU/Linux

Yesterday I got a new computer as my homeserver, an HP Proliant Microserver. Installed Arch Linux on it, with kernel version 3.2.12. After installing iptables (1.4.12.2 - the current version AFAIK) and changing the net.ipv4.ip_forward key to 1, and…
estol
22
votes
3 answers

Node.js is not accessible from external IPs on Ubuntu

I'm sure this is very noobish, so forgive me. I'm trying to run a node.js server on port 8080 of my ubuntu 10.04. Here's the result of iptables -L on the server: Chain INPUT (policy ACCEPT) target prot opt source destination …
Mikael Gramont
21
votes
3 answers

How to log the IP addresses trying to connect to a port?

Is it possible to log all IP addresses that are trying to connect or have connected to port "5901" in Linux Debian? How can I do that?
Gihan Lasita
21
votes
2 answers

How can I block all but three ports in Ubuntu?

How can I block all ports except for 1962, 999, 12020? One port for SSH and two others for a kind of script. So, it's necessary to allow outgoing on these ports, right? My iptables: # Generated by iptables-save v1.4.4 on Sat Feb 25 17:25:21…
okapa
21
votes
4 answers

Enable iptables on one interface

I want iptables to filter only one interface, eth0, which is facing WAN. How can this be done? And I want to keep ftp and ssh ports open on eth0.
nixnotwin
21
votes
1 answer

Should I be using iptables or ufw?

I know of iptables. I know of ufw. I've been using ufw in the past just because it's easier to setup and use. However, which one should I be using? Is iptables more secure? Is ufw more stable? I have no idea, hence why I'm asking here.
Piers Karsenbarg
21
votes
3 answers

Difference between DNAT and REDIRECT in IPTABLES

Okay, it may be because I am dense or maybe just not finding the right source, but I can't understand why one of these IPTABLES setups would be better than the other. Here is my setup: I have a box that is serving as a transparent proxy and a router…
QWade
20
votes
2 answers

Why is our firewall (Ubuntu 8.04) rejecting the final packet (FIN, ACK, PSH) with a RST?

Background: for a long time we have had problems with our firewall that sometimes keeps HTTP requests hanging partially loaded until TCP times out. After tracing the traffic on the firewall I noticed that it occurs only during certain timing…
ernelli
20
votes
1 answer

How to open port 8080 for an application, with iptables

I am a total newbie concerning servers so excuse my humble question :-) Someone developed for me a python application that acts as a web server. This TCP application needs to listen on port 8080. [root@blabla jll]# netstat -tanpu | grep ":8080" tcp…
user74828