Questions tagged [iptables]

iptables is the userspace command-line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. It is targeted at system administrators. When asking a question about iptables, please add the output of the following command: iptables -L -v -n

iptables is a userspace utility complementary to the Linux kernel-level Netfilter firewall.

When seeking help with a firewall configuration, it is advisable to supply the output of iptables-save, which gives a readable listing of the ruleset, and optionally append the output of iptables -L -v -n, which adds packet and byte counters for each rule.

6626 questions
20 votes, 3 answers

How to turn iptables stateless?

I'm running a Linux server that - from time to time - faces heavy load and the conntrack table overflows. Since its iptables firewall ruleset is very simple I'd like to turn it to stateless mode. I know that iptables can operate in stateful…
tex
19 votes, 1 answer

Why is ping working when all incoming and outgoing connections are blocked in the firewall?

I have DENIED both incoming and outgoing connections using ufw on Debian VPS. There is only one rule defined, which is to allow connection to SSH port. ufw is enabled and working. Yet I am still able to ping from my laptop to server using its…
Frank Martin
19 votes, 2 answers

Reduce firewall rules by half - one iptables rule for tcp and udp

I have a number of iptables rules on my firewall that look like this: iptables -A zone_lan_forward -p tcp -d 1.2.3.0/24 -j ACCEPT iptables -A zone_lan_forward -p udp -d 1.2.3.0/24 -j ACCEPT Is there a shortcut for having two rules - one for tcp and…
Big McLargeHuge
19 votes, 1 answer

With iptables, match packets arrived via IPSEC tunnel

I'm using IPSEC in a tunnel mode. How to make an iptables rule that will match only packets which arrived via IPSEC tunnel (i.e. after IPSEC decrypted them - not the IPSEC packets when they arrive and before decryption). The point is to have a…
Sandman4
19 votes, 2 answers

iptables NEW connections vs. --syn

What's the difference between: iptables ... -m state --state NEW and iptables ... --syn The first one should select NEW connections, but AFAIK new connections are made by sending a TCP syn flag. The other one means just that - packets with a syn…
wanson
18 votes, 2 answers

Will iptables rules continue to work if an interface has been deleted and created again?

My server connects to some strange resources via OpenVPN, and every time the OpenVPN client starts up, an ovpn interface is brought up. I want to expose only selected ports (say, MySQL) to this interface, so I have this rule in my iptables: iptables…
iBug
18 votes, 1 answer

Youtube not blocked by iptables

On our Ubuntu machine I have attempted to block internet access to one of the user accounts by adding the following line to /etc/network/interfaces: pre-up iptables -A OUTPUT -p tcp -m owner --uid-owner 1001 -j DROP This works well except somehow…
spencerrecneps
18 votes, 4 answers

How to configure a custom NAT for use in Amazon VPC

I have an Ubuntu box I wish to use as a NAT instance (among other things). I would prefer to avoid using the NAT AMIs provided by Amazon, and instead configure NAT myself. Currently, my host has a single network interface (as shown in…
jjmontes
18 votes, 2 answers

iptables -p all --dport

iptables doesn't seem to recognize --dport with -p all. iptables -A INPUT -p all --dport www -j ACCEPT yields: iptables v1.4.4: unknown option `--dport' Try `iptables -h' or 'iptables --help' for more information. --destination-port doesn't work…
darkfeline
18 votes, 11 answers

Using Linux IPTables, How to block torrents or any P2P protocols?

At our institution we have connected 300+ computers to different LANs with Internet access. Included here are office LANs and an Internet laboratory for students. We want to control torrents or any P2P protocols. The previous solution to our problem is…
Nathaniel Varona
17 votes, 1 answer

Create a multi-homed linux load balancer with two internet connections and one LAN connection

OK,... this has possibly been answered; unfortunately, I have not found anything that looks like it might be the resolution. I've looked at these pages and they have some useful information, but not complete resolutions: Load balancing & NAT-ing…
John Schultz
17 votes, 2 answers

Docker - Exposed ports accessible from outside - iptables rules ignored

I have a docker container running like: docker run --name some_container_1 -p 8080:80 -d some_image Which works fine. The container exposes its port 80 as 8080 and is accessible from localhost. For some reason however it's ignoring the…
binaryanomaly
17 votes, 2 answers

Ubuntu: How to add an iptables rule that UFW can't create

UFW is working really well for me except in the cases where it doesn't... I want to be able to add another rule manually that will be applied on boot. Where should I put this rule? How should I make it start at boot? How do I make it play nicely…
Arthur Ulfeldt
17 votes, 3 answers

What is the difference between securing a Linux box using hosts.[allow|deny] vs iptables?

As the title states, I have a Linux box. As far as I can tell I can use hosts.allow / hosts.deny or iptables to secure it. What's the difference? Is there another mechanism that can be used?
Tree77
17 votes, 4 answers

Iptables - Bridge and Forward chain

I have set up an ethernet bridge br0 that contains two interfaces eth0 and tap0: brctl addbr br0 brctl addif eth0 brctl addif tap0 ifconfig eth0 0.0.0.0 promisc up ifconfig tap0 0.0.0.0 promisc up ifconfig br0 10.0.1.1 netmask 255.255.255.0 broadcast…
Dariusz Bacinski