| Prefix | # - run command as root or by use of sudo command |
$ - run command in regular user-context |
The order of iptables rules matters. Traffic is filtered by first applicable rule. If a rule accept SSH traffic, followed by a rule to deny SSH traffic, iptables will always allow the traffic because allow comes before deny rule in the chain. You can change the rule order by specifying a rule number in your command.
Ruleset only allowing current outgoing and established traffic. Needed when you are logged in to a server via ssh.
# iptables -F OUTPUT
# iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -j REJECTRuleset rejecting all incoming traffic
# iptables -F INPUT
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECTRuleset to drop and block all network traffic whether incoming or outgoing.
This will also include current ongoing established traffic and it will break your traffic if remote.
# iptables -F
# iptables -A INPUT -j REJECT
# iptables -A OUTPUT -j REJECT
# iptables -A FORWARD -j REJECTDrop all incoming ping requests. It is possible to use REJECT instead of DROP. The difference between DROP vs REJECT is that DROP silently discards the incoming package, whereas REJECT will result in ICMP error being returned.
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROPReject all outgoing traffic coming from a local port 22 (ssh).
# iptables -A OUTPUT -p tcp --dport ssh -j REJECTReject all incoming traffic to a local port 22 (ssh).
# iptables -A INPUT -p tcp --dport ssh -j REJECTRuleset rejecting all incoming traffic to system except port 22 (SSH). It will also accept traffic on the loopback interface.
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECTRuleset blocking all incoming traffic to port 22 (ssh) except host address 1.3.5.7. Only allow host IP 1.3.5.7 to access ssh.
# iptables -A INPUT -p tcp -s 1.3.5.7 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECTRuleset blocking all incoming port (ssh) except host with MAC address 11:22:33:aa:bb:cc. Only allow host with MAC address 11:22:33:aa:bb:cc to access ssh.
# iptables -A INPUT -m mac --mac-source 11:22:33:aa:bb:cc -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECTDrop all incoming traffic on TCP port 6000.
# iptables -A INPUT -p tcp --dport 6000 -j REJECTDrop incoming traffic on a interface coming from subnet 172.16.1.0/16. Useful in attempt to drop illegal IP addresses on wan interface. If enp3s1 is an external network interface, no incoming traffic originating from internal network should hit enp3s1 network interface.
# iptables -A INPUT -i enp3s1 -s 172.16.1.0/16 -j DROPCreate a simple IP Masquerading gateway to allow all host on the same subnet to access the Internet. The enp3s1 is the external interface connected to the Internet.
# echo "1" > /proc/sys/net/ipv4/ip\_forward
# iptables -t nat -A POSTROUTING -o enp3s1 -j MASQUERADEReject all incoming ssh (port 22) traffic except traffic request from IP 7.5.3.1
# iptables -A INPUT -t filter ! -s 7.5.3.1 -p tcp --dport 22 -j REJECTReject all incoming ssh (port 22) traffic except traffic request from IP address range 172.16.1.65 - 172.16.1.128.
Removing negator "!" from the below rule reject all ssh traffic originating from IP address range 172.16.1.65 - 172.16.1.128.
# iptables -A INPUT -t filter -m iprange ! --src-range 172.16.1.65 - 172.16.1.128 -p tcp --dport 22 -j REJECTReject all outgoing traffic to a remote host with an IP address 7.5.3.1
# iptables -A OUTPUT -d 7.5.3.1 -j REJECTBlock all incoming traffic from facebook.com where source port is www (port 80).
# iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP