iptables

Creating 1:1 NAT using iptables

by

Its a POC where I needed a 1:1 NAT using  Linux iptables. I used 2 Debian 11 OS for this and here’s the machine IP plans-

  • VM-1: IPTables/NAT Router- 123.45.67.5/24, 123.45.67.6/24 and 192.168.10.5/24
  • VM-2: Backend Server- 192.168.10.6/24 (this VM’s gateway will be 192.168.10.5

On VM-1

Uninstall nftables and its Dependencies

IPtables is being replaced by nftables starting with Debian 10 Buster. Debian 11 comes with nftables framework. To install iptables first we need uninstall nftables and its dependencies. SSH into your server and run the next commands:

# apt-get remove --auto-remove nftables
# apt-get purge nftables

Install IPtables in Debian 11

# apt-get update
# apt-get install iptables

Now we can check the iptables status and list rules. For list all the rules we will use option -L.

Run command:

# iptables -L -v

You will see the output:

As you see on the screenshot just installed iptables firewall and it works. But all chains (INPUT, FORWARD, OUTPUT) are set to ACCEPT, and we have no security rules configured.

Read more

Share

INSTALL IPTABLES IN DEBIAN 11 (BULLSEYE)

by

In this article you will learn how to uninstall default nftables framework, install iptables Debian 11 (Bullseye) and basic rules initial configuration.

Uninstall nftables and its Dependencies

IPtables is being replaced by nftables starting with Debian 10 Buster. Debian 11 comes with nftables framework.

To install iptables first we need uninstall nftables and its dependencies.

SSH into your server and run the next commands:

# apt-get remove --auto-remove nftables
# apt-get purge nftables

Install IPtables in Debian 11

Read more

Share

Enable IPTables on Rocky Linux 8

by

Disabling firewalld

You can’t really run the old iptables utilities alongside firewalld. They’re just not compatible. The best way to get around this is to disable firewalld entirely (no need to uninstall it unless you want to) , and reinstall the iptables utilities. Disabling firewalld can be done using these commands:

Stop firewalld:

systemctl stop firewalld

Disable firewalld so it won’t start on boot:

Read more

Share

IPTables D-NAT Firewall Rule

by 
# Generated by iptables-save v1.3.5 on Tue Oct 28 23:57:58 2014
*filter
:INPUT ACCEPT [2590:547311]
:FORWARD ACCEPT [11426:731834]
:OUTPUT ACCEPT [3989:328501]
-A INPUT -i eth0 -j ACCEPT
COMMIT
# Completed on Tue Oct 28 23:57:58 2014
# Generated by iptables-save v1.3.5 on Tue Oct 28 23:57:58 2014
*mangle
:PREROUTING ACCEPT [24964:3178001]
:INPUT ACCEPT [9150:1450474]
:FORWARD ACCEPT [11426:731834]
:OUTPUT ACCEPT [4655:374193]
:POSTROUTING ACCEPT [15415:1060335]
COMMIT
# Completed on Tue Oct 28 23:57:58 2014
# Generated by iptables-save v1.3.5 on Tue Oct 28 23:57:58 2014
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -m state -i eth0 --state RELATED,ESTABLISHED -j ACCEPT
-A PREROUTING -p tcp -m tcp -d 123.45.67.89 --dport 80 -j DNAT --to-destination 172.16.5.113
-A POSTROUTING -j MASQUERADE
COMMIT
# Completed on Tue Oct 28 23:57:58 2014
Share

Flushing IPTables rule and allow all traffic for Debian or Ubuntu

by

Flushing all iptables chain rules shell script

#!/bin/sh
echo "Stopping IPv4 firewall and allowing everyone..."
ipt="/sbin/iptables"
## Failsafe - die if /sbin/iptables not found
[ ! -x "$ipt" ] && { echo "$0: \"${ipt}\" command not found."; exit 1; }
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
$ipt -t raw -F
$ipt -t raw -X

Make sure you can execute the script using the chmod command:

Read more

Share

Postfix SMTP Rotating IP using IPTables

by

I got 5 Public IPs. i’m Gonna configure them, so Postfix can use multiple interfaces/ips for outgoing smtp connections.

First we need creating Interface aliases for those 5 public IPs.

In my system, using centos:

# cd /etc/sysconfig/network-scripts/
# cp ifcfg-eth0 ifcfg-eth0:1
Edit ifcfg-eth0:1
# vi ifcfg-eth0\:1
DEVICE=eth0 <-- default device
HWADDR=XX:XX:XX:XX:XX:XX
ONBOOT=yes
TYPE=Ethernet
BOOTPROTO=none
IPADDR=202.XXX.XX.2 <-- default eth0 IP address
PREFIX=24
GATEWAY=202.XXX.XX.1
DNS1=202.XXX.XX.XX

Change DEVICE and IPADDR parameters

Read more

Share

Install Iptables on CentOS 7

by

Disable FirewallD

To disable the FirewallD on your CentOS 7 system, follow these steps: Type the following command to stop the FirewallD service:

sudo systemctl stop firewalld

Disable the FirewallD service to start automatically on system boot:

sudo systemctl disable firewalld

Mask the FirewallD service to prevent it from being started by another services:

sudo systemctl mask --now firewalld

Install and Enable Iptables

Perform the following steps to install Iptables on a CentOS 7 system:

Run the following command to install the iptables-service package from the CentOS repositories:

Read more

Share

Disable FirewallD and Enable Iptables on CentOS 7

by

Download and Install the Iptables Service

To begin your server’s transition, you need to download and install the iptables-service package from the CentOS repositories. Download and install the service files by typing:

sudo yum install iptables-services

This will download and install the systemd scripts used to manage the iptables service. It will also write some default iptables and ip6tables configuration files to the /etc/sysconfig directory.

Construct your Iptables Firewall Rules

Next, you need to construct your iptables firewall rules by modifying the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files. These files hold the rules that will be read and applied when we start the iptables service.

How you construct your firewall rules depends on whether the system-config-firewall process is installed and being used to manage these files. Check the top of the /etc/sysconfig/iptables file to see whether it recommends against manual editing or not:

sudo head -2 /etc/sysconfig/iptables

If the output looks like this, feel free to manually edit the /etc/sysconfig/iptables and /etc/sysconfig/ip6tables files to implement the policies for your iptables firewall:

output
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall

Open and edit the files with sudo privileges to add your rules:

sudo nano /etc/sysconfig/iptables
sudo nano /etc/sysconfig/ip6tables

After you’ve made your rules, you can test your IPv4 and IPv6 rules using these commands:

sudo sh -c 'iptables-restore -t < /etc/sysconfig/iptables'
sudo sh -c 'ip6tables-restore -t < /etc/sysconfig/ip6tables'

If, on the other hand, the output from examining the /etc/sysconfig/iptables file looks like this, you should not manually edit the file:

Read more

Share

Stateful Load Balancer with iptables and NAT

by

Allow IP forwarding

(Note: if your testing this on the same box your doing this on it won’t work, you need at least 3 machines to test this out, virtual ones work nicely)

First we enable ipv4 forwarding or this will not work:

# echo "1" > /proc/sys/net/ipv4/ip_forward

XOR

# sysctl net.ipv4.ip_forward=1

next we add a filter that changes the packets destination ip and allows us to masquerade:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.3:80
# iptables -t nat -A POSTROUTING -j MASQUERADE

The above filter gets added to iptables PREROUTING chain. The packets first go through the filters in the PREROUTING chain before iptables decides where they go. The above filter says all packets input into eth0 that use tcp protocol and have a destination port 80 will have their destination address changed to 1.2.3.4 port 80. The DNAT target in this case is responsible for changing the packets Destination IP address. Variations of this might include mapping to a different port on the same machine or perhaps to another interface all together, that is how one could implement a simple stateful vlan (in theory).

Read more

Share

NFS Firewall

by

Dynamic ports cannot be protected by port filtering firewalls such as iptables. First, you need to configure NFS services to use fixed ports. Open /etc/sysconfig/nfs, enter:

# vi /etc/sysconfig/nfs

Modify config directive as follows to set TCP/UDP unused ports:

# TCP port rpc.lockd should listen on.
LOCKD_TCPPORT=lockd-port-number
# UDP port rpc.lockd should listen on.
LOCKD_UDPPORT=lockd-port-number 
# Port rpc.mountd should listen on.
MOUNTD_PORT=mountd-port-number
# Port rquotad should listen on.
RQUOTAD_PORT=rquotad-port-number
# Port rpc.statd should listen on.
STATD_PORT=statd-port-number
# Outgoing port statd should used. The default is port is random
STATD_OUTGOING_PORT=statd-outgoing-port-number

Read more

Share