Iptables usages

iptables will drop the packets from 111.111.111.0-111.111.111.255

the options list below:

add a rule to chain.

e.g 

iptables -A INPUT ... append a rule to INPUT chain.

delete a rule from chain

e.g

iptables -D INPUT 1 ... delete a rule which indicated by 1 from INPUT chain.

-R / --replace 

replace a rule in chain

e.g

iptables -R INPUT 1

iptables -R INPUT 1 -s 192.168.1.100 --dport 80 -j DROP

insert a rule to chain

e.g

iptables -I INPUT -s 1.2.3.4 -j DROP

show current rule list in chain

e.g

iptables -L INPUT

delete all rules in a chain

iptables -F INPUT

reset the packet counter

e.g iptables -Z INPUT

create a chain

e.g iptables -N allowed

delete a chain

e.g iptables -X allowed

define the rule policy. That means, the packets which unmatched the rule will do this rule.

e.g iptables -P INPUT DROP

rename a chain

e.g. iptables -E allowed disallowed

Indicate the protocol

e.g

iptables -A INPUT -p tcp

It can use operator, such as !, e.g iptables -A INPUT -p ! tcp, meaning that all protocol but TCP.

Indicate the source/distination packets

e.g iptables -A INPUT -s 1.2.3.0/24

Indicate which interface to match on.

e.g iptables -A INPUT -i eth0

Indicate which port to match on.

e.g iptables -A INPUT -p tcp --dport 80

Match the packet's TCP flag

e.g iptables -A INPUT --tcp-flags SYN,ACK,FIN

flag values: SYN, ACK, FIN, RST, URG, PSH

-j operator, values: 

ACCEPT,REJECT,DROP,REDIRECT,MASQUERADE,LOG,DNAT,SNAT,MIRROR,QUEUE,RETURN,MARK

Frequently used:

# iptables -A FORWARD -p tcp -syn -m limit -limit 1/s -j ACCEPT

# iptables -A FORWARD -p tcp -tcp-flags SYN,ACK,FIN,RST RST -m limit -limit 1/s -j ACCEPT

# iptables -A FORWARD -p icmp -icmp-type echo-request -m limit -limit 1/s -j ACCEPT