Iptables (Debian): Unterschied zwischen den Versionen
Aus Matts Wiki
Matt (Diskussion | Beiträge) Keine Bearbeitungszusammenfassung |
Matt (Diskussion | Beiträge) Keine Bearbeitungszusammenfassung |
||
| (12 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
Further reading: [[Nftables - nft]] | |||
== | == Commands == | ||
# | === General Commands === | ||
# | iptables-save > iptables.rules # Export iptables rules to iptables.rules | ||
# | iptables-restore < iptables.rules # Import iptables rules from iptables.rules | ||
# | iptables -L # List active iptables rules | ||
# iptables- | iptables -L [CHAIN] # List active iptables rules for given chain name | ||
iptables -L -v # List active iptables rules and show adapters | |||
iptables -S # List active in iptables-save-format | |||
iptables -F # Flush active rules | |||
In case of <code>iptables -L</code> being very slow try: | |||
iptables -L -n # List active iptables with numeric output | |||
Parameter <code>-n</code> leads to showing numeric values. This prevents reverse DNS lookup for IP Adresses possibly slowing the whole process. | |||
=== Create Blocking Rules Manually === | |||
Block individual IP address: | |||
sudo iptables -A INPUT -s 1.2.3.4 -j DROP | |||
Works with range of IP addresses as well: | |||
sudo iptables -A INPUT -s 1.2.3.0/24 -j DROP | |||
Make it permanent then: | |||
netfilter-persistent save | |||
iptables | === Checking How Many Packets Dropped === | ||
sudo iptables -L INPUT -v --line-numbers | |||
=== Deleting Iptables Rules === | |||
List the rules with line numbers: | |||
sudo iptables -L [CHAIN] –-line-numbers | |||
i.e.: | |||
sudo iptables -L INPUT –line-numbers | |||
Delete a rule by its number in a specific chain: | |||
sudo iptables -D [CHAIN] [number] | |||
i.e.: | |||
sudo iptables -D INPUT 4 | |||
Delete by rule specification: | |||
sudo iptables -D [CHAIN] -p [PROTOCOL] –dport [PORT] -j [TARGET] | |||
== iptables on Debian == | |||
=== Add iptables Rule File === | |||
Copy '''iptables.rules''' to '''/etc''' | |||
chown root:root iptables.rules | |||
chmod 600 iptables.rules | |||
iptables-restore < iptables.rules | |||
Check, if still works. | |||
=== Enable Automatic Load of Rules at Startup === | |||
Copy iptables-restore script to '''/etc/network/if-pre-up.d/''' | |||
Add execution permissions: | |||
chmod +x iptables | |||
The package '''iptables-persistent''' which also can be used for persisting iptables: | |||
# apt-get install iptables-persistent | # apt-get install iptables-persistent | ||
== Blacklisting with ipset with Automatic Updates == | |||
See: https://github.com/trick77/ipset-blacklist | |||
[[Category:Linux]] | |||
[[Category:Terminal]] | |||
Aktuelle Version vom 8. November 2025, 00:27 Uhr
Further reading: Nftables - nft
Commands
General Commands
iptables-save > iptables.rules # Export iptables rules to iptables.rules iptables-restore < iptables.rules # Import iptables rules from iptables.rules iptables -L # List active iptables rules iptables -L [CHAIN] # List active iptables rules for given chain name iptables -L -v # List active iptables rules and show adapters iptables -S # List active in iptables-save-format iptables -F # Flush active rules
In case of iptables -L being very slow try:
iptables -L -n # List active iptables with numeric output
Parameter -n leads to showing numeric values. This prevents reverse DNS lookup for IP Adresses possibly slowing the whole process.
Create Blocking Rules Manually
Block individual IP address:
sudo iptables -A INPUT -s 1.2.3.4 -j DROP
Works with range of IP addresses as well:
sudo iptables -A INPUT -s 1.2.3.0/24 -j DROP
Make it permanent then:
netfilter-persistent save
Checking How Many Packets Dropped
sudo iptables -L INPUT -v --line-numbers
Deleting Iptables Rules
List the rules with line numbers:
sudo iptables -L [CHAIN] –-line-numbers
i.e.:
sudo iptables -L INPUT –line-numbers
Delete a rule by its number in a specific chain:
sudo iptables -D [CHAIN] [number]
i.e.:
sudo iptables -D INPUT 4
Delete by rule specification:
sudo iptables -D [CHAIN] -p [PROTOCOL] –dport [PORT] -j [TARGET]
iptables on Debian
Add iptables Rule File
Copy iptables.rules to /etc
chown root:root iptables.rules chmod 600 iptables.rules iptables-restore < iptables.rules
Check, if still works.
Enable Automatic Load of Rules at Startup
Copy iptables-restore script to /etc/network/if-pre-up.d/
Add execution permissions:
chmod +x iptables
The package iptables-persistent which also can be used for persisting iptables:
# apt-get install iptables-persistent
