Configure Netfilter / iptables on Linux to block unwanted network traffic

Iptables enables you to block traffic entering, exiting, or being forwarded across your network. Iptables is extremely powerful, and with its power comes complexity. This article discusses its installation and use on an Ubuntu Linux 12.04 machine.

Note: This article does not yet address nftables, but we are working on it.

Iptables, which is also known as the netfilter project (http://www.netfilter.org), enables you to block and log traffic entering, exiting, or being forwarded across your computer / network. Iptables is extremely powerful, and with its power comes complexity. The sections below walk through the basics of a netfilter script followed by a complete example.

An excellent book on this topic is reference not found. In fact, this book served as a starting point for the script provided below.

The configuration for our reference network takes advantage of the fact that the controller is behind an external firewall, so we can keep things relatively simple. If your Linux box is exposed directly to the Internet, exercise extreme caution and err on the side of blocking too many ports.

For the purpose of limiting the traffic and content that can enter and exit our filtered network, we'll be performing the following tasks:

  • Block web traffic on ports 80 (http) and 443 (https), since we'll be relying on a squid proxy for caching and content filtering
  • Allow direct web traffic for certain devices
  • Block non-web traffic for services that we don't wish to allow on our filtered network, such as Skype and file sharing
  • Explicitly block ports to our controller from the outside world / blue zone for services that we don't intend to host on our Linux controller

Installation

Note that iptables is both a feature of the kernel and a set of user space tools. Many of the tracking features supported by iptables are implemented as kernel modules, which can be found in /lib/modules/<kernel release>/kernel/net. To install the user space tools on Ubuntu, enter the following:

	$ sudo apt-get install iptables

Anatomy of an iptables rule

An iptables policy is built from an ordered set of rules that describe to the kernel the actions that should be taken against certain classes of packets. Each rule is applied to a chain within a table. A chain is a collection of rules that are compared, in order, against packets that share a common characteristic, such as being input to the Linux system. A table is an iptables construct that groups broad categories of functionality.

There are four tables:

  1. filter: filtering rules
  2. nat: NAT rules
  3. mangle: specialized rules that alter packet data
  4. raw: rules that should function independently of the netfilter connection-tracking subsystem

Each table has its own built-in set of chains. For our needs, the most important built-in chains are the INPUT, OUTPUT, and FORWARD chains in the filter table.

An example rule:

	$ iptables --append INPUT --match state --state INVALID --jump DROP

  • --append INPUT: append this rule onto the end of the INPUT chain
  • --match state --state INVALID: use the state module to match packets in the INVALID state
  • --jump DROP: the target of this rule is DROP

The end result of this example rule is that all input packets that are part of an invalid state will be dropped.

Creating an iptables script

The next few sections describe some of the basics of putting together an iptables script. A complete script for the reference network is provided below.

For the INPUT chain we only need to accept incoming connection requests to the SSH daemon from the internal network, enable state tracking for locally generated network traffic, and finally log and drop unwanted packets (including spoofed packets from the internal network). Similar configurations apply to the OUTPUT and FORWARD chains, as you'll see below.

We're first going to clear any existing rules in the filter and nat tables:

	$ iptables --flush
	$ iptables --flush --table nat

Delete every non-built-in chain in the filter table:

	$ iptables --delete-chain

Set a default DROP policy for the INPUT, OUTPUT, and FORWARD chains respectively:

	$ iptables --policy INPUT DROP
	$ iptables --policy OUTPUT DROP
	$ iptables --policy FORWARD DROP

Next, allow loopback access on all ports:

	$ iptables --append INPUT -i lo --protocol all --jump ACCEPT
	$ iptables --append OUTPUT -o lo --protocol all --jump ACCEPT

Specify that all invalid packets should be logged and then dropped (the LOG target does not terminate rule processing, so it must come before the DROP). Specify that all packets that are part of an already accepted connection, or are related to an accepted connection, should also be accepted. We'll specify which connections we want to accept later in the script.

	$ iptables --append INPUT --match state --state INVALID --jump LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
	$ iptables --append INPUT --match state --state INVALID --jump DROP
	$ iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

At this point, try pinging your machine or connecting to it with a secure shell (ssh). You should see that ping fails and an ssh connection times out.

Next, we set up rules to prevent spoofing. For our reference network, we want to log and drop any packet arriving on the green-zone interface (eth0) whose source address is not in the green network ($GREEN_NET, defined in the complete script below as 192.168.1.0/24). We can also do the same for the blue zone.

	$ iptables --append INPUT --in-interface eth0 ! --source $GREEN_NET --jump LOG --log-prefix "SPOOFED PKT "
	$ iptables --append INPUT --in-interface eth0 ! --source $GREEN_NET --jump DROP

Finally, we configure the INPUT chain to accept a ping and a new ssh connection. Note that we only accept ssh connections on eth0, which is from our green zone. Also, configure a default log rule for all other packets, which the chain's DROP policy then discards.

	$ iptables --append INPUT --in-interface eth0 -p tcp --source $GREEN_NET --dport 22 --syn -m state --state NEW --jump ACCEPT
	$ iptables --append INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
	$ iptables --append INPUT ! --in-interface lo --jump LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

Again try to initiate an ssh connection or try pinging your machine. You might be surprised that neither works. This is because you haven't configured rules for the OUTPUT chain. Until you do, packets come in, but they don't go out.
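As an added example (not part of the original article), here is a shell function that summarises the kernel LOG lines produced by the "DROP ", "DROP INVALID " and "SPOOFED PKT " rules, keyed by prefix, source, protocol and destination port, so you can see what the firewall is discarding and from where. The log lines are constructed to match the netfilter LOG format; on a real system feed it /var/log/kern.log instead.

```bash
#!/bin/bash
# Summarise the kernel LOG lines produced by the "DROP ", "DROP INVALID " and
# "SPOOFED PKT " rules: one line per (prefix, source, protocol, dest port),
# most frequent first. The log lines below are constructed samples in the
# netfilter LOG format, not captured traffic.

SAMPLE_LOG='Oct  7 10:15:01 ctl kernel: [ 1201.100] DROP IN=eth1 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.168.0.23 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51001 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:15:02 ctl kernel: [ 1202.200] DROP IN=eth1 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.168.0.23 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51002 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
Oct  7 10:15:03 ctl kernel: [ 1203.300] SPOOFED PKT IN=eth0 OUT= MAC=00:16:3e:00:00:03:00:16:3e:00:00:04:08:00 SRC=10.9.8.7 DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Oct  7 10:15:04 ctl kernel: [ 1204.400] DROP INVALID IN=eth1 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.168.0.23 DST=192.168.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=4 PROTO=TCP SPT=51003 DPT=22 WINDOW=0 RES=0x00 ACK URGP=0
Oct  7 10:15:05 ctl kernel: [ 1205.500] DROP IN=eth1 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=192.168.0.23 DST=192.168.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51004 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0'

# summarize_drops: read LOG lines on stdin, print "count|prefix|src|proto|dport".
summarize_drops() {
    awk '
    /kernel: .* IN=/ {
        # the log prefix is the text between the "[timestamp] " and " IN="
        line = $0
        sub(/^.*\] /, "", line)
        split(line, parts, " IN=")
        prefix = parts[1]
        src = "?"; proto = "?"; dport = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dport = substr($i, 5)
        }
        count[prefix "|" src "|" proto "|" dport]++
    }
    END { for (k in count) print count[k] "|" k }
    ' | LC_ALL=C sort -t '|' -k1,1nr -k2
}

# summarize_sample: run the summary over the constructed log above.
summarize_sample() { printf '%s\n' "$SAMPLE_LOG" | summarize_drops; }

summarize_sample
```

On a live controller, run `grep 'kernel:' /var/log/kern.log | summarize_drops`; a source that tops the list with many distinct destination ports is the port-scan pattern the script's comments mention.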

Take a look at the example script below that includes rules for both the OUTPUT and FORWARD chains.

Regarding the FORWARD chain, in our example we have now blocked services like Skype, FaceTime, and ftp. On our Linux system, we can get a list of known ports for various services at /etc/services:

	$ more /etc/services

Network Address Translation

Before we start testing, we also need to set up network address translation.

When we make web requests from our filtered network, we need our network controller to change the source IP address and port from the device on the filtered network to its own address, which faces the external network. It also keeps track of each translated address and performs the reverse translation when a response is received. For example, a non-routable 192.168.1.0/24 internal address is translated to the routable external 71.157.X.X address.

NAT applies both to inbound connections to our internal hosts from external clients and to outbound connections initiated from the devices on the internal network. For connections initiated from internal systems, we'll use the source NAT (SNAT) target, and for connections that are initiated from external systems, we'll use the destination NAT (DNAT) target.

The iptables nat table is dedicated to all NAT rules, and within this table there are two chains: PREROUTING and POSTROUTING. The PREROUTING chain applies rules in the nat table to packets that have not yet gone through the routing algorithm in the kernel, which determines the interface on which they should be transmitted. Packets that are processed in this chain have also not yet been compared against the INPUT or FORWARD chains in the filter table.

The POSTROUTING chain is responsible for processing packets once they have gone through the routing algorithm in the kernel and are just about to be transmitted on the calculated physical interface. Packets processed by this chain have passed the requirements of the OUTPUT or FORWARD chains in the filter table (as well as requirements mandated by other tables that may be registered, such as the mangle table).

Note that a DNAT rule in PREROUTING only rewrites the destination address and port. The translated packet is then evaluated by the FORWARD chain with its new destination, so a port forward also needs a FORWARD rule that accepts traffic to the translated address, or the FORWARD chain's DROP policy will discard it.

Enable Forwarding

By default, a Linux box will not forward packets between network interfaces. This is something we need to explicitly enable, as shown below for IPv4 traffic on Ubuntu. The sysctl setting does not survive a reboot; to make it persistent, set net.ipv4.ip_forward=1 in /etc/sysctl.conf as well.

	$ sudo sysctl -w net.ipv4.ip_forward=1

Executing the iptables script

Configure iptables by running your script:

	$ sudo ./<script>

Complete Example Script for Reference Network

#!/bin/bash
# iptables configuration script.
# No warranty or statement of fitness is implied or conveyed.
# notes:
# - sessions initiated from the internal network or locally should be statefully tracked by iptables
# - SSH should be local only
# - log & drop port scans and connection attempts
# - remember that iptables only filters layer 3 (IP) and above;
#   ARP can't be filtered with it. For that, look at arptables.

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

GREEN_NET=192.168.1.0/24
BLUE_NET=192.168.0.0/24

# MAC addresses for devices in our reference network
laptop=3c:7a:92:a3:b7:33
laptop_w=AC:71:22:16:EC:A0
android=f8:5b:3a:ac:38:32
ipad=A4:67:06:C1:2B:7E
iphone=F4:37:A7:2A:E8:D7
xbox=7c:1e:52:87:4E:54
cam_linksys_w=33:1d:53:9b:f1:54

# Notes on filter specifications:
# -A, --append
# -F, --flush
# -P, --policy
# -i, --in-interface (e.g. eth0)
# -o, --out-interface
# -d, --dst, --destination: destination IP address / canonical name / subnet
# -s, --src, --source: source IP address
# -p, --protocol: protocol number or name (e.g. tcp, udp, icmp)
# --sport, --source-port, --dport, --destination-port
# targets: DROP, ACCEPT, REJECT

### flush existing rules and set chain policy setting to DROP
echo "Flush existing rules" 
# -F: delete all rules in all chains (since no chain is specified)
$IPTABLES -F
$IPTABLES -F --table nat

# -X: delete all non built in chains 
$IPTABLES -X

# Set the policy for the chain to the given target.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### load connection-tracking modules
# (legacy module names; the current equivalents are nf_conntrack, nf_conntrack_ftp and nf_nat_ftp)
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

# Allow loopback access. This rule must come before the rules denying port access!
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p all -j ACCEPT

###### INPUT chain ######
echo "Configure Input Chain"
# The INVALID state applies to packets that cannot be identified as belonging to any existing connection
# The ESTABLISHED state triggers on packets only after the Netfilter connection-tracking subsystem has seen packets in both directions
# The RELATED state describes packets that start a new connection associated with an existing tracked connection (e.g. an FTP data channel)
### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
$IPTABLES -A INPUT -i eth0 ! -s $GREEN_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i eth0 ! -s $GREEN_NET -j DROP

### ACCEPT rules
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -s $GREEN_NET --dport 20 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -s $GREEN_NET --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -s $GREEN_NET --dport 22 --syn -m state --state NEW -j ACCEPT
# $IPTABLES -A INPUT -i eth1 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -s $GREEN_NET --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -s $GREEN_NET --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -s $GREEN_NET --dport 3128 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp -s $GREEN_NET --dport 69 -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -i eth1 -p tcp -s $BLUE_NET --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p tcp -s $BLUE_NET --dport 443 --syn -m state --state NEW -j ACCEPT

# samba (NETBIOS) 137-139
$IPTABLES -A INPUT -p udp -i eth0 -s $GREEN_NET -m multiport --dports 137:139 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -i eth0 -s $GREEN_NET --dport 445 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth0 -s $GREEN_NET -m multiport --dports 137:139 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth0 -s $GREEN_NET --dport 445 --syn -m state --state NEW -j ACCEPT

#printer
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 9100 --syn -m state --state NEW -j ACCEPT

#bonjour
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 1900 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 5350 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 5351 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 5353 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -i eth0 -s $GREEN_NET --dport 1900 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -i eth0 -s $GREEN_NET --dport 5350 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -i eth0 -s $GREEN_NET --dport 5351 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p udp -i eth0 -s $GREEN_NET --dport 5353 -m state --state NEW -j ACCEPT

#facetime
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 5223 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp -i eth0 -s $GREEN_NET -m multiport --dports 3478:3497 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp -i eth0 -s $GREEN_NET -m multiport --dports 16384:16387 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp -i eth0 -s $GREEN_NET -m multiport --dports 16393:16402 -m state --state NEW -j ACCEPT

#shell
$IPTABLES -A INPUT -i eth0 -p tcp -s $GREEN_NET --dport 514 --syn -m state --state NEW -j ACCEPT
#rsh
$IPTABLES -A INPUT -i eth0 -p tcp -s $GREEN_NET --dport 544 --syn -m state --state NEW -j ACCEPT

### default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options


###### OUTPUT chain ######
echo "Configure Output Chain"
### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### rules for allowing connections out
# 7: echo; 20/21: ftp; 22: ssh; 25: smtp; 43: whois; 53: dns; 80: http; 110: pop;
# 443: https; 587: smtp; 2222: sftp; 4321: unknown?; 9100: printer
$IPTABLES -A OUTPUT -p tcp --dport 7 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 20 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 110 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 587 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 1234 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 2628 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 2628 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 8000 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 9100 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 2222 --syn -m state --state NEW -j ACCEPT

# samba (NETBIOS) 137-139
$IPTABLES -A OUTPUT -p udp -m multiport --dports 137:139 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 445 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp -m multiport --dports 137:139 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 445 --syn -m state --state NEW -j ACCEPT

# gdbproxy & gdb
$IPTABLES -A OUTPUT -p tcp --dport 2000 --syn -m state --state NEW -j ACCEPT

# svn: 3690
$IPTABLES -A OUTPUT -p tcp --dport 3690 --syn -m state --state NEW -j ACCEPT

# git
$IPTABLES -A OUTPUT -p tcp --dport 9418 --syn -m state --state NEW -j ACCEPT

# cvs
$IPTABLES -A OUTPUT -p tcp --dport 2401 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 2401 -m state --state NEW -j ACCEPT

$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# tftp (todo: make this more restrictive; how about dhcp?)
# note: as written this accepts every outbound UDP destination and port, not just tftp
$IPTABLES -A OUTPUT -p udp -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### FORWARD chain ######
echo "Configure Forward Chain"
### state tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
$IPTABLES -A FORWARD -i eth0 ! -s $GREEN_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i eth0 ! -s $GREEN_NET -j DROP

### ACCEPT rules
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 20 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 43 --syn -m state --state NEW -j ACCEPT

### Club Penguin!
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 3724 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 6112 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 6113 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 9875 --syn -m state --state NEW -j ACCEPT

# temp http allow
#$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 80 --syn -m state --state NEW -j ACCEPT

####### irc ##########
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 194 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 194 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 6667 --syn -m state --state NEW -j ACCEPT

#gnome xchat tried to connect with freenode at 8000
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 8000 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 8001 --syn -m state --state NEW -j ACCEPT

#irc over ssl
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 994 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 994 -m state --state NEW -j ACCEPT

#yocto autobuilder is on port 8010
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 8010 --syn -m state --state NEW -j ACCEPT

#rsync (added 10/7/13)
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 873 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 873 -s $GREEN_NET -m state --state NEW -j ACCEPT

# allow 80 to be forwarded into our internet
#$IPTABLES -A FORWARD -p tcp -i eth1 --dport 80 --syn -m state --state NEW -j ACCEPT

#ntp forward
$IPTABLES -A FORWARD -p tcp --dport 123 -s $GREEN_NET --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 123 -s $GREEN_NET -m state --state NEW -j ACCEPT

# allow laptop to bypass proxy
$IPTABLES -A FORWARD -p tcp --dport 80 -m mac --mac-source $laptop --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -m mac --mac-source $laptop --syn -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 2222 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

# traceroute
$IPTABLES -A FORWARD -p udp -m multiport --dports 33434:33450 -m state --state NEW -j ACCEPT

# email: POP
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 110 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 993 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 995 --syn -m state --state NEW -j ACCEPT

# email: SMTP
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 465 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 587 --syn -m state --state NEW -j ACCEPT

# svn
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 3690 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp -i eth0 -s $GREEN_NET --dport 3690 -m state --state NEW -j ACCEPT

#git
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 9418 --syn -m state --state NEW -j ACCEPT

#Google Play
$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 5228 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp -i eth0 -s $GREEN_NET --dport 5228 -m state --state NEW -j ACCEPT

# xbox
$IPTABLES -A FORWARD -p tcp --dport 80 -m mac --mac-source $xbox --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 -m mac --mac-source $xbox --syn -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p udp --dport 88 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 3074 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 3074 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p tcp -i eth0 -s $GREEN_NET --dport 53 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT


### default log rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

# port forwarding to camera (DNAT only rewrites the destination; the translated
# packet must still be accepted by the FORWARD chain above)
$IPTABLES --table nat -A PREROUTING -p tcp --dport 7000 -i eth1 -j DNAT --to 192.168.1.161:80

# source NAT
$IPTABLES --table nat -A POSTROUTING -s $GREEN_NET -o eth1 -j MASQUERADE
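An added audit helper (my example, not part of the article or its script) that reads the output of `iptables -S` and `iptables -S -t nat` and flags the things this article and the script's own comments warn about: a filter chain whose policy is not DROP, an unrestricted UDP ACCEPT, an ACCEPT appended after a chain's default LOG rule, and a DNAT target that no FORWARD rule accepts (DNAT rewrites the destination; the FORWARD chain still has to admit the translated packet). The dump below is constructed to resemble what the script installs; 192.168.1.162 is an invented second target.

```bash
#!/bin/bash
# Audit a ruleset dumped with "iptables -S; iptables -S -t nat".
# SAMPLE_DUMP is a constructed excerpt modelled on the script above
# (same policies, LOG rules and camera DNAT), not a real dump.

SAMPLE_DUMP='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID "
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT ! -i lo -j LOG --log-prefix "DROP "
-A OUTPUT -p udp -j ACCEPT
-A FORWARD ! -i lo -j LOG --log-prefix "DROP "
-A FORWARD -d 192.168.1.161/32 -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 7000 -j DNAT --to-destination 192.168.1.161:80
-A PREROUTING -i eth1 -p tcp -m tcp --dport 7001 -j DNAT --to-destination 192.168.1.162:80
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE'

# audit_rules: read dump lines on stdin, print one finding per line.
audit_rules() {
    awk '
    # 1. the three filter chains should default to DROP
    /^-P (INPUT|OUTPUT|FORWARD) / && $3 != "DROP" {
        print "policy: " $2 " defaults to " $3 ", expected DROP"
    }
    # 2. remember the catch-all LOG rule (! -i lo ... -j LOG) of each chain
    /^-A / && /-j LOG/ && /! -[io] lo/ { logged[$2] = 1 }
    # 3. LOG does not terminate, so a later ACCEPT still works, but every
    #    packet it admits is first logged with the DROP prefix
    /^-A / && /-j ACCEPT/ && logged[$2] {
        print "order: ACCEPT after the default LOG rule in " $2 ": " $0
    }
    # 4. a UDP ACCEPT with no port restriction opens all of UDP
    /^-A / && /-p udp/ && /-j ACCEPT/ && !/--dport/ {
        print "scope: unrestricted UDP ACCEPT: " $0
    }
    # 5. every DNAT target needs a FORWARD ACCEPT for the translated address
    /^-A PREROUTING / && /-j DNAT/ {
        for (i = 1; i < NF; i++) if ($i == "--to-destination") dnat[$(i + 1)] = $0
    }
    /^-A FORWARD / && /-j ACCEPT/ { fwd[++n] = $0 }
    END {
        for (t in dnat) {
            split(t, hp, ":"); ok = 0
            for (i = 1; i <= n; i++)
                if (index(fwd[i], "-d " hp[1] "/32 ") && index(fwd[i], "--dport " hp[2] " ")) ok = 1
            if (!ok) print "nat: DNAT to " t " has no matching FORWARD ACCEPT: " dnat[t]
        }
    }'
}

# audit_sample: run the audit over the constructed dump above.
audit_sample() { printf '%s\n' "$SAMPLE_DUMP" | audit_rules; }

audit_sample
```

On a live system run `{ iptables -S; iptables -S -t nat; } | audit_rules` as root after executing the script.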

