- Flush existing ruleset:
iptables -F
iptables -t nat -F
- Set reasonable policy defaults (that is, these are "reasonable" for an exposed firewall; you may decide that an input policy of ACCEPT is, well, acceptable in this particular scenario):
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
- You really don't want to stop loopback traffic with a DROP policy:
iptables -A INPUT -i lo -j ACCEPT
- Allow existing sessions for both local and routed traffic:
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
- If the INPUT policy is indeed DROP, add rules for relevant local services here; the example below handles SSH:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
- Forward TCP port 1912 to 192.168.0.58:3389:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 1912 -j DNAT --to-destination 192.168.0.58:3389
- Allow the forwarded packet through; the FORWARD rule sees the packet after DNAT, so reference the translated IP address and port number (192.168.0.58:3389), not the original ones (port 1912):
iptables -A FORWARD -i eth1 -d 192.168.0.58 -p tcp --dport 3389 -j ACCEPT
- Preserve the return path for clients on the LAN by SNATing behind 192.168.0.2 (eth1), so the internal host replies to the firewall rather than directly to the client:
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.58 -p tcp --dport 3389 -j SNAT --to-source 192.168.0.2
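The steps above, collected into one generator as an added example (not from the original notes): a POSIX shell function that emits the whole ruleset in iptables-restore format, the file format iptables-persistent keeps under /etc/iptables/rules.v4. The interface, ports, host, LAN subnet and firewall LAN address are assumed parameters, and both ports are checked so a typo is caught before anything is loaded.

```shell
#!/bin/sh
# Added example, not part of the original notes. Emits the port-forward
# ruleset as an iptables-restore file. All six parameters are assumptions
# supplied by the caller:
#   in_if     interface the forwarded connections arrive on (eth1 above)
#   pub_port  port clients connect to (1912 above)
#   dst_ip    internal host (192.168.0.58 above)
#   dst_port  port on the internal host (3389 above)
#   lan_net   LAN subnet that needs the hairpin SNAT (192.168.0.0/24 above)
#   fw_lan_ip firewall address on the LAN side (192.168.0.2 above)
# Usage: gen_portforward_rules in_if pub_port dst_ip dst_port lan_net fw_lan_ip
gen_portforward_rules() {
    in_if=$1 pub_port=$2 dst_ip=$3 dst_port=$4 lan_net=$5 fw_lan_ip=$6
    # Refuse non-numeric or out-of-range ports before writing any rule.
    for p in "$pub_port" "$dst_port"; do
        case $p in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Public port -> internal host. The FORWARD rule must match the translated address.
-A PREROUTING -i $in_if -p tcp --dport $pub_port -j DNAT --to-destination $dst_ip:$dst_port
# Hairpin: LAN clients using the public port get their replies via the firewall.
-A POSTROUTING -s $lan_net -d $dst_ip -p tcp --dport $dst_port -j SNAT --to-source $fw_lan_ip
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $in_if -d $dst_ip -p tcp --dport $dst_port -j ACCEPT
COMMIT
EOF
}
```

Loading the output with `iptables-restore` replaces the running tables in one atomic step, which also covers the flush from the first step.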
- List the NAT rules with their line numbers:
iptables -t nat -v -L -n --line-numbers
- Delete a NAT rule. Assume you want to delete rule number 5 in the PREROUTING chain:
iptables -t nat --delete PREROUTING 5
- List all rules with their line numbers:
iptables -L --line-numbers
/sbin/iptables -L -n -v --line-numbers
- Delete other rules. Assume you want to delete rule number 5 in the FORWARD chain:
iptables --delete FORWARD 5
Rule numbers shift after every deletion, so list the chain again before deleting another rule by number.
To make iptables rules persistent, you can try:
- Insert all rules as above.
- Then:
sudo apt-get install iptables-persistent
sudo netfilter-persistent save
(the save step runs iptables-save and ip6tables-save for you and stores the result under /etc/iptables/)
- You can delete your persistent rules with:
sudo apt-get remove --auto-remove iptables-persistent