iptables

administration tool for IPv4 packet filtering and NAT

iptables -A INPUT -p sctp --dport 80 -j DROP


iptables -t nat -I PREROUTING -i eth0 -j LOG --log-prefix "incoming " --log-level 5
Log every new connection coming into eth0

iptables -t mangle -A POSTROUTING -o eth0 -j RATEEST --rateest-name eth0 --rateest-interval 250ms --rateest-ewma 0.5s
Estimate outgoing rates on eth0. This is the first step of a setup that routes outgoing data connections from an FTP server over two lines, based on the bandwidth available at the time the data connection was started.

iptables -A FORWARD -m recent --name badguy --rcheck --seconds 60 -j DROP
Build a badguy list from hosts attempting to connect to port 139 on your firewall, then DROP all further packets from them (seen within the last 60 seconds) without considering them any further.

iptables -L INPUT
Show the default policy (and the rules) for all incoming packets

iptables -t mangle -A balance -m conntrack --ctstate NEW -m helper --helper ftp -m rateest --rateest-delta --rateest1 eth0 --rateest-bps1 2.5mbit --rateest-gt --rateest2 ppp0 --rateest-bps2 2mbit -j CONNMARK --set-mark 1
Mark connections based on available bandwidth. This belongs to the setup that routes outgoing data connections from an FTP server over two lines, based on the bandwidth available at the time the data connection was started.

ip6tables -p tcp --syn --dport 80 -s fe80::/64 -m connlimit --connlimit-above 16 --connlimit-mask 64 -j REJECT
Limit the number of parallel HTTP requests to 16 for the link-local network (IPv6)

iptables -A INPUT -p tcp --dport 21 -j ACCEPT
Allow anyone to connect to port 21 (FTP)

iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 16 --connlimit-mask 24 -j REJECT
Limit the number of parallel HTTP requests to 16 per class C sized network (24-bit netmask)

iptables -p icmp -h
List the ICMP type names. Wherever an ICMP type is specified it can be given as a numeric ICMP type or as one of the ICMP type names shown by this command.

iptables -A FORWARD -p tcp -i eth0 --dport 139 -m recent --name badguy --set -j DROP
Dynamically build a list of IP addresses (hosts arriving on eth0 and attempting to reach port 139) so that later rules can match against that list

iptables -A INPUT -p sctp --chunk-types any DATA:Be -j ACCEPT


iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Allow all outgoing connections originating from your computer

iptables -A OUTPUT -p tcp --sport ftp -j ACCEPT
Allow outgoing FTP traffic (TCP source port ftp)

iptables -A INPUT -p tcp -s 123.123.123.123 -j REJECT --reject-with tcp-reset
Reject all TCP packets from IP 123.123.123.123, answering with a TCP reset

iptables -A INPUT -p tcp --syn --dport 23 -m connlimit --connlimit-above 2 -j REJECT
Allow 2 telnet connections per client host (connection attempts above that limit are rejected)

iptables -A INPUT -p tcp --syn --dport 23 -m connlimit ! --connlimit-above 2 -j ACCEPT
Accept up to 2 telnet connections per client host

iptables -t mangle -A balance -j CONNMARK --restore-mark
Restore the connection mark onto the packet; part of marking based on available bandwidth