snipt

Bash

Completely flush iptables

# Source: https://serverfault.com/a/200642/88004
# Keeps every table and built-in chain from iptables-save, sets each built-in
# chain's policy to ACCEPT, and drops all rules and user-defined chains.
# The host is wide open afterwards, and IPv6 (ip6tables) is not touched.

iptables-save | awk '/^[*]/ { print $1 }                        # table header, e.g. *filter
                     /^:[A-Z]+ [^-]/ { print $1 " ACCEPT" ; }  # built-in chain (user chains carry "-" as policy)
                     /COMMIT/ { print $0; }' | iptables-restore
Jun 22, 2016 at 10:17 AM
iptables
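The same transformation as a reusable script, added here as an example and not part of the snipt.net page: the awk program is unchanged except that the policy is a parameter, and both the IPv4 and IPv6 rulesets are reset. The iptables-save text embedded below is constructed for the dry run; the `--apply` path needs root.

```shell
#!/usr/bin/env bash
# Added example (not snipt.net's code): reset an iptables ruleset from
# iptables-save text, with the resulting policy as a parameter.
set -eu

# reset_ruleset POLICY   (iptables-save output on stdin)
# Emits a ruleset that keeps every table, resets every built-in chain to
# POLICY and discards all rules and all user-defined chains.
reset_ruleset() {
    local policy="${1:-ACCEPT}"
    awk -v policy="$policy" '
        /^[*]/           { print $1 }               # table header, e.g. *filter
        /^:[A-Z]+ [^-]/  { print $1 " " policy }    # built-in chain: has a real policy
        /^COMMIT/        { print }                  # user chains (":name - [0:0]") and rules are dropped
    '
}

# Constructed iptables-save output used for the dry run below.
SAMPLE_RULESET='# Generated by iptables-save v1.8.7
*nat
:PREROUTING ACCEPT [10:600]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_ALLOW - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j SSH_ALLOW
-A SSH_ALLOW -s 203.0.113.5/32 -j ACCEPT
-A SSH_ALLOW -j DROP
COMMIT
# Completed'

# apply_reset POLICY: reset the live IPv4 and IPv6 rulesets (needs root).
# With POLICY=DROP even loopback and existing SSH sessions are cut off until
# new rules are loaded, so run that only from a console session.
apply_reset() {
    local policy="${1:-ACCEPT}"
    iptables-save  | reset_ruleset "$policy" | iptables-restore
    ip6tables-save | reset_ruleset "$policy" | ip6tables-restore
}

case "${1:-}" in
    --dry-run) printf '%s\n' "$SAMPLE_RULESET" | reset_ruleset "${2:-ACCEPT}" ;;
    --apply)   apply_reset "${2:-ACCEPT}" ;;
esac
```

`--dry-run` prints what would be loaded without touching the kernel; compare it with `iptables-save` output before using `--apply`.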

Bash

Block all SSH Access except one IP

# Allow SSH only from one source address (replace x.x.x.x).
# Both rules are appended (-A): an ACCEPT for port 22 already earlier in INPUT
# would still win, so check the order with `iptables -L INPUT -n --line-numbers`.

#create access for specific IP:
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED --source x.x.x.x -p tcp --dport 22 -j ACCEPT

#block all others (the state match here only leaves out INVALID packets)
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -j DROP
Feb 27, 2013 at 01:35 PM
iptables

Bash

null/blackhole route

# network route that goes nowhere - blackhole filtering

# 1] available to almost every host implementing the ip module
# 2] almost 0 performance impact
# 3] can sustain higher throughput than conventional firewalls
#
# Caveats: "reject" answers with ICMP host unreachable, so the peer learns it is
# blocked; a true blackhole route drops silently. The route only stops packets
# this host sends or forwards TO 192.168.1.1; packets FROM that address are still
# delivered unless reverse-path filtering (rp_filter) is enabled. route(8) is the
# deprecated net-tools command; iproute2 ("ip route") installs the same host route today.

route add -host 192.168.1.1 reject
2016-09-29T10:21:38
bash, blackhole, drop, filtering, ip, iptables, packet, reject, route
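The same null-route technique with iproute2, added as an example that is not part of the snipt.net page. It assumes `ip` is the iproute2 binary; the function names and the prefixes in the usage lines are this example's own. The `add`/`del` paths need CAP_NET_ADMIN; prefix validation and the rp_filter check run unprivileged.

```shell
#!/usr/bin/env bash
# Added example (not snipt.net's code): sink routes with iproute2, which
# replaced net-tools' route(8) on current Linux.
set -eu

# normalize_prefix ADDR[/LEN] -> prints ADDR/LEN; returns 1 unless ADDR is a
# dotted-quad IPv4 address and LEN is 0-32. Keeps junk off the ip command line.
normalize_prefix() {
    local in="$1" addr len o1 o2 o3 o4 rest o
    case "$in" in
        */*) addr="${in%/*}"; len="${in#*/}" ;;
        *)   addr="$in";      len=32 ;;
    esac
    IFS=. read -r o1 o2 o3 o4 rest <<EOF
$addr
EOF
    [ -z "$rest" ] || return 1
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    printf '%s/%s\n' "$addr" "$len"
}

# null_route add|del PREFIX [blackhole|unreachable|prohibit]
#   blackhole    drop silently (what "blackhole filtering" normally means)
#   unreachable  reply ICMP host unreachable (what route(8) "reject" installed)
#   prohibit     reply ICMP administratively prohibited
# "replace" makes add idempotent; the type is given on del as well so only
# the sink route is removed, never a real route to the same prefix.
null_route() {
    local op="$1" prefix type="${3:-blackhole}"
    prefix="$(normalize_prefix "$2")" || { echo "bad prefix: $2" >&2; return 1; }
    case "$type" in
        blackhole|unreachable|prohibit) ;;
        *) echo "bad type: $type" >&2; return 1 ;;
    esac
    case "$op" in
        add) ip route replace "$type" "$prefix" ;;
        del) ip route del "$type" "$prefix" ;;
        *)   echo "usage: null_route add|del PREFIX [type]" >&2; return 1 ;;
    esac
}

# Sink routes currently in the main table (no privileges needed).
null_routes() {
    ip route show type blackhole
    ip route show type unreachable
    ip route show type prohibit
}

# A sink route only affects packets this host sends or forwards TO the prefix.
# Packets FROM it are still delivered unless reverse-path filtering is on, in
# which case the kernel discards sources whose return route is a sink.
rp_filter_enabled() {
    [ "$(cat /proc/sys/net/ipv4/conf/all/rp_filter)" != 0 ]
}

# Usage:  ./nullroute.sh add 192.168.1.1            (silent blackhole, /32)
#         ./nullroute.sh add 198.51.100.0/24 unreachable
#         ./nullroute.sh del 192.168.1.1
case "${1:-}" in
    add|del) null_route "$@" ;;
    list)    null_routes ;;
    check)   if rp_filter_enabled; then echo "rp_filter on: sources with a sink route are dropped too"
             else echo "rp_filter off: only traffic towards the prefix is blocked"; fi ;;
esac
```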

Bash

Block all traffic from a specific IP

# Drop everything from one source. Appending (-A) puts this after existing rules, so
# an earlier ESTABLISHED,RELATED accept would keep that address's open sessions alive;
# use -I INPUT instead to put it first when that matters.
iptables -A INPUT -s 123.123.123.123 -j DROP
2016-09-29T15:33:23
bash, iptables, server

Bash

Block MySQL port for everyone except localhost and a single IP

# "mysql" is resolved through /etc/services (tcp/3306). Same ordering caveat as above: -A appends.
iptables -A INPUT -i lo -p tcp --dport mysql -j ACCEPT                           # local clients
iptables -A INPUT -i eth0 -p tcp --dport mysql -s 123.123.123.123 -j ACCEPT     # one remote client
iptables -A INPUT -p tcp --dport mysql -j DROP                                    # everyone else, on any interface
2016-09-29T20:12:07
3306, bash, iptables, mysql, server
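The SSH, single-address ban and MySQL snippets above all append single rules with `-A`, so their effect depends on what is already in INPUT. The script below, added as an example and not part of the snipt.net page, builds the whole filter table for `iptables-restore` instead, so the order is explicit (loopback, bans, conntrack, per-port allowlists, default DROP) and the load is atomic. Function names and the documentation addresses in the usage lines are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not snipt.net's code): generate an ordered filter ruleset
# that allowlists TCP ports per source and bans sources outright.
set -eu

# gen_ruleset BANNED_SOURCES PORT=SOURCE[,SOURCE]...
#   BANNED_SOURCES  comma-separated CIDRs dropped outright ("" for none)
#   PORT=SOURCES    a TCP port reachable only from the listed CIDRs
# INPUT order: loopback, bans, established/related, invalid, allowlists;
# the chain policy DROP catches everything that is not listed.
gen_ruleset() {
    local banned="$1"; shift
    local entry port sources src
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # Bans precede the conntrack rule so a banned peer's existing sessions die too.
    for src in $(printf '%s' "$banned" | tr ',' ' '); do
        printf '%s\n' "-A INPUT -s $src -j DROP"
    done
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for entry in "$@"; do
        port="${entry%%=*}"
        sources="${entry#*=}"
        for src in $(printf '%s' "$sources" | tr ',' ' '); do
            printf '%s\n' "-A INPUT -p tcp --dport $port -s $src -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    printf '%s\n' 'COMMIT'
}

# Load the generated ruleset (needs root). iptables-restore swaps the table in
# one step, so there is no moment with only half of the rules in place.
apply_ruleset() {
    gen_ruleset "$@" | iptables-restore
}

# Usage:
#   ./allowlist.sh print "" 22=203.0.113.5                          # SSH from one host only
#   ./allowlist.sh print 198.51.100.7 22=203.0.113.5 3306=203.0.113.5,10.0.0.0/8
#   ./allowlist.sh apply 198.51.100.7 22=203.0.113.5               # as root, from a console session
case "${1:-}" in
    print) shift; gen_ruleset "$@" ;;
    apply) shift; apply_ruleset "$@" ;;
esac
```

Loopback is accepted unconditionally, which covers the MySQL-from-localhost case without an interface match per service; `apply` with a wrong SSH source locks you out, so keep a console session open.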

Bash

Iptables map port 8080 to privileged port 80

# nat-table REDIRECT: inbound :80 lands on an unprivileged listener on :8080 (filter INPUT must then allow 8080, not 80).
sudo iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
# Locally generated connections never pass PREROUTING; this catches them. $HOST must be this machine's own address.
sudo iptables -t nat -A OUTPUT -p tcp -m tcp -d "$HOST" --dport 80 -j REDIRECT --to-ports 8080
2016-09-29T18:26:50
iptables, linux, nat