https://aznot.com/index.php?action=history&feed=atom&title=Linux%2Fiptables
Linux/iptables - Revision history
2026-05-06T11:06:36Z
Revision history for this page on the wiki
MediaWiki 1.41.0
https://aznot.com/index.php?title=Linux/iptables&diff=5359&oldid=prev
Kenneth: /* notes */
2020-03-13T20:40:25Z
<p><span dir="auto"><span class="autocomment">notes</span></span></p>
<p><b>New page</b></p><div>== Clear IP Tables ==<br />
<br />
reset_iptables.sh:<br />
<pre><br />
#!/bin/bash<br />
<br />
IPTABLES=/sbin/iptables<br />
<br />
if [ ! -x $IPTABLES ]; then<br />
die "iptables: can't execute $IPTABLES"<br />
fi<br />
<br />
$IPTABLES -P INPUT ACCEPT<br />
$IPTABLES -P OUTPUT ACCEPT<br />
$IPTABLES -P FORWARD ACCEPT<br />
$IPTABLES -F<br />
$IPTABLES -X<br />
<br />
for table in filter nat mangle; do<br />
$IPTABLES -t $table -F<br />
$IPTABLES -t $table -X<br />
$IPTABLES -t $table -Z<br />
done<br />
</pre><br />
<br />
Source: http://pikt.org/pikt/samples/reset_iptables.html<br />
* (with the modification of DROP to ACCEPT and iptables path)<br />
<br />
== General ==<br />
<br />
[http://linux-ip.net/html/nat-dnat.html Destination NAT with netfilter (DNAT)]<br />
<br />
Using DNAT for all protocols (and ports) on one IP<br />
iptables -t nat -A PREROUTING -d 10.10.20.99 -j DNAT --to-destination 10.10.14.2<br />
<br />
Using DNAT for a single port<br />
iptables -t nat -A PREROUTING -p tcp -d 10.10.20.99 --dport 80 -j DNAT --to-destination 10.10.14.2<br />
<br />
Log event:<br />
iptables -A INPUT ... -j LOG --log-level 4<br />
iptables -A INPUT ... -j LOG --log-level 4 --log-prefix "** BLOCKED **"<br />
<br />
Simulating full NAT with SNAT and DNAT: [http://lists.debian.org/debian-user/2002/09/msg00313.html] [http://www.webmasterworld.com/forum40/940.htm]<br />
iptables -t nat -A PREROUTING -d 205.254.211.17 -j DNAT --to-destination 192.168.100.17<br />
iptables -t nat -A POSTROUTING -s 192.168.100.17 -j SNAT --to-destination 205.254.211.17<br />
<br />
Block DHCP: [http://openvpn.net/archive/openvpn-users/2005-03/msg00487.html]<br />
# block UDP ports 67 and 68<br />
-A RH-Firewall-1-INPUT -p udp --dport 67:68 -j DROP<br />
<br />
Ports:<br />
22 TCP - SSH<br />
80 TCP - HTTP<br />
443 TCP - HTTPS<br />
<br />
Port forwarding: [http://www.hackorama.com/network/portfwd.shtml] [http://www.debian-administration.org/article/Port_forwarding_for_iptables_DMZ]<br />
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx<br />
--dport 8888 -j DNAT --to 192.168.0.2:80<br />
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT<br />
<br />
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.50:80<br />
iptables -A INPUT -p tcp -m state --state NEW --dport 80 -i eth1 -j ACCEPT<br />
<br />
== ip_conntrack ==<br />
<br />
[http://rackerhacker.com/2008/01/24/ip_conntrack-table-full-dropping-packet/ ip_conntrack: table full, dropping packet | Racker Hacker]<br />
<br />
dmesg:<br />
ip_conntrack: table full, dropping packet<br />
<br />
Generally, the ip_conntrack_max is set to the total MB of RAM installed multiplied by 16. However, this server had 4GB of RAM, but ip_conntrack_max was set to 65536. I’m not sure if this is a known Red Hat issue, or if it’s just set to a standard value out of the box.<br />
# cat /proc/sys/net/ipv4/ip_conntrack_max<br />
65536<br />
<br />
If you want to check your server’s current tracked connections, just run the following:<br />
cat /proc/sys/net/ipv4/netfilter/ip_conntrack_count<br />
<br />
If you want to adjust it (as I did), just run the following as root:<br />
echo 131072 > /proc/sys/net/ipv4/ip_conntrack_max<br />
<br />
To make this persistent you have to add a line like<br />
net.ipv4.ip_conntrack_max=131072′ to /etc/sysctl.conf<br />
<br />
== NAT ==<br />
<br />
[http://linuxadministration.wordpress.com/2007/09/02/secure-your-linux-box-iptables-nat-masquerading/#more-16 Linux Firewall – iptables and NAT « Sachin’s Weblog]<br />
<br />
NAT, Network Address translation basically is of two types SNAT and DNAT.<br />
<br />
SNAT, Source NAT is when you alter the source address of the first packet: i.e. you are changing where the connection is coming from. Source NAT is always done post-routing, just before the packet goes out onto the wire. Masquerading is a specialized form of SNAT.<br />
<br />
DNAT, Destination NAT is when you alter the destination address of the first packet: i.e. you are changing where the connection is going to. Destination NAT is always done before routing, when the packet first comes off the wire. Port forwarding, load sharing, and transparent proxying are all forms of DNAT.<br />
<br />
---<br />
<br />
echo 1 > /proc/sys/net/ipv4/ip_forward<br />
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br />
# /sbin/iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
# /sbin/iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT<br />
<br />
iptables-save > /etc/sysconfig/iptables<br />
service iptables restart<br />
<br />
/etc/sysctl.conf<br />
net.ipv4.ip_forward = 1<br />
<br />
Source: HOWTO: Linux NAT in Four Steps using iptables - http://www.revsys.com/writings/quicktips/nat.html<br />
<br />
== transparent firewall ==<br />
<br />
Securing Debian Manual - Setting up a bridge firewall - http://www.debian.org/doc/manuals/securing-debian-howto/ap-bridge-fw.en.html<br />
<br />
== RedHat sysconfig iptables ==<br />
<br />
iptables-save > /etc/sysconfig/iptables<br />
<br />
iptables-restore<br />
<br />
service iptables restart<br />
<br />
Example /etc/sysconfig/iptables:<br />
<pre><br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:RH-INPUT - [0:0]<br />
-A INPUT -j RH-INPUT<br />
-A FORWARD -j RH-INPUT<br />
-A RH-INPUT -i lo -j ACCEPT<br />
-A RH-INPUT -p icmp --icmp-type any -j ACCEPT<br />
-A RH-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
-A RH-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT<br />
-A RH-INPUT -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
</pre><br />
<br />
Default /etc/sysconfig/iptables:<br />
<pre><br />
# Firewall configuration written by system-config-securitylevel<br />
# Manual customization of this file is not recommended.<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:RH-Firewall-1-INPUT - [0:0]<br />
-A INPUT -j RH-Firewall-1-INPUT<br />
-A FORWARD -j RH-Firewall-1-INPUT<br />
-A RH-Firewall-1-INPUT -i lo -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
</pre><br />
<br />
<br />
Modified /etc/sysconfig/iptables:<br />
<pre><br />
# Firewall configuration written by system-config-securitylevel<br />
# Manual customization of this file is not recommended.<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:RH-Firewall-1-INPUT - [0:0]<br />
-A INPUT -j RH-Firewall-1-INPUT<br />
-A FORWARD -j RH-Firewall-1-INPUT<br />
-A RH-Firewall-1-INPUT -i lo -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
<br />
# SSH<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT<br />
<br />
# WEB<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT<br />
<br />
# SAMBA<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT<br />
<br />
# NFS4<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT<br />
<br />
# NFS3<br />
# Uncomment MOUNTD_PORT in /etc/sysconfig/nfs<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 111 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 111 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 892 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m udp -p udp --dport 892 -j ACCEPT<br />
<br />
# FTP<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT<br />
<br />
# MYSQL<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT<br />
<br />
# LOG AND BLOCK<br />
-A RH-Firewall-1-INPUT -j LOG --log-level 4 --log-prefix "** BLOCKED **"<br />
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
</pre><br />
<br />
<br />
t0e data modified:<br />
<pre><br />
# Firewall configuration written by system-config-securitylevel<br />
# Manual customization of this file is not recommended.<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [0:0]<br />
:RH-Firewall-1-INPUT - [0:0]<br />
-A INPUT -j RH-Firewall-1-INPUT<br />
-A FORWARD -j RH-Firewall-1-INPUT<br />
<br />
# ESTABLISHED<br />
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br />
<br />
# LOCAL<br />
-A RH-Firewall-1-INPUT -i lo -j ACCEPT<br />
<br />
# PING<br />
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT<br />
<br />
# IPSec<br />
# 50 ESP Encap Security Payload [RFC4303]<br />
# 51 AH Authentication Header [RFC4302]<br />
#-A RH-Firewall-1-INPUT -p 50 -j ACCEPT<br />
#-A RH-Firewall-1-INPUT -p 51 -j ACCEPT<br />
<br />
# MULTICAST (DNS)<br />
#-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j REJECT --reject-with icmp-host-prohibited<br />
<br />
# Internet Printing Protocol<br />
#-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT<br />
#-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT<br />
<br />
<br />
# SSH<br />
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 10.10.10.5 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 10.10.10.1 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 10.10.20.5 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -s 216.119.0.0/16 -j ACCEPT<br />
<br />
# WEB<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT<br />
<br />
# MAIL<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT<br />
<br />
# SAMBA<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT<br />
<br />
# VNC<br />
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5900 -j ACCEPT<br />
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT<br />
<br />
# VMWARE<br />
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 902 -j ACCEPT<br />
<br />
# UNKNOWN<br />
###-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 69 -j ACCEPT<br />
###<br />
####-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT<br />
####-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 784 -j ACCEPT<br />
####-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 765 -j ACCEPT<br />
####-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 787 -j ACCEPT<br />
####-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 618 -j ACCEPT<br />
####-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 621 -j ACCEPT<br />
###<br />
<br />
# NFS<br />
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 111 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m udp -p udp --dport 111 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 2049 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m udp -p udp --dport 2049 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4001 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4001 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4002 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4002 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4003 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4003 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 4004 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m udp -p udp --dport 4004 -j ACCEPT<br />
<br />
<br />
<br />
# MYSQL<br />
#-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 3306 -j ACCEPT<br />
<br />
# LOGGING AND BLOCKING<br />
-A RH-Firewall-1-INPUT -j LOG --log-level 4 --log-prefix "*** BLOCKED ***"<br />
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited<br />
<br />
COMMIT<br />
</pre><br />
<br />
== Basic NAT Routing Example ==<br />
<br />
<pre><br />
# Generated by iptables-save v1.3.5 on Sun Aug 5 10:02:44 2012<br />
*nat<br />
:PREROUTING ACCEPT [1:65]<br />
:POSTROUTING ACCEPT [1:65]<br />
:OUTPUT ACCEPT [0:0]<br />
-A POSTROUTING -o eth1 -j MASQUERADE<br />
COMMIT<br />
# Completed on Sun Aug 5 10:02:44 2012<br />
# Generated by iptables-save v1.3.5 on Sun Aug 5 10:02:44 2012<br />
*filter<br />
:INPUT ACCEPT [0:0]<br />
:FORWARD ACCEPT [0:0]<br />
:OUTPUT ACCEPT [138:20068]<br />
:RH-Firewall-1-INPUT - [0:0]<br />
-A INPUT -j RH-Firewall-1-INPUT<br />
-A FORWARD -j RH-Firewall-1-INPUT<br />
-A RH-Firewall-1-INPUT -i lo -j ACCEPT<br />
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p esp -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p ah -j ACCEPT<br />
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT<br />
-A RH-Firewall-1-INPUT -j LOG --log-level 4 --log-prefix "** BLOCKED **"<br />
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited<br />
COMMIT<br />
# Completed on Sun Aug 5 10:02:44 2012<br />
</pre><br />
<br />
== Stop SSH Brute Force Attacks ==<br />
<br />
<pre><br />
here's an easy fix. It drops new ssh connections coming from the same IP with less than 15s intervals (or any timeout you<br />
want). In my server, this has shown to stop the automated attempts on the first failed connection - and even if the<br />
attacker waits for the 15s, it makes brute-force attempts not practical.<br />
<br />
For legit sessions, 15s is reasonable (at least for me) between session starts.<br />
<br />
It's just two lines on the iptables configuration. No other change required:<br />
<br />
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --update --seconds 15 -j DROP<br />
iptables -A INPUT -p tcp -i eth0 -m state --state NEW --dport 22 -m recent --set -j ACCEPT<br />
<br />
This assumes you already have<br />
iptables -A INPUT -j ACCEPT -p tcp ! --syn -s <REMOTENET> -d <OUTERNET><br />
above that, to accept established connection packets.<br />
</pre><br />
<br />
<pre><br />
look up a program called denyhosts.<br />
<br />
we have a lot of problems with ssh brute attacks. denyhost has helped a lot.<br />
</pre><br />
<br />
See [[Linux/Security#DenyHosts]]<br />
<br />
SSH tricks -- any way to block failed attempts by IP address - http://www.linuxquestions.org/questions/linux-security-4/ssh-tricks-any-way-to-block-failed-attempts-by-ip-address-342359/<br />
<br />
== Quick Block Ping ==<br />
<br />
Block Ping:<br />
iptables -A INPUT -p icmp --icmp-type 8 -j DROP<br />
<br />
Flush tables:<br />
iptables -F<br />
<br />
== Quick Port 8080 to 80 Redirect ==<br />
<br />
/etc/rc.local:<br />
<br />
<pre><br />
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080<br />
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8443<br />
<br />
iptables -t nat -A OUTPUT -d localhost -p tcp --dport 80 -j REDIRECT --to-port 8080<br />
iptables -t nat -A OUTPUT -d localhost -p tcp --dport 443 -j REDIRECT --to-port 8443<br />
<br />
iptables -t nat -A OUTPUT -d $(hostname) -p tcp --dport 80 -j REDIRECT --to-port 8080<br />
iptables -t nat -A OUTPUT -d $(hostname) -p tcp --dport 443 -j REDIRECT --to-port 8443<br />
<br />
</pre><br />
<br />
== by IP ==<br />
<br />
iptables -A INPUT -s 15.15.15.51 -j REJECT<br />
iptables -A INPUT -i eth0 -s 15.15.15.51 -j DROP<br />
<br />
== notes ==<br />
<br />
[http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables Quick HOWTO : Ch14 : Linux Firewalls Using iptables - Linux Home Networking]<br />
:"Network security is a primary consideration in any decision to host a website as the threats are becoming more widespread and persistent every day. One means of providing additional protection is to invest in a firewall. Though prices are always falling, in some cases you may be able to create a comparable unit using the Linux iptables package on an existing server for little or no additional expenditure. "<br />
<br />
== keywords ==</div>
Kenneth