*Use ip6tables for IPv6 rules
iptables-save -c > <file>                                  Dump iptables rules (with counters) to stdout
iptables-restore <file>                                    Restore iptables rules
iptables -L -v --line-numbers                              List all iptables rules with counters and line numbers
iptables -F                                                Flush all iptables rules
iptables -P <INPUT/FORWARD/OUTPUT> <ACCEPT/REJECT/DROP>    Change default policy for packets that match no rule
iptables -A INPUT -i <interface> -m state --state RELATED,ESTABLISHED -j ACCEPT
                                                           Allow established connections on INPUT
iptables -D INPUT 7                                        Delete 7th inbound rule
iptables -t raw -L -n                                      Increase throughput by turning off statefulness
iptables -P INPUT DROP                                     Drop all packets
ALLOW SSH ON PORT 22 OUTBOUND
> iptables -A OUTPUT -o <iface> -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i <iface> -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
ALLOW ICMP OUTBOUND
> iptables -A OUTPUT -o <iface> -p icmp --icmp-type echo-request -j ACCEPT
> iptables -A INPUT -i <iface> -p icmp --icmp-type echo-reply -j ACCEPT
PORT FORWARD
> echo "1" > /proc/sys/net/ipv4/ip_forward
# OR -> sysctl net.ipv4.ip_forward=1
> iptables -t nat -A PREROUTING -p tcp -i eth0 -d <pivotip> --dport 443 -j DNAT --to-destination <attk_ip>:443
> iptables -t nat -A POSTROUTING -p tcp -o eth0 -s <target subnet cidr> -d <attk_ip> --dport 443 -j SNAT --to-source <pivotip>
> iptables -t filter -I FORWARD 1 -j ACCEPT
ALLOW ONLY 1.1.1.0/24, PORTS 80,443 AND LOG DROPS TO /VAR/LOG/MESSAGES
> iptables -A INPUT -s 1.1.1.0/24 -m state --state RELATED,ESTABLISHED,NEW -p tcp -m multiport --dports 80,443 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -P INPUT DROP
> iptables -A OUTPUT -o eth0 -j ACCEPT
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -N LOGGING
> iptables -A INPUT -j LOGGING
> iptables -A LOGGING -m limit --limit 4/min -j LOG --log-prefix "DROPPED "
> iptables -A LOGGING -j DROP
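Once the LOGGING chain above is in place, every logged packet becomes one kernel line in /var/log/messages starting with the "DROPPED " prefix followed by the packet header as KEY=VALUE fields. The following Python script is an added example (not part of the original cheat sheet) showing how to triage those lines: it parses them, aggregates drops per source address, flags sources that probed several distinct ports, and lists hosts inside the allowed 1.1.1.0/24 that were still dropped. The sample log lines, hostname, timestamps, MAC and IP addresses are constructed for the example; the field layout is what the kernel LOG target emits.

```python
"""Triage kernel LOG lines produced by a chain like the LOGGING chain above.

`-j LOG --log-prefix "DROPPED "` makes the kernel write one line per logged
packet (rate-limited by `-m limit`) to the kernel log, which syslog normally
stores in /var/log/messages or /var/log/kern.log. The packet header appears
as KEY=VALUE fields plus bare flags (DF, SYN, ...).
"""
import ipaddress
import re
from collections import defaultdict

LOG_PREFIX = "DROPPED "       # must match --log-prefix in the LOG rule
ALLOWED_CIDR = "1.1.1.0/24"   # the subnet the ruleset above admits

# Constructed sample lines (hostname, timestamps, MACs and addresses are made
# up for this example); the field layout is what the kernel LOG target emits.
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: [  101.001] DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:01 gw kernel: [  101.002] DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: [  101.003] DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 12:00:05 gw kernel: [  104.500] DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=777 PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Jan 10 12:00:06 gw kernel: [  105.700] DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=60 ID=778 PROTO=UDP SPT=5353 DPT=53 LEN=24
Jan 10 12:00:07 gw sshd[1234]: Accepted publickey for admin from 1.1.1.25 port 51234 ssh2
Jan 10 12:00:08 gw kernel: [  107.000] eth0: link is up
Jan 10 12:00:09 gw kernel: [  108.200] DROPPED IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=1.1.1.25 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9 DF PROTO=TCP SPT=51240 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# "kernel: " optionally followed by the dmesg-style "[ 123.456] " timestamp,
# then the prefix set in the LOG rule, then the packet fields.
_DROP_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?" + re.escape(LOG_PREFIX) + r"(.*)$")


def parse_drop_line(line):
    """Return the packet fields of one LOG line as a dict, or None for other lines."""
    m = _DROP_RE.search(line)
    if m is None:
        return None
    fields, flags = {}, []
    for tok in m.group(1).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            # ID and LEN can appear twice (IP header first, then the ICMP/UDP
            # header); keep the first, i.e. the IP-header value.
            fields.setdefault(key, value)
        else:
            flags.append(tok)      # bare flags: DF, SYN, ACK, ...
    fields["FLAGS"] = flags
    return fields


def summarize(log_text):
    """Aggregate dropped packets per source address."""
    per_src = defaultdict(lambda: {"packets": 0, "protos": set(), "dports": set()})
    for line in log_text.splitlines():
        f = parse_drop_line(line)
        if f is None or "SRC" not in f:
            continue
        entry = per_src[f["SRC"]]
        entry["packets"] += 1
        entry["protos"].add(f.get("PROTO", "?"))
        if "DPT" in f:             # ICMP lines carry no destination port
            entry["dports"].add(int(f["DPT"]))
    return dict(per_src)


def probable_scanners(summary, min_distinct_ports=3):
    """Sources that probed several distinct ports, the usual port-scan signature."""
    return sorted(src for src, e in summary.items() if len(e["dports"]) >= min_distinct_ports)


def drops_from_allowed_subnet(summary, cidr=ALLOWED_CIDR):
    """Allowed sources that were still dropped (e.g. hit a port other than 80/443)."""
    net = ipaddress.ip_network(cidr)
    return sorted(src for src in summary if ipaddress.ip_address(src) in net)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for src, e in sorted(s.items()):
        print(f"{src:16} packets={e['packets']} protos={sorted(e['protos'])} dports={sorted(e['dports'])}")
    print("probable scanners:", probable_scanners(s))
    print("allowed-subnet hosts with drops:", drops_from_allowed_subnet(s))
```

Because the LOGGING chain rate-limits with `-m limit --limit 4/min`, the log records only a sample of what was dropped once the burst is exhausted, so the per-source counts are a lower bound; compare them with the packet counters that `iptables -L -v --line-numbers` shows for the LOGGING chain's DROP rule to see how much was not logged.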