iptables does not add/list PREROUTING rulesCan I uninstall UFW completely?How do I remove all the ufw chains...

How to bake one texture for one mesh with multiple textures blender 2.8

Non-trope happy ending?

Pre-mixing cryogenic fuels and using only one fuel tank

Why does the Sun have different day lengths, but not the gas giants?

Can I sign legal documents with a smiley face?

Why did the HMS Bounty go back to a time when whales are already rare?

GraphicsGrid with a Label for each Column and Row

Is it possible to put a rectangle as background in the author section?

Lowest total scrabble score

Multiplicative persistence

Does a 'pending' US visa application constitute a denial?

Freedom of speech and where it applies

Open a doc from terminal, but not by its name

Is it possible to have a strip of cold climate in the middle of a planet?

Aragorn's "guise" in the Orthanc Stone

Travelling outside the UK without a passport

Calculating Wattage for Resistor in High Frequency Application?

The screen of my macbook suddenly broken down how can I do to recover

How much character growth crosses the line into breaking the character

If a character has darkvision, can they see through an area of nonmagical darkness filled with lightly obscuring gas?

Should I outline or discovery write my stories?

Not using 's' for he/she/it

WiFi Thermostat, No C Terminal on Furnace

Which one is correct as adjective “protruding” or “protruded”?



iptables does not add/list PREROUTING rules


Can I uninstall UFW completely?How do I remove all the ufw chains from iptables?How can I set up GUFW so that only firefox connects to the internetiptables problemHow to enable Apache Solr service on Rackspace Ubuntu Server?UFW BLOCK port even if it is on the allow listCannot ssh remotely into Ubuntu 14.04 Desktop (connection refused)Forward FTP to another ServerTor Browser Bundle/Tor and IPTables: Seeking a Working Setuphow to redirect and load balance locally generated packets through iptablesftp port 21 and 20 not showingHow to seed torrents in Linux?













0















I'm trying to add all of the anti-DDoSing rules from JavaPipe after removing UFW from my system and deleting all of the ufw chains (though the referenced answer didn't work. I had to run iptables -F and iptables -X with no parameters).



### 1: Drop invalid packets ### 

/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP  



### 2: Drop TCP packets that are new and are not SYN ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 



### 3: Drop SYN packets with suspicious MSS value ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP  



### 4: Block packets with bogus TCP flags ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  



### 5: Block spoofed packets ### 

/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP  



### 6: Drop ICMP (you usually don't need this protocol) ### 

/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP  



### 7: Drop fragments in all chains ### 

/sbin/iptables -t mangle -A PREROUTING -f -j DROP  



### 8: Limit connections per source IP ### 

/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset  



### 9: Limit RST packets ### 

/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 

/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP  



### 10: Limit new TCP connections per second per source IP ### 

/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 

/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP  



### 11: Use SYNPROXY on all ports (disables connection limiting rule) ### 

# Hidden - unlock content above in "Mitigating SYN Floods With SYNPROXY" section



### SSH brute-force protection ### 

/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set 

/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP  



### Protection against port scanning ### 

/sbin/iptables -N port-scanning 

/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN 

/sbin/iptables -A port-scanning -j DROP


When I type iptables -S after this, I only see a few of these rules.



# iptables -S

-P INPUT ACCEPT

-P FORWARD ACCEPT

-P OUTPUT ACCEPT

-N port-scanning

-A INPUT -p tcp -m connlimit --connlimit-above 111 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset

-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT

-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT

-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource

-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP

-A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN

-A port-scanning -j DROP


If I type iptables -t nat -L, I can see none of these rules.



# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination



Chain INPUT (policy ACCEPT)

target     prot opt source               destination



Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination



Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination


How do I get a list of all iptables rules for all tables?






networking server iptables firewall ufw







share|improve this question























  • It does not make sense to me that you add your rules to the mangle table. Just add them to the INPUT chain. You can not see the rules because you didn't specify the mangle table. Increase your SSH brute force timeout to many thousands of seconds.

    – Doug Smythies
    Jul 5 '18 at 20:39
















0















I'm trying to add all of the anti-DDoSing rules from JavaPipe after removing UFW from my system and deleting all of the ufw chains (though the referenced answer didn't work. I had to run iptables -F and iptables -X with no parameters).



### 1: Drop invalid packets ### 

/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP  



### 2: Drop TCP packets that are new and are not SYN ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 



### 3: Drop SYN packets with suspicious MSS value ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP  



### 4: Block packets with bogus TCP flags ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  



### 5: Block spoofed packets ### 

/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP  



### 6: Drop ICMP (you usually don't need this protocol) ### 

/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP  



### 7: Drop fragments in all chains ### 

/sbin/iptables -t mangle -A PREROUTING -f -j DROP  



### 8: Limit connections per source IP ### 

/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset  



### 9: Limit RST packets ### 

/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 

/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP  



### 10: Limit new TCP connections per second per source IP ### 

/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 

/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP  



### 11: Use SYNPROXY on all ports (disables connection limiting rule) ### 

# Hidden - unlock content above in "Mitigating SYN Floods With SYNPROXY" section



### SSH brute-force protection ### 

/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set 

/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP  



### Protection against port scanning ### 

/sbin/iptables -N port-scanning 

/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN 

/sbin/iptables -A port-scanning -j DROP


When I type iptables -S after this, I only see a few of these rules.



# iptables -S

-P INPUT ACCEPT

-P FORWARD ACCEPT

-P OUTPUT ACCEPT

-N port-scanning

-A INPUT -p tcp -m connlimit --connlimit-above 111 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset

-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT

-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT

-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource

-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP

-A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN

-A port-scanning -j DROP


If I type iptables -t nat -L, I can see none of these rules.



# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination



Chain INPUT (policy ACCEPT)

target     prot opt source               destination



Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination



Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination


How do I get a list of all iptables rules for all tables?






networking server iptables firewall ufw







share|improve this question























  • It does not make sense to me that you add your rules to the mangle table. Just add them to the INPUT chain. You can not see the rules because you didn't specify the mangle table. Increase your SSH brute force timeout to many thousands of seconds.

    – Doug Smythies
    Jul 5 '18 at 20:39














0












0








0








I'm trying to add all of the anti-DDoSing rules from JavaPipe after removing UFW from my system and deleting all of the ufw chains (though the referenced answer didn't work. I had to run iptables -F and iptables -X with no parameters).



### 1: Drop invalid packets ### 

/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP  



### 2: Drop TCP packets that are new and are not SYN ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 



### 3: Drop SYN packets with suspicious MSS value ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP  



### 4: Block packets with bogus TCP flags ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  



### 5: Block spoofed packets ### 

/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP  



### 6: Drop ICMP (you usually don't need this protocol) ### 

/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP  



### 7: Drop fragments in all chains ### 

/sbin/iptables -t mangle -A PREROUTING -f -j DROP  



### 8: Limit connections per source IP ### 

/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset  



### 9: Limit RST packets ### 

/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 

/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP  



### 10: Limit new TCP connections per second per source IP ### 

/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 

/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP  



### 11: Use SYNPROXY on all ports (disables connection limiting rule) ### 

# Hidden - unlock content above in "Mitigating SYN Floods With SYNPROXY" section



### SSH brute-force protection ### 

/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set 

/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP  



### Protection against port scanning ### 

/sbin/iptables -N port-scanning 

/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN 

/sbin/iptables -A port-scanning -j DROP


When I type iptables -S after this, I only see a few of these rules.



# iptables -S

-P INPUT ACCEPT

-P FORWARD ACCEPT

-P OUTPUT ACCEPT

-N port-scanning

-A INPUT -p tcp -m connlimit --connlimit-above 111 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset

-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT

-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT

-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource

-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP

-A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN

-A port-scanning -j DROP


If I type iptables -t nat -L, I can see none of these rules.



# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination



Chain INPUT (policy ACCEPT)

target     prot opt source               destination



Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination



Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination


How do I get a list of all iptables rules for all tables?






networking server iptables firewall ufw







share|improve this question














I'm trying to add all of the anti-DDoSing rules from JavaPipe after removing UFW from my system and deleting all of the ufw chains (though the referenced answer didn't work. I had to run iptables -F and iptables -X with no parameters).



### 1: Drop invalid packets ### 

/sbin/iptables -t mangle -A PREROUTING -m conntrack --ctstate INVALID -j DROP  



### 2: Drop TCP packets that are new and are not SYN ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP 



### 3: Drop SYN packets with suspicious MSS value ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP  



### 4: Block packets with bogus TCP flags ### 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP 

/sbin/iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  



### 5: Block spoofed packets ### 

/sbin/iptables -t mangle -A PREROUTING -s 224.0.0.0/3 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 169.254.0.0/16 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 192.0.2.0/24 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 0.0.0.0/8 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 240.0.0.0/5 -j DROP 

/sbin/iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP  



### 6: Drop ICMP (you usually don't need this protocol) ### 

/sbin/iptables -t mangle -A PREROUTING -p icmp -j DROP  



### 7: Drop fragments in all chains ### 

/sbin/iptables -t mangle -A PREROUTING -f -j DROP  



### 8: Limit connections per source IP ### 

/sbin/iptables -A INPUT -p tcp -m connlimit --connlimit-above 111 -j REJECT --reject-with tcp-reset  



### 9: Limit RST packets ### 

/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT 

/sbin/iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP  



### 10: Limit new TCP connections per second per source IP ### 

/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/s --limit-burst 20 -j ACCEPT 

/sbin/iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j DROP  



### 11: Use SYNPROXY on all ports (disables connection limiting rule) ### 

# Hidden - unlock content above in "Mitigating SYN Floods With SYNPROXY" section



### SSH brute-force protection ### 

/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set 

/sbin/iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP  



### Protection against port scanning ### 

/sbin/iptables -N port-scanning 

/sbin/iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN 

/sbin/iptables -A port-scanning -j DROP


When I type iptables -S after this, I only see a few of these rules.



# iptables -S

-P INPUT ACCEPT

-P FORWARD ACCEPT

-P OUTPUT ACCEPT

-N port-scanning

-A INPUT -p tcp -m connlimit --connlimit-above 111 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset

-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/sec --limit-burst 2 -j ACCEPT

-A INPUT -p tcp -m tcp --tcp-flags RST RST -j DROP

-A INPUT -p tcp -m conntrack --ctstate NEW -m limit --limit 60/sec --limit-burst 20 -j ACCEPT

-A INPUT -p tcp -m conntrack --ctstate NEW -j DROP

-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource

-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP

-A port-scanning -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec --limit-burst 2 -j RETURN

-A port-scanning -j DROP


If I type iptables -t nat -L, I can see none of these rules.



# iptables -t nat -L

Chain PREROUTING (policy ACCEPT)

target     prot opt source               destination



Chain INPUT (policy ACCEPT)

target     prot opt source               destination



Chain OUTPUT (policy ACCEPT)

target     prot opt source               destination



Chain POSTROUTING (policy ACCEPT)

target     prot opt source               destination


How do I get a list of all iptables rules for all tables?






networking server iptables firewall ufw




networking server iptables firewall ufw






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jul 2 '18 at 2:30









PatPeterPatPeter

113




113













  • It does not make sense to me that you add your rules to the mangle table. Just add them to the INPUT chain. You can not see the rules because you didn't specify the mangle table. Increase your SSH brute force timeout to many thousands of seconds.

    – Doug Smythies
    Jul 5 '18 at 20:39



















  • It does not make sense to me that you add your rules to the mangle table. Just add them to the INPUT chain. You can not see the rules because you didn't specify the mangle table. Increase your SSH brute force timeout to many thousands of seconds.

    – Doug Smythies
    Jul 5 '18 at 20:39

















It does not make sense to me that you add your rules to the mangle table. Just add them to the INPUT chain. You can not see the rules because you didn't specify the mangle table. Increase your SSH brute force timeout to many thousands of seconds.

– Doug Smythies
Jul 5 '18 at 20:39





It does not make sense to me that you add your rules to the mangle table. Just add them to the INPUT chain. You can not see the rules because you didn't specify the mangle table. Increase your SSH brute force timeout to many thousands of seconds.

– Doug Smythies
Jul 5 '18 at 20:39










1 Answer
1






active

oldest

votes


















0














I don't remember the solution that I chose, but this is close enough of a link to warrant a solution.



https://www.cyberciti.biz/faq/how-to-list-all-iptables-rules-in-linux/





share























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "89"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1051353%2fiptables-does-not-add-list-prerouting-rules%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    I don't remember the solution that I chose, but this is close enough of a link to warrant a solution.



    https://www.cyberciti.biz/faq/how-to-list-all-iptables-rules-in-linux/





    share




























      0














      I don't remember the solution that I chose, but this is close enough of a link to warrant a solution.



      https://www.cyberciti.biz/faq/how-to-list-all-iptables-rules-in-linux/





      share


























        0












        0








        0







        I don't remember the solution that I chose, but this is close enough of a link to warrant a solution.



        https://www.cyberciti.biz/faq/how-to-list-all-iptables-rules-in-linux/





        share













        I don't remember the solution that I chose, but this is close enough of a link to warrant a solution.



        https://www.cyberciti.biz/faq/how-to-list-all-iptables-rules-in-linux/






        share











        share


        share










        answered 2 mins ago









        PatPeterPatPeter

        113




        113






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Ask Ubuntu!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1051353%2fiptables-does-not-add-list-prerouting-rules%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            -

            Popular posts from this blog

            Why do type traits not work with types in namespace scope?What are POD types in C++?Why can templates only be...

            Image
            What does it mean to express a gate in Dirac notation? A Strange Latex Symbol How can Republicans who favour free markets, consistently express anger when they don't like the outcome of that choice? What happened to Captain America in Endgame? How to solve constants out of the internal energy equation? How can I place the product on a social media post better? Will tsunami waves travel forever if there was no land? Unexpected email from Yorkshire Bank What is the relationship between spectral sequences and obstruction theory? How can I practically buy stocks? Will a top journal at least re
            Read more

            Will tsunami waves travel forever if there was no land?Why do tsunami waves begin with the water flowing away...

            Image
            How much cash can I safely carry into the USA and avoid civil forfeiture? Is there really no use for MD5 anymore? Is contacting this expert in the field something acceptable or would it be discourteous? How to pronounce 'C++' in Spanish How to creep the reader out with what seems like a normal person? Critique of timeline aesthetic Sci fi novel series with instant travel between planets through gates. A river runs through the gates How did Captain America manage to do this? Are Boeing 737-800’s grounded? Error message with tabularx How to make a pipeline wait for end-of-file or stop af
            Read more

            Should I use Docker or LXD?How to cache (more) data on SSD/RAM to avoid spin up?Unable to get Windows File...

            Image
            kill -0 <PID> は何をするのでしょうか? Why avoid shared user accounts? Using only 1s, make 29 with the minimum number of digits Cookies - Should the toggles be on? Can I string the DnD Starter Set campaign into another modules, keeping the same characters? Why do neural networks need so many training examples to perform? Intern applicant asking for compensation equivalent to that of permanent employee Why would space fleets be aligned? It took me a lot of time to make this, pls like. (YouTube Comments #1) Can a long polymer chain interact with itself via van der Waals forces? What is the purpose of
            Read more