net-iptables.plugin.bash¤

iptables firewall configurations.

group:net | runtype:systemd | deps: - | port: -

Usage
net-iptables help|install|uninstall|download|disable|configgen|configapply|check|run|build|watch
$ net-iptables install - install iptables firewall
$ net-iptables uninstall - uninstall iptables firewall
$ net-iptables download - download iptables package files to pkg dir
$ net-iptables disable - disable iptables plugin
$ net-iptables configgen - generate iptables configuration files
$ net-iptables configapply - apply iptables configuration files
$ net-iptables check - check iptables plugin status
$ net-iptables run - run iptables firewall rules
$ net-iptables build - build iptables rule files
$ net-iptables watch - watch iptables traffic
$ net-iptables help - show this help message
Description

Iptables is a user-space utility for configuring the Linux kernel firewall (netfilter).

Jangbi Configs¤

/opt/jangbi/.config
RUN_NET_IPTABLES=1 # enable iptables firewall
IPTABLES_MODE="Gateway" # Gateway, Tunnelonly, Client

Check if running¤

bash command
$ iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
$ iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)

Current Configuration¤

The current configuration is stored in /etc/iptables/. It is generated by the net-iptables configgen command on install. You can edit it manually; to keep your manual changes, do not run the install or configapply commands again, since they regenerate these files.

/etc/iptables/rules.v4
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Jul 21 09:28:53 2025
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -m comment --comment mab_limitmss -j DROP
-A PREROUTING -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m comment --comment mab_dropnonsyn -j DROP
-A PREROUTING -p icmp -m comment --comment mab_dropicmp -j DROP
-A PREROUTING -s 224.0.0.0/3 -i WAN -m comment --comment mab_dropspoofing_block_0 -j DROP
-A PREROUTING -s 169.254.0.0/16 -i WAN -m comment --comment mab_dropspoofing_block_1 -j DROP
-A PREROUTING -s 172.17.0.0/16 -m comment --comment mab_dropspoofing_allow_20 -j ACCEPT
-A PREROUTING -s 172.16.0.0/12 -i WAN -m comment --comment mab_dropspoofing_block_2 -j DROP
-A PREROUTING -s 192.0.2.0/24 -i WAN -m comment --comment mab_dropspoofing_block_3 -j DROP
-A PREROUTING -s 192.168.79.0/24 -m comment --comment mab_dropspoofing_allow_41 -j ACCEPT
-A PREROUTING -s 192.168.0.0/16 -i WAN -m comment --comment mab_dropspoofing_block_4 -j DROP
-A PREROUTING -s 10.0.0.0/8 -i WAN -m comment --comment mab_dropspoofing_block_5 -j DROP
-A PREROUTING -s 0.0.0.0/8 -i WAN -m comment --comment mab_dropspoofing_block_6 -j DROP
-A PREROUTING -s 240.0.0.0/5 -i WAN -m comment --comment mab_dropspoofing_block_7 -j DROP
-A PREROUTING -s 127.0.0.0/8 -i WAN -m comment --comment mab_dropspoofing_block_8 -j DROP
COMMIT
# Completed on Mon Jul 21 09:28:53 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Jul 21 09:28:53 2025
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m comment --comment rab_dropinvtcpflag1 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -m comment --comment rab_dropinvtcpflag2 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags ACK,URG URG -m comment --comment rab_dropinvtcpflag3 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,ACK FIN -m comment --comment rab_dropinvtcpflag4 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags PSH,ACK PSH -m comment --comment rab_dropinvtcpflag5 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m comment --comment rab_dropinvtcpflag6 -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -m comment --comment rab_dropinvtcpflag7 -j DROP
COMMIT
# Completed on Mon Jul 21 09:28:53 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Jul 21 09:28:53 2025
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -d 192.168.79.10/32 -i enx803f5d06a2f4 -m comment --comment neb_dmzsdmz_dmzinput -j ACCEPT
-A INPUT -m set --match-set bl0 src -j DROP
-A INPUT -i lo -m comment --comment fab_basesetup_loopback_v4 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment fab_basesetup_established_v4 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -m comment --comment fab_basesetup_invalid_v4 -j DROP
-A INPUT -s 127.0.0.0/8 ! -i lo -m comment --comment fab_antispoofing_block_fake_loopback_v4 -j DROP
-A INPUT -m addrtype --dst-type BROADCAST -m comment --comment fab_dropcasts_drop_broadcast -j DROP
-A INPUT -m addrtype --dst-type MULTICAST -m comment --comment fab_dropcasts_drop_multicast -j DROP
-A INPUT -m addrtype --dst-type ANYCAST -m comment --comment fab_dropcasts_drop_anycast -j DROP
-A INPUT -d 224.0.0.0/4 -m comment --comment fab_dropcasts_drop_multicast_range -j DROP
-A INPUT -p icmp -m icmp --icmp-type 0 -m conntrack --ctstate NEW -m comment --comment fab_icmprules_echo_reply -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -m conntrack --ctstate NEW -m comment --comment fab_icmprules_dest_unreachable -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -m comment --comment fab_icmprules_echo_request -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -m conntrack --ctstate NEW -m comment --comment fab_icmprules_time_exceeded -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10897 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m comment --comment fab_servicerules_custom_10897_v4 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10898 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m comment --comment fab_servicerules_custom_10898_v4 -j ACCEPT
-A INPUT -p udp -m multiport --dports 135,445 -m comment --comment fab_noisereduction_smb_udp_v4 -j DROP
-A INPUT -p udp -m udp --dport 137:139 -m comment --comment fab_noisereduction_netbios_v4 -j DROP
-A INPUT -p udp -m udp --sport 137 --dport 1024:65535 -m comment --comment fab_noisereduction_netbios_reply_v4 -j DROP
-A INPUT -p tcp -m multiport --dports 135,139,445 -m comment --comment fab_noisereduction_smb_tcp_v4 -j DROP
-A INPUT -p udp -m udp --dport 1900 -m comment --comment fab_dropupnp_upnp_v4 -j DROP
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m comment --comment fab_rejectauth_auth_v4 -j REJECT --reject-with tcp-reset
-A FORWARD -d 192.168.79.10/32 -i enx00e04c680686 -o enx803f5d06a2f4 -m comment --comment neb_dmzsdmz_dmzhostforward -j ACCEPT
-A FORWARD -i enx00e04c680686 -o enx803f5d06a2f4 -m state --state RELATED,ESTABLISHED -m comment --comment neb_dmzsdmz_dmznetforward2 -j ACCEPT
-A FORWARD -i enx803f5d06a2f4 -o enx00e04c680686 -m comment --comment neb_dmzsdmz_dmznetforward1 -j ACCEPT
COMMIT
# Completed on Mon Jul 21 09:28:53 2025
# Generated by iptables-save v1.8.9 (nf_tables) on Mon Jul 21 09:28:53 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i enx00e04c680686 -m comment --comment neb_dmzsdmz_dmznat -j DNAT --to-destination 192.168.79.10
-A PREROUTING -d 192.168.79.186/32 -p tcp -m tcp --dport 8090 -m comment --comment neb_portforward_pre -j DNAT --to-destination 192.168.79.11:8090
-A POSTROUTING -d 192.168.79.11/32 -p tcp -m tcp --dport 8090 -m comment --comment neb_portforward_post -j SNAT --to-source 192.168.79.186
COMMIT
# Completed on Mon Jul 21 09:28:53 2025
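To verify that a generated rules.v4 (or live iptables-save output) actually carries the rule families described on this page, here is an added audit script; it is not part of the net-iptables plugin and assumes only the comment-tag conventions visible above (mab_/rab_/fab_/neb_ prefixes and the fab_servicerules_custom_<port>_v4 naming).

```shell
#!/bin/sh
# Added example, not plugin code: audit an iptables-save dump (stdin) for the
# base setup and service rules, keyed on the plugin's comment tags.

# Constructed sample, trimmed from the rules.v4 layout shown on this page.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment fab_basesetup_loopback_v4 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment fab_basesetup_established_v4 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10897 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m comment --comment fab_servicerules_custom_10897_v4 -j ACCEPT
COMMIT
*mangle
-A PREROUTING -s 10.0.0.0/8 -i WAN -m comment --comment mab_dropspoofing_block_5 -j DROP
COMMIT'

# policy_of TABLE CHAIN: print the policy of CHAIN inside TABLE from the dump on stdin
policy_of() {
  awk -v t="*$1" -v c=":$2" '$1==t{in_t=1;next} /^COMMIT/{in_t=0} in_t && $1==c{print $2}'
}

# has_tag TAG: succeed if some rule in the dump on stdin carries comment TAG
has_tag() {
  grep -q -- "--comment $1 "
}

# open_ports: list TCP ports accepted through fab_servicerules_custom_* rules
open_ports() {
  sed -n 's/.*--dport \([0-9]*\) .*fab_servicerules_custom_.*-j ACCEPT$/\1/p'
}

# audit: check INPUT default-deny plus loopback/established rules; return 1 on any gap
audit() {
  dump=$(cat)
  status=0
  pol=$(printf '%s\n' "$dump" | policy_of filter INPUT)
  [ "$pol" = "DROP" ] || { echo "WARN: INPUT policy is ${pol:-unset}, expected DROP"; status=1; }
  for tag in fab_basesetup_loopback_v4 fab_basesetup_established_v4; do
    printf '%s\n' "$dump" | has_tag "$tag" || { echo "WARN: missing $tag"; status=1; }
  done
  echo "open tcp ports: $(printf '%s\n' "$dump" | open_ports | tr '\n' ' ')"
  return $status
}
```

Run it against the live ruleset with `iptables-save | audit` after sourcing the script; a non-zero exit means the base setup is not fully applied.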

Functions

Arptables : MAC Whitelisting¤

Add a MAC address for the target interface (LO/LAN/WAN/WLAN/ALL) to the ARP whitelist.
(config)IPTABLES_WHMACADDR="LAN-aa:bb:cc:dd:ee,WAN-ab:cd:be:c0:a1"
(command)arptables -A INPUT -i "${targetinf}" --source-mac "${infmac[1]}" -j ACCEPT


Arptables : Allow Gateway MAC on WAN¤

Add the gateway MAC address to the WAN MAC whitelist.
(config)IPTABLES_GWMAC=1
(command)arptables -A INPUT -i "${targetinf}" --source-mac "${gwmac}" -j ACCEPT


Arptables : Allow all other network except gateway¤

Allow ARP on all interfaces except the gateway interface.
(config)IPTABLES_ARPALLINFS=1
(command)arptables -A INPUT -i "${allinfx[i]}" -j ACCEPT


Mangle Prerouting : Drop ICMP¤

Drop ICMP packets in mangle table prerouting chain.
(config)IPTABLES_DROP_ICMP=1
(command)iptables -t mangle -A PREROUTING -p icmp -m comment --comment ${funcname} -j DROP


Mangle Prerouting : Drop Invalid State¤

Drop packets with invalid connection state in mangle table prerouting chain.
(config)IPTABLES_DROP_INVALID_STATE=1
(command)iptables -t mangle -I PREROUTING -p all -m conntrack --ctstate INVALID -m comment --comment ${funcname} -j DROP


Mangle Prerouting : Drop new non-SYN TCP Packets¤

Drop new TCP packets that do not have SYN flag set in mangle table prerouting chain.
(config)IPTABLES_DROP_NON_SYN=1
(command)iptables -t mangle -I PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -m comment --comment ${funcname} -j DROP


Mangle Prerouting : Drop Spoofing Packets¤

Drop spoofed packets arriving on the target interface from the listed networks, except networks explicitly allowed for routing, in the mangle table PREROUTING chain.
(config)IPTABLES_DROP_SPOOFING=1 IPTABLES_DROP_SPOOFING_TARINF=WAN IPTABLES_DROP_SPOOFING_NET="224.0.0.0/3,169.254.0.0/16,172.16.0.0/12,192.0.2.0/24,192.168.0.0/16,10.0.0.0/8,0.0.0.0/8,240.0.0.0/5,127.0.0.0/8"
(command)iptables -t mangle -A PREROUTING -s ${iptables_block_ip} -i ${tarinf} -m comment --comment ${funcname}_block_${j} -j DROP


Mangle Prerouting : Limit MSS¤

Drop TCP packets with MSS outside allowed range in mangle table prerouting chain.
(config)IPTABLES_LIMIT_MSS=1
(command)iptables -t mangle -I PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss ${mss} -m comment --comment ${funcname} -j DROP


Filter/NAT Forward/Postrouting Masquerade¤

Set up masquerading between internal and external interfaces with proper forwarding rules.
(config)IPTABLES_MASQ="WLAN<WAN|LAN<WAN"
(command)iptables -t nat -A POSTROUTING ! -d ${fromnet} -o ${toinf} -m comment --comment ${funcname}_${j}_masq -j MASQUERADE


DMZ - after portforward, SDMZ - prior to portforward¤

Set up DMZ (Demilitarized Zone) routing that forwards all inbound WAN traffic to the specified internal host.
(config)IPTABLES_DMZ="192.168.79.10" IPTABLES_SUPERDMZ=1
(command)iptables -t nat -A PREROUTING -p ALL -i ${waninf} -j DNAT --to-destination ${dmzip} -m comment --comment ${funcname}_dmznat


NAT Prerouting/Postrouting Port forward¤

Forward external ports to internal hosts and ports using NAT DNAT/SNAT rules.
(config)IPTABLES_PORTFORWARD="8090:192.168.79.11:8090,8010:192.168.79.12:8010"
(command)iptables -t nat -A PREROUTING -p tcp --dst ${wanip} --dport ${wanport} -j DNAT --to-destination ${lanip}:${lanport} -m comment --comment ${funcname}_pre


Raw Prerouting : Drop Invalid Tcp Flag¤

Drop packets with invalid TCP flag combinations in raw table prerouting chain.
(config)IPTABLES_INVALID_TCPFLAG=1
(command)iptables -t raw -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -m comment --comment ${funcname}1 -j DROP


Filter Input : Drop IPs from blacklist¤

Download and block IP addresses from blacklist URLs using ipset.
(config)IPTABLES_BLACK_NAMELIST="url|url"
(command)iptables -I INPUT -m set --match-set ${blist_name} src -j DROP


Filter Table : Base Setup (policies, loopback, established connections)¤

Set up basic filter table policies, loopback rules, and connection state tracking.
(config)IPTABLES_ENABLE_BASE=1
(command)iptables -P INPUT DROP && iptables -A INPUT -i lo -m comment --comment ${funcname}_loopback_v4 -j ACCEPT


Filter Input : Anti-spoofing protection¤

Block packets claiming to be from loopback but coming from external interfaces.
(config)IPTABLES_ANTISPOOFING=1
(command)iptables -A INPUT -s 127.0.0.0/8 ! -i lo -m comment --comment ${funcname}_block_fake_loopback_v4 -j DROP


Filter Input : Drop broadcast/multicast/anycast packets¤

Drop broadcast, multicast, and anycast packets to reduce network noise.
(config)IPTABLES_DROPCASTS=1
(command)iptables -A INPUT -m addrtype --dst-type BROADCAST -m comment --comment ${funcname}_drop_broadcast -j DROP


Filter Input : drop ICMP packets¤

Allow specific ICMP types for proper network operation while blocking others.
(config)IPTABLES_DROPICMP=1
(command)iptables -A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -m comment --comment ${funcname}_echo_reply -j ACCEPT


Filter Input : Service-specific rules¤

Allow incoming connections on specified ports for services.
(config)IPTABLES_ALLOWED_PORTS="80,443,8080"
(command)iptables -A INPUT -p tcp --dport ${port} --syn -m conntrack --ctstate NEW -m comment --comment ${funcname}_custom_${port}_v4 -j ACCEPT


Filter Input : Service-specific rules¤

Allow incoming connections on interface-prefixed ports (LO/LAN/WAN/WLAN:port) collected from the *_PORTS variables of other plugins.
(config)***_PORTS="LO:19283,LO:19282,LAN:20392"
(command)iptables -A INPUT -p tcp --dport ${port} --syn -m conntrack --ctstate NEW -m comment --comment ${funcname}_custom_${port}_v4 -j ACCEPT


Filter Input : Noise reduction rules (Drop without logging)¤

Drop common network noise packets (SMB, NetBIOS) without logging to reduce log spam.
(config)IPTABLES_NOISE_REDUCTION=1
(command)iptables -A INPUT -p udp -m multiport --dports 135,445 -m comment --comment ${funcname}_smb_udp_v4 -j DROP


Filter Input : Drop UPnP packets¤

Drop UPnP discovery packets to prevent unwanted service discovery.
(config)IPTABLES_DROP_UPNP=1
(command)iptables -A INPUT -p udp --dport 1900 -m comment --comment ${funcname}_upnp_v4 -j DROP


Filter Input : Reject AUTH traffic quickly¤

Reject AUTH (ident, TCP/113) requests immediately with a TCP reset so that remote services waiting on an ident lookup do not delay connections.
(config)IPTABLES_REJECT_AUTH=1
(command)iptables -A INPUT -p tcp --dport 113 --syn -m conntrack --ctstate NEW -m comment --comment ${funcname}_auth_v4 -j REJECT --reject-with tcp-reset


NAT Prerouting : Port redirection¤

Redirect incoming connections from one port to another on the same host.
(config)IPTABLES_PORT_REDIRECT="21:2121,8080:80" IPTABLES_REDIRECT_INTERFACE="eth0"
(command)iptables -t nat -A PREROUTING -i ${interface} -p tcp --dport ${from_port} -m comment --comment ${funcname}_${from_port}_${to_port} -j REDIRECT --to-port ${to_port}


NAT Prerouting : DNAT port forwarding¤

Forward external ports to internal hosts using DNAT (Destination NAT).
(config)IPTABLES_PORT_FORWARD="8080:192.168.1.10:80,9090:192.168.1.11:90" IPTABLES_FORWARD_INTERFACE="eth0"
(command)iptables -t nat -A PREROUTING -i ${interface} -p tcp --dport ${external_port} -m comment --comment ${funcname}_${external_port}_${internal_ip}_${internal_port} -j DNAT --to-destination ${internal_ip}:${internal_port}