
Mastering iptables: Block Ping, Secure Web Servers, Build Gateways & DNAT

This tutorial walks through disabling ICMP ping, hardening a Linux web server with iptables, configuring a dual‑NIC gateway, and implementing DNAT port mapping, providing complete command examples, verification steps, and visual results for each scenario.

Open Source Linux

Practical 1: Disable Ping on Server

# ICMP type 8 is echo-request; dropping it on INPUT stops the host answering ping from any source (0/0)
iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -j DROP
In addition to the iptables rule, you can disable ping by setting a kernel parameter:
echo net.ipv4.icmp_echo_ignore_all=1 >> /etc/sysctl.conf
sysctl -p
# To enable ping again, set net.ipv4.icmp_echo_ignore_all=0 and run sysctl -p

Practical 2: Use iptables to Protect Company Web Server

2.1 Web server setup

yum -y install httpd
yum -y install vsftpd
systemctl start httpd
systemctl start vsftpd

2.2 Client verification (without iptables)

Test web access

Test vsftpd

2.3 iptables firewall policy

# Loopback must stay open, or local services that talk to 127.0.0.1 break
iptables -A INPUT -i lo -j ACCEPT
# SSH (22) and HTTP (80) are the only services reachable from outside; vsftpd (21) is deliberately absent
iptables -A INPUT -p tcp -m multiport --dports 22,80 -j ACCEPT
# Accept replies to connections this server initiated; -m state is the legacy match,
# -m conntrack --ctstate RELATED,ESTABLISHED is the modern equivalent
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Default deny, set last so the SSH allow rule is already in place and you are not locked out
iptables -P INPUT DROP

2.4 Verification

Test web access

Test vsftpd

Result: the web service is reachable, but FTP is blocked: port 21 is not in the multiport list, so the default INPUT DROP policy discards the FTP connection attempt.

Practical 3: Build a Gateway Server with iptables

Background: The company uses a dual‑NIC Linux host as a gateway; eth0 connects to the LAN and eth1 to the Internet. With a single public IP, the gateway must be configured so LAN PCs can share Internet access.

Practical 4: Implement Port Mapping (DNAT) with iptables

Experiment topology

4.1 qll252 web server setup

yum -y install httpd
# The default httpd DocumentRoot is /var/www/html; write the test page there so the server reports its own IP
echo 10.10.10.2 > /var/www/html/index.html
systemctl start httpd
# Set the default gateway on eth0 to qll251 (10.10.10.1) so replies to mapped connections return through the gateway
vim /etc/sysconfig/network-scripts/ifcfg-eth0   # GATEWAY=10.10.10.1
systemctl restart network

4.2 DNAT on qll251

# DNAT'd packets are forwarded from eth1 to eth0, so IP forwarding must be enabled on the gateway
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
# Rewrite packets arriving for 20.20.20.20:8000 so they are delivered to 10.10.10.2:80
iptables -t nat -A PREROUTING -d 20.20.20.20 -p tcp --dport 8000 -j DNAT --to-destination 10.10.10.2:80
# Persist the rules across reboots (on CentOS 7 this requires the iptables-services package)
service iptables save
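The gateway of Practical 3 and the port mapping of Practical 4 are two halves of one ruleset, so here they are together as a single added script. This is example code written for this page, not the article's own commands; it assumes the addresses from the article (eth0 on the LAN as 10.10.10.1/24, eth1 holding the public IP 20.20.20.20, the internal web server qll252 at 10.10.10.2) and adds a deny-by-default FORWARD chain, which the article does not show.

```shell
#!/bin/sh
# Added example, not from the original article: builds the dual-NIC gateway of
# Practical 3 and layers the Practical 4 port mapping on top of it.
# Assumed layout (taken from the article): eth0 = LAN side (10.10.10.1/24),
# eth1 = Internet side with public IP 20.20.20.20, web server qll252 at 10.10.10.2.
# Set IPT=echo for a dry run that prints the rules instead of applying them.
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=10.10.10.0/24
PUBLIC_IP=20.20.20.20
WEB_SERVER=10.10.10.2
: "${IPT:=iptables}"

gateway_rules() {
    # Routing between the two NICs only happens with forwarding enabled.
    if [ "$IPT" = iptables ]; then
        sysctl -w net.ipv4.ip_forward=1
    fi
    # Deny forwarding by default, then allow only what the LAN needs.
    $IPT -P FORWARD DROP
    # Return traffic for connections already tracked by conntrack.
    $IPT -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # New connections initiated from the LAN towards the Internet.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Rewrite the source of outbound packets to the public IP of eth1.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

dnat_rules() {
    # Practical 4: public port 8000 becomes port 80 on the internal server.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p tcp --dport 8000 \
        -j DNAT --to-destination "$WEB_SERVER:80"
    # DNAT only rewrites the address; the packet still has to pass FORWARD,
    # which is DROP by default above, so permit exactly this mapped flow.
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_SERVER" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_all() {
    gateway_rules
    dnat_rules
}

# Usage: sh gateway.sh apply      (needs root)
#        sh gateway.sh dry-run    (prints the rules only)
case "${1:-}" in
    apply)   apply_all ;;
    dry-run) IPT=echo; apply_all ;;
esac
```

Run the dry-run form first and compare its output with `iptables -t nat -L -n -v` after applying; the FORWARD allow for the mapped flow is what most often goes missing when the DNAT "does not work".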

4.3 Verification

Result: a request to http://20.20.20.20:8000 is rewritten by the DNAT rule and delivered to the qll252 server at 10.10.10.2:80, which returns its test page; the port mapping works as intended.

Conclusion

If you found this article useful, please click “Read later” or share it; your support is the greatest motivation for continued sharing.

Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
