IPTables quick reference

# iptables -N new_chain                         // create a chain
# iptables -E new_chain old_chain               // edit a chain
# iptables -X old_chain                         // delete a chain

redirecting packet to a user chain:
# iptables -A INPUT -p icmp -j new_chain

listing rules:
# iptables -L                                   // list all rules of all tables
# iptables -L -v                                // display rules and their counters
# iptables -L -t nat                            // display rules for a specific tables
# iptables -L -n --line-numbers                 // listing rules with line number for all tables
# iptables -L INPUT -n --line-numbers           // listing rules with line number for specific table

manage rules:
# iptables -A chain                             // append rules to the bottom of the chain
# iptables -I chain [rulenum]                   // insert in chain as rulenum (default at the top or 1)
# iptables -R chain rulenum                     // replace rules with rules specified for the rulnum
# iptables -D chain     rulenum                 // delete rules matching rulenum (default 1)
# iptables -D chain                             // delete matching rules

change default policy:
# iptables -P chain target                      // change policy on chain to target
# iptables -P INPUT DROP                        // change INPUT table policy to DROP
# iptables -P OUTPUT DROP                       // change OUTPUT chain policy to DROP
# iptables -P FORWARD DROP                      // change FORWARD chain policy to DROP 

Source: raynux.com

IPSEC – Site to site VPN

crypto isakmp policy <N> * N = priority, lower preferred

authentication pre-share
encryption <3DES/AES/DES> * AES preferred
group <1/2/5> * Diffie Hellman group
hash <MD5/SHA>
lifetime <T> * in Seconds

crypto isakmp key <0/6> <KEY> address

crypto ipsec transform-set <TRANS NAME> esp-aes esp-sha-hmac


crypto ipsec security-association lifetime <T>


crypto map <MAP NAME> <SEQ> ipsec-isakmp

match address 123
set peer <REMOTE ADDR>
set transform-set <TRANS NAME>

int dial0 <OUTSIDE IF>

crypto-map <MAP NAME>

Notes :

QM_IDLE = Good!

MM_NO_STATE = Phase 1 (*IKE problem) – Check public incoming ACL’s

MM_KEY_EXCH = Bad peer address or key problem

On public facing inbound ACL’s allow :

ESP – Protocol 50

AH – Protocol 51

IKE – UDP port 500