{"id":420,"date":"2026-05-10T14:52:00","date_gmt":"2026-05-10T12:52:00","guid":{"rendered":"https:\/\/blumhost.net\/blog\/?p=420"},"modified":"2026-05-10T20:10:58","modified_gmt":"2026-05-10T18:10:58","slug":"iptables-guia-completa","status":"publish","type":"post","link":"https:\/\/blumhost.net\/blog\/iptables-guia-completa\/","title":{"rendered":"iptables: Complete 2026 Guide to Commands, Rules and Security on Linux"},"content":{"rendered":"\n<p><strong>iptables<\/strong> is the user-space tool used to configure the Linux kernel's <strong>netfilter<\/strong> framework. It acts as a firewall, controlling the incoming, outgoing and forwarded traffic of any Linux server. It has been the de facto standard for more than two decades, and it remains an essential skill for any system administrator.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u26a1 <strong>Quick summary:<\/strong> iptables organizes its rules into <strong>5 tables<\/strong> (filter, nat, mangle, raw, security) and <strong>5 built-in chains<\/strong> (INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING). 
This guide covers everything from installation to production scripts with anti-DDoS, SSH protection and full NAT.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%C2%BFQue_es_iptables\"><\/span>What is iptables?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>iptables is the command-line interface to the Linux kernel's <strong>netfilter<\/strong> module. 
It gives you full control over network traffic: it filters packets, manages NAT, forwards ports, logs events and protects the server against attacks such as brute force or DDoS.<\/p>\n\n\n\n<p>Introduced in kernel 2.4 (in 2000), its longevity is due to its power, flexibility and the enormous amount of documentation and tooling built around it.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u2139\ufe0f <strong>2025 note:<\/strong> On modern distributions such as Ubuntu 22.04+ and Debian 12, the <code>iptables<\/code> command is actually a frontend to <strong>nftables<\/strong> through the <code>iptables-nft<\/code> compatibility layer. The commands are identical, so this guide applies just the same. You can check which backend is in use with <code>iptables --version<\/code>, which prints <code>(nf_tables)<\/code> or <code>(legacy)<\/code> after the version number.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Main use cases:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Packet filtering: block or allow traffic by IP, port or protocol<\/li>\n\n\n\n<li>Stateful firewall: TCP\/UDP connection tracking<\/li>\n\n\n\n<li>NAT (Network Address Translation): sharing IPs, port forwarding<\/li>\n\n\n\n<li>Protection against attacks: DDoS, brute force, port scanning<\/li>\n\n\n\n<li>QoS and traffic marking for bandwidth management<\/li>\n\n\n\n<li>Logging and auditing of network traffic<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Arquitectura_tablas_y_cadenas\"><\/span>Architecture: tables and chains<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Tablas\"><\/span>Tables<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>iptables organizes rules into <strong>5 tables<\/strong> according to their purpose. 
The default table (when you do not pass <code>-t<\/code>) is <strong>filter<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Table<\/th><th>Purpose<\/th><th>Available chains<\/th><th>When to use it<\/th><\/tr><\/thead><tbody><tr><td><code>filter<\/code><\/td><td>Packet filtering<\/td><td>INPUT, OUTPUT, FORWARD<\/td><td>Standard firewall rules: allow\/block traffic<\/td><\/tr><tr><td><code>nat<\/code><\/td><td>Address translation<\/td><td>PREROUTING, POSTROUTING, OUTPUT<\/td><td>NAT, MASQUERADE, port forwarding<\/td><\/tr><tr><td><code>mangle<\/code><\/td><td>Packet alteration<\/td><td>All chains<\/td><td>Modify TTL, TOS, mark packets for QoS<\/td><\/tr><tr><td><code>raw<\/code><\/td><td>conntrack exceptions<\/td><td>PREROUTING, OUTPUT<\/td><td>Skip connection tracking (NOTRACK) for performance<\/td><\/tr><tr><td><code>security<\/code><\/td><td>Mandatory Access Control (MAC)<\/td><td>INPUT, OUTPUT, FORWARD<\/td><td>SELinux integration (rarely used in practice)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Cadenas\"><\/span>Chains<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Chains are lists of rules applied at specific points along a packet's path. 
Rules are evaluated <strong>from top to bottom<\/strong>; the first rule that matches and has a terminating target (for example ACCEPT, DROP or REJECT) decides the packet's fate, while a non-terminating target such as LOG lets evaluation continue with the next rule. If no rule matches, the chain's default policy applies.<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Chain<\/th><th>Applies to<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td><code>INPUT<\/code><\/td><td>Incoming packets<\/td><td>Packets addressed to the local system itself<\/td><\/tr><tr><td><code>OUTPUT<\/code><\/td><td>Outgoing packets<\/td><td>Packets generated by the local system<\/td><\/tr><tr><td><code>FORWARD<\/code><\/td><td>Packets in transit<\/td><td>Packets passing through the system (router\/gateway)<\/td><\/tr><tr><td><code>PREROUTING<\/code><\/td><td>Before routing<\/td><td>Before deciding whether the packet is local or is to be forwarded<\/td><\/tr><tr><td><code>POSTROUTING<\/code><\/td><td>After routing<\/td><td>Just before the packet leaves the system<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Objetivos_targets\"><\/span>Targets<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Target<\/th><th>Effect<\/th><\/tr><\/thead><tbody><tr><td><code>ACCEPT<\/code><\/td><td>Lets the packet through<\/td><\/tr><tr><td><code>DROP<\/code><\/td><td>Discards the packet silently (no reply to the sender)<\/td><\/tr><tr><td><code>REJECT<\/code><\/td><td>Discards the packet and sends an ICMP error (or a TCP reset) to the sender<\/td><\/tr><tr><td><code>LOG<\/code><\/td><td>Logs the packet to syslog and continues evaluating rules (non-terminating)<\/td><\/tr><tr><td><code>RETURN<\/code><\/td><td>Returns to the chain that called the current chain; in a built-in chain, the chain policy applies<\/td><\/tr><tr><td><code>MASQUERADE<\/code><\/td><td>Dynamic NAT (nat table only)<\/td><\/tr><tr><td><code>DNAT<\/code><\/td><td>Changes the destination IP\/port (nat table only)<\/td><\/tr><tr><td><code>SNAT<\/code><\/td><td>Changes the source IP\/port (nat table only)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Flujo_de_paquetes\"><\/span>Packet flow<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Understanding the exact order in which a packet traverses the tables and chains is critical for writing correct rules. Note that for locally generated packets the nat:OUTPUT chain is consulted before filter:OUTPUT:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Incoming packet\n       \u2193\nraw:PREROUTING \u2192 mangle:PREROUTING \u2192 nat:PREROUTING (DNAT)\n       \u2193\n  Destined to this host?\n   \u2199                          \u2198\nYES (local)                 NO (forward)\n   \u2193                          \u2193\nmangle:INPUT             mangle:FORWARD\nfilter:INPUT             filter:FORWARD\n   \u2193                          \u2193\nLocal process            mangle:POSTROUTING\n   \u2193                     nat:POSTROUTING (SNAT\/MASQUERADE) \u2192 Out\nraw:OUTPUT\nmangle:OUTPUT\nnat:OUTPUT\nfilter:OUTPUT\n   \u2193\nmangle:POSTROUTING \u2192 nat:POSTROUTING (SNAT\/MASQUERADE) \u2192 Out<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\u26a0\ufe0f <strong>Important:<\/strong> NAT (DNAT\/MASQUERADE) is only applied to the <em>first packet<\/em> of a connection. 
Subsequent packets of the same connection are handled automatically by conntrack, without going through the NAT rules again.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Instalacion_y_verificacion\"><\/span>Installation and verification<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># Ubuntu\/Debian\nsudo apt update &amp;&amp; sudo apt install iptables iptables-persistent -y\n\n# Check the version (the suffix shows the backend: nf_tables or legacy)\niptables --version\n\n# Show active rules (with counters, no DNS lookups, with line numbers)\nsudo iptables -L -n -v --line-numbers\n\n# Show the NAT table\nsudo iptables -t nat -L -n -v<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code># CentOS\/RHEL\/Rocky Linux\nsudo dnf install iptables-services -y\nsudo systemctl enable --now iptables\n\n# Disable firewalld if it is active (two tools must not manage the ruleset at the same time)\nsudo systemctl stop firewalld\nsudo systemctl disable firewalld<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Comandos_basicos\"><\/span>Basic commands<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Sintaxis_general\"><\/span>General syntax<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>iptables [-t table] ACTION CHAIN [match criteria] -j TARGET<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Action<\/th><th>Meaning<\/th><\/tr><\/thead><tbody><tr><td><code>-A<\/code><\/td><td>Append: add a rule at the end of the chain<\/td><\/tr><tr><td><code>-I<\/code><\/td><td>Insert: insert at a given position (default: 
1)<\/td><\/tr><tr><td><code>-D<\/code><\/td><td>Delete: remove a rule<\/td><\/tr><tr><td><code>-R<\/code><\/td><td>Replace: replace the rule at a given position<\/td><\/tr><tr><td><code>-L<\/code><\/td><td>List: list rules<\/td><\/tr><tr><td><code>-F<\/code><\/td><td>Flush: remove all rules from a chain<\/td><\/tr><tr><td><code>-N<\/code><\/td><td>New: create a user-defined chain<\/td><\/tr><tr><td><code>-X<\/code><\/td><td>Delete chain: remove an empty user-defined chain<\/td><\/tr><tr><td><code>-P<\/code><\/td><td>Policy: set the default policy<\/td><\/tr><tr><td><code>-Z<\/code><\/td><td>Zero: reset the packet and byte counters<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Listar_reglas\"><\/span>List rules<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Full listing with counters, no DNS lookups, with line numbers\nsudo iptables -L -n -v --line-numbers\n\n# INPUT chain only\nsudo iptables -L INPUT -n -v --line-numbers\n\n# Show the rules as executable commands (ideal for scripts)\nsudo iptables -S\n\n# Show the NAT table\nsudo iptables -t nat -L -n -v --line-numbers\n\n# Show every table\nfor TABLE in filter nat mangle raw security; do\n  echo \"=== Table: $TABLE ===\"\n  sudo iptables -t \"$TABLE\" -L -n --line-numbers\ndone<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Gestionar_reglas\"><\/span>Manage rules<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Append at the end (-A)\nsudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT\n\n# Insert at position 1 (-I): highest priority\nsudo iptables -I INPUT 1 -s 10.0.0.5 -j ACCEPT\n\n# Insert at position 5\nsudo iptables -I INPUT 5 -p tcp --dport 80 -j ACCEPT\n\n# Delete by exact specification\nsudo iptables -D INPUT -p tcp --dport 80 -j ACCEPT\n\n# Delete by line number (safer)\nsudo iptables -D INPUT 3\n\n# Check whether a rule exists without applying it (-C = check)\nsudo iptables -C INPUT -p tcp --dport 80 -j ACCEPT\necho $?  # 0 = exists, 1 = does not exist\n\n# Flush a specific chain\nsudo iptables -F INPUT\n\n# Full reset (careful in production!)\n# Set the policies to ACCEPT first: flushing while INPUT is DROP removes the SSH rule and locks you out\nsudo iptables -P INPUT ACCEPT\nsudo iptables -P OUTPUT ACCEPT\nsudo iptables -P FORWARD ACCEPT\nsudo iptables -F &amp;&amp; sudo iptables -X\nsudo iptables -t nat -F &amp;&amp; sudo iptables -t mangle -F<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Firewall_basico\"><\/span>Basic firewall<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\ud83d\udea8 <strong>Critical warning:<\/strong> Before setting a DROP policy on INPUT, <strong>always<\/strong> add the SSH rule and the established-connections rule first. Otherwise you will lose access to the server. 
Always have console\/KVM access ready as a fallback.<\/p>\n<\/blockquote>\n\n\n\n<p><strong>Correct order so you do not lock yourself out:<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Allow the loopback interface (<code>lo<\/code>)<\/li>\n\n\n\n<li>Allow already established connections (ESTABLISHED, RELATED)<\/li>\n\n\n\n<li>Drop invalid packets<\/li>\n\n\n\n<li>Allow SSH explicitly<\/li>\n\n\n\n<li>Add the remaining services<\/li>\n\n\n\n<li>Set the DROP policy as the <strong>last step<\/strong><\/li>\n<\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n# firewall-basico.sh: web server with SSH\n\n# 1. Loopback: always first\nsudo iptables -A INPUT -i lo -j ACCEPT\nsudo iptables -A OUTPUT -o lo -j ACCEPT\n\n# 2. Already established connections: avoids cutting active sessions\nsudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# 3. Drop invalid packets (before the other rules)\nsudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP\n\n# 4. SSH\nsudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT\n\n# 5. HTTP and HTTPS\nsudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT\nsudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT\n\n# 6. ICMP (ping) with rate limiting; pings over the limit fall through to the DROP policy\nsudo iptables -A INPUT -p icmp --icmp-type echo-request \\\n  -m limit --limit 1\/s --limit-burst 5 -j ACCEPT\n\n# 7. Default policy: LAST STEP\nsudo iptables -P INPUT DROP\nsudo iptables -P FORWARD DROP\nsudo iptables -P OUTPUT ACCEPT\n\necho \"\u2713 Basic firewall configured\"<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Coincidencias_avanzadas\"><\/span>Advanced matches<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Puertos_y_protocolos\"><\/span>Ports and protocols<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Single port\niptables -A INPUT -p tcp --dport 3306 -j ACCEPT   # MySQL\niptables -A INPUT -p udp --dport 53 -j ACCEPT      # DNS\n\n# Port range\niptables -A INPUT -p tcp --dport 8000:8999 -j ACCEPT\n\n# Multiple ports (multiport module, up to 15 ports)\niptables -A INPUT -p tcp -m multiport \\\n  --dports 80,443,8080,8443 -j ACCEPT\n\n# Source port range (syntax example only: the client picks its own source port, so this is not an access control)\niptables -A INPUT -p tcp --sport 1024:65535 -j ACCEPT<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"IPs_y_subredes\"><\/span>IPs and subnets<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Specific source IP\niptables -A INPUT -s 192.168.1.100 -j ACCEPT\n\n# Whole subnet\niptables -A INPUT -s 10.0.0.0\/8 -j ACCEPT\n\n# Negation (everything except this IP; the ! goes before the option)\niptables -A INPUT ! -s 
192.168.1.100 -p tcp --dport 3306 -j DROP\n\n# IP range (iprange module)\niptables -A INPUT -m iprange \\\n  --src-range 192.168.1.10-192.168.1.20 -j ACCEPT<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Seguimiento_de_conexiones_stateful_firewall\"><\/span>Connection tracking (stateful firewall)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The <code>conntrack<\/code> module lets you write rules based on the state of a TCP\/UDP connection:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>State<\/th><th>Description<\/th><th>Typical action<\/th><\/tr><\/thead><tbody><tr><td><code>NEW<\/code><\/td><td>First packet of a new connection (e.g. a TCP SYN)<\/td><td>Evaluate the access rules<\/td><\/tr><tr><td><code>ESTABLISHED<\/code><\/td><td>Belongs to a connection that is already being tracked<\/td><td>Always ACCEPT<\/td><\/tr><tr><td><code>RELATED<\/code><\/td><td>New connection related to an existing one (e.g. FTP data)<\/td><td>Generally ACCEPT<\/td><\/tr><tr><td><code>INVALID<\/code><\/td><td>Does not fit any known connection; possible attack<\/td><td>Always DROP<\/td><\/tr><tr><td><code>UNTRACKED<\/code><\/td><td>Excluded from tracking with NOTRACK in the raw table<\/td><td>Per policy<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code># Modern form with conntrack (recommended)\niptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\niptables -A INPUT -m conntrack --ctstate INVALID -j DROP\n\n# Classic form with state (equivalent, older)\niptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n\n# List the connections currently tracked (requires the conntrack-tools package)\nsudo conntrack -L\n\n# Tracking statistics: when count reaches max, new connections are dropped (\"nf_conntrack: table full\")\ncat \/proc\/sys\/net\/netfilter\/nf_conntrack_count\ncat \/proc\/sys\/net\/netfilter\/nf_conntrack_max<\/code><\/pre>\n\n\n\n<h3 
class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Rate_limiting_limitacion_de_tasa\"><\/span>Rate limiting<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># limit module: --limit (average rate) and --limit-burst (initial burst)\n# Packets over the limit do not match the rule and fall through to the next rule or the chain policy\n\n# Limit pings to 1 per second (initial burst of 5)\niptables -A INPUT -p icmp --icmp-type echo-request \\\n  -m limit --limit 1\/s --limit-burst 5 -j ACCEPT\n\n# Limit new HTTP connections (25\/min, burst of 100)\niptables -A INPUT -p tcp --dport 80 \\\n  -m conntrack --ctstate NEW \\\n  -m limit --limit 25\/min --limit-burst 100 -j ACCEPT\n\n# connlimit module: limits simultaneous connections per IP\n# Reject if a single IP holds more than 50 simultaneous HTTP connections\niptables -A INPUT -p tcp --dport 80 \\\n  -m connlimit --connlimit-above 50 -j REJECT\n\n# Limit simultaneous SSH connections to 3 per IP\niptables -A INPUT -p tcp --dport 22 \\\n  -m connlimit --connlimit-above 3 -j REJECT --reject-with tcp-reset<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Coincidencia_por_interfaz_y_MAC\"><\/span>Matching by interface and MAC<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># By input\/output interface\niptables -A INPUT -i eth0 -j ACCEPT\niptables -A OUTPUT -o eth1 -j ACCEPT\n\n# By MAC address (only meaningful on the local L2 segment: the source MAC is rewritten at every router hop)\niptables -A INPUT -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT\niptables -A INPUT -m mac --mac-source AA:BB:CC:DD:EE:FF -j DROP\n\n# Time-based rules (time module; times are interpreted in UTC unless --kerneltz is given)\niptables -A INPUT -p tcp --dport 22 \\\n  -m time --weekdays Mon,Tue,Wed,Thu,Fri \\\n  --timestart 09:00 --timestop 18:00 -j ACCEPT<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"NAT_Network_Address_Translation\"><\/span>NAT: Network Address Translation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"MASQUERADE_%E2%80%94_compartir_conexion_a_internet\"><\/span>MASQUERADE: sharing an internet connection<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>MASQUERADE is dynamic SNAT: it replaces the source IP with the address of the outgoing interface, looked up for each new connection. Ideal when your public IP can change.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># 1. Enable IP forwarding (mandatory for NAT)\nsudo sysctl -w net.ipv4.ip_forward=1\necho \"net.ipv4.ip_forward=1\" | sudo tee -a \/etc\/sysctl.d\/99-forwarding.conf\nsudo sysctl -p \/etc\/sysctl.d\/99-forwarding.conf\n\n# 2. MASQUERADE on the public interface (eth0)\nsudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE\n\n# 3. Allow forwarding from the internal network (eth1) to the internet (eth0)\nsudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT\nsudo iptables -A FORWARD -i eth0 -o eth1 \\\n  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n\n# Alternative: SNAT with a fixed IP (more efficient than MASQUERADE)\nsudo iptables -t nat -A POSTROUTING -o eth0 \\\n  -j SNAT --to-source 203.0.113.10<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"DNAT_%E2%80%94_reenvio_de_puertos\"><\/span>DNAT: port forwarding<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># External port 80 \u2192 internal web server (192.168.1.10:80)\nsudo iptables -t nat -A PREROUTING \\\n  -i eth0 -p tcp --dport 80 \\\n  -j DNAT --to-destination 192.168.1.10:80\n\n# External port 2222 \u2192 SSH on an internal server (port 22)\nsudo iptables -t nat -A PREROUTING \\\n  -i eth0 -p tcp --dport 2222 \\\n  -j DNAT --to-destination 192.168.1.5:22\n\n# External port 443 \u2192 internal load balancer\nsudo iptables -t nat -A PREROUTING \\\n  -i eth0 -p tcp --dport 443 \\\n  -j DNAT --to-destination 192.168.1.100:443\n\n# Allow the forwarded traffic in FORWARD (its policy is DROP in the basic firewall);\n# in production, narrow this to the DNAT targets and ports instead of the whole subnet\nsudo iptables -A FORWARD \\\n  -d 192.168.1.0\/24 -m conntrack --ctstate NEW -j ACCEPT\n\n# Local redirect: port 80 \u2192 application on 8080\nsudo iptables -t nat -A PREROUTING -p tcp --dport 80 \\\n  -j REDIRECT --to-ports 8080\nsudo iptables -t nat -A OUTPUT -p tcp --dport 80 \\\n  -j REDIRECT --to-ports 8080<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Registro_de_eventos_logging\"><\/span>Event logging<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># Recommended pattern: a user-defined logging chain\nsudo iptables -N LOG_AND_DROP\nsudo iptables -A LOG_AND_DROP \\\n  -m limit --limit 5\/min --limit-burst 10 \\\n  -j LOG --log-prefix \"iptables-DROP: \" --log-level 6\nsudo iptables -A LOG_AND_DROP -j DROP\n\n# Use the logging chain\nsudo iptables -A INPUT -p tcp --dport 23 -j LOG_AND_DROP   # Telnet\nsudo iptables -A INPUT -m conntrack --ctstate INVALID -j LOG_AND_DROP\n\n# Log new SSH connections (without blocking): LOG is non-terminating, so the following rules still apply\nsudo iptables -A INPUT -p tcp --dport 22 \\\n  -m conntrack --ctstate NEW \\\n  -j LOG --log-prefix \"SSH-NEW: \" --log-level 6\n\n# Log levels: 0=emerg, 1=alert, 2=crit, 3=err,\n#             4=warning, 5=notice, 6=info, 7=debug\n\n# Watch the logs in real time\nsudo tail -f \/var\/log\/kern.log | grep iptables\nsudo journalctl -f -k | grep iptables-DROP<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Hardening_proteccion_contra_ataques\"><\/span>Hardening: protection against attacks<span 
class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># \u2500\u2500 Malformed TCP packets \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\n# NULL scan (all flags 0 \u2014 never valid TCP, a port-scan signature)\niptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP\n\n# XMAS scan (all flags set)\niptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP\n\n# SYN+FIN (invalid combination in TCP)\niptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP\n\n# SYN+RST (invalid combination in TCP)\niptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP\n\n# \u2500\u2500 Anti-spoofing on the public interface (eth0) \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n# Packets claiming a private or reserved source address cannot legitimately\n# arrive from the internet; this complements the kernel reverse-path check\n# (net.ipv4.conf.all.rp_filter=1)\niptables -A INPUT -i eth0 -s 10.0.0.0\/8 -j DROP\niptables -A INPUT -i eth0 -s 172.16.0.0\/12 -j DROP\niptables -A INPUT -i eth0 -s 192.168.0.0\/16 -j DROP\niptables -A INPUT -i eth0 -s 127.0.0.0\/8 -j DROP\niptables -A INPUT -i eth0 -s 169.254.0.0\/16 -j DROP   # APIPA\niptables -A INPUT -i eth0 -s 224.0.0.0\/4 -j DROP      # Multicast\niptables -A INPUT -i eth0 -s 240.0.0.0\/5 -j DROP      # Reserved\n\n# \u2500\u2500 SYN flood \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n# Enable SYN cookies in the kernel (the most effective defence)\nsysctl -w net.ipv4.tcp_syncookies=1\n\n# Complement with iptables: a dedicated chain that RETURNs while within the\n# rate and drops the excess. Do not use -j ACCEPT here: accepting every SYN\n# within the rate would open every port regardless of the rules that follow\niptables -N SYN_FLOOD\niptables -A SYN_FLOOD -m limit --limit 10\/s --limit-burst 20 -j RETURN\niptables -A SYN_FLOOD -j DROP\niptables -A INPUT -p tcp --syn -j SYN_FLOOD\n\n# \u2500\u2500 Invalid packets 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\niptables -A INPUT -m conntrack --ctstate INVALID -j DROP<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Proteccion_anti-DDoS\"><\/span>Anti-DDoS protection<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># \u2500\u2500 HTTP flood \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n# Limit new connections: max 20 per IP in 10 seconds. The --set rule records\n# the source and does not terminate; --update then matches once the same IP\n# has been seen --hitcount times within the window (--hitcount cannot exceed\n# the xt_recent ip_pkt_list_tot module parameter, 20 by default)\niptables -A INPUT -p tcp --dport 80 \\\n  -m conntrack --ctstate NEW \\\n  -m recent --set --name HTTP_FLOOD\n\niptables -A INPUT -p tcp --dport 80 \\\n  -m conntrack --ctstate NEW \\\n  -m recent --update --seconds 10 --hitcount 20 --name HTTP_FLOOD \\\n  -j DROP\n\n# Limit simultaneous connections per IP (max 50)\niptables -A INPUT -p tcp --dport 80 \\\n  -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset\n\n# \u2500\u2500 UDP flood \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n# Place these after the ESTABLISHED,RELATED rule so replies to this host's\n# own DNS\/NTP queries are unaffected; the rate then applies to unsolicited UDP\niptables -A INPUT -p udp \\\n  -m limit --limit 100\/s --limit-burst 200 -j ACCEPT\niptables -A INPUT -p udp -j DROP\n\n# \u2500\u2500 ICMP flood 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\niptables -A INPUT -p icmp --icmp-type echo-request \\\n  -m limit --limit 2\/s --limit-burst 10 -j ACCEPT\niptables -A INPUT -p icmp --icmp-type echo-request -j DROP\n\n# \u2500\u2500 Dynamic blacklist with ipset \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n# Far more efficient than one iptables rule per address (hash lookup)\n# Requires: apt install ipset\n\n# Create a set with a 24h timeout per IP\nipset create BLACKLIST hash:ip maxelem 65536 timeout 86400\n# Put this rule near the top of INPUT so listed sources are dropped early\niptables -A INPUT -m set --match-set BLACKLIST src -j DROP\n\n# Add an IP to the blacklist (expires automatically after 24h)\nipset add BLACKLIST 1.2.3.4\n\n# Populate the blacklist from a file, one address per line\nwhile read -r IP; do ipset add BLACKLIST \"$IP\" 2&gt;\/dev\/null; done &lt; ips-maliciosas.txt<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Proteccion_contra_fuerza_bruta_SSH\"><\/span>Protection against SSH brute force<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code># Strategy: block IPs that open 4 or more new SSH connections within 60 seconds\n\n# Step 1: record every new SSH connection attempt\niptables -A INPUT -p tcp --dport 22 \\\n  -m conntrack --ctstate NEW \\\n  -m recent --set --name SSH_BF --rsource\n\n# Step 2: if the same IP has tried \u22654 times in 60s \u2192 LOG and DROP\n# (--update refreshes the entry on every hit, so an IP that keeps retrying\n# stays blocked until it has been quiet for 60 seconds)\niptables -A INPUT -p tcp --dport 22 \\\n  -m conntrack --ctstate NEW \\\n  -m recent --update --seconds 60 --hitcount 4 \\\n  --name SSH_BF --rsource \\\n  -j LOG 
--log-prefix \"SSH-BRUTEFORCE: \" --log-level 6\n\niptables -A INPUT -p tcp --dport 22 \\\n  -m conntrack --ctstate NEW \\\n  -m recent --update --seconds 60 --hitcount 4 \\\n  --name SSH_BF --rsource -j DROP\n\n# Step 3: allow the connections that pass the filter\niptables -A INPUT -p tcp --dport 22 -j ACCEPT\n\n# Show the IPs currently recorded\ncat \/proc\/net\/xt_recent\/SSH_BF\n\n# Clear the list manually\necho \/ | sudo tee \/proc\/net\/xt_recent\/SSH_BF<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\ud83d\udca1 <strong>Complement this with fail2ban<\/strong> for dynamic blocking based on log analysis, which offers more flexibility and supports more services (HTTP, FTP, SMTP, etc.).<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Script_completo_de_produccion\"><\/span>Complete production script<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>A ready-to-use script for a Linux web server in production, incorporating all the good practices from this guide:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n# production-firewall.sh \u2014 Production firewall for Blumhost\n# Usage: sudo bash production-firewall.sh\n# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n\nset -e\n\nEXT_IF=\"eth0\"       # Public interface\nSSH_PORT=\"22\"       # Change this if you use another port\nADMIN_IP=\"\"         # Admin IP (empty = allow everyone, with brute-force protection)\n\necho \"&#91;*] 
Configuring production firewall...\"\n\n# \u2500\u2500 Clean reset \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\niptables -F; iptables -X\niptables -t nat -F; iptables -t nat -X\niptables -t mangle -F; iptables -t raw -F\n\n# \u2500\u2500 Default policies \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n# NOTE: if the script aborts (set -e) before the ESTABLISHED rule below is\n# added, the host is left with policy DROP and no rules; run it from a\n# console or with a rollback scheduled\niptables -P INPUT DROP\niptables -P FORWARD DROP\niptables -P OUTPUT ACCEPT\n\n# \u2500\u2500 Loopback \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\niptables -A INPUT -i lo -j ACCEPT\niptables -A OUTPUT -o lo -j ACCEPT\n\n# \u2500\u2500 Established connections \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\niptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\niptables -A INPUT -m conntrack --ctstate INVALID -j DROP\n\n# \u2500\u2500 Anti-spoofing \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nfor NET in 10.0.0.0\/8 172.16.0.0\/12 192.168.0.0\/16 127.0.0.0\/8 169.254.0.0\/16; do\n  iptables -A INPUT -i \"$EXT_IF\" -s \"$NET\" -j DROP\ndone\n\n# \u2500\u2500 Malformed TCP 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\niptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP\niptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP\niptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP\niptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP\n\n# \u2500\u2500 SYN flood \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n# Dedicated chain: RETURN while within the rate, DROP the excess. An ACCEPT\n# here would open every port to SYNs within the rate, bypassing the rules below\niptables -N SYN_FLOOD\niptables -A SYN_FLOOD -m limit --limit 10\/s --limit-burst 20 -j RETURN\niptables -A SYN_FLOOD -j DROP\niptables -A INPUT -p tcp --syn -j SYN_FLOOD\n\n# \u2500\u2500 SSH \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nif &#91; -n \"$ADMIN_IP\" ]; then\n  # Only from the administration IP\n  iptables -A INPUT -p tcp --dport \"$SSH_PORT\" -s \"$ADMIN_IP\" -j ACCEPT\nelse\n  # Anti-brute-force protection for general access\n  iptables -A INPUT -p tcp --dport \"$SSH_PORT\" \\\n    -m conntrack --ctstate NEW -m recent --set --name SSH_BF\n  iptables -A INPUT -p tcp --dport \"$SSH_PORT\" \\\n    -m conntrack --ctstate NEW \\\n    -m recent --update --seconds 60 --hitcount 4 --name SSH_BF -j DROP\n  iptables -A INPUT -p tcp --dport \"$SSH_PORT\" -j ACCEPT\nfi\n\n# \u2500\u2500 HTTP\/HTTPS 
\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n# Per-IP cap first (max 50 simultaneous connections), then a global rate\n# limit on new connections; the excess falls through to the LOG and the DROP policy\niptables -A INPUT -p tcp -m multiport --dports 80,443 \\\n  -m connlimit --connlimit-above 50 -j REJECT\niptables -A INPUT -p tcp -m multiport --dports 80,443 \\\n  -m conntrack --ctstate NEW \\\n  -m limit --limit 60\/s --limit-burst 120 -j ACCEPT\n\n# \u2500\u2500 ICMP \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\niptables -A INPUT -p icmp --icmp-type echo-request \\\n  -m limit --limit 2\/s --limit-burst 10 -j ACCEPT\n\n# \u2500\u2500 Log blocked packets \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\niptables -A INPUT \\\n  -m limit --limit 5\/min --limit-burst 10 \\\n  -j LOG --log-prefix \"iptables-DROP: \" --log-level 6\n\n# \u2500\u2500 Save rules \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\nif command -v netfilter-persistent &amp;&gt;\/dev\/null; then\n  netfilter-persistent save\nelse\n  mkdir -p \/etc\/iptables\n  iptables-save &gt; \/etc\/iptables\/rules.v4\nfi\n\necho \"&#91;\u2713] Firewall configured and saved\"\necho \"&#91;i] Verify with: sudo iptables -L -n -v --line-numbers\"<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 
class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Guardar_y_restaurar_reglas\"><\/span>Saving and restoring rules<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>iptables rules are volatile by default: they live in memory and are lost on reboot. You must save them explicitly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"UbuntuDebian\"><\/span>Ubuntu\/Debian<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Install iptables-persistent\nsudo apt install iptables-persistent -y\n\n# Save the current rules\nsudo netfilter-persistent save\n# They are stored in: \/etc\/iptables\/rules.v4 and rules.v6\n\n# Reload manually\nsudo netfilter-persistent reload\n\n# Save manually (the redirection must also run as root, hence tee)\nsudo iptables-save | sudo tee \/etc\/iptables\/rules.v4 &gt;\/dev\/null\nsudo ip6tables-save | sudo tee \/etc\/iptables\/rules.v6 &gt;\/dev\/null\n\n# Restore manually\nsudo iptables-restore &lt; \/etc\/iptables\/rules.v4<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"CentOSRHELRocky_Linux\"><\/span>CentOS\/RHEL\/Rocky Linux<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Save rules (requires the iptables-services package)\nsudo service iptables save\n# Or directly:\nsudo iptables-save | sudo tee \/etc\/sysconfig\/iptables &gt;\/dev\/null\n\n# Restore\nsudo systemctl restart iptables\n\n# Check that it loads automatically at boot\nsudo systemctl is-enabled iptables<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Backup_automatizado_cron\"><\/span>Automated backup (cron)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n# backup-iptables.sh\nBACKUP_DIR=\"\/root\/iptables-backups\"\nmkdir -p \"$BACKUP_DIR\"\niptables-save &gt; \"$BACKUP_DIR\/iptables-$(date +%Y%m%d-%H%M%S).rules\"\n# Keep only the last 30 days\nfind \"$BACKUP_DIR\" -name \"iptables-*.rules\" -mtime +30 -delete<\/code><\/pre>\n\n\n\n<p>Add it to cron (<code>crontab -e<\/code>):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>0 2 * * * \/root\/backup-iptables.sh<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Troubleshooting\"><\/span>Troubleshooting<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\ud83d\udea8 <strong>Locked out of SSH?<\/strong> Log in through the KVM\/VNC console and run <code>sudo iptables -F &amp;&amp; sudo iptables -P INPUT ACCEPT<\/code> to reset the firewall.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Diagnostico_general\"><\/span>General diagnostics<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Show rules with counters (are they being hit?)\nsudo iptables -L -n -v --line-numbers\n\n# Zero the counters and test again\nsudo iptables -Z\n# ... generate test traffic ...\nsudo iptables -L -n -v\n\n# Check whether a rule exists without applying it\nsudo iptables -C INPUT -p tcp --dport 80 -j ACCEPT\necho $?  
# 0 = exists, 1 = does not exist\n\n# Trace a packet through all the rules\nsudo iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE\nsudo journalctl -f -k | grep TRACE\n# With the nftables backend (iptables-nft, the default on recent Debian\/Ubuntu)\n# the trace is not written to the kernel log; read it with: sudo nft monitor trace\n# Remove the trace when you are done:\nsudo iptables -t raw -D PREROUTING -p tcp --dport 80 -j TRACE\n\n# Capture traffic to confirm it arrives\nsudo tcpdump -i eth0 -n port 80\n\n# Is the service listening?\nss -tlnp | grep :80<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Problemas_de_conntrack\"><\/span>conntrack problems<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-code\"><code># Show the connections currently being tracked\nsudo conntrack -L 2&gt;\/dev\/null | head -20\n\n# Check whether the conntrack table is full (a common cause of failures;\n# the kernel log then shows \"nf_conntrack: table full, dropping packet\")\ncat \/proc\/sys\/net\/netfilter\/nf_conntrack_count\ncat \/proc\/sys\/net\/netfilter\/nf_conntrack_max\n\n# If count \u2248 max, raise the limit\nsudo sysctl -w net.netfilter.nf_conntrack_max=262144\necho \"net.netfilter.nf_conntrack_max=262144\" | sudo tee -a \/etc\/sysctl.d\/99-conntrack.conf<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Checklist_de_diagnostico\"><\/span>Diagnostic checklist<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Is the service listening? \u2192 <code>ss -tlnp | grep :PORT<\/code><\/li>\n\n\n\n<li>Does the packet reach the server? \u2192 <code>tcpdump -i eth0 port PORT<\/code><\/li>\n\n\n\n<li>Are the rules processed in the right order? \u2192 <code>iptables -L --line-numbers<\/code><\/li>\n\n\n\n<li>Do the counters increase? \u2192 <code>iptables -L -v -n<\/code> after the test<\/li>\n\n\n\n<li>Is the conntrack table full? \u2192 Compare count vs max<\/li>\n\n\n\n<li>Is ip_forward enabled (if it acts as a router)? 
\u2192 <code>sysctl net.ipv4.ip_forward<\/code><\/li>\n\n\n\n<li>Is Docker interfering? \u2192 Check the DOCKER and DOCKER-USER chains<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"iptables_vs_nftables_vs_UFW\"><\/span>iptables vs nftables vs UFW<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th><\/th><th>iptables<\/th><th>nftables<\/th><th>UFW<\/th><\/tr><\/thead><tbody><tr><td><strong>Availability<\/strong><\/td><td>Universal<\/td><td>Linux 3.13+<\/td><td>Ubuntu\/Debian<\/td><\/tr><tr><td><strong>Syntax<\/strong><\/td><td>Verbose, familiar<\/td><td>Clean and unified<\/td><td>Very simple<\/td><\/tr><tr><td><strong>IPv4 + IPv6<\/strong><\/td><td>Separate commands<\/td><td>A single rule<\/td><td>Automatic<\/td><\/tr><tr><td><strong>Performance<\/strong><\/td><td>Good<\/td><td>Better<\/td><td>Same as iptables<\/td><\/tr><tr><td><strong>Advanced NAT<\/strong><\/td><td>\u2713 Full<\/td><td>\u2713 Full<\/td><td>\u2717 Limited<\/td><\/tr><tr><td><strong>Legacy scripts<\/strong><\/td><td>\u2713 Compatible<\/td><td>\u2717 Incompatible<\/td><td>\u2717<\/td><\/tr><tr><td><strong>Documentation<\/strong><\/td><td>Massive<\/td><td>Growing<\/td><td>Basic<\/td><\/tr><tr><td><strong>Learning curve<\/strong><\/td><td>Medium<\/td><td>Medium-high<\/td><td>Low<\/td><\/tr><tr><td><strong>Recommended for<\/strong><\/td><td>Production, existing systems<\/td><td>New projects<\/td><td>Desktops, quick tests<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>\ud83d\udca1 <strong>Recommendation:<\/strong> Use <strong>iptables<\/strong> if you have existing infrastructure or need maximum compatibility. 
For new projects, consider migrating directly to <strong>nftables<\/strong>. Avoid UFW on production servers with complex networking needs.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Preguntas_frecuentes\"><\/span>Frequently asked questions<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%C2%BFCual_es_la_diferencia_entre_DROP_y_REJECT\"><\/span>What is the difference between DROP and REJECT?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p><strong>DROP<\/strong> discards the packet silently: the sender gets no reply and has to wait for the connection timeout. <strong>REJECT<\/strong> sends an ICMP error message (\"port unreachable\" by default) back to the sender.<\/p>\n\n\n\n<p>DROP is preferable on the public internet: it reveals no information about the network topology and makes port scanning harder. REJECT is better suited to internal networks, where legitimate clients need to learn quickly that access is denied, without waiting for timeouts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%C2%BFPor_que_mis_reglas_desaparecen_tras_reiniciar\"><\/span>Why do my rules disappear after a reboot?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>iptables rules are volatile by default: they live in kernel memory. To make them persistent, on Ubuntu\/Debian install <code>iptables-persistent<\/code> and run <code>sudo netfilter-persistent save<\/code>. On CentOS\/RHEL use <code>sudo service iptables save<\/code>. 
Check that the service is enabled at boot with <code>systemctl is-enabled iptables<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%C2%BFAfectan_las_reglas_de_iptables_al_trafico_IPv6\"><\/span>Do iptables rules affect IPv6 traffic?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>No. iptables only handles IPv4. For IPv6 there is <code>ip6tables<\/code>, with identical syntax. You must configure both separately: a host with a public IPv6 address and no ip6tables rules is reachable over IPv6 regardless of its IPv4 rules. On modern distributions with the nftables backend (Ubuntu 22.04+) there is the option of unifying them in a single ruleset.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%C2%BFEs_compatible_iptables_con_Docker\"><\/span>Is iptables compatible with Docker?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Yes, but with precautions. Docker modifies the iptables rules automatically (the DOCKER, DOCKER-USER and DOCKER-ISOLATION-* chains) to manage container networking. If you add rules in INPUT that block traffic, they may not affect the containers, because Docker uses DNAT and FORWARD.<\/p>\n\n\n\n<p>To apply rules to containers, add them to the <strong>DOCKER-USER<\/strong> chain, which Docker honours and does not overwrite across restarts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%C2%BFComo_se_si_una_regla_esta_funcionando\"><\/span>How do I know whether a rule is working?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Use <code>sudo iptables -L -n -v --line-numbers<\/code>. The <strong>pkts<\/strong> column shows how many packets have matched each rule. 
If the counter is still 0 after generating test traffic, the rule is not being reached: check the order (rules are processed top to bottom and the first match wins) or the match criteria.<\/p>\n\n\n\n<p>Use <code>sudo iptables -Z<\/code> to zero all counters before your test, and the <code>-t raw -j TRACE<\/code> target to trace individual packets.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%C2%BFQue_pasa_si_bloqueo_todo_y_pierdo_el_acceso_SSH\"><\/span>What if I block everything and lose SSH access?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Log in to the server through the <strong>KVM or VNC console<\/strong> (available in the Blumhost panel) and run:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo iptables -F\nsudo iptables -P INPUT ACCEPT<\/code><\/pre>\n\n\n\n<p>This resets all the rules and restores access. To keep it from happening, always test changes with a script that reverts the rules automatically after a while unless you confirm them:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Schedule a rollback to the known-good rules in 60 seconds\n(sleep 60 &amp;&amp; iptables-restore &lt; \/root\/reglas-buenas.txt) &amp;\nROLLBACK=$!\n# Apply the new rules\niptables-restore &lt; \/root\/nuevas-reglas.txt\n# If you still have access, cancel the rollback to confirm the new rules\nkill $ROLLBACK<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>iptables is the user-space tool for configuring the Linux kernel's netfilter framework. It acts as a firewall, controlling the inbound, outbound and forwarded traffic of any Linux server. 
It has been the de facto standard for more than two decades&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[65,66],"tags":[],"class_list":["post-420","post","type-post","status-publish","format-standard","hentry","category-soporte-y-ayuda","category-tutoriales"],"yoast_head":"<title>iptables: Gu\u00eda Completa 2026 \u2014 Comandos, Reglas y Seguridad en Linux - Blog de BlumHost<\/title>\n<meta name=\"description\" content=\"Gu\u00eda definitiva de iptables en Linux: instalaci\u00f3n, tablas, cadenas, reglas de firewall, NAT, protecci\u00f3n anti-DDoS y scripts listos para producci\u00f3n. Con ejemplos reales para servidores web y VPS.\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blumhost.net\/blog\/iptables-guia-completa\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-10T12:52:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-10T18:10:58+00:00\" \/>\n<meta name=\"author\" content=\"Miguel Taboada\" \/>\n"}
Con ejemplos reales para servidores web y VPS.","og_url":"https:\/\/blumhost.net\/blog\/iptables-guia-completa\/","og_site_name":"Blog de BlumHost","article_publisher":"https:\/\/www.facebook.com\/BlumHost","article_published_time":"2026-05-10T12:52:00+00:00","article_modified_time":"2026-05-10T18:10:58+00:00","author":"Miguel Taboada","twitter_card":"summary_large_image","twitter_misc":{"Escrito por":"Miguel Taboada","Tiempo de lectura":"6 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blumhost.net\/blog\/iptables-guia-completa\/#article","isPartOf":{"@id":"https:\/\/blumhost.net\/blog\/iptables-guia-completa\/"},"author":{"name":"Miguel Taboada","@id":"https:\/\/blumhost.net\/blog\/#\/schema\/person\/33aa890af362ded38723fc4c1ef65ee7"},"headline":"iptables: Gu\u00eda Completa 2026 \u2014 Comandos, Reglas y Seguridad en Linux","datePublished":"2026-05-10T12:52:00+00:00","dateModified":"2026-05-10T18:10:58+00:00","mainEntityOfPage":{"@id":"https:\/\/blumhost.net\/blog\/iptables-guia-completa\/"},"wordCount":1613,"commentCount":0,"publisher":{"@id":"https:\/\/blumhost.net\/blog\/#organization"},"articleSection":["Soporte y Ayuda","tutoriales"],"inLanguage":"es","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/blumhost.net\/blog\/iptables-guia-completa\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/blumhost.net\/blog\/iptables-guia-completa\/","url":"https:\/\/blumhost.net\/blog\/iptables-guia-completa\/","name":"iptables: Gu\u00eda Completa 2026 \u2014 Comandos, Reglas y Seguridad en Linux - Blog de BlumHost","isPartOf":{"@id":"https:\/\/blumhost.net\/blog\/#website"},"datePublished":"2026-05-10T12:52:00+00:00","dateModified":"2026-05-10T18:10:58+00:00","description":"Gu\u00eda definitiva de iptables en Linux: instalaci\u00f3n, tablas, cadenas, reglas de firewall, NAT, protecci\u00f3n anti-DDoS y scripts listos para producci\u00f3n. 
Con ejemplos reales para servidores web y VPS.","breadcrumb":{"@id":"https:\/\/blumhost.net\/blog\/iptables-guia-completa\/#breadcrumb"},"inLanguage":"es","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blumhost.net\/blog\/iptables-guia-completa\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blumhost.net\/blog\/iptables-guia-completa\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Portada","item":"https:\/\/blumhost.net\/blog\/"},{"@type":"ListItem","position":2,"name":"iptables: Gu\u00eda Completa 2026 \u2014 Comandos, Reglas y Seguridad en Linux"}]},{"@type":"WebSite","@id":"https:\/\/blumhost.net\/blog\/#website","url":"https:\/\/blumhost.net\/blog\/","name":"Blog de BlumHost","description":"Gu\u00eda completa con consejos pr\u00e1cticos, precios y ventajas reales para tu proyecto.","publisher":{"@id":"https:\/\/blumhost.net\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blumhost.net\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"es"},{"@type":"Organization","@id":"https:\/\/blumhost.net\/blog\/#organization","name":"Blog de BlumHost","url":"https:\/\/blumhost.net\/blog\/","logo":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/blumhost.net\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/blumhost.net\/blog\/wp-content\/uploads\/2025\/05\/cropped-blumhost.webp","contentUrl":"https:\/\/blumhost.net\/blog\/wp-content\/uploads\/2025\/05\/cropped-blumhost.webp","width":240,"height":67,"caption":"Blog de BlumHost"},"image":{"@id":"https:\/\/blumhost.net\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/BlumHost"]},{"@type":"Person","@id":"https:\/\/blumhost.net\/blog\/#\/schema\/person\/33aa890af362ded38723fc4c1ef65ee7","name":"Miguel 
Taboada","image":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/blumhost.net\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/bf9731b74ae636e457ef0ddcebbeb20f37a75f89668501ce0a80767a29e02722?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/bf9731b74ae636e457ef0ddcebbeb20f37a75f89668501ce0a80767a29e02722?s=96&d=mm&r=g","caption":"Miguel Taboada"},"description":"Ingeniero en Telecomunicaciones e Inform\u00e1tica. Cre\u00e9 BlumHost para ofrecer un hosting distinto a los dem\u00e1s, que ofrezca la mejor atenci\u00f3n al cliente, al menor precio y con la mejor calidad.","sameAs":["https:\/\/blumhost.net\/","https:\/\/es.linkedin.com\/in\/miguel-taboada-iglesias"],"url":"https:\/\/blumhost.net\/blog\/author\/miguel\/"}]}},"_links":{"self":[{"href":"https:\/\/blumhost.net\/blog\/wp-json\/wp\/v2\/posts\/420","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blumhost.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blumhost.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blumhost.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blumhost.net\/blog\/wp-json\/wp\/v2\/comments?post=420"}],"version-history":[{"count":4,"href":"https:\/\/blumhost.net\/blog\/wp-json\/wp\/v2\/posts\/420\/revisions"}],"predecessor-version":[{"id":425,"href":"https:\/\/blumhost.net\/blog\/wp-json\/wp\/v2\/posts\/420\/revisions\/425"}],"wp:attachment":[{"href":"https:\/\/blumhost.net\/blog\/wp-json\/wp\/v2\/media?parent=420"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blumhost.net\/blog\/wp-json\/wp\/v2\/categories?post=420"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blumhost.net\/blog\/wp-json\/wp\/v2\/tags?post=420"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}