iptables

Frequently Used Linux iptables Rules Examples

sources: wikipedia, geekstuff

by Patrick O'Connor

About:

iptables - Linux kernel firewall, implemented as netfilter modules.

The iptables modules apply to IPv4 and IPv6.
The firewall is made up of "chains" of rules; a packet is checked against the rules of a chain in order, and the first matching rule with a terminal target decides what happens to it.

source: wikipedia.org/wiki/Iptables

CHAINS EXPLAINED:

PREROUTING - before routing
INPUT - locally delivered packets
FORWARD - routed traffic not for local delivery
OUTPUT - packets sent from the machine
POSTROUTING - after routing has been determined

Sample Commands/Interactions:

Show some sample commands
Show some sample interactions with iptables

1. DELETE EXISTING RULES

iptables -F
(or)
iptables --flush

(Flushes the rules of every chain in the filter table; chain policies are left unchanged.)

source: thegeekstuff.com

2. Set default chain policies

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
(Will probably omit the last one.)

(-P sets the policy applied to packets that match no rule in the chain; lower-case -p selects a protocol and is not the same option.)

3. Block a specific IP address

(Block all traffic from the IP address; BLOCKIPADDRESS is a placeholder for the address)

iptables -A INPUT -s BLOCKIPADDRESS -j DROP

(Block only TCP from that address on eth0)

iptables -A INPUT -i eth0 -p tcp -s BLOCKIPADDRESS -j DROP

4. Allow all incoming SSH

(Append a rule for the eth0 interface, TCP protocol, destination port 22, using the state match with state NEW,ESTABLISHED, action ACCEPT)

iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

5. Allow incoming SSH from a specific network

(Allow TCP port 22 from source 192.168.1.0/255.255.255.0, written as 192.168.1.0/24)

iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

6. Allow incoming HTTP and HTTPS

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

7. COMBINE RULES USING MULTIPORT

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

8. ALLOW MAIL TRAFFIC

(SMTP)
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

(IMAPS)
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT

(POP3)
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

9. Prevent DoS attack

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

-m limit: uses the limit match extension.
--limit 25/minute: limits matches to a maximum of 25 connections per minute.
--limit-burst 100: the per-minute limit is only enforced after the total number of connections has reached the limit-burst level; the burst allowance then refills at the --limit rate.

(Note: this rule only ACCEPTs traffic within the limit. Packets above the limit are not dropped by this rule; they fall through to the rules after it and finally to the chain's default policy, so it relies on the DROP policy set in step 2.)

10. Log dropped packets

iptables -N LOGGING

iptables -A INPUT -j LOGGING

iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7

(Append the jump to LOGGING after all of the ACCEPT rules, since rules are evaluated in order. LOG is a non-terminal target: a packet that reaches the end of the LOGGING chain returns to INPUT and is handled by the default policy from step 2.)

SAMPLE (iptables-save / iptables-restore format):

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 172.0.0.0/16 -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.10/32 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
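Because iptables stops at the first terminal match, a rule appended after a catch-all REJECT or DROP (for example an ACCEPT added to the SAMPLE ruleset above after its final "-A INPUT -j REJECT", or the LOGGING jump from step 10 placed after a DROP) can never fire. The following linter for the iptables-save format is an added example written for this page, not code from the original slides or from iptables; the ruleset it checks is a trimmed, constructed copy of the SAMPLE above with one deliberately misplaced SMTP rule.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# Options that take a value and narrow which packets the rule matches.
MATCH_OPTS = {"-s", "-d", "-p", "-i", "-o", "--dport", "--sport",
              "--state", "--icmp-type", "--limit", "--limit-burst"}

def parse_rule(line):
    """Split an '-A CHAIN ... -j TARGET' line into (chain, has_match, target)."""
    tokens = shlex.split(line)
    chain, target, matches, i = tokens[1], None, 0, 2
    while i < len(tokens):
        if tokens[i] == "-j":
            target, i = tokens[i + 1], i + 2
        elif tokens[i] in MATCH_OPTS:
            matches, i = matches + 1, i + 2
        else:  # '!', module names after -m, --reject-with/--log-* values
            i += 1
    return chain, matches > 0, target

def shadowed_rules(save_text):
    """Return (line_no, rule) for each rule appended to a chain after an
    unconditional ACCEPT/DROP/REJECT in that chain (it can never fire)."""
    closed, findings = {}, []
    for n, line in enumerate(save_text.splitlines(), 1):
        if not line.startswith("-A "):
            continue
        chain, has_match, target = parse_rule(line)
        if chain in closed:
            findings.append((n, line))
        elif not has_match and target in TERMINAL:
            closed[chain] = n
    return findings

# Constructed input: a trimmed copy of the page's SAMPLE ruleset plus one SMTP
# rule appended after the catch-all REJECT (the classic "port 25 never opens").
RULESET = """\
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j ACCEPT
COMMIT
"""
```

Running shadowed_rules(RULESET) reports only the port 25 rule, on line 8 of the ruleset; a jump to a user-defined chain such as LOGGING is not terminal and does not close the chain.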

By dontrebootme