Thursday, February 5, 2015

iptables examples

In this article we collect iptables examples. iptables places rules into predefined chains (INPUT, OUTPUT and FORWARD). These chains are:
  • INPUT - All packets destined for the host computer.
  • OUTPUT - All packets originating from the host computer.
  • FORWARD - All packets neither destined for nor originating from the host computer, but passing through (routed by) the host computer. This chain is used if you are using your computer as a router. 

iptables examples

Clear existing rules
# iptables -F
Set the default INPUT chain policy
# iptables -P INPUT DROP
Note: if you are connected over remote SSH, set the policy to ACCEPT here instead of DROP, and change it back to DROP only after the rule that allows SSH (below) is in place; otherwise the session is cut off.

FTP

# iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d MY.IP.ADDR --dport 21 -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d MY.IP.ADDR --dport 20 -j ACCEPT

DNS

# iptables -A INPUT -i eth0 -p udp -s 0.0.0.0/0 --sport 1024:65535 -d MY.IP.ADDR --dport 53 -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d MY.IP.ADDR --dport 53 -j ACCEPT

Telnet

# iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d MY.IP.ADDR --dport 23 -j ACCEPT

SSH

# iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 --sport 1024:65535 -d MY.IP.ADDR --dport 22 -j ACCEPT

Email

# iptables -A INPUT -i eth0 -p tcp ! --syn -s EMAIL.NET.IP.ADDR --sport 25 -d MY.IP.ADDR --dport 1024:65535 -j ACCEPT
Note: ! --syn adds a level of security: it confirms that the incoming packet is a reply to a connection we opened ourselves, not a new connection attempt. This rule will therefore not allow inbound email messages to reach the sendmail service on the server.

HTTP/HTTPS

# iptables -A INPUT -i eth0 -p tcp -d MY.IP.ADDR --dport 80 -j ACCEPT
# iptables -A INPUT -i eth0 -p tcp -d MY.IP.ADDR --dport 443 -j ACCEPT

ICMP

# iptables -A INPUT -i eth0 -p icmp -d MY.IP.ADDR -j ACCEPT

DDOS

# iptables -A INPUT -s IP.machine/32 -j DROP
# iptables -A INPUT -s 127.0.0.0/8 -j DROP
# iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
# iptables -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT
# iptables -A INPUT -p tcp -m state --state NEW -m limit --limit 2/second --limit-burst 2 -j ACCEPT
Review and save rules
# iptables -L
# /etc/init.d/iptables save
or
# service iptables save
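The note under "Set the default INPUT chain policy" is easiest to follow as a script that applies the rules above in a lockout-safe order: open the policy, flush, allow SSH, then close the policy. This is an added example, not code from the original post; IPT (defaulting to a dry-run echo), MY_IP and IFACE are assumed placeholder variables.

```shell
#!/bin/sh
# Added example (not from the original post): apply the INPUT rules above in an
# order that cannot cut off the SSH session issuing the commands.
# Assumptions: IPT defaults to "echo iptables" (dry run, prints commands only);
# run with IPT=iptables as root to apply. MY_IP and IFACE are constructed placeholders.
IPT="${IPT:-echo iptables}"
MY_IP="${MY_IP:-192.0.2.10}"
IFACE="${IFACE:-eth0}"

apply_rules() {
    # 1. Open the policy BEFORE flushing: a flush with policy DROP and no rules
    #    would drop every packet, including the remote administrator's SSH.
    $IPT -P INPUT ACCEPT
    $IPT -F

    # 2. Replies to connections this host opened (stateful version of the
    #    "! --syn" idea from the Email rule).
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 3. SSH first, so remote access survives the final policy change.
    $IPT -A INPUT -i "$IFACE" -p tcp -d "$MY_IP" --dport 22 -j ACCEPT

    # 4. The other TCP services from the post (FTP, DNS, HTTP/HTTPS), then UDP DNS.
    for port in 21 20 53 80 443; do
        $IPT -A INPUT -i "$IFACE" -p tcp -d "$MY_IP" --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -i "$IFACE" -p udp -d "$MY_IP" --dport 53 -j ACCEPT

    # 5. Rate-limited ICMP as in the DDOS section; excess falls through to the policy.
    $IPT -A INPUT -p icmp -m limit --limit 2/second --limit-burst 2 -j ACCEPT

    # 6. Only now close the door: anything not matched above is dropped.
    $IPT -P INPUT DROP
}

apply_rules
```

With the default dry run the script only prints the ordered commands, which lets you review the sequence before applying it for real.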

Copyright by: www.linuxoperatingsystem.info http://goo.gl/kMscJ4
