IPtable Ruleset
Contents
- 1 IPtable Ruleset
- 1.1 Basic IPtables rulesets
- 1.2 Reject all outgoing network connections
- 1.3 Reject all incoming network connections
- 1.4 Reject all network connections
- 1.5 Drop incoming ping requests
- 1.6 Drop outgoing telnet connections
- 1.7 Reject incoming telnet connections
- 1.8 Reject outgoing ssh connections
- 1.9 Reject incoming ssh connections
- 1.10 Reject all incoming traffic except ssh and local connections
- 1.11 Accept incoming ssh connections from specific IP address
- 1.12 Accept incoming ssh connections from specific MAC address
- 1.13 Reject incoming connections on a specific TCP port
- 1.14 Drop all incoming connections on a specific network interface
- 1.15 Create a simple IP Masquerading
- 1.16 Reject all incoming telnet traffic except specified IP address
- 1.17 Reject all incoming ssh traffic except specified IP address range
- 1.18 Reject all outgoing traffic to a specific remote host
- 1.19 Block an access to a specific website
- 1.20 Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
- 1.21 Allows Ping
- 1.22 Dropping Fragments
- 1.23 Log iptables denied calls
IPtable Ruleset
Basic IPtables rulesets
The following iptables rules should serve as a template for creating more customized rules to fit the desired network environment.
This is NOT a comprehensive guide to iptables. If you are new to iptables please familiarize yourself with netfilter / iptables before you use any of the rules described below. This is especially recommended if you are working on a production server.
Before applying any rule make sure that you know what you are doing! Every rule below is appended (-A) to the end of its chain, so the order in which you enter them matters: the first matching rule wins, and an ACCEPT appended after a REJECT for the same traffic is never reached. All of the rules are IPv4 only; IPv6 traffic is handled by ip6tables and needs its own ruleset.
Rules entered with the iptables command take effect immediately, but they are held only in kernel memory and are lost on reboot. On RHEL / CentOS style systems, save the running ruleset with 'service iptables save' (it is written to /etc/sysconfig/iptables) and reload it with 'service iptables restart'. Be aware that a restart reloads the saved file, so any rule you entered and did not save is discarded by the restart. In a console window as the root user, after saving, enter the following
service iptables restart
If everything goes well you should see something like this
[root@findmoore ~]# service iptables restart
Applying iptables firewall rules: [ OK ]
[root@findmoore ~]#
Reject all outgoing network connections
The second rule allows packets that belong to connections which are already established, so the ssh or telnet session you are logged in through keeps working; everything else the host tries to send is rejected. Add RELATED to the state list if ICMP errors and helper-tracked connections such as FTP data channels should also pass. (-m state is the legacy module; -m conntrack --ctstate is its current equivalent.)
# iptables -F OUTPUT
# iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -j REJECT
Reject all incoming network connections
As above, the second rule keeps your current ssh or telnet session alive, and also lets replies to connections the host itself opens come back in; every new incoming connection is rejected.
# iptables -F INPUT
# iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT
Reject all network connections
NOTE: these rules reject every packet, whether incoming, outgoing or forwarded, including packets of connections that are already established, because the ESTABLISHED exception used in the two previous sections is missing. Run them from the console, never over ssh or telnet, or you will lock yourself out.
# iptables -F
# iptables -A INPUT -j REJECT
# iptables -A OUTPUT -j REJECT
# iptables -A FORWARD -j REJECT
Drop incoming ping requests
This iptables rule will DROP all incoming ping requests (ICMP echo-request).
NOTE: it is possible to use REJECT instead of DROP. The difference is that DROP silently discards the incoming packet, whereas REJECT returns an ICMP error to the sender, which also tells a scanner that a host is present at the address.
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Drop outgoing telnet connections
This iptables rule will refuse (REJECT target) any outgoing TCP connection to port 23 ( telnet ) on any host. Port names such as telnet and ssh are looked up in /etc/services; the numeric port works just as well.
# iptables -A OUTPUT -p tcp --dport telnet -j REJECT
Reject incoming telnet connections
Refuse all incoming connection requests to local port 23 ( telnet ).
# iptables -A INPUT -p tcp --dport telnet -j REJECT
Reject outgoing ssh connections
# iptables -A OUTPUT -p tcp --dport ssh -j REJECT
To allow outgoing ssh instead, replace REJECT with ACCEPT. If the REJECT rule is already loaded, delete it first (iptables -D OUTPUT with the same arguments): an appended ACCEPT sits after it in the chain and would never be reached.
Reject incoming ssh connections
Refuse all incoming connections to local port 22 ( ssh ).
# iptables -A INPUT -p tcp --dport ssh -j REJECT
To accept incoming ssh instead, replace REJECT with ACCEPT, deleting an already loaded REJECT rule first (iptables -D INPUT with the same arguments) for the same reason as above.
Allows SSH connections, rate limited (at most 3 new connections per source IP every 3 minutes; the 4th and later attempts in the window are dropped)
The first rule records the source address of every new connection attempt in the recent list named DEFAULT. The second drops the attempt if that address already has 4 or more entries within the last 180 seconds (the current attempt counts, so the fourth one is dropped); because it uses --update, every further attempt refreshes the timestamp, so a client that keeps retrying stays blocked until it has been quiet for 3 minutes. The third rule accepts whatever got past the limit.
# iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
# iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
# iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
Reject all incoming traffic except ssh and local connections
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECT
Accept incoming ssh connections from specific IP address
Using these iptables rules we block all incoming connections to port 22 ( ssh ) except from the host with IP address 77.66.55.44. In other words, only the host with IP 77.66.55.44 will be able to ssh in. The ACCEPT must be entered before the REJECT.
# iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECT
Accept incoming ssh connections from specific MAC address
Using these iptables rules we block all incoming connections to port 22 ( ssh ) except from the host with MAC address 00:e0:4c:f1:41:6b. In other words, all ssh connections are limited to the single host with MAC address 00:e0:4c:f1:41:6b.
NOTE: the source MAC is only meaningful for hosts on the same Ethernet segment. For traffic that arrives through a router the source MAC is the router's, so this cannot be used to identify remote hosts, and a MAC address is trivially spoofed on the local network anyway.
# iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECT
Reject incoming connections on a specific TCP port
The following iptables rule will refuse all incoming traffic to TCP port 3333 (REJECT, so the client receives an ICMP port-unreachable error instead of a timeout).
# iptables -A INPUT -p tcp --dport 3333 -j REJECT
Drop all incoming connections on a specific network interface
The following rule will drop incoming traffic on a specific network interface that claims to come from the subnet 192.168.0.0/16. This is useful for dropping spoofed source addresses: if eth0 is the external network interface, no incoming traffic with an internal (private) source address should ever arrive on eth0. Add the same rule for the other private ranges (10.0.0.0/8 and 172.16.0.0/12) and for 127.0.0.0/8 if they are not in use on the outside.
# iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
Create a simple IP Masquerading
The following rules create a simple IP Masquerading gateway that allows all hosts on the same subnet to access the Internet. $EXT_IFACE stands for the external interface connected to the Internet (eth0 in this example; set EXT_IFACE=eth0 first or substitute the name). The first line enables IP forwarding for the running kernel only; to keep it across reboots put net.ipv4.ip_forward = 1 in /etc/sysctl.conf. If the FORWARD chain policy is DROP, traffic between the two interfaces must additionally be accepted in the FORWARD chain, or nothing will be routed.
# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE
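The masquerading rule above only rewrites source addresses; on a gateway whose FORWARD policy is DROP the packets also have to be allowed through the FORWARD chain, and the external side should not be able to reach the LAN. The script below is an added example of a complete minimal gateway, not code from the original page. The interface names (eth0 outside, eth1 inside) and the LAN range 192.168.1.0/24 are assumptions; DRY_RUN=1 prints the commands instead of executing them, which is how to review the ruleset before loading it.

```shell
#!/bin/sh
# Added example: a minimal but complete IPv4 masquerading gateway.
# Assumed: eth0 faces the Internet, eth1 faces the LAN, LAN is 192.168.1.0/24.
# Dry run (print only):  DRY_RUN=1 sh nat-gateway.sh apply
# Apply as root:         sh nat-gateway.sh apply
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$@"; else "$@"; fi; }

EXT_IFACE=${EXT_IFACE:-eth0}        # assumed external interface
INT_IFACE=${INT_IFACE:-eth1}        # assumed internal interface
LAN_NET=${LAN_NET:-192.168.1.0/24}  # assumed LAN address range

nat_gateway_rules() {
    # Start from a known state and deny forwarding by default.
    run iptables -t nat -F POSTROUTING
    run iptables -F FORWARD
    run iptables -P FORWARD DROP

    # LAN -> Internet, but only for packets that really carry a LAN source
    # address (a LAN host cannot push spoofed traffic through the gateway).
    run iptables -A FORWARD -i "$INT_IFACE" -o "$EXT_IFACE" -s "$LAN_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # Internet -> LAN: only replies to connections the LAN started.
    run iptables -A FORWARD -i "$EXT_IFACE" -o "$INT_IFACE" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Anything else crossing the box (e.g. outside hosts probing the LAN)
    # is logged at a limited rate and refused.
    run iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD denied: "
    run iptables -A FORWARD -j REJECT

    # Rewrite the LAN source address to the gateway's external address.
    run iptables -t nat -A POSTROUTING -o "$EXT_IFACE" -s "$LAN_NET" -j MASQUERADE
}

apply_nat_gateway() {
    # Enable routing for the running kernel; add net.ipv4.ip_forward = 1 to
    # /etc/sysctl.conf to keep it across reboots.
    run sysctl -w net.ipv4.ip_forward=1
    nat_gateway_rules
}

case "${1:-}" in
    apply) apply_nat_gateway ;;
esac
```

The -s "$LAN_NET" on the masquerade rule matters on a gateway with more than two interfaces: without it, any packet leaving eth0 gets rewritten, including traffic the gateway merely forwards for networks it should not be NATing.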
Reject all incoming telnet traffic except specified IP address
The following iptables rule will reject all incoming telnet traffic except connection requests from IP 222.111.111.222 (the ! negates the source match).
# iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT
Reject all incoming ssh traffic except specified IP address range
The following iptables rule will reject all incoming ssh traffic except connection requests from the IP address range 10.1.1.90 - 10.1.1.100.
Removing the negator "!" from the rule below reverses it: it then rejects all ssh traffic originating from the range 10.1.1.90 - 10.1.1.100 and leaves everything else alone.
# iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100 -p tcp --dport 22 -j REJECT
Reject all outgoing traffic to a specific remote host
The following iptables rule will reject all outgoing traffic to a remote host with an IP address 222.111.111.222
# iptables -A OUTPUT -d 222.111.111.222 -j REJECT
Block an access to a specific website
The following iptables rule will drop all incoming traffic from facebook.com where the source port is port 80 / www, i.e. the replies of the web server, so the browser's connection attempt goes out but never completes.
# iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP
NOTE: iptables resolves the hostname once, when the rule is added, and installs one rule per address returned; it does not follow later DNS changes, so a site served from a CDN or with rotating addresses slips through. www.facebook.com is covered only if it resolves to the same addresses. The rule matches only port 80; HTTPS (port 443) is not covered at all. Rejecting the outgoing connection (-A OUTPUT -d <address> -p tcp --dport 443 and 80) is the more direct way to block a site.
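Since a hostname in an iptables rule is just a one-time DNS lookup, it is clearer to do that lookup explicitly and install an outgoing REJECT for every address it returns. The script below is an added example, not part of the original page: block_site resolves a name with getent and hands the addresses to block_web_to_addrs, which refuses outgoing HTTP and HTTPS to each of them. The addresses used in the dry run (203.0.113.x) are documentation addresses, not real ones.

```shell
#!/bin/sh
# Added example: block a web site by resolving it once, at rule-insertion
# time, and refusing outgoing HTTP/HTTPS to every address that came back.
# Dry run (print only):  DRY_RUN=1 sh block-site.sh block example.com
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$@"; else "$@"; fi; }

# Refuse outgoing HTTP and HTTPS to each address given as an argument.
# Rejecting in OUTPUT stops the connection before the SYN leaves the host,
# whereas the INPUT/--sport rule above lets the SYN out and drops the reply.
block_web_to_addrs() {
    for addr in "$@"; do
        run iptables -A OUTPUT -d "$addr" -p tcp -m multiport --dports 80,443 -j REJECT
    done
}

# Resolve a hostname to its current IPv4 addresses and block them all.
# This is a snapshot: a site behind a CDN may move to other addresses later,
# and other sites sharing those CDN addresses get blocked as well.
block_site() {
    addrs=$(getent ahostsv4 "$1" | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || { echo "cannot resolve $1" >&2; return 1; }
    # shellcheck disable=SC2086  # splitting on whitespace is intended here
    block_web_to_addrs $addrs
}

case "${1:-}" in
    block) block_site "$2" ;;
esac
```

Re-run the script when the site's addresses change; for anything beyond a handful of addresses an ipset is the better home for the list than one rule per address.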
Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
The following rules allow HTTP and HTTPS connections from anywhere (the normal ports for websites)
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
Allows Ping
The following rule allows ping (ICMP type 8 is echo-request; the reply, type 0, is covered by an ESTABLISHED rule if you have one, otherwise it leaves through the OUTPUT chain)
# iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
Dropping Fragments
I have to say that fragments scare me more than anything. Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such fragments is very OS-dependent. I am not going to trust any fragments. Log fragments just to see if we get any, and deny them too.
# iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
# iptables -A INPUT -i $IFACE -f -j DROP
$IFACE is the interface to protect (for example eth0). NOTE: -f matches the second and later fragments only, never the first, and on a host that runs connection tracking the kernel reassembles fragments before the filter table sees them, so these rules rarely match there; they matter mainly on a stateless packet filter.
Log iptables denied calls
This LOG rule matches every packet that reaches it, and LOG is a non-terminating target (the packet carries on to the next rule or to the chain policy). It therefore has to be the last rule before the chain's final REJECT/DROP, or before falling through to a DROP policy; placed earlier it would log accepted traffic as "denied". --limit 5/min stops a flood from filling the log, and --log-level 7 is debug, so make sure syslog records that level or use a higher level such as 4 (warning).
# iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
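The sections above are fragments, and the order in which they are loaded decides what they do: the logging rule must follow every ACCEPT, the rate-limited ssh rules must come before the plain ssh ACCEPT, and the default policy must be set before anything is trusted. The script below is an added example, not the page's own ruleset, that assembles them into one stateful host firewall in a working order. The public interface name (eth0) and the management network allowed to ssh in (10.1.1.0/24) are assumptions; DRY_RUN=1 prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example: the page's fragments assembled into one default-deny host firewall.
# Assumed: eth0 is the public interface, 10.1.1.0/24 is the admin network.
# Dry run (print only):  DRY_RUN=1 sh host-fw.sh apply
# Apply as root:         sh host-fw.sh apply
# When applying over ssh, arm a safety net first so a mistake does not lock you out:
#   (sleep 120; iptables -P INPUT ACCEPT; iptables -F) &
# and kill that job once you have confirmed the new rules still let you in.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$@"; else "$@"; fi; }

EXT_IFACE=${EXT_IFACE:-eth0}          # assumed public interface
ADMIN_NET=${ADMIN_NET:-10.1.1.0/24}   # assumed network allowed to ssh in

host_firewall_rules() {
    # Start clean, then default-deny: anything not accepted below is dropped.
    run iptables -F
    run iptables -X
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    # Loopback, replies to connections this host started or accepted, and
    # packets conntrack cannot classify (out-of-window TCP, stray ACKs).
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Anti-spoofing: private and loopback sources never arrive on the public side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
        run iptables -A INPUT -i "$EXT_IFACE" -s "$net" -j DROP
    done

    # Fragments: log, then drop (second and later fragments only; with conntrack
    # loaded the kernel normally reassembles them before the filter table).
    run iptables -A INPUT -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
    run iptables -A INPUT -f -j DROP

    # Ping, rate-limited so a flood cannot soak up CPU or logs.
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # ssh: only from the admin network, at most 3 new connections per source
    # address every 3 minutes (the 4th and later hit --hitcount 4 and are dropped).
    run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -s "$ADMIN_NET" \
        -m recent --set --name SSH --rsource
    run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -s "$ADMIN_NET" \
        -m recent --update --seconds 180 --hitcount 4 --name SSH --rsource -j DROP
    run iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -s "$ADMIN_NET" -j ACCEPT

    # Public web service.
    run iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT

    # Everything else: log at a limited rate, then refuse. The LOG rule sits here,
    # after all ACCEPTs, so only traffic that is really denied gets logged.
    run iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    run iptables -A INPUT -j REJECT
}

case "${1:-}" in
    apply) host_firewall_rules ;;
esac
```

Once the dry run looks right and the rules have been loaded and tested from the outside, persist them with the distribution's mechanism (service iptables save on RHEL / CentOS, or iptables-save redirected to a file that iptables-restore loads at boot); the script itself changes only the running kernel.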