IPtable Ruleset

From PCLinuxOSHelp Knowledge Base
Jump to: navigation, search

IPtable Ruleset

Basic IPtables rulesets

The following iptables rules should serve as a template for creating more customized iptables rules to fit desired network environment.

This is NOT a comprehensive guide to iptables. If you are new to iptables please familiarize your self with netfilter / iptables before you use some of the iptables rules described below. This is especially recommended if you are working on a production server.

Before applying any rule make sure that you know what you are doing!

After making changes to your iptable rules, the service 'MUST BE' restarted for the changes to take effect. In a console window as the root user enter the following

    service iptables restart

If everything goes well you should see something like this

[root@findmoore ~]# service iptables restart
Applying iptables firewall rules: [ OK ]
[root@findmoore ~]#

Reject all outgoing network connections

The second line of the rules only allows current outgoing and established connection. This is very useful when you are login to the server vie ssh or telnet

   #  iptables -F OUTPUT
   #  iptables -A OUTPUT -m state \ --state ESTABLISHED -j ACCEPT
   #  iptables -A OUTPUT -j REJECT


Reject all incoming network connections

The second line of the rules only allows current outgoing and established connection. This is very useful when you are logged in to the server via ssh or telnet

   #  iptables -F INPUT
   #  iptables -A INPUT -m state \ --state ESTABLISHED -j ACCEPT
   #  iptables -A INPUT -j REJECT


Reject all network connections

NOTE: This rule will drop and block all network connection whether incoming or outgoing. More importantly this will also include current ongoing established connections

   #  iptables -F
   #  iptables -A INPUT -j REJECT
   #  iptables -A OUTPUT -j REJECT
   #  iptables -A FORWARD -j REJECT

Drop incoming ping requests

This iptables rule will DROP all incoming ping requests.

NOTE: it is possible to use REJECT instead of DROP. The difference between DROP vs REJECT is that DROP silently discards the incoming package, whereas REJECT will result in ICMP error being returned.

 #  iptables -A INPUT -p icmp --icmp-type echo-request -j DROP


Drop outgoing telnet connections

This iptables rule will block any outgoing traffic to any host where destination port is 23 ( telnet ).

  #  iptables -A OUTPUT -p tcp --dport telnet -j REJECT

Reject incoming telnet connections

Refuse all incoming connection requests to a local port 23

 #  iptables -A INPUT -p tcp --dport telnet -j REJECT

Reject outgoing ssh connections

 #  iptables -A OUTPUT -p tcp --dport ssh -j REJECT

to allow all outgoing ssh change the word REJECT with ACCEPT

Reject incoming ssh connections

Refuse all incoming connections to a local port 22 ( ssh ).

 #  iptables -A INPUT -p tcp --dport ssh -j REJECT

to accept all incoming ssh change the word REJECT with ACCEPT


Allows SSH connections (only 4 attempts by an IP every 3 minutes, drop the rest)

    #  iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
    #  iptables -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
    #  iptables -A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

Reject all incoming traffic except ssh and local connections

    #  iptables -A INPUT -i lo -j ACCEPT
    #  iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    #  iptables -A INPUT -j REJECT

Accept incoming ssh connections from specific IP address

Using this iptables rule we will block all incoming connections to port 22 ( ssh ) except host with IP address 77.66.55.44. What it means is that only host with IP 77.66.55.44 will be able to ssh.

    #  iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT
    #  iptables -A INPUT -p tcp --dport ssh -j REJECT

Accept incoming ssh connections from specific MAC address

Using this iptables rule we will block all incoming connections to port 22 ( ssh ) except host with MAC address 00:e0:4c:f1:41:6b . In other words all ssh connections will be limited to a single host with a MAC address 00:e0:4c:f1:41:6b.

    #  iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT
    #  iptables -A INPUT -p tcp --dport ssh -j REJECT

Reject incoming connections on a specific TCP port

The following iptables rule will drop all incoming traffic on TCP port 3333

    #  iptables -A INPUT -p tcp --dport 3333 -j REJECT


Drop all incoming connections on a specific network interface

The following rule will drop incoming traffic on a specific network interface coming from subnet 192.168.0.0/16. The is very useful in attempt to drop all spoofed IP addresses. If eth0 is an external network interface, no incoming traffic originating from internal network should hit eth0 network interface.

    #  iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP

Create a simple IP Masquerading

The following rule will create a simple IP Masquerading gateway to allow all host on the same subnet to access the Internet. The below specified eth0 is a external interface connected to the Internet.

    #  echo "1" > /proc/sys/net/ipv4/ip_forward
    #  iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE

Reject all incoming telnet traffic except specified IP address

The following iptables rule will reject all incoming telnet traffic except connection request from IP 222.111.111.222

    #  iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT

Reject all incoming ssh traffic except specified IP address range

The following iptables rule will reject all incoming ssh traffic except connection request from IP address range 10.1.1.90 - 10.1.1.1.100.

Removing negator "!" from the below rule reject all ssh traffic originating from IP address range 10.1.1.90 - 10.1.1.100.

    #  iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100  -p tcp --dport 22 -j REJECT

Reject all outgoing traffic to a specific remote host

The following iptables rule will reject all outgoing traffic to a remote host with an IP address 222.111.111.222

    #  iptables -A OUTPUT -d 222.111.111.222 -j REJECT

Block an access to a specific website

The following iptables rule will block all incoming traffic from facebook.com where source port is port 80 / www

    #  iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP

NOTE: the above iptables rule will block access to facebook.com as well as www.facebook.com.

Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)

The following rules llows HTTP and HTTPS connections from anywhere (the normal ports for websites)

    #  iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    #  iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allows Ping

The following rule allow ping

    #  iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

Dropping Fragments

I have to say that fragments scare me more than anything. Sending lots of non-first fragments was what allowed Jolt2 to effectively "drown" Firewall-1. Fragments can be overlapped, and the subsequent interpretation of such fragments is very OS-dependent. I am not going to trust any fragments. Log fragments just to see if we get any, and deny them too.

    # iptables -A INPUT -i $IFACE -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
    # iptables #-A INPUT -i $IFACE -f -j DROP

Log iptables denied calls

   # iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7