IPTABLES GUIDE


***** SAMPLE DEFAULT IPTABLES file************************

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p UDP -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

***********************************************************************





********************IPTABLES Command line Examples ********************************************



Drop all incoming ICMP echo requests (ping)
-------------------------------------------
iptables -A INPUT -p ICMP --icmp-type 8 -j DROP


Drop all outgoing ICMP echo requests (ping)
-------------------------------------------
iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP


Allow ICMP echo requests (ping) from a specific host
----------------------------------------------------
iptables -A INPUT -s XXX.XXX.XXX.XXX -p ICMP --icmp-type 8 -j ACCEPT


Allow all UDP traffic
---------------------
iptables -A INPUT -p udp -j ACCEPT


Allow range of UDP ports
------------------------
iptables -A INPUT -p udp -m state --state NEW -m multiport --dports 40000:60000 -j ACCEPT


Allow SNMP from a particular source network XXX.XXX.XXX.XXX/24
--------------------------------------------------------------

iptables -A INPUT -p udp -s XXX.XXX.XXX.XXX/24 --sport 1024:65535 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 161:162 -d XXX.XXX.XXX.XXX/24 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

*The following rule is optional; it is needed only when the default OUTPUT chain policy is set to DROP or REJECT.
iptables -A OUTPUT -p udp --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
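Every example above uses `iptables -A`, which appends to the end of the chain; on a host running the default file from the top of this guide that puts the new rule below the catch-all `-A INPUT -j REJECT`, where it is never evaluated (the sample file at the end of this guide has its extra rules placed above the REJECT instead). The shell lint below is an added example, not part of the original post: it reads an iptables-save dump and flags such shadowed rules, plus ACCEPT rules that admit a whole protocol with no port, address or interface restriction, like the `-p UDP` rule in the default file. The dump it checks is constructed from this page's default file with one appended rule.

```shell
# Lint an iptables-save dump for two problems (added example, not from the post):
#   BROAD    - ACCEPT of a whole protocol with no port/address/interface match,
#              e.g. "-A INPUT -p UDP -j ACCEPT" admits any UDP from anywhere
#   SHADOWED - a rule placed after an unconditional REJECT/DROP in the same
#              chain; iptables stops at the first terminating match, so it is dead
# Reads iptables-save text on stdin, prints one finding per line.
lint_iptables() {
  awk '
    /^-A / {
      chain = $2
      if (chain in closed) { print "SHADOWED " $0; next }
      if ($0 ~ /-j ACCEPT/ && $0 ~ /-p (tcp|udp|TCP|UDP)/ &&
          $0 !~ /--dport|--sport|-s |-d |-i /) {
        print "BROAD " $0
      }
      # "-A CHAIN -j REJECT|DROP" with nothing in between matches every packet
      if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) closed[chain] = 1
    }'
}

# Constructed sample: the default file from the top of this guide, plus one rule
# added later with "iptables -A INPUT ..." and saved. Because -A appends, the new
# rule lands below the catch-all REJECT and is never reached.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p UDP -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT'

# Number of findings of one kind (BROAD or SHADOWED) in the constructed sample.
count_findings() {
  printf '%s\n' "$SAMPLE_RULES" | lint_iptables | grep -c "^$1 "
}

# On a live host (not run here): iptables-save | lint_iptables
```

The fix for a shadowed rule is `iptables -I INPUT <n> ...` (insert at a position above the REJECT) or editing the saved file as the final sample on this page does.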


**************************************************************************************************************************************


**********************Sample IP Tables File after applying rules ************************************************************************

# Generated by iptables-save v1.4.7 on Thu Apr 24 14:51:47 2014
*filter
:INPUT ACCEPT [0:0] --> Set default INPUT chain Policy to ACCEPT
:FORWARD ACCEPT [0:0] --> Set default FORWARD chain Policy to ACCEPT
:OUTPUT ACCEPT [1771:96518] --> Set default OUTPUT chain Policy to ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT --> ACCEPT incoming packets that belong to an already established connection (or are related to one); new connections fall through to the rules below
-A INPUT -i lo -j ACCEPT --> ACCEPT all incoming traffic on loopback interface from all
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8595 -j ACCEPT --> ACCEPT custom SSH TCP port 8585 from all
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT --> ACCEPT default HTTP TCP port 80 from all
-A INPUT -s XXX.XXX.XXX.XXX/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT --> ACCEPT ICMP ping requests from the specific host/ipaddress XXX.XXX.XXX.XXX
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT --> ACCEPT secondary HTTP TCP port 8080 from all
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT --> ACCEPT custom media UDP port 5060 from all
-A INPUT -p udp -m state --state NEW -m multiport --dports 40000:60000 -j ACCEPT --> ACCEPT all custom media UDP port numbers within the range 40000 to 60000 from all
-A INPUT -s XXX.XXX.XXX.XXX/32 -j ACCEPT --> ACCEPT any kind of traffic coming from the specific host/ipaddress XXX.XXX.XXX.XXX

-A INPUT -s XXX.XXX.XXX.XXX/24 -p udp -m udp --sport 1024:65535 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT --> ACCEPT SNMP requests coming from the specific network XXX.XXX.XXX.XXX/24, originating from source ports in the range 1024 to 65535 and destined to ports 161 and 162
-A INPUT -s XXX.XXX.XXX.XXX/24 -p icmp -m icmp --icmp-type 8 -j ACCEPT --> ACCEPT ICMP ping requests from the specific network XXX.XXX.XXX.XXX/24
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP --> DROP (Deny without a message) ping requests from all other sources
-A INPUT -j REJECT --reject-with icmp-host-prohibited --> REJECT (Deny with an ICMP error message) all other incoming traffic from any source
-A FORWARD -j REJECT --reject-with icmp-host-prohibited --> REJECT (Deny with an ICMP error message) all other forwarded traffic from any source
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j DROP --> DROP (Deny without a message) ping requests sent by this host
COMMIT --> Save and apply all the above rules
# Completed on Thu Apr 24 14:51:47 2014
