Collection of basic Linux Firewall iptables rules

Article Index
1. Rule: iptables to reject all outgoing network connections
2. Rule: iptables to reject all incoming network connections
3. Rule: iptables to reject all network connections
4. Rule: iptables to drop incoming ping requests
5. Rule: iptables to drop outgoing telnet connections
6. Rule: iptables to reject incoming telnet connections
7. Rule: iptables to reject outgoing ssh connections
8. Rule: iptables to reject incoming ssh connections
9. Rule: iptables to reject all incoming traffic except ssh and local connections
10. Rule: iptables to accept incoming ssh connections from specific IP address
11. Rule: iptables to accept incoming ssh connections from specific MAC address
12. Rule: iptables to reject incoming connections on a specific TCP port
13. Rule: iptables to drop all incoming connections on a specific network interface
14. Rule: iptables to create a simple IP Masquerading
15. Rule: Reject all incoming telnet traffic except specified IP address
16. Rule: Reject all incoming ssh traffic except specified IP address range
17. Rule: iptables to reject all outgoing traffic to a specific remote host
18. Rule: iptables to block an access to a specific website

The following iptables rules should serve as a template for creating more customized iptables rules to fit the desired network environment.

This article is NOT a comprehensive guide to iptables. If you are new to iptables, please familiarize yourself with netfilter / iptables before you use any of the iptables rules described below. This is especially recommended if you are working on a production server.

Before applying any rule make sure that you know what you are doing.

1. Rule: iptables to reject all outgoing network connections

The second line of the rules only allows outgoing packets that belong to an already established connection. This is very useful when you are logged in to the server via ssh or telnet.

# iptables -F OUTPUT
# iptables -A OUTPUT -m state \
--state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -j REJECT

2. Rule: iptables to reject all incoming network connections

The second line of the rules only allows incoming packets that belong to an already established connection. This is very useful when you are logged in to the server via ssh or telnet.

# iptables -F INPUT
# iptables -A INPUT -m state \
--state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT

3. Rule: iptables to reject all network connections

NOTE: This rule set will reject and block all network connections, whether incoming or outgoing. More importantly, this also includes currently established connections.

# iptables -F
# iptables -A INPUT -j REJECT
# iptables -A OUTPUT -j REJECT
# iptables -A FORWARD -j REJECT

4. Rule: iptables to drop incoming ping requests

This iptables rule will DROP all incoming ping requests.

NOTE: it is possible to use REJECT instead of DROP. The difference between DROP and REJECT is that DROP silently discards the incoming packet, whereas REJECT results in an ICMP error being returned to the sender.

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

5. Rule: iptables to drop outgoing telnet connections

This iptables rule will block any outgoing traffic to any host where the destination port is 23 ( telnet ).

# iptables -A OUTPUT -p tcp --dport telnet -j REJECT

6. Rule: iptables to reject incoming telnet connections

Refuse all incoming connection requests to local port 23 ( telnet ).

# iptables -A INPUT -p tcp --dport telnet -j REJECT

7. Rule: iptables to reject outgoing ssh connections

# iptables -A OUTPUT -p tcp --dport ssh -j REJECT

8. Rule: iptables to reject incoming ssh connections

Refuse all incoming connections to a local port 22 ( ssh ).

# iptables -A INPUT -p tcp --dport ssh -j REJECT

9. Rule: iptables to reject all incoming traffic except ssh and local connections

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECT

10. Rule: iptables to accept incoming ssh connections from specific IP address

Using this iptables rule we will block all incoming connections to port 22 ( ssh ) except from the host with IP address 77.66.55.44. What this means is that only the host with IP 77.66.55.44 will be able to ssh in.

# iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECT

11. Rule: iptables to accept incoming ssh connections from specific MAC address

Using this iptables rule we will block all incoming connections to port 22 ( ssh ) except from the host with MAC address 00:e0:4c:f1:41:6b. In other words, all ssh connections will be limited to a single host with MAC address 00:e0:4c:f1:41:6b.

# iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECT

12. Rule: iptables to reject incoming connections on a specific TCP port

The following iptables rule will reject all incoming traffic on TCP port 3333.

# iptables -A INPUT -p tcp --dport 3333 -j REJECT

13. Rule: iptables to drop all incoming connections on a specific network interface

The following rule will drop incoming traffic on a specific network interface coming from the subnet 192.168.0.0/16. This is very useful in an attempt to drop all spoofed IP addresses: if eth0 is an external network interface, no incoming traffic originating from the internal network should ever arrive on the eth0 network interface.

# iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP

14. Rule: iptables to create a simple IP Masquerading

The following rules will create a simple IP Masquerading gateway to allow all hosts on the same subnet to access the Internet. The eth0 specified below is the external interface connected to the Internet.

# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
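The two rules above are the pieces of a small NAT gateway. The script below, an added example that is not part of the original article, puts rule 13 (anti-spoofing on the external interface) and rule 14 (masquerading) together in the order a practitioner would apply them, and runs in a dry-run mode by default so the generated rule set can be reviewed before it touches a live host. The interface names eth0 and eth1, the LAN subnet, and the FORWARD chain rules (the article itself only shows REJECT in FORWARD) are assumptions of this example; the two extra RFC 1918 ranges extend the article's single 192.168.0.0/16 anti-spoofing rule because the same reasoning applies to them.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal NAT gateway
# combining rule 13 (anti-spoofing on the external interface) and rule 14
# (IP masquerading). Interface names and the LAN subnet are assumptions.
EXT_IFACE="${EXT_IFACE:-eth0}"        # assumed: interface connected to the Internet
INT_IFACE="${INT_IFACE:-eth1}"        # assumed: interface connected to the LAN
LAN_NET="${LAN_NET:-192.168.0.0/16}"  # internal subnet, as in rule 13

# DRY_RUN=1 (the default) prints every command instead of executing it, so
# the whole rule set can be reviewed first. Run as root with DRY_RUN=0 to apply.
DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

gateway_rules() {
    # Rule 14: enable IPv4 forwarding (not persistent across reboots).
    run sysctl -w net.ipv4.ip_forward=1

    # Rule 13: a packet with a private source address must never arrive on
    # the external interface. The article uses 192.168.0.0/16; the other two
    # RFC 1918 ranges are covered here as well (an extension of this example).
    for net in 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12; do
        run iptables -A INPUT   -i "$EXT_IFACE" -s "$net" -j DROP
        run iptables -A FORWARD -i "$EXT_IFACE" -s "$net" -j DROP
    done

    # Assumed FORWARD policy for this example: only the LAN may originate
    # forwarded connections; replies are let back in by connection tracking.
    run iptables -A FORWARD -i "$INT_IFACE" -o "$EXT_IFACE" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$EXT_IFACE" -o "$INT_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -j REJECT

    # Rule 14: rewrite the source address of traffic leaving the external
    # interface so that LAN hosts share the gateway's public address.
    run iptables -t nat -A POSTROUTING -o "$EXT_IFACE" -j MASQUERADE
}

gateway_rules
```

Running the script as-is prints the commands; `DRY_RUN=0 sh gateway.sh` as root applies them. Keeping the anti-spoofing DROP rules before the FORWARD ACCEPT rule matters, because iptables stops at the first rule that matches.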

15. Rule: Reject all incoming telnet traffic except specified IP address

The following iptables rule will reject all incoming telnet traffic except connection requests from IP address 222.111.111.222.

# iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT

16. Rule: Reject all incoming ssh traffic except specified IP address range

The following iptables rule will reject all incoming ssh traffic except connection requests from the IP address range 10.1.1.90 - 10.1.1.100.

Removing the negator "!" from the rule below makes it reject all ssh traffic originating from the IP address range 10.1.1.90 - 10.1.1.100 instead.

# iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100 -p tcp --dport 22 -j REJECT
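Rules 1, 2, 9, 10 and 16 are usually wanted together on a single host: accept loopback and existing connections first, then ssh from a short allowlist, then reject everything else. The script below is an added example, not code from the original article, that applies them in that order and defaults to a dry-run mode so the rule set can be inspected before it is applied. The allowed ssh host and range are taken from rules 10 and 16 as placeholders, and RELATED is added to the article's ESTABLISHED match as a choice of this example.

```shell
#!/bin/sh
# Added example, not from the original article: a lockout-safe INPUT chain
# built from rules 1, 2, 9, 10 and 16. The allowed ssh sources are assumptions.
DRY_RUN="${DRY_RUN:-1}"                                     # 1 = print, 0 = apply
SSH_ALLOW_HOSTS="${SSH_ALLOW_HOSTS:-77.66.55.44}"           # rule 10: single hosts
SSH_ALLOW_RANGE="${SSH_ALLOW_RANGE:-10.1.1.90-10.1.1.100}"  # rule 16: an address range

# Print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

host_input_rules() {
    # Start from an empty INPUT chain (rule 2).
    run iptables -F INPUT
    # Rule 9: the loopback interface is always accepted.
    run iptables -A INPUT -i lo -j ACCEPT
    # Rule 2: packets of connections that already exist are accepted before
    # anything is rejected, so the ssh session these rules are applied over
    # survives. RELATED is added to the article's ESTABLISHED match so that
    # ICMP errors belonging to those connections pass too (this example's choice).
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rule 10: new ssh connections from explicitly allowed hosts.
    for host in $SSH_ALLOW_HOSTS; do
        run iptables -A INPUT -p tcp -s "$host" --dport ssh -j ACCEPT
    done
    # Rule 16: new ssh connections from an allowed address range.
    if [ -n "$SSH_ALLOW_RANGE" ]; then
        run iptables -A INPUT -m iprange --src-range "$SSH_ALLOW_RANGE" -p tcp --dport ssh -j ACCEPT
    fi
    # Everything else is refused. Order matters: iptables stops at the first
    # matching rule, so every ACCEPT above must precede this catch-all.
    run iptables -A INPUT -j REJECT
}

host_input_rules
```

The ESTABLISHED line placed before the final REJECT is what keeps an administrator's own ssh session alive while the rules are being loaded; rule 9 as printed in the article has no such line, so a session started before it is applied survives only because the per-port ACCEPT for ssh matches its packets too. The flush at the top briefly leaves the chain with only its default policy, which is another reason to review the dry-run output before applying it on a remote server.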

17. Rule: iptables to reject all outgoing traffic to a specific remote host

The following iptables rule will reject all outgoing traffic to the remote host with IP address 222.111.111.222.

# iptables -A OUTPUT -d 222.111.111.222 -j REJECT

18. Rule: iptables to block an access to a specific website

The following iptables rule will block all incoming traffic from facebook.com where the source port is port 80 / www.

# iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP

NOTE: the above iptables rule will block access to facebook.com as well as www.facebook.com.
