Thursday, 10 January 2013



#/etc/sysconfig/iptables - The system scripts that activate the firewall by reading this file.

RH-Firewall-1-INPUT - This is a user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains.

Display Default Rules - #iptables --line-numbers -n -L

Turn On Firewall
chkconfig iptables on
service iptables start
# restart the firewall
service iptables restart
# stop the firewall
service iptables stop

Drop All Traffic
Update as follows to change the default policy to DROP from ACCEPT for the INPUT and FORWARD built-in chains:

Log And Drop All Traffic
Find the lines: -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

Update it as follows:
-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP

Open Port

To open port 80 (Http server) add the following before COMMIT line:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT

To open port 53 (DNS Server) add the following before COMMIT line:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p tcp --dport 53 -j ACCEPT

To open port 443 (Https server) add the following before COMMIT line:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

To open port 25 (smtp server) add the following before COMMIT line:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT

Only allow SSH traffic From

-A RH-Firewall-1-INPUT -s -m state --state NEW -p tcp --dport 22 -j ACCEPT

Allow Legitimate NTP Clients to Access the Server

-A RH-Firewall-1-INPUT -s -m state --state NEW -p udp --dport 123 -j ACCEPT

Open FTP Port 21 (FTP)

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Save and close the file. Edit /etc/sysconfig/iptables-config, enter:

# vi /etc/sysconfig/iptables-config

To restart firewall, type the following commands:
# service iptables restart
# iptables -vnL --line-numbers

Log and Drop Spoofing Source Addresses

Append the following lines before final COMMIT line:

-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -d -j LOG --log-prefix "IP DROP LOOPBACK "
-A INPUT -i eth0 -s  -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s  -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s  -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s  -j LOG --log-prefix "IP DROP  "
-A INPUT -i eth0 -s  -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s  -j LOG --log-prefix "IP DROP "

1: Displaying the Status of Your Firewall - # iptables -L -n -v

    -L : List rules.
    -v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
    -n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.
1.1: To inspect firewall with line numbers, enter: # iptables -n -L -v --line-numbers

You can use the iptables command itself to stop the firewall and delete all rules:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT


    -F : Deleting (flushing) all the rules.
    -X : Delete chain.
    -t table_name : Select table (called nat or mangle) and delete/flush rules.
    -P : Set the default policy (such as DROP, REJECT, or ACCEPT).

Delete Firewall Rules

To display line number along with other information for existing rules, enter:
# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep

You will get the list of IP. Look at the number on the left, then use number to delete it. For example delete line number 4, enter:
# iptables -D INPUT 4

Insert Firewall Rules
To insert one or more rules in the selected chain as the given rule number use the following syntax. First find out line numbers, enter:
# iptables -L INPUT -n --line-numbers

To insert rule between 1 and 2, enter:
# iptables -I INPUT 2 -s -j DROP

To view updated rules, enter:
# iptables -L INPUT -n --line-numbers

5: Save Firewall Rules

To save firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables save

Restore Firewall Rules
# service iptables restart

7: Set the Default Firewall Policies
To drop all traffic:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -L -v -n

7.1: Only Block Incoming Traffic

To drop all incoming / forwarded packets, but allow outgoing traffic, enter:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -L -v -n

8:Drop Private Network Address On Public Interface
IP spoofing is nothing but to stop the following IPv4 address ranges for private networks on your public interfaces. Packets with non-routable source addresses should be rejected using the following syntax:
# iptables -A INPUT -i eth1 -s -j DROP
# iptables -A INPUT -i eth1 -s -j DROP

8.1: IPv4 Address Ranges For Private Networks (make sure you block them on public interface) -j (A) (B) (C) (MULTICAST D) (E) (LOOPBACK)
9: Blocking an IP Address (BLOCK IP)

To block an attackers ip address called, enter:
# iptables -A INPUT -s -j DROP
# iptables -A INPUT -s -j DROP

10: Block Incoming Port Requests (BLOCK PORT)

To block all service requests on port 80, enter:
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for an ip address, enter:
# iptables -A INPUT -p tcp -s --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s --dport 80 -j DROP

11: Block Outgoing IP Address

To block outgoing traffic to a particular host or domain such as, enter:
# host -t a

Note down its ip address and type the following to block all outgoing traffic to
# iptables -A OUTPUT -d -j DROP
You can use a subnet as follows:
# iptables -A OUTPUT -d -j DROP
# iptables -A OUTPUT -o eth1 -d -j DROP

To prevent outgoing access to, enter:
# iptables -A OUTPUT -p tcp -d -j DROP

You can also use domain name, enter:
# iptables -A OUTPUT -p tcp -d -j DROP
# iptables -A OUTPUT -p tcp -d -j DROP

12: Log and Drop Packets

Type the following to log and block IP spoofing on public interface called eth1
# iptables -A INPUT -i eth1 -s -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s -j DROP
By default everything is logged to /var/log/messages file.
# tail -f /var/log/messages
# grep --color 'IP SPOOF' /var/log/messages

13: Log and Drop Packets with Limited Number of Log Entries

The -m limit module can limit the number of log entries created per time. This is used to prevent flooding your log file. To log and drop spoofing per 5 minutes, in bursts of at most 7 entries .
# iptables -A INPUT -i eth1 -s -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s -j DROP

14: Drop or Accept Traffic From Mac Address

Use the following syntax:
# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
## *only accept traffic for TCP port # 8080 from mac 00:0F:EA:91:04:07 * ##
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

15: Block or Allow ICMP Ping Request

Type the following command to block ICMP ping requests:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

Ping responses can also be limited to certain networks or hosts:
# iptables -A INPUT -s -p icmp --icmp-type echo-request -j ACCEPT

16: Open Range of Ports

Use the following syntax to open a range of ports:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

17: Open Range of IP Addresses

Use the following syntax to open a range of IP address:
## only accept connection to tcp port 80 (Apache) if ip is between and ##
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range -j ACCEPT

18: Established Connections and Restaring The Firewall

When you restart the iptables service it will drop established connections as it unload modules from the system under RHEL / Fedora / CentOS Linux. Edit, /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows:


20: Block or Open Common Ports

Replace ACCEPT with DROP to block port:
## open port ssh tcp port 22 ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s -m state --state NEW -p tcp --dport 22 -j ACCEPT

## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s -p tcp -m tcp --dport 631 -j ACCEPT

## allow time sync via NTP for lan users (open udp port 123) ##
iptables -A INPUT -s -m state --state NEW -p udp --dport 123 -j ACCEPT

## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT

# open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

## open http/https (Apache) server port to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT

## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT

## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT

## open access to Samba file server for lan users only ##
iptables -A INPUT -s -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s -m state --state NEW -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s -m state --state NEW -p tcp --dport 445 -j ACCEPT

## open access to proxy server for lan users only ##
iptables -A INPUT -s -m state --state NEW -p tcp --dport 3128 -j ACCEPT

## open access to mysql server for lan users only ##
iptables -I INPUT -p tcp --dport 3306 -j ACCEPT

21: Restrict the Number of Parallel Connections To a Server Per Client IP

You can use connlimit module to put such restrictions. To allow 3 ssh connections per client host, enter:
# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

Set HTTP requests to 20:
# iptables -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP

    --connlimit-above 3 : Match if the number of existing connections is above 3.
    --connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.
22.1: Testing Your Firewall

Find out if ports are open or not, enter:
# netstat -tulpn
Find out if tcp port 80 open or not, enter:
# netstat -tulpn | grep :80
If port 80 is not open, start the Apache, enter:
# service httpd start

Make sure iptables allowing access to the port 80:
# iptables -L INPUT -v -n | grep 80
Otherwise open port 80 using the iptables for all users:
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# service iptables save
Use the telnet command to see if firewall allows to connect to port 80:
$ telnet 80   


No comments:

Post a Comment