Iptables rules that Linux administrators should know

by ddos · November 3, 2019

Managing network traffic is one of the toughest tasks that system administrators must handle. We must specify that users connected to the system meet the firewall’s incoming and outgoing requirements to maximize system protection.

Many users use iptables in Linux as a firewall. From a strict perspective, Iptables are just a command-line tool that helps administrators define rules and communicate with the Linux kernel. It is just a list of incoming and outgoing rules that help administrators configure network traffic. The specific implementation is actually in the Linux kernel.

Iptables include a set of chains of built-in and user-defined rules that administrators can attach to the chain.

FILTER default filter table, built-in chain:

INPUT: handling incoming data packets
FORWARD: handling packets routed through the system

OUTPUT: handling locally outgoing packets

NAT implements a table for network address translation. The built-in chains are:

PREROUTING: handling packets to be received
OUTPUT: handling locally generated packets

POSTROUTING: handling outgoing packets

MANGLE is used to change the data packet, a total of 5 chains:

PREROUTING: handling incoming connections
OUTPUT: handling locally generated packets

INPUT: processing packets
POSTROUTING: handling outgoing packets
FORWARD: handling packets forwarded through the machine

Below, we will introduce the Iptables rules that are most commonly used by Linux administrators.

Start, stop and restart Iptables

Although IPTables is not a service, it can still be managed like a service in Linux.

Using systemd
systemctl start iptables
systemctl stop iptables
systemctl restart iptables
Using sysvinit
/etc/init.d/iptables start
/etc/init.d/iptables stop
/etc/init.d/iptables restart

View Iptables firewall policy

You can use the following command to view the Iptables firewall policy:

iptables -L -n -v

The above command is to view the default FILTER table. If you only want to view a specific table, you can follow the -t parameter to the table name to be viewed separately. For example, to view only the rules in the NAT table, you can use the following command:

iptables -t nat -L -v –n

Block an IP address

If you identify an IP like an attack or abnormal traffic to the server, you can block its IP address using the following rules:

iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

Note that you need to change the above xxx to the actual IP address to be masked, where the -A parameter indicates that this rule is appended at the end of the INPUT chain.

If you only want to block TCP traffic, you can use the specified protocol of the -p parameter, for example:

iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP

Unblock an IP address

To unblock the IP address, you can use the following command to delete it:

iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

Where the -D parameter indicates that one or more rules are removed from the chain.

Use Iptables to close a specific port

Many times, we need to block network connections for a particular port, and Iptables can be used to block specific ports.

Block specific outgoing connections:

iptables -A OUTPUT -p tcp –dport xxx -j DROP

Block specific incoming connections:

iptables -A INPUT -p tcp –dport xxx -j ACCEPT

Use Multiport to control multiple ports

Using multiport we can write multiple ports in a single rule at once, for example:

iptables -A INPUT -p tcp -m multiport –dports 22,80,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport –sports 22,80,443 -j ACCEPT

Use IP address ranges in rules

The IP address range in IPtables can be expressed directly using CIDR, for example:

iptables -A OUTPUT -p tcp -d 192.168.1.1/24 –dport 22 -j ACCEPT

Configuring port forwarding

Sometimes we need to forward service traffic from a Linux server to another port. In this case, you can use the following command:

iptables -t nat -A PREROUTING -i eth0 -p tcp –dport 22 -j REDIRECT –to-port 2222

The above command will redirect all traffic arriving on the eth0 NIC 22 port to port 2222.

Block HTTP service Flood attacks

Sometimes a user initiates a large number of connection requests on a service, such as HTTP 80, at which point we can enable the following rules:

iptables -A INPUT -p tcp –dport 80 -m limit –limit 100/minute –limit-burst 200 -j ACCEPT

The above command will limit the connection to 100 per minute and the upper limit to 200.

Block Ping

Forbidden PING for Linux, You can use the following rules to mask ICMP incoming connections:

iptables -A INPUT -p icmp -i eth0 -j DROP

Allow Loopback Connections

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Drop or Accept Traffic From Mac Address

iptables -A INPUT -m mac –mac-source 00:0F:EA:91:04:08 -j DROP
iptables -A INPUT -p tcp –destination-port 22 -m mac –mac-source 00:0F:EA:91:04:07 -j ACCEPT

Limit the number of concurrent connections

If you don’t want too many concurrent connections from a particular port, you can use the following rules

iptables -A INPUT -p tcp –syn –dport 22 -m connlimit –connlimit-above 3 -j REJECT

The above rules limit no more than 3 connections per client.

Allow related connections to be established

With the ingress and egress of network traffic, to allow the establishment of incoming related connections, you can use the following rules:

iptables -A INPUT -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT

Allow rules to establish outgoing connections

iptables -A OUTPUT -m conntrack –ctstate ESTABLISHED -j ACCEPT

Discard invalid packets

Many cyber attacks try to use hacker-defined illegal packets, we can use the following command to discard invalid packets:

iptables -A INPUT -m conntrack –ctstate INVALID -j DROP

Allow All Incoming SSH

iptables -A INPUT -p tcp –dport 22 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 22 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow Incoming SSH from Specific IP address or subnet

iptables -A INPUT -p tcp -s 192.168.240.0/24 –dport 22 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp –sport 22 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow Outgoing SSH

iptables -A OUTPUT -p tcp –dport 22 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp –sport 22 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming HTTP

iptables -A INPUT -p tcp –dport 80 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 80 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming HTTPS

iptables -A INPUT -p tcp –dport 443 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 443 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming HTTP and HTTPS

iptables -A INPUT -p tcp -m multiport –dports 80,443 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp -m multiport –dports 80,443 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow MySQL from Specific IP Address or Subnet

iptables -A INPUT -p tcp -s 192.168.240.0/24 –dport 3306 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp –sport 3306 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow MySQL to Specific Network Interface

iptables -A INPUT -i eth1 -p tcp –dport 3306 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth1 -p tcp –sport 3306 -m conntrack –ctstate ESTABLISHED -j ACCEPT

PostgreSQL from Specific IP Address or Subnet

iptables -A INPUT -p tcp -s 192.168.240.0/24 –dport 5432 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -p tcp –sport 5432 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow PostgreSQL to Specific Network Interface

iptables -A INPUT -i eth1 -p tcp –dport 5432 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth1 -p tcp –sport 5432 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Block Outgoing SMTP Mail

iptables -A OUTPUT -p tcp –dport 25 -j REJECT

Allow All Incoming SMTP

iptables -A INPUT -p tcp –dport 25 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 25 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming IMAP

iptables -A INPUT -p tcp –dport 143 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 143 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming IMAPS

iptables -A INPUT -p tcp –dport 993 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 993 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming POP3

iptables -A INPUT -p tcp –dport 110 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 110 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Allow All Incoming POP3S

iptables -A INPUT -p tcp –dport 995 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp –sport 995 -m conntrack –ctstate ESTABLISHED -j ACCEPT

Flush All Chains

To empty the Iptables chain you can use the following command

iptables -F

To clear a particular table, you can specify it with the -t parameter, for example:

iptables -t nat –F

Save Iptables rules

By default, administrator actions on Iptables rules take effect immediately. However, since the rules are stored in memory, restarting the system will result in configuration loss. To permanently save Iptables rules, use the iptables-save command:

iptables-save > ~/iptables.rules

or

Debian Based
netfilter-persistent save
RedHat Based
service iptables save

Restore Iptables rules

If there is a natural save, there is a restore. You can use the iptables-restore command to restore the saved rules.

iptables-restore < ~/iptables.rules

Reference: iptables-essentials

Iptables rules that Linux administrators should know

Search

Brilliantly

Content & Links