Iptables rules that Linux administrators should know
Managing network traffic is one of the toughest tasks a system administrator has to handle. To protect the system, we must define which incoming and outgoing connections the firewall permits for the users and hosts that talk to it.
Many Linux users rely on iptables as their firewall. Strictly speaking, iptables is just a command-line tool that lets administrators define rules and hand them to the Linux kernel: it maintains lists of rules for incoming and outgoing traffic, while the actual packet filtering is implemented inside the kernel.
iptables organizes its rules into tables, and each table contains a set of built-in chains; administrators append rules to these chains or create user-defined chains of their own. The built-in chains, grouped by table, are:
filter table (the default):
- INPUT: handling incoming packets
- FORWARD: handling packets routed through the system
- OUTPUT: handling locally outgoing packets
nat table:
- PREROUTING: handling packets as they arrive, before routing
- OUTPUT: handling locally generated packets
- POSTROUTING: handling outgoing packets, after routing
mangle table:
- PREROUTING: handling incoming connections
- OUTPUT: handling locally generated packets
- INPUT: processing packets destined for the local machine
- POSTROUTING: handling outgoing packets
- FORWARD: handling packets forwarded through the machine
Start, Stop or Restart the iptables Service
- Using systemd:
systemctl start iptables
systemctl stop iptables
systemctl restart iptables
- Using sysvinit:
/etc/init.d/iptables start
/etc/init.d/iptables stop
/etc/init.d/iptables restart
List the Current Rules
iptables -L -n -v
iptables -t nat -L -v -n
If you identify an IP address as the source of an attack or of abnormal traffic to the server, you can block it with the following rule:
iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP
Note that you need to replace xxx.xxx.xxx.xxx with the actual IP address to block; the -A parameter appends this rule at the end of the INPUT chain.
To block only TCP traffic from that address:
iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP
To remove the block again, delete the rule with -D instead of -A:
iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP
Block outgoing connections to a specific port:
iptables -A OUTPUT -p tcp --dport xxx -j DROP
Allow incoming connections to a specific port:
iptables -A INPUT -p tcp --dport xxx -j ACCEPT
Allow incoming connections to several ports at once, and the replies from those ports:
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
Allow outgoing SSH only to a specific network:
iptables -A OUTPUT -p tcp -d 192.168.1.1/24 --dport 22 -j ACCEPT
Redirect incoming traffic on port 22 to port 2222 (a nat table rule):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 2222
Rate-limit incoming HTTP connections (100 per minute, with a burst of 200):
iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
Block Ping
iptables -A INPUT -p icmp -i eth0 -j DROP
Allow Loopback Connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Drop or Accept Traffic From a MAC Address
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
Limit Concurrent SSH Connections per Source
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
Allow Established and Related Connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
Discard Invalid Packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Allow All Incoming SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Incoming SSH from Specific IP Address or Subnet
iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Outgoing SSH
iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming HTTP
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming HTTPS
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming HTTP and HTTPS
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow MySQL from Specific IP Address or Subnet
iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow MySQL to Specific Network Interface
iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow PostgreSQL from Specific IP Address or Subnet
iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow PostgreSQL to Specific Network Interface
iptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Block Outgoing SMTP Mail
iptables -A OUTPUT -p tcp --dport 25 -j REJECT
Allow All Incoming SMTP
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming IMAP
iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming IMAPS
iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming POP3
iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming POP3S
iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Flush All Chains
iptables -F
iptables -t nat -F
Save the Rules
iptables-save > ~/iptables.rules
or, using the distribution's own persistence tool:
- Debian Based
netfilter-persistent save
- RedHat Based
service iptables save
Restore the Rules
iptables-restore < ~/iptables.rules
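The rules above are applied one `iptables -A` at a time, so the order you type them in is the order the kernel evaluates them, and a DROP policy set before the SSH rule cuts off the session you are working from. The script below, an added example that is not part of the original page, assembles the page's rules into one iptables-restore file so they load atomically and in a safe order; the admin subnet 192.168.240.0/24, the interface eth0 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: build an iptables-restore ruleset from the rules on this page.
# Hypothetical defaults: admin subnet 192.168.240.0/24, public interface eth0.
build_ruleset() {
    admin_net="${1:-192.168.240.0/24}"
    pub_if="${2:-eth0}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-tracked flows first, so later rules only see new connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the admin subnet; more than 3 parallel connections per source are rejected
-A INPUT -p tcp -s $admin_net --dport 22 --syn -m connlimit --connlimit-above 3 -j REJECT
-A INPUT -p tcp -s $admin_net --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# web traffic, rate-limited; connections above the limit fall through to the DROP policy
-A INPUT -p tcp -m multiport --dports 80,443 -m limit --limit 100/minute --limit-burst 200 -m conntrack --ctstate NEW -j ACCEPT
# no ping on the public interface, no outgoing mail
-A INPUT -p icmp -i $pub_if -j DROP
-A OUTPUT -p tcp --dport 25 -j REJECT
COMMIT
EOF
}

# Refuse a ruleset (read from stdin) that sets INPUT policy DROP without any
# rule accepting SSH: loading such a file over SSH would drop the session.
check_ruleset() {
    rules=$(cat)
    if printf '%s\n' "$rules" | grep -q '^:INPUT DROP' &&
       ! printf '%s\n' "$rules" | grep -q -- '--dport 22 .*-j ACCEPT'; then
        return 1
    fi
    return 0
}

# Parse with iptables-restore --test first, then commit in one step (needs root).
apply_ruleset() {
    f=$(mktemp) || return 1
    build_ruleset "$@" > "$f" && check_ruleset < "$f" &&
        iptables-restore --test "$f" && iptables-restore "$f"
    rc=$?; rm -f "$f"; return $rc
}
```

Because iptables-restore replaces the whole table in one commit, there is no moment where the DROP policy is active without the SSH rule, which is the window an interactive sequence of `iptables -A` commands leaves open.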