Archives
/
iptables-essentials
mirror of https://github.com/trimstray/iptables-essentials
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
testing
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '948dd7ce49'
${ noResults }
iptables-essentials/README.md

299 lines
6.8 KiB
Markdown
Raw Normal View History Unescape Escape

init commit - signed-off-by: trimstray <trimstray@gmail.com>
6 years ago
<h2 align="center">Iptables Essentials: Common Firewall Rules and Commands</h2>
<br>
<p align="center">
<a href="https://github.com/trimstray/iptables-essentials/tree/master">
<img src="https://img.shields.io/badge/Branch-master-green.svg?longCache=true"
alt="Branch">
</a>
<a href="http://www.gnu.org/licenses/">
<img src="https://img.shields.io/badge/License-GNU-blue.svg?longCache=true"
alt="License">
</a>
</p>
<div align="center">
<sub>Created by
<a href="https://twitter.com/trimstray">trimstray</a> and
<a href="https://github.com/trimstray/iptables-essentials/graphs/contributors">
contributors
</a>
</div>
<br>
****
#### Tools to help you configure iptables
- **[Shorewall](http://shorewall.org/)**
- **[Firewalld](https://firewalld.org/)**
- **[FireHOL](https://github.com/firehol/firehol)**
#### 1. Saving Rules
###### Debian Based
```bash
apt-get install iptables-persistent
```
If you update your firewall rules and want to save the changes, run this command:
```bash
netfilter-persistent save
```
###### RedHat Based
```bash
service iptables save
```
#### 2. List out all of the active iptables rules
```bash
iptables -S
```
#### 3. List out all of the active iptables rules with numeric lines
```bash
iptables -L --line-numbers
```
#### 4. List Rules as Tables
```bash
iptables -L
```
#### 5. List Rules as Tables for INPUT chain
```bash
iptables -L INPUT
```
#### 6. Show all of the rule specifications in the INPUT chain
```bash
iptables -S INPUT
```
#### 7. Show Packet Counts and Aggregate Size
```bash
iptables -L INPUT -v
```
#### 8. Delete Rule by Chain and Number
```bash
iptables -D INPUT 10
```
#### 9. Delete Rule by Specification
```bash
iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
```
#### 10. Flush All Rules, Delete All Chains, and Accept All
```bash
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
```
#### 11. Flush All Chains
```bash
iptables -F
```
#### 12. Flush a Single Chain
```bash
iptables -F INPUT
```
#### 13. Allow Loopback Connections
```bash
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
```
#### 14. Allow Established and Related Incoming Connections
```bash
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```
#### 15. Allow Established Outgoing Connections
```bash
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 16. Internal to External
```bash
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
```
#### 17. Drop Invalid Packets
```bash
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
```
#### 18. Block an IP Address
```bash
README.md - minor fix - signed-off-by: trimstray <trimstray@gmail.com>
6 years ago
iptables -A INPUT -s 192.168.252.10 -j DROP
init commit - signed-off-by: trimstray <trimstray@gmail.com>
6 years ago
```
#### 19. Block and IP Address and Reject
```bash
README.md - minor fix - signed-off-by: trimstray <trimstray@gmail.com>
6 years ago
iptables -A INPUT -s 192.168.252.10 -j REJECT
init commit - signed-off-by: trimstray <trimstray@gmail.com>
6 years ago
```
#### 20. Block Connections to a Network Interface
```bash
README.md - minor fix - signed-off-by: trimstray <trimstray@gmail.com>
6 years ago
iptables -A INPUT -i eth0 -s 192.168.252.10 -j DROP
init commit - signed-off-by: trimstray <trimstray@gmail.com>
6 years ago
```
#### 21. Block Connections to a Network Interface
```bash
README.md - minor fix - signed-off-by: trimstray <trimstray@gmail.com>
6 years ago
iptables -A INPUT -i eth0 -s 192.168.252.10 -j DROP
init commit - signed-off-by: trimstray <trimstray@gmail.com>
6 years ago
```
#### 22. Allow All Incoming SSH
```bash
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 23. Allow Incoming SSH from Specific IP address or subnet
```bash
iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 24. Allow Outgoing SSH
```bash
iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 25. Allow Incoming Rsync from Specific IP Address or Subnet
```bash
iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 26. Allow All Incoming HTTP
```bash
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 27. Allow All Incoming HTTPS
```bash
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 28. Allow All Incoming HTTP and HTTPS
```bash
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 29. Allow MySQL from Specific IP Address or Subnet
```bash
iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 30. Allow MySQL to Specific Network Interface
```bash
iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 31. PostgreSQL from Specific IP Address or Subnet
```bash
iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 32. Allow PostgreSQL to Specific Network Interface
```bash
iptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 33. Block Outgoing SMTP Mail
```bash
iptables -A OUTPUT -p tcp --dport 25 -j REJECT
```
#### 34. Allow All Incoming SMTP
```bash
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 35. Allow All Incoming IMAP
```bash
iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 36. Allow All Incoming IMAPS
```bash
iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 37. Allow All Incoming POP3
```bash
iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
#### 38. Allow All Incoming POP3S
```bash
iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```