# Iptables Essentials: Common Firewall Rules and Commands

Created by trimstray and contributors.
## Table of Contents

- Tools to help you configure Iptables
- Iptables Rules
  - Saving Rules
  - List out all of the active iptables rules
  - List out all of the active iptables rules with numeric lines
  - List Rules as Tables
  - List Rules as Tables for INPUT chain
  - Show all of the rule specifications in the INPUT chain
  - Show Packet Counts and Aggregate Size
  - Delete Rule by Chain and Number
  - Delete Rule by Specification
  - Flush All Rules, Delete All Chains, and Accept All
  - Flush All Chains
  - Flush a Single Chain
  - Allow Loopback Connections
  - Allow Established and Related Incoming Connections
  - Allow Established Outgoing Connections
  - Internal to External
  - Drop Invalid Packets
  - Block an IP Address
  - Block an IP Address and Reject
  - Block Connections to a Network Interface
  - Allow All Incoming SSH
  - Allow Incoming SSH from Specific IP Address or Subnet
  - Allow Outgoing SSH
  - Allow Incoming Rsync from Specific IP Address or Subnet
  - Allow All Incoming HTTP
  - Allow All Incoming HTTPS
  - Allow All Incoming HTTP and HTTPS
  - Allow MySQL from Specific IP Address or Subnet
  - Allow MySQL to Specific Network Interface
  - Allow PostgreSQL from Specific IP Address or Subnet
  - Allow PostgreSQL to Specific Network Interface
  - Block Outgoing SMTP Mail
  - Allow All Incoming SMTP
  - Allow All Incoming IMAP
  - Allow All Incoming IMAPS
  - Allow All Incoming POP3
  - Allow All Incoming POP3S
## Tools to help you configure Iptables

## Iptables Rules

### Saving Rules

Debian based:

```bash
apt-get install iptables-persistent
```

If you update your firewall rules and want to save the changes, run this command:

```bash
netfilter-persistent save
```

RedHat based:

```bash
service iptables save
```
### List out all of the active iptables rules

```bash
iptables -S
```

### List out all of the active iptables rules with numeric lines

```bash
iptables -L --line-numbers
```

### List Rules as Tables

```bash
iptables -L
```

### List Rules as Tables for INPUT chain

```bash
iptables -L INPUT
```

### Show all of the rule specifications in the INPUT chain

```bash
iptables -S INPUT
```

### Show Packet Counts and Aggregate Size

```bash
iptables -L INPUT -v
```
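The counters that `iptables -L INPUT -v` prints are the cheapest signal you have that a block rule is doing work. The script below is an added example (not part of the original README) that picks out the DROP and REJECT rules whose packet counter is non-zero, plus the number of packets refused by the chain's own policy. `SAMPLE` is constructed output in the real column layout of `iptables -L INPUT -v -n`; on a live host, pipe that command into the functions instead.

```bash
#!/bin/sh
# Added example, not from the original README. Reads an `iptables -L INPUT -v -n`
# table and reports which blocking rules are actually matching traffic.

# Constructed sample output (same column layout as the real command).
SAMPLE='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1234 98765 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
 5678  456K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   42  2520 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 DROP       all  --  *      *       15.15.15.51          0.0.0.0/0
    7   420 REJECT     all  --  *      *       15.15.15.52          0.0.0.0/0            reject-with icmp-port-unreachable
   90  5400 ACCEPT     tcp  --  *      *       15.15.15.0/24        0.0.0.0/0            tcp dpt:22 ctstate NEW,ESTABLISHED'

# Print "pkts bytes target source <match text>" for every DROP/REJECT rule
# whose packet counter is non-zero. Reads the table on stdin. The first two
# lines are the chain header and column header, so they are skipped; the
# "$1 + 0" coerces suffixed counters such as "456K" to a number.
blocked_hits() {
    awk 'NR > 2 && ($3 == "DROP" || $3 == "REJECT") && $1 + 0 > 0 {
        extra = ""
        for (i = 10; i <= NF; i++) extra = extra " " $i
        printf "%s %s %s %s%s\n", $1, $2, $3, $8, extra
    }'
}

# Packets refused by the chain policy itself (traffic no rule claimed), taken
# from the "policy DROP N packets" text on the first line. Prints 0 when the
# policy is ACCEPT.
policy_drops() {
    awk 'NR == 1 {
        if (match($0, /policy DROP [0-9]+/)) {
            split(substr($0, RSTART, RLENGTH), a, " ")
            print a[3]
        } else {
            print 0
        }
        exit
    }'
}

# Stand-alone usage against the constructed sample:
printf '%s\n' "$SAMPLE" | blocked_hits
echo "packets dropped by INPUT policy: $(printf '%s\n' "$SAMPLE" | policy_drops)"
```

A rule with a zero counter is not wrong, but it is worth a second look: either the host it blocks never talks to you, or the rule sits below an ACCEPT that already claims the traffic, which is why rule order (see the allow rules later in this page) matters.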
### Delete Rule by Chain and Number

```bash
iptables -D INPUT 10
```

### Delete Rule by Specification

```bash
iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
```

### Flush All Rules, Delete All Chains, and Accept All

```bash
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
```

### Flush All Chains

```bash
iptables -F
```

### Flush a Single Chain

```bash
iptables -F INPUT
```
### Allow Loopback Connections

```bash
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
```

### Allow Established and Related Incoming Connections

```bash
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```

### Allow Established Outgoing Connections

```bash
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Internal to External

Forward traffic arriving on the internal interface (`eth1`) out through the external interface (`eth0`):

```bash
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
```

### Drop Invalid Packets

```bash
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
```

### Block an IP Address

```bash
iptables -A INPUT -s 15.15.15.51 -j DROP
```

### Block an IP Address and Reject

```bash
iptables -A INPUT -s 15.15.15.51 -j REJECT
```

### Block Connections to a Network Interface

```bash
iptables -A INPUT -i eth0 -s 15.15.15.51 -j DROP
```
### Allow All Incoming SSH

```bash
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Allow Incoming SSH from Specific IP Address or Subnet

```bash
iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Allow Outgoing SSH

```bash
iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Allow Incoming Rsync from Specific IP Address or Subnet

```bash
iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Allow All Incoming HTTP

```bash
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Allow All Incoming HTTPS

```bash
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
### Allow All Incoming HTTP and HTTPS

The OUTPUT rule matches the reply traffic, so it uses `--sports` (the server's source ports), not `--dports`:

```bash
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
### Allow MySQL from Specific IP Address or Subnet

```bash
iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Allow MySQL to Specific Network Interface

```bash
iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
### Allow PostgreSQL from Specific IP Address or Subnet

```bash
iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Allow PostgreSQL to Specific Network Interface

```bash
iptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
### Block Outgoing SMTP Mail

```bash
iptables -A OUTPUT -p tcp --dport 25 -j REJECT
```

### Allow All Incoming SMTP

```bash
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Allow All Incoming IMAP

```bash
iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Allow All Incoming IMAPS

```bash
iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Allow All Incoming POP3

```bash
iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

### Allow All Incoming POP3S

```bash
iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```
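The sections above give individual rules; what they do not show is the order they must be appended in, or how to end with a default-deny policy without locking yourself out of an SSH session. The script below is an added example (not part of the original README) that composes those rules into a baseline for a single host: loopback and ESTABLISHED,RELATED first, the INVALID drop next, then per-service allows, and a DROP policy on INPUT last. It assumes the README's `15.15.15.0/24` as the administrative subnet and a `DRY_RUN` switch (both constructed for this example) that prints the commands instead of executing them, so you can review the generated rule set before applying it.

```bash
#!/bin/sh
# Added example, not from the original README. Builds an ordered baseline
# rule set from the rules in this page. DRY_RUN=1 (the default here) prints
# each iptables command instead of running it; set DRY_RUN=0 as root to apply.

DRY_RUN=${DRY_RUN:-1}
ADMIN_NET=${ADMIN_NET:-15.15.15.0/24}   # assumed admin subnet, from the README

ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Allow a TCP service inbound: NEW,ESTABLISHED in, ESTABLISHED back out.
# $1 = port, $2 = optional source IP or subnet; omit $2 for "from anywhere".
# The OUTPUT rule mirrors the README; it only matters once the OUTPUT policy
# is also set to DROP, but including it keeps the pairs intact.
allow_tcp_in() {
    port=$1
    src=$2
    if [ -n "$src" ]; then
        ipt -A INPUT -p tcp -s "$src" --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    else
        ipt -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    fi
    ipt -A OUTPUT -p tcp --sport "$port" -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

baseline_ruleset() {
    # Start from a clean table so re-running is idempotent. Policies go to
    # ACCEPT before the flush: flushing with a DROP policy in place over SSH
    # drops your own session.
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -F
    ipt -X

    # 1. Loopback
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # 2. Replies to connections conntrack already knows about
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # 3. Packets that belong to no known connection
    ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
    # 4. Services: SSH only from the admin subnet, web from anywhere
    allow_tcp_in 22 "$ADMIN_NET"
    allow_tcp_in 80
    allow_tcp_in 443
    # 5. Everything else inbound is refused by the chain policy, set last so
    #    the allow rules are already in place when it takes effect.
    ipt -P INPUT DROP
}

# Number of -A rules the generated set contains (policy and flush lines
# excluded); a quick sanity check before switching DRY_RUN off.
rule_count() {
    baseline_ruleset | grep -c -- ' -A '
}

baseline_ruleset
```

Review the dry-run output, then apply with `DRY_RUN=0`, confirm you can still open a new SSH session from the admin subnet, and only then persist the set with `netfilter-persistent save` or `service iptables save` as described under Saving Rules.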