GIT – Iptable is the administration tool for IPv4 packet filtering and NAT. is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined.Each table contains a number of built-in chains and may also contain user-defined chains.Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a `target’,which may be a jump to a user-defined chain in the same table.

A rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is the examined; if it does match,then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.

  • ACCEPT  means  to let the packet through.
  • DROP means to drop the packet on the floor
  • QUEUE means to pass the packet to userspace
  • RETURN means stop traversing this chain and resume at the next rule in the previous chain.

There are total 4 chains:

  • INPUT – The default chain is used for packets addressed to the system. Use this to open or close incoming ports and addresses / subnet
  • OUTPUT – The default chain is used when packets are generating from the system. Use this open or close outgoing ports and ip addresses / subnets
  • FORWARD – The default chains is used when packets send through another interface. Usually used when you setup Linux as router
  • RH-Firewall-1-INPUT – This is a user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains.

Installation of Iptables

We can iptables via following command.

[[email protected] ~]# install iptables -y


Check iptable version :

[[email protected] ~]# iptables –version
iptables v1.3.5

Check iptables status :

[[email protected] ~]# service iptables status

Start  iptables :

[[email protected] ~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]

To set iptables start at boot :

[[email protected] ~]# chkconfig iptables on

The default configuration file of is /etc/sysconfig/iptables. It is the system that activate the firewall by reading this file

Iptable Rules

1. Reset all rules (F) and chains (X), necessary if have already defined iptables rules

#iptables -t filter -F
#iptables -t filter -X

2. Display Status of the firewall

#iptables -L -n -v

3.  Blocking null packets.

#iptables -A INPUT -p tcp –tcp-flags ALL NONE -j DROP

 4. Reject SYN -FLOOD  attack.

#iptables -A INPUT -p tcp ! –syn -m state –state NEW -j DROP

5. Reject a recon Packet

#iptables -A INPUT -p tcp –tcp-flags ALL ALL -j DROP

6. Adding localhost interface to the firewall filter

#iptables -A INPUT -i lo -j ACCEPT

7. Allow web traffic

#iptables -A INPUT -p tcp -m tcp –dport 80 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp –dport 443 -j ACCEPT

8. Allow users to use SMTP servers

#iptables -A INPUT -p tcp -m tcp –dport 25 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp –dport 465 -j ACCEPT

9.  Allow the users read on their server

allow POP3 traffic

#iptables -A INPUT -p tcp -m tcp –dport 110 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp –dport 995 -j ACCEPT

allow POP3 traffic

#iptables -A INPUT -p tcp -m tcp –dport 143 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp –dport 993 -j ACCEPT

10. Allow traffic

#iptables -A INPUT -p tcp -m tcp –dport 22 -j ACCEPT

allow traffic to SSH port if it comes from one source

#iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp –dport 22 -j ACCEPT

11. Allow any established outgoing connections to receive replies from the server

#iptables -I INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

12. Block an IP address

#iptables -A INPUT -s IP_ADDRESS -j DROP

13. Block a Port for a specific IP Address

#iptables -A INPUT -p tcp -s IP_ADDRESS –dport PORT -j DROP

14. Open a port for a Specific IP Address

#iptables -A INPUT -p tcp -s IP_ADDRESS –dport PORT -j ACCEPT

15. Allow Printer for a Specific IP address

#iptables -A INPUT -s IP_ADDRESS -p udp -m udp –dport 631 -j ACCEPT

16. Open DNS

#iptables -A INPUT -m state –state NEW -p tcp –dport 53 -j ACCEPT

17. Open Port

#iptables -A INPUT -p tcp –dport 3306 -j ACCEPT

18. Open a Range of Ports (eg : 7000-7100 )

#iptables -A INPUT -m state –state NEW -m tcp -p tcp –dport 7000:7100 -j ACCEPT

After setting all the rules , you need to save the rules and restart the iptables

#service iptables save

#service iptables restart

Print Friendly



Bài viết liên quan