iptables examples

How to allow or denied on iptables firewall on centos. To configure iptables static file on centos.
 You may reading link as below:







*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#### Mail port ###
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.9.0/24
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.9.0/24
####End mail ports###
####To limit the connectios per ip we use####
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
#####To set the connection rate-limit to reject 4 or more connections attempts within 60 seconds#####
-A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update \ --seconds 60 --hitcount 4 -j REJECT
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
-N syn_flood
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
-A syn_flood -j DROP
#Limiting the incoming icmp ping request:
-A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
-A INPUT -p icmp -j DROP
-A OUTPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
COMMIT
Iptables Restricting Access By Time Of The Day
Input Rule
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 192.168.131.129 --dport 22 -m state --state NEW,ESTABLISHED -m time --timestart 01:00 --timestop 03:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
Output Rule
iptables -A OUTPUT -p tcp -s 192.168.131.129 --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -m time --timestart 01:00 --timestop 03:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
iptables rules for DNS

# UDP
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# TCP
iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

Updating later...
Labels:

2 comments:

  1. tmhoang, Ho Chi Minh City, VietnamMarch 2, 2018 at 3:49 PM

    Why do we need specific rules for DNS in INPUT chain if we already have "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"?

    Thanks.

    ReplyDelete
  2. HuuPVMarch 4, 2018 at 9:29 PM

    "Why do we need specific rules for DNS in INPUT chain if we already have "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    Yes, you're right! you test environment ok ?

    ReplyDelete

Subscribe to: Post Comments (Atom)