Huu Phan | Blog Linux operating system | Linux operating system -Blog Huu Phan | www.huuphan.com

iptables examples

How to allow or deny traffic with the iptables firewall on CentOS, and how to configure the static iptables rules file on CentOS.
You can read the related post at the link below:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# User chain for syn-flood protection, declared in iptables-save syntax (the same as -N syn_flood)
:syn_flood - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Interface 0 incoming syn-flood protection: limit the number of incoming tcp connections.
# Every SYN goes through syn_flood; RETURN continues with the rules below, DROP discards the excess.
# Note that this limit is global, not per source address.
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
-A syn_flood -j DROP
#### Limiting the incoming icmp ping request ####
# These rules must come before any blanket "-p icmp -j ACCEPT", otherwise they are never reached.
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix "PING-DROP:"
-A INPUT -p icmp -j DROP
#### SSH connection limits: placed before the port 22 ACCEPT so that they take effect ####
# To limit the connections per ip we use connlimit (more than 3 concurrent connections are rejected)
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
# To set the connection rate-limit to reject 4 or more connection attempts within 60 seconds
-A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j REJECT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#### Mail ports ###
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
# LDAP (389) and the Zimbra admin console (7071) are only reachable from the management network
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -s 10.10.9.0/24 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -s 10.10.9.0/24 -j ACCEPT
#### End mail ports ###
-A OUTPUT -p icmp -j ACCEPT
# Catch-all for everything not accepted above; a trailing "-A INPUT -j DROP" would never be reached after this REJECT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
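A ruleset like this only does what its comments say if the limiting rules sit above the unconditional ACCEPT for the same port or protocol: iptables stops at the first terminating match, so a `--dport 22 -j ACCEPT` placed before a `-m recent ... -j REJECT` leaves the REJECT dead. The script below is an added example, not code from the original post. It reads an iptables-save style file (for instance the static file loaded by the iptables service) and reports rules that an earlier ACCEPT/DROP/REJECT in the same chain already swallows. The embedded sample ruleset is constructed to show the problem, `find_shadowed` and `covers` are hypothetical helper names, and the coverage test is an approximation of iptables first-match semantics rather than the kernel's logic.

```python
"""Report rules in an iptables-save style file that can never match because an
earlier ACCEPT/DROP/REJECT in the same chain already takes all of their traffic.
Added example, not code from the original post; the coverage test approximates
iptables first-match semantics and errs on the side of reporting less."""
import sys
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple

TERMINATING = {"ACCEPT", "DROP", "REJECT"}
LIMITER_MATCHES = {"limit", "connlimit", "recent"}   # depend on packet history
# Option names that add nothing to the coverage comparison beyond what we record
IGNORED = {"--limit", "--limit-burst", "--connlimit-above", "--set", "--update",
           "--rcheck", "--seconds", "--hitcount", "--reject-with", "--log-prefix"}


@dataclass
class Rule:
    line_no: int
    chain: str
    proto: Optional[str] = None
    dport: Optional[str] = None
    in_iface: Optional[str] = None
    source: Optional[str] = None
    states: Optional[FrozenSet[str]] = None
    syn: bool = False
    limiter: bool = False
    target: Optional[str] = None
    unknown: Set[str] = field(default_factory=set)


def parse_rule(line_no: int, line: str) -> Optional[Rule]:
    """Parse one '-A CHAIN ...' line; headers, comments and COMMIT give None."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = Rule(line_no=line_no, chain=tokens[1])
    i = 2
    while i < len(tokens):
        opt = tokens[i]
        has_val = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        val = tokens[i + 1] if has_val else None
        i += 2 if has_val else 1
        if opt == "-p":
            rule.proto = val
        elif opt == "--dport":
            rule.dport = val
        elif opt == "-i":
            rule.in_iface = val
        elif opt == "-s":
            rule.source = val
        elif opt == "-j":
            rule.target = val
        elif opt == "--state":
            rule.states = frozenset(val.split(","))
        elif opt == "--syn":
            rule.syn = True
        elif opt == "-m":
            if val in LIMITER_MATCHES:
                rule.limiter = True
        elif opt not in IGNORED:
            rule.unknown.add(opt)   # unknown qualifier: never claim coverage with it
    return rule


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet 'later' could see is already matched by 'earlier'."""
    if earlier.chain != later.chain or earlier.limiter or earlier.unknown:
        return False
    for attr in ("proto", "dport", "in_iface", "source"):
        e_val, l_val = getattr(earlier, attr), getattr(later, attr)
        if e_val is not None and e_val != l_val:
            return False
    if earlier.states is not None:
        if later.states is None or not later.states <= earlier.states:
            return False
    return not earlier.syn or later.syn


def find_shadowed(ruleset: str) -> List[Tuple[int, int]]:
    """Return (unreachable_line, shadowing_line) pairs in file order."""
    rules = [r for r in (parse_rule(n, line.strip())
                         for n, line in enumerate(ruleset.splitlines(), 1)) if r]
    findings = []
    for idx, later in enumerate(rules):
        for earlier in rules[:idx]:
            if earlier.target in TERMINATING and covers(earlier, later):
                findings.append((later.line_no, earlier.line_no))
                break
    return findings


# Constructed sample: limiter rules sit below the blanket ACCEPTs they must precede
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
-A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j REJECT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for unreachable, by in find_shadowed(text):
        print(f"line {unreachable} can never match: line {by} already takes its traffic")
```

Run it with no argument to see the sample findings, or pass the path of the rules file. On the sample it reports the two `-m recent` rules (shadowed by the port 22 ACCEPT) and both ICMP rules below the blanket ICMP ACCEPT; the `connlimit` rule is not reported because it carries no `--state` qualifier while the ACCEPT does, and the check only claims coverage when it is sure. Moving the limiters above the ACCEPTs, as in the ruleset above, makes the report empty.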
Iptables Restricting Access By Time Of The Day
Input Rule
# -m time takes --weekdays (the older ipt_time patch called this option --days); times are compared in UTC unless --kerneltz is given
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 192.168.131.129 --dport 22 -m state --state NEW,ESTABLISHED -m time --timestart 01:00 --timestop 03:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
Output Rule
iptables -A OUTPUT -p tcp -s 192.168.131.129 --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -m time --timestart 01:00 --timestop 03:00 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
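The time match has a caveat the two rules above do not show: xt_time compares the packet against the UTC clock unless the rule carries --kerneltz, so a 01:00-03:00 window on a server whose local zone is not UTC opens at a different wall-clock hour than the administrator intended. The Python below is an added example, not code from the post; `time_match` and `window_open_at_local` are hypothetical helpers that reproduce the window check (weekday set, start/stop minutes, wrap past midnight) for a constructed server in UTC+7.

```python
"""Evaluate an iptables '-m time' window (--timestart/--timestop/--weekdays)
the way xt_time does. Added example, not from the original post: the UTC+7
zone and the instants tested are constructed for the demo. xt_time uses the
UTC clock unless the rule carries --kerneltz."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def _minute_of_day(hhmm: str) -> int:
    """'HH:MM' (seconds optional) -> minutes since midnight."""
    hours, minutes = hhmm.split(":")[:2]
    return int(hours) * 60 + int(minutes)


def time_match(packet_time: datetime, timestart: str, timestop: str,
               weekdays: Iterable[str], kerneltz: Optional[timezone] = None) -> bool:
    """Return True if an aware packet_time falls inside the rule's window.

    Without --kerneltz the comparison uses the UTC clock; with it, the kernel
    zone (passed here as kerneltz). A timestop before timestart wraps past
    midnight, and the weekday is taken from the same clock as the time."""
    clock = packet_time.astimezone(kerneltz or timezone.utc)
    if WEEKDAYS[clock.weekday()] not in set(weekdays):
        return False
    now = clock.hour * 60 + clock.minute
    start, stop = _minute_of_day(timestart), _minute_of_day(timestop)
    if start <= stop:
        return start <= now <= stop
    return now >= start or now <= stop


# Constructed scenario: the server's local zone is UTC+7 (assumption) and the
# admin expects the 01:00-03:00 Mon-Fri SSH window in local time.
LOCAL = timezone(timedelta(hours=7))
RULE = {"timestart": "01:00", "timestop": "03:00",
        "weekdays": ("Mon", "Tue", "Wed", "Thu", "Fri")}


def window_open_at_local(year: int, month: int, day: int, hour: int, minute: int,
                         rule: Dict = RULE) -> Dict[str, bool]:
    """Evaluate one local wall-clock instant for the rule written without
    --kerneltz ('utc_rule') and with it ('kerneltz_rule')."""
    local = datetime(year, month, day, hour, minute, tzinfo=LOCAL)
    return {
        "utc_rule": time_match(local, **rule),
        "kerneltz_rule": time_match(local, kerneltz=LOCAL, **rule),
    }


if __name__ == "__main__":
    # Tuesday 02:00 local: the admin expects the window to be open
    print("Tue 02:00 local:", window_open_at_local(2024, 1, 16, 2, 0))
    # Tuesday 09:00 local is 02:00 UTC: the UTC rule opens the window here instead
    print("Tue 09:00 local:", window_open_at_local(2024, 1, 16, 9, 0))
```

The first call shows the UTC-based rule closed at the hour the administrator meant, and the second shows it open six hours after the local window should have ended; adding `--kerneltz` to the rule (or writing the window in UTC) removes the gap.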
iptables rules for DNS

# UDP
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# TCP
iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

Updating later...
Thanks for reading "iptables examples" on my blog (Zimbra Mail Server, linux, bash script, centos, linux command). I hope this is useful.

2 comments

Why do we need specific rules for DNS in INPUT chain if we already have "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"?

Thanks.


"Why do we need specific rules for DNS in INPUT chain if we already have "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
Yes, you're right! Is your test environment OK?