How to allow or denied on iptables firewall on centos. To configure iptables static file on centos.
You may reading link as below:
Input Rule
Updating later...
You may reading link as below:
*filterIptables Restricting Access By Time Of The Day
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#### Mail port ###
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.9.0/24
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.9.0/24
####End mail ports###
####To limit the connectios per ip we use####
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
#####To set the connection rate-limit to reject 4 or more connections attempts within 60 seconds#####
-A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update \ --seconds 60 --hitcount 4 -j REJECT
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
-N syn_flood
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
-A syn_flood -j DROP
#Limiting the incoming icmp ping request:
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
-A INPUT -p icmp -j DROP
-A OUTPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
COMMIT
Input Rule
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 192.168.131.129 --dport 22 -m state --state NEW,ESTABLISHED -m time --timestart 01:00 --timestop 03:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPTOutput Rule
iptables -A OUTPUT -p tcp -s 192.168.131.129 --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -m time --timestart 01:00 --timestop 03:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPTiptables rules for DNS
# UDP
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# TCP
iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
Updating later...
Thanks for reading iptables examples My blog Effortless Zimbra Mail Management: Unleashing the Power of Linux Commands, How-To, and Bash Scripts I hope this is useful.
2 Comments
Why do we need specific rules for DNS in INPUT chain if we already have "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"?
RelayThanks.
"Why do we need specific rules for DNS in INPUT chain if we already have "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
RelayYes, you're right! you test environment ok ?