Tips for updating IPTables:
Rules File Location:
/etc/sysconfig/iptables
Save with (as root, after the running ruleset looks right):
# iptables-save > /etc/sysconfig/iptables
Example ports setup:
# Path to the iptables binary used by the rules below
IPTABLES=/sbin/iptables
#################################
## What we allow
#################################
# tcp ports
# smtp
$IPTABLES -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# http
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# pop3
$IPTABLES -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# imap
$IPTABLES -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# https
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# smtp over SSL
$IPTABLES -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
# line printer spooler
$IPTABLES -A INPUT -p tcp -m tcp --dport 515 -j REJECT
# cups
$IPTABLES -A INPUT -p tcp -m tcp --dport 631 -j REJECT
## restrict some tcp things (192.168.nnn.0/16: fill in your own LAN network) ##
# samba (netbios)
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.nnn.0/16 --dport 137:139 -j ACCEPT
# webmin
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.nnn.0/16 --dport 10000 -j ACCEPT
# ssh
$IPTABLES -A INPUT -p tcp -m tcp -s 192.168.nnn.0/16 --dport 22 -j REJECT
# udp ports
# DNS
$IPTABLES -A INPUT -p udp -m udp --dport 53 -j ACCEPT
## restrict some udp things ##
# DHCP
$IPTABLES -A INPUT -p udp -m udp --dport 67:68 -j REJECT
# NTP
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j REJECT
# SNMP
$IPTABLES -A INPUT -p udp -m udp --dport 161:162 -j REJECT
# Samba (Netbios)
$IPTABLES -A INPUT -p udp -m udp -s 192.168.nnn.0/16 --dport 137:139 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --sport 137:138 -j ACCEPT
# finally - drop the rest
# Note: this only drops new TCP connections (SYN); UDP traffic not matched
# above falls through to the INPUT chain's default policy.
$IPTABLES -A INPUT -p tcp --syn -j DROP
Specific Range Examples:
| Source spec | Meaning |
| --- | --- |
| 0/0 | source can be ANY IP address |
| 0.0.0.0/0.0.0.0 | source can be ANY IP address |
| 1.2.3.4/32 | source can ONLY be this IP address |
| 1.2.3.4/255.255.255.255 | source can ONLY be this IP address |
| 1.2.3.0/24 | source can be any IP address from 1.2.3.0 to 1.2.3.255 |
| 1.2.3.0/255.255.255.0 | source can be any IP address from 1.2.3.0 to 1.2.3.255 |
| 1.2.0.0/16 | source can be any IP address from 1.2.0.0 to 1.2.255.255 |
| 1.2.0.0/255.255.0.0 | source can be any IP address from 1.2.0.0 to 1.2.255.255 |
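The following is an added example (not part of the original page) that checks the source-spec notation in the table above and emulates the first-match walk down a chain like the one in the ports setup; the rule list is constructed here, and 192.168.0.0/16 stands in for the page's 192.168.nnn.0/16 placeholder.

```python
import ipaddress

def parse_source(spec):
    """Normalise an iptables -s/-d argument into an IPv4Network.

    Handles the forms in the table: bare address (implies /32),
    address/prefixlen, address/dotted-netmask, and the "0/0" shorthand.
    """
    addr, _, mask = spec.partition("/")
    if addr == "0":          # iptables accepts "0/0" for 0.0.0.0/0
        addr = "0.0.0.0"
    if not mask:             # no mask given: match this one host
        mask = "32"
    # strict=False: host bits may be set, e.g. "1.2.3.4/24"
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def address_range(spec):
    """First and last address a source spec matches, as strings."""
    net = parse_source(spec)
    return str(net.network_address), str(net.broadcast_address)

def source_matches(spec, ip):
    return ipaddress.IPv4Address(ip) in parse_source(spec)

# Constructed rule list modelled on the page's INPUT chain (ports only):
# (proto, source spec, (low port, high port), target)
RULES = [
    ("tcp", "0/0",            (80, 80),    "ACCEPT"),
    ("tcp", "0/0",            (443, 443),  "ACCEPT"),
    ("tcp", "192.168.0.0/16", (22, 22),    "REJECT"),
    ("udp", "0/0",            (53, 53),    "ACCEPT"),
    ("udp", "0/0",            (161, 162),  "REJECT"),
    ("tcp", "0/0",            (1, 65535),  "DROP"),   # the final "tcp --syn" drop
]

def first_match(rules, proto, src, dport):
    """Emulate netfilter's first-match walk down the chain.

    Returns the target of the first matching rule, or "POLICY" when the
    packet falls off the end and the chain's default policy decides.
    """
    for r_proto, spec, (lo, hi), target in rules:
        if r_proto == proto and lo <= dport <= hi and source_matches(spec, src):
            return target
    return "POLICY"

if __name__ == "__main__":
    print(address_range("1.2.3.0/255.255.255.0"))    # ('1.2.3.0', '1.2.3.255')
    print(first_match(RULES, "tcp", "10.9.8.7", 22))   # DROP: ssh from outside the LAN
    print(first_match(RULES, "udp", "10.9.8.7", 500))  # POLICY: no rule covers other udp
```

The last call shows why the chain's default policy matters: the page's final rule only drops TCP SYN packets, so unlisted UDP ports are decided by the INPUT policy.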
Rules Examples:
| Option | Meaning |
| --- | --- |
| -m state --state NEW | matches only packets whose connection-tracking state is NEW. This can be any one of, or a comma-separated list of, the four possible states |
| -p tcp | apply this rule to packets using the TCP protocol only. This can be any one of tcp, udp, icmp or all (the default). The exclamation mark can be used to invert the match |
| --dport 80 (or --destination-port) | matches a packet trying to connect to port 80. The exclamation mark can be used to invert this match as well. A range of ports can be given in the format begin:end |
| -i eth0 (or --in-interface eth0) | name of the interface on which the packet is received. The interfaces on your computer can be listed with the command 'ifconfig'. In this example your computer is connected to the Internet through the first (or only) ethernet card |
| -j ACCEPT | the target. In this case, if the incoming packet is creating a new TCP connection from anywhere to port 80 on your computer through the first ethernet card, we allow it through |
Rule List By Number:
$ sudo iptables -L --line-numbers
Delete Rule By Line Number:
$ sudo iptables -D INPUT 3