25 Useful IPtable Firewall Rules Every Linux Administrator Should Know
by Marin Todorov | Published: March 1, 2016

Managing network traffic is one of the toughest jobs a system administrator has to deal with. He must configure the firewall in such a way that it will meet the system's and users' requirements for both incoming and outgoing connections, without leaving the system vulnerable to attacks.
IPtables Firewall Rules for Linux

This is where iptables comes in handy. Iptables is a Linux command line firewall that allows system administrators to manage incoming and outgoing traffic via a set of configurable table rules. Iptables uses a set of tables which have chains that contain sets of built-in or user-defined rules. Thanks to them a system administrator can properly filter the network traffic of his system.

Per the iptables manual, there are currently three types of tables:

1. FILTER: this is the default table, which contains the built-in chains for:
   1. INPUT - packets destined for local sockets
   2. FORWARD - packets routed through the system
   3. OUTPUT - packets generated locally

2. NAT: a table that is consulted when a packet tries to create a new connection. It has the following built-in chains:
   1. PREROUTING - used for altering a packet as soon as it's received
   2. OUTPUT - used for altering locally generated packets
   3. POSTROUTING - used for altering packets as they are about to go out

3. MANGLE: this table is used for packet altering. Until kernel version 2.4, this table had only two chains, but they are now five:
   1. PREROUTING - for altering incoming connections
   2. OUTPUT - for altering locally generated packets
   3. INPUT - for incoming packets
   4. POSTROUTING - for altering packets as they are about to go out
   5. FORWARD - for packets routed through the box

In this article, you will see some useful commands that will help you manage your Linux box firewall through iptables. For the purpose of this article, I will start with simpler commands and go on to more complex ones towards the end.
1. Start/Stop/Restart IPtables Firewall

First, you should know how to manage the iptables service in different Linux distributions. This is fairly easy:

On SystemD based Linux Distributions
------------ On CentOS/RHEL 7 and Fedora 22+ ------------
# systemctl start iptables
# systemctl stop iptables
# systemctl restart iptables

On SysVinit based Linux Distributions
------------ On CentOS/RHEL 6/5 and Fedora ------------
# /etc/init.d/iptables start
# /etc/init.d/iptables stop
# /etc/init.d/iptables restart
2. Check all IPtables Firewall Rules

If you want to check your existing rules, use the following command:

# iptables -L -n -v

This should return output similar to the one below:

Chain INPUT (policy ACCEPT 1129K packets, 415M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:67
    0     0 ACCEPT     udp  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lxcbr0  0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  lxcbr0 *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 354K packets, 185M bytes)
 pkts bytes target     prot opt in     out     source               destination

If you prefer to check the rules for a specific table, you can use the -t option followed by the table which you want to check. For example, to check the rules in the NAT table, you can use:

# iptables -t nat -L -v -n
3. Block Specific IP Address in IPtables Firewall

If you find unusual or abusive activity from an IP address you can block that IP address with the following rule:

# iptables -A INPUT -s xxx.xxx.xxx.xxx -j DROP

Where you need to change "xxx.xxx.xxx.xxx" with the actual IP address. Be very careful when running this command as you can accidentally block your own IP address. The -A option appends the rule at the end of the selected chain. In case you only want to block TCP traffic from that IP address, you can use the -p option that specifies the protocol. That way the command will look like this:

# iptables -A INPUT -p tcp -s xxx.xxx.xxx.xxx -j DROP
4. Unblock IP Address in IPtables Firewall

If you have decided that you no longer want to block requests from a specific IP address, you can delete the blocking rule with the following command:

# iptables -D INPUT -s xxx.xxx.xxx.xxx -j DROP

The -D option deletes one or more rules from the selected chain. If you prefer to use the longer option you can use --delete.
5. Block Specific Port on IPtables Firewall

Sometimes you may want to block incoming or outgoing connections on a specific port. It's a good security measure and you should really think about that matter when setting up your firewall. To block outgoing connections on a specific port use:

# iptables -A OUTPUT -p tcp --dport xxx -j DROP

To allow incoming connections use:

# iptables -A INPUT -p tcp --dport xxx -j ACCEPT

In both examples change "xxx" with the actual port you wish to allow. If you want to block UDP traffic instead of TCP, simply change
6. Allow Multiple Ports on IPtables using Multiport

You can allow multiple ports at once by using multiport. Below you can find such rules for both incoming and outgoing connections:

# iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
# iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT

7. Allow Specific Network Range on Particular Port on IPtables

You may want to limit certain connections on a specific port to a given network. Let's say you want to allow outgoing connections on port 22 to network 192.168.100.0/24. You can do it with this command:

# iptables -A OUTPUT -p tcp -d 192.168.100.0/24 --dport 22 -j ACCEPT
8. Block Facebook on IPtables Firewall

Some employers like to block access to Facebook for their employees. Below is an example of how to block traffic to Facebook.

Note: If you are a system administrator and need to apply these rules, keep in mind that your colleagues may stop talking to you :)

First find the IP addresses used by Facebook:

# host facebook.com
facebook.com has address 66.220.156.68

# whois 66.220.156.68 | grep CIDR
CIDR:           66.220.144.0/20

You can then block that Facebook network with:

# iptables -A OUTPUT -p tcp -d 66.220.144.0/20 -j DROP

Keep in mind that the IP address range used by Facebook may vary in your country.
9. Setup Port Forwarding in IPtables

Sometimes you may want to forward one service's traffic to another port. You can achieve this with the following command:

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 25 -j REDIRECT --to-ports 2525

The above command redirects all incoming traffic on network interface eth0 from port 25 to port 2525. You may change the ports with the ones you need.
10. Block Network Flood on Apache Port with IPtables

Sometimes IP addresses may request too many connections towards web ports on your website. This can cause a number of issues and, to prevent such problems, you can use the following rule:

# iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT

The above command limits the incoming connections per minute to 100 and sets a limit burst of 200. You can edit the limit and limit-burst to your own specific requirements. Note that this rule only accepts the packets that fit within the limit; anything above it falls through to the rules that follow and, finally, to the chain's default policy, so a DROP rule for port 80 (or a DROP policy on INPUT) must come after it for the excess to actually be blocked.
11. Block Incoming Ping Requests on IPtables

Some system administrators like to block incoming ping requests due to security concerns. While the threat is not that big, it's good to know how to block such requests:

# iptables -A INPUT -p icmp -i eth0 -j DROP
12. Allow loopback Access

Loopback access (access from 127.0.0.1) is important and you should always leave it active:

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A OUTPUT -o lo -j ACCEPT
13. Keep a Log of Dropped Network Packets on IPtables

If you want to log the dropped packets on network interface eth0, you can use the following command:

# iptables -A INPUT -i eth0 -j LOG --log-prefix "<prefix>"

You can change the value after "--log-prefix" to something of your choice. LOG is a non-terminating target, so this rule records every packet that reaches it; append it as the last rule in the chain, just before the DROP policy takes over, so that only packets about to be dropped are logged. The messages are logged in /var/log/messages and you can search for them with:

# grep "<prefix>" /var/log/messages
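On a busy host the raw LOG lines are too noisy to read one by one, so they are normally aggregated. The following is an added example, not code from the article: a POSIX shell script that parses syslog-style kernel lines written by a LOG rule and counts dropped packets per source address and destination port. The log lines are constructed for the example, and the prefix "IPTables-Dropped:" is an assumed value for --log-prefix; on a real system the same functions would be fed from /var/log/messages.

```shell
#!/bin/sh
# Summarise iptables LOG-target hits from syslog-style kernel messages.
# Added example; the log lines below are constructed, and the prefix
# "IPTables-Dropped:" is an assumed value for --log-prefix.

SAMPLE_LOG='Mar  1 10:00:01 host kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51514 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:02 host kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51515 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:02 host sshd[2210]: Accepted publickey for admin from 192.0.2.50 port 40022 ssh2
Mar  1 10:00:03 host kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=7 DF PROTO=TCP SPT=61000 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  1 10:00:04 host kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=51516 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:05 host kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=114 ID=8 DF PROTO=TCP SPT=61001 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar  1 10:00:06 host kernel: IPTables-Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=1237 DF PROTO=UDP SPT=40000 DPT=161 LEN=58'

# Must match the value given to --log-prefix on the LOG rule.
LOG_PREFIX="${LOG_PREFIX:-IPTables-Dropped:}"

# Read log lines on stdin; print "SRC PROTO DPT count", busiest first.
drops_by_src_port() {
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) == 0 { next }          # not one of our LOG hits
        {
            src = ""; dpt = ""; proto = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)        src = substr($i, 5)
                else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
                else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            if (src != "" && dpt != "") count[src " " proto " " dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k4,4nr -k1,1
}

# Read log lines on stdin; print "SRC count", busiest first.
drops_by_src() {
    awk -v prefix="$LOG_PREFIX" '
        index($0, prefix) == 0 { next }
        {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) count[substr($i, 5)]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort -k2,2nr -k1,1
}

# On a real system:  grep "$LOG_PREFIX" /var/log/messages | drops_by_src_port
printf '%s\n' "$SAMPLE_LOG" | drops_by_src_port
```

The script keys on the prefix rather than on the word "kernel" so that unrelated kernel messages are never counted, and it aggregates on source plus destination port because one source probing several ports and many sources hitting one port call for different responses.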
14. Block Access to Specific MAC Address on IPtables

You can block access to your system from a specific MAC address by using:

# iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP

Of course, you will need to change "00:00:00:00:00:00" with the actual MAC address that you want to block.
15. Limit the Number of Concurrent Connections per IP Address

If you don't want to have too many concurrent connections established from a single IP address on a given port you can use the command below:

# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT

The above command allows no more than 3 connections per client. Of course, you can change the port number to match a different service. Also the --connlimit-above value should be changed to match your requirement.
16. Search within IPtables Rules

Once you have defined your iptables rules, you will want to search through them from time to time and may need to alter them. An easy way to search within your rules is to use:

# iptables -L $table -v -n | grep $string

In the above example, you will need to change $table with the actual table within which you wish to search (-L takes a chain name such as INPUT; use -t to select a table other than filter) and $string with the actual string you are looking for. Here is an example:

# iptables -L INPUT -v -n | grep 192.168.0.100
17. Define New IPTables Chain

With iptables, you can define your own chain and store custom rules in it. To define a chain, use:

# iptables -N custom-filter

Listing the rules now shows the new chain:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain custom-filter (0 references)
target     prot opt source               destination
18. Flush IPtables Firewall Chains or Rules

If you want to flush your firewall chains, you can use:

# iptables -F

You can flush chains from a specific table with:

# iptables -t nat -F

You can change
19. Save IPtables Rules to a File

If you want to save your firewall rules, you can use the iptables-save command. You can use the following to save and store your rules in a file:

# iptables-save > ~/iptables.rules

It's up to you where you will store the file and how you will name it.
20. Restore IPtables Rules from a File

If you want to restore a list of iptables rules, you can use iptables-restore. The command looks like this:

# iptables-restore < ~/iptables.rules

Of course the path to your rules file might be different.
21. Setup IPtables Rules for PCI Compliance

Some system administrators might be required to configure their servers to be PCI compliant. There are many requirements by different PCI compliance vendors, but there are a few common ones. In many of the cases, you will need to have more than one IP address. You will need to apply the rules below for the site's IP address (SITE is a placeholder for that address). Be extra careful when using the rules below and use them only if you are sure what you are doing:

# iptables -I INPUT -d SITE -p tcp -m multiport --dports 21,25,110,143,465,587,993,995 -j DROP

If you use cPanel or a similar control panel, you may need to block its ports as well. Here is an example, where DEDIIP is a placeholder for the IP address in question:

# iptables -I INPUT -d DEDIIP -p tcp -m multiport --dports 2082,2083,2095,2096,2525,2086,2087 -j DROP

Note: To make sure you meet your PCI vendor's requirements, check their report carefully and apply the required rules. In some cases you may need to block UDP traffic on certain ports as well.
22. Allow Established and Related Connections

As the network traffic is separated into incoming and outgoing, you will want to allow established and related incoming traffic. For incoming connections do it with:

# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

For outgoing use:

# iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

23. Drop Invalid Packets in IPtables

It's possible to have some network packets marked as invalid. Some people may prefer to log those packets, but others prefer to drop them. To drop the invalid packets, you can use:

# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
24. Block Connection on Network Interface

Some systems may have more than one network interface. You can limit the access to that network interface or block connections from a certain IP address. For example:

# iptables -A INPUT -i eth0 -s xxx.xxx.xxx.xxx -j DROP

Change "xxx.xxx.xxx.xxx" with the actual IP address (or network) that you wish to block.
25. Disable Outgoing Mails through IPTables

If your system should not be sending any emails, you can block outgoing connections on the SMTP ports. For example you can use this:

# iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
Conclusion

Iptables is a powerful firewall that you can easily benefit from. It is vital for every system administrator to learn at least the basics of iptables. If you want to find more detailed information about iptables and its options it is highly recommended to read its manual:

# man iptables

If you think we should add more commands to this list, please share them with us by submitting them in the comment section below.
Linux Firewall (iptables, system-config-firewall)

This article covers basic Linux firewall management, with specific reference to the information needed for the RHCSA EX200 certification exam. Extra information is required for the RHCE EX300 certification exam, which will be supplied by another article. Remember, the exams are hands-on, so it doesn't matter which method you use to achieve the result, so long as the end product is correct.

• Installation
• system-config-firewall
• system-config-firewall-tui
• iptables
• Quick Database Setup

Related articles.

• Linux Firewall (firewalld, firewall-cmd, firewall-config)
Installation

Most installations will include the firewall functionality. If you need to manually install it, the following commands will install the IPv4 and IPv6 firewall functionality. In this article we will only consider the IPv4 settings.

# yum install iptables
# yum install iptables-ipv6
Make sure the service is started and will auto-start on reboot.

# service iptables start
# chkconfig --level 345 iptables on

You can check the current status of the service using the following command.

# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:21
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:443
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

#

To disable the firewall, run the following commands.

# service iptables stop
# chkconfig iptables off
system-config-firewall

The GUI screen to control the firewall is available from the menu (System > Administration > Firewall) or can be started from the command line using the system-config-firewall command. If it is not already present, it can be installed using the following command.

# yum install system-config-firewall

Once started, the toolbar provides buttons to allow the firewall to be enabled/disabled. You can also configure basic trusted services, such as SSH, FTP and HTTP, by putting a tick in the appropriate checkbox and clicking the "Apply" button on the toolbar.

The "Other Ports" section allows you to open ports that are not covered in the "Trusted Services" section.
system-config-firewall-tui

The TUI utility is similar to the GUI utility shown above, but it feels incredibly clumsy in comparison. If it is not already present, it can be installed using the following command.

# yum install system-config-firewall-tui

Running the system-config-firewall-tui command from the command line produces the top-level screen, allowing you to enable/disable the firewall. Use the space bar to toggle the setting, the tab key to navigate between buttons and the return key to click them.

To alter the Trusted Services, tab to the "Customize" button and press the return key. Amend the list using the arrow and space keys.

You can close out of the customization section at any point. The other sections of the GUI tool are available by clicking the "Forward" button on each successive screen.
iptables

In addition to the GUI and TUI interfaces, the firewall rules can be amended directly using the iptables command. There are a vast number of parameters, so I will just focus on the elements necessary for the RHCSA exam.

The firewall consists of chains of rules that determine what action should be taken for packets processed by the system. By default, there are three chains defined:

• INPUT : Used to check all packets coming into the system.
• OUTPUT : Used to check all packets leaving the system.
• FORWARD : Used to check all packets being routed by the system. Unless you are using your server as a router, this chain is unnecessary.

Each chain can contain multiple explicit rules that are checked in order. If a rule matches, the associated action (ACCEPT and DROP being the most common) is taken. If no specific rule is found, the default policy is used to determine the action to take. Since the default policy is a catch-all, one of two basic methods can be chosen for each chain.

• Set the default policy to ACCEPT and explicitly DROP things you don't want.
• Set the default policy to DROP and explicitly ACCEPT things you do want.
The safest option is to set the default policy to DROP for the INPUT and FORWARD chains, so it is perhaps a little surprising that the GUI and TUI tools set the default policies to ACCEPT, then use an explicit REJECT as the last rule in these chains.

# iptables -L -v --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       11   812 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
2        0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
3        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
4        1   100 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
5        0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 6 packets, 744 bytes)
num   pkts bytes target     prot opt in     out     source               destination
#
This works fine, but if you accidentally get rid of the last rule in the chain you are in trouble. For this reason, for the remainder of this section I will assume that the default policy for INPUT and FORWARD is DROP. For the OUTPUT chain I will assume any packets originating from the system are safe, so I will ACCEPT any outgoing packets.

The default policy for a chain is set using the "-P" flag. In the following example, assuming no specific rules were present, all communication to and from the server would be prevented.

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

Warning: If you are administering the firewall via SSH, having a default INPUT policy of DROP will cut your session off if you get rid of the explicit rules that accept SSH access. As a result, it makes sense to start any administration by setting the default policies to ACCEPT and only switch them back to DROP once the chains have been built to your satisfaction. The following example temporarily sets the default policies to ACCEPT.

# iptables -P INPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -P OUTPUT ACCEPT

The next thing we want to do is flush any existing rules, leaving just the default policies. This is done using the "-F" flag.

# iptables -F
Rules are appended to a chain using the -A flag, for example:

# Accept packets on a specific port.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Accept packets from connections in a specific state.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Combinations of all of the above.
iptables -A INPUT -i eth0 -p tcp -s 192.168.122.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Once the explicit rules are defined, we need to set the real default policies.

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT

Rule and policy definitions take effect immediately. To make sure they persist beyond a reboot the current configuration must be saved to the "/etc/sysconfig/iptables" file using the following command.

# service iptables save

If you are using Fedora, you may need to use the following command instead.

# iptables-save > /etc/sysconfig/iptables

As you can imagine, even in a simple configuration this process can get a bit long-winded, so it makes sense to combine all the elements of the firewall definition into a single file so it can be amended and run repeatedly. Create a file called "/root/firewall.sh" with the following contents. Think of this as your starting point for each server.

#!/bin/bash

# Set the default policies to allow everything while we set up new rules.
# Prevents cutting yourself off when running from remote SSH.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

# Flush any existing rules, leaving just the defaults.
iptables -F

# Open port 21 for incoming FTP requests.
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# Open port 22 for incoming SSH connections.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Limit to eth0 from a specific IP subnet if required.
#iptables -A INPUT -i eth0 -p tcp -s 192.168.122.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# Open port 80 for incoming HTTP requests.
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Open port 443 for incoming HTTPS requests. Uncomment if required.
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# *** Put any additions to the INPUT chain here.
#
# *** End of additions to INPUT chain.

# Accept any localhost (loopback) calls.
iptables -A INPUT -i lo -j ACCEPT

# Allow any existing connection to remain.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Reset the default policies to stop all incoming and forward requests.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Accept any outbound requests from this server.
iptables -P OUTPUT ACCEPT

# Save the settings.
service iptables save
# Use the following command in Fedora.
#iptables-save > /etc/sysconfig/iptables

# Display the settings.
iptables -L -v --line-numbers
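The firewall.sh approach above applies rules one at a time, which is why it has to open the policies first and close them last. The alternative the page mentions for saving and restoring, iptables-save/iptables-restore, also allows the whole table to be loaded in one atomic step, so there is never a moment where the INPUT policy is already DROP but the SSH rule is not yet present. The following is an added example, not the article's script: a POSIX shell script that generates a complete filter table in iptables-restore format (combining the loopback, ESTABLISHED,RELATED and INVALID rules from the first article with the service ports of firewall.sh) and checks it for the lock-out condition described in the warning above before it is loaded. The management subnet 192.168.122.0/24 is reused from the commented-out rule in firewall.sh and is an assumption; the log prefix "IPTables-Dropped: " is a constructed value.

```shell
#!/bin/sh
# Build the filter table as one iptables-restore(8) ruleset and sanity-check
# it before it is loaded. Added example, not the article's script. Loading a
# whole table with iptables-restore is atomic, so the INPUT policy and the
# SSH ACCEPT rule always arrive together.
# ADMIN_NET is an assumed management subnet (the one commented out in
# firewall.sh); SSH_PORT defaults to 22.

SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-192.168.122.0/24}"

# Print the ruleset to stdout. Lines starting with "#" are ignored by
# iptables-restore, so the file can carry its own documentation.
generate_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first, then anything belonging to a connection we already accepted.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management access only from the admin subnet.
-A INPUT -p tcp -s ${ADMIN_NET} --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
# Public services.
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Record what the DROP policy is about to discard, rate-limited so the log cannot be flooded.
-A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "IPTables-Dropped: "
COMMIT
EOF
}

# Return 0 if the ruleset on stdin is safe to load from a remote session:
# it must end with COMMIT, and if INPUT's policy is DROP there must be an
# ACCEPT rule for the SSH port. Otherwise return 1.
check_ruleset() {
    ruleset=$(cat)
    printf '%s\n' "$ruleset" | grep -q '^COMMIT$' || return 1
    if printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP'; then
        printf '%s\n' "$ruleset" | grep -Eq -- "^-A INPUT .*--dport ${SSH_PORT}( |\$).*-j ACCEPT" || return 1
    fi
    return 0
}

# Usage (as root): write the file, check it, then load it atomically and persist it.
#   generate_ruleset > /root/firewall.rules
#   check_ruleset < /root/firewall.rules && iptables-restore < /root/firewall.rules
#   iptables-save > /etc/sysconfig/iptables
generate_ruleset
```

Because iptables-restore replaces the table as a unit, this file is also what you would keep under version control and diff before applying; the check function is deliberately conservative and refuses any file that could not be loaded safely over SSH.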
Make the file executable.

# chmod u+x /root/firewall.sh

Run the file to set the required firewall rules.

# /root/firewall.sh
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
Chain INPUT (policy DROP 4457 packets, 522K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ftp
2     1394  116K ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
3        0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:http
4        8   400 ACCEPT     all  --  lo     any     anywhere             anywhere
5    96358  138M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 50890 packets, 2890K bytes)
num   pkts bytes target     prot opt in     out     source               destination
#

The iptables command also allows you to insert (-I), delete (-D) and replace (-R) rules, but if you work using a file as described above, you never need to use these variations.
Quick Database Setup

If you are using the server as an Oracle database server, you will probably want to make sure the SSH and Oracle listener ports are accessible. You could lock these down to specific source IP addresses, but for a quick setup, you could just do the following, where "1521" is the port used for the listener.

# service iptables start
# chkconfig iptables on
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# iptables -A INPUT -p tcp --dport 1521 -j ACCEPT
# service iptables save
# service iptables status