Google Plus

Iptables: Some howto`s

Written by Mel Kham on . Posted in Linux tutorials

linux-logoIptables is a user space application program that allows a system administrator to configure the tables provided by Xtables (which in turn uses Netfilter) and the chains and rules it stores. Because iptables requires elevated privileges to operate, it must be executed by user root, otherwise it fails to function.

On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page , which can be opened using

“man iptables” when installed. iptables is also commonly used to inclusively refer to the kernel-level component Xtables that does the actual table traversal and provides an API for kernel-level extensions.

working with iptables from the command line requires root privileges, so you will need to be root for most things that you will do.

To check if the IPtables modules are already running with this command :

#lsmod | grep ip_tables

To see the firewall : blocked and allowed services

# iptables -L

example to alow SSH over your network you have to add this line :

#iptables -A INPUT -p tcp –dport ssh -j ACCEPT allow ssh to connect to external address : iptables -A OUTPUT -p tcp –sport 22 -j ACCEPT save the change with : #/sbin/service iptables save

Now, let’s allow all incoming web traffic

iptables -A INPUT -p tcp –dport 80 -j ACCEPT

ETHERNET INTERFACES eth0 eth1 and ppp0 for modems

To allow all packets from internet and Intranet :

iptables -A INPUT -i eth0 -j ACCEPT  (for  eth0)
iptables -A INPUT -i eth1   -j ACCEPT (for  ethermet card 2)
iptables -A INPUT -i  ppp0  -j ACCEPT  (from modem)

How to block some services or ports

# Allow loop-back access. This rule must come before the rules denying port access!!

 iptables -A INPUT -i lo -p all -j ACCEPT  - Rule for your computer to be able to access itself via the loopback
iptables -A OUTPUT -o lo -p all -j ACCEPT  
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP       - Block NFS 
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP       - Block NFS 
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP  - Block X-Windows 
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP       - Block X-Windows font server 
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP        - Block printer port 
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP        - Block printer port
 iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP        - Block Sun rpc/NFS 
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP        - Block Sun rpc/NFS 
iptables -A INPUT -p all -s localhost  -i eth0 -j DROP  - Deny packets which claim to be from your loopback interface.

Another approach to firewalls is to drop everything and then garant access to each port you may need: 

iptables -F iptables -A INPUT -i lo -p all -j ACCEPT                       - Allow self access by loopback interface
 iptables -A OUTPUT -o lo -p all -j ACCEPT 
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT - Accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset 
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT          - Open ftp port 
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT 
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT          - Open secure shell port 
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT 
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT          - Open HTTP port 
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT 
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT   - Accept local Samba connection 
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
iptables -P INPUT DROP               - Drop all other connection attempts. Only connections defined above are allowed.

If you have any other question about iptables . just read the linux with this command

#man iptables

Or post your question in the forum .

For questions please refer to our Q/A forum at : http://ask.unixmen.com

Related posts:

  1. Setup a transparent proxy with Squid in three easy steps
  2. How do I install vsftpd for RHEL Cen tos and Fedora
  3. Install Squid Proxy Server
  4. Howto : Add user and Secure your ssh access
  5. HowTo Instal Nessus on Debian

0 Comment(s)

Mel Kham

Founder of Unixmen, Living in Amsterdam. Am working in my free time to help people to understand the Opensource and to explain them in easy way how to make the fist steps to the the light. Working day and night with my Co-founder Zinovsky to keep this website live even with less resources.

Like us on Facebook

This week Top Posts

Write for us

Recent Posts

Recent Posts

Recent Comments

Snake

|

Wow, great. That’s what i’m waiting for too. I want to make DC with LDAP ( Active Directory alternative) and SAMBA on Ubuntu. :-)

Blawer

|

Thanks!!!!!!!!!!!!!!!!!! you rules!!! all the other “help” in google are useless… yours was very helpful. Thanks again

piCool

|

Great ! we have another another master trick :-)

Yilmaz Ulugtekin

|

Just delete the space after the slash (/) it will work.

Pat L

|

I tried it and it works with a regular zip file, but if you password-protect the .zip file it does NOT work.

 

Favorite Links

Unixmen Archive

Tags Cloud

android apache browser Centos chrome Debian eyecandy Fedora firefox games gaming gnome google karmic koala kde libreoffice Linux linux distribution LinuxMint lucid lynx maverick meerkat media player mysql Natty Narwhal news oneiric ocelot openoffice opensource opensuse oracle ppa Precise Pangolin release RHEL security server software themes tools ubuntu unix upgrade virtualbox windows wine

Unixmen Twitts

IDG Tech Network
Copyright © 2008-2013 Unixmen.com .
Maintained by Anblik .