Iptables: Some howtos


Iptables is a user-space program that lets a system administrator configure the tables provided by Xtables (which in turn uses Netfilter) and the chains and rules they store. Because iptables requires elevated privileges, it must be run as root; otherwise it fails.

On most Linux systems, iptables is installed as /usr/sbin/iptables and documented in its man page, which can be opened with "man iptables" once installed. The name iptables is also commonly used to refer inclusively to the kernel-level component Xtables, which does the actual table traversal and provides an API for kernel-level extensions.

Working with iptables from the command line requires root privileges, so you will need to be root for most of what follows.

To check whether the iptables kernel modules are loaded, run:

# lsmod | grep ip_tables

To see the current firewall rules (blocked and allowed services):

# iptables -L

For example, to allow SSH into your machine over the network, add this rule:

# iptables -A INPUT -p tcp --dport ssh -j ACCEPT

To allow the SSH traffic back out (packets from local port 22 to the external address):

# iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT

Save the change with:

# /sbin/service iptables save

Now, let's allow all incoming web traffic:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Ethernet interfaces: eth0 and eth1 (network cards), ppp0 (modem)

To allow all packets from the Internet and the intranet:

iptables -A INPUT -i eth0 -j ACCEPT   (for eth0)
iptables -A INPUT -i eth1 -j ACCEPT   (for Ethernet card 2)
iptables -A INPUT -i ppp0 -j ACCEPT   (from the modem)

How to block some services or ports

# Allow loopback access. This rule must come before the rules denying port access!

iptables -A INPUT -i lo -p all -j ACCEPT                           - Let the machine reach itself via the loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP        - Block NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP        - Block NFS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP   - Block X Windows
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP        - Block X Windows font server
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP         - Block printer port
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP         - Block printer port
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP         - Block Sun RPC/NFS
iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP         - Block Sun RPC/NFS
iptables -A INPUT -p all -s localhost -i eth0 -j DROP              - Deny packets arriving on eth0 that claim to come from your loopback address

Another approach to firewalls is to drop everything and then grant access to each port you need:

iptables -F
iptables -A INPUT -i lo -p all -j ACCEPT                                  - Allow self access via the loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT  - Accept established connections
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset   - Reject TCP packets that lack the MSS option (TCP option 2)
iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT                     - Open FTP port
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT                     - Open secure shell port
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT                     - Open HTTP port
iptables -A INPUT -p udp -i eth0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --syn -s 192.168.10.0/24 --destination-port 139 -j ACCEPT   - Accept local Samba connections
iptables -A INPUT -p tcp --syn -s trancas --destination-port 139 -j ACCEPT
iptables -P INPUT DROP                                                    - Drop all other connection attempts. Only the connections defined above are allowed.
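The two rule styles above (a deny list of known-risky ports, and a default-deny allow list) are easy to get wrong when typed by hand, so here is an added example, not from the original article, of a small POSIX shell script that generates either rule set as a dry run and only applies it when explicitly asked. The interface name eth0, the LAN 192.168.10.0/24, the port lists, and the function names are assumptions made for this demo; `-m conntrack --ctstate` is the current replacement for the older `-m state --state` used on the page, and the allow list opens FTP, SSH and HTTP on TCP only, since none of them uses UDP.

```shell
#!/bin/sh
# Added example (not from the article): generate the deny-list and
# allow-list rule sets as text, so they can be reviewed before applying.
set -eu

IFACE="${IFACE:-eth0}"            # assumption: the external interface
LAN="${LAN:-192.168.10.0/24}"     # assumption: trusted LAN allowed to reach Samba
# Allow-list services as "proto:port" pairs (all three are TCP-only services).
ALLOW="${ALLOW:-tcp:21 tcp:22 tcp:80}"
# Deny-list ports: NFS, X11, X font server, lpd, and the portmapper.
DENY="${DENY:-tcp:2049 udp:2049 tcp:6000:6009 tcp:7100 tcp:515 udp:515 tcp:111 udp:111}"

# Rules common to both styles: permit loopback, and drop packets that arrive
# on the real interface while claiming a loopback source address.
common_rules() {
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A INPUT -i $IFACE -s 127.0.0.0/8 -j DROP"
}

# Deny-list style: default policy ACCEPT, explicit DROP for the listed ports.
deny_list_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT ACCEPT"
    common_rules
    for entry in $DENY; do
        proto=${entry%%:*}     # text before the first colon
        port=${entry#*:}       # everything after it (may be a range like 6000:6009)
        echo "iptables -A INPUT -i $IFACE -p $proto --dport $port -j DROP"
    done
}

# Allow-list style: accept replies to existing connections, open the listed
# services for NEW connections, allow Samba from the LAN, and set the DROP
# policy last so a failure midway never leaves the host unreachable.
allow_list_rules() {
    echo "iptables -F INPUT"
    echo "iptables -P INPUT ACCEPT"
    common_rules
    echo "iptables -A INPUT -i $IFACE -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for entry in $ALLOW; do
        proto=${entry%%:*}
        port=${entry#*:}
        echo "iptables -A INPUT -i $IFACE -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -i $IFACE -p tcp --syn -s $LAN --dport 139 -j ACCEPT"
    echo "iptables -P INPUT DROP"
}

# Number of -A rules a generator emits; handy for a sanity check before applying.
rule_count() { "$1" | grep -c '^iptables -A'; }

# Apply a generated rule set by feeding it to sh; needs root and a real netfilter.
apply_rules() { "$1" | sh -e; }

main() {
    case "${1:-dry-run}" in
        dry-run) allow_list_rules ;;
        deny)    apply_rules deny_list_rules ;;
        allow)   apply_rules allow_list_rules ;;
        *)       echo "usage: $0 [dry-run|deny|allow]" >&2; return 2 ;;
    esac
}
main "$@"
```

Run it with no arguments to print the allow-list rules for review; `deny` or `allow` applies the corresponding set as root. Note that the policy change to DROP is the last line emitted, and that flushing resets only the INPUT chain, so OUTPUT rules you already have stay in place.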

If you have any other question about iptables, read the manual page with:

# man iptables

Or post your question in our Q/A forum at http://ask.unixmen.com/
