Iptables Essentials - Common Firewall Rules and Commands
Tools to help you configure Iptables
Shorewall - advanced gateway/firewall configuration tool for GNU/Linux.
Firewalld - provides a dynamically managed firewall.
UFW - default firewall configuration tool for Ubuntu.
FireHOL - offering simple and powerful configuration for all Linux firewall and traffic shaping requirements.
Manuals/Howtos/Tutorials
Advanced Features of netfilter/iptables
Linux Firewalls Using iptables
Debugging iptables and common firewall pitfalls?
Netfilter Hacking HOWTO
Per-IP rate limiting with iptables
How it works?
Iptables Rules
Saving Rules
Debian Based
RedHat Based
List out all of the active iptables rules with verbose
List out all of the active iptables rules with numeric lines and verbose
Print out all of the active iptables rules
List Rules as Tables for INPUT chain
Print all of the rule specifications in the INPUT chain
Show Packet Counts and Aggregate Size
To display INPUT or OUTPUT chain rules with numeric lines and verbose
Delete Rule by Chain and Number
Delete Rule by Specification
Flush All Rules, Delete All Chains, and Accept All
Flush All Chains
Flush a Single Chain
Insert Firewall Rules
Allow Loopback Connections
Allow Established and Related Incoming Connections
Allow Established Outgoing Connections
Internal to External
Drop Invalid Packets
Block an IP Address
Block an IP Address and Reject
Block Connections to a Network Interface
Allow All Incoming SSH
Allow Incoming SSH from Specific IP address or subnet
Allow Outgoing SSH
Allow Incoming Rsync from Specific IP Address or Subnet
Allow All Incoming HTTP
Allow All Incoming HTTPS
Allow All Incoming HTTP and HTTPS
Allow MySQL from Specific IP Address or Subnet
Allow MySQL to Specific Network Interface
Allow PostgreSQL from Specific IP Address or Subnet
Allow PostgreSQL to Specific Network Interface
Block Outgoing SMTP Mail
Allow All Incoming SMTP
Allow All Incoming IMAP
Allow All Incoming IMAPS
Allow All Incoming POP3
Allow All Incoming POP3S
Drop Private Network Address On Public Interface
Drop All Outgoing to Facebook Networks
Log and Drop Packets
Log and Drop Packets with Limited Number of Log Entries
Drop or Accept Traffic From Mac Address
Block or Allow ICMP Ping Request
Specifying Multiple Ports with multiport
Load Balancing with random* or nth*
Restricting the Number of Connections with limit and iplimit*
Maintaining a List of recent Connections to Match Against
Matching Against a string* in a Packet's Data Payload
Time-based Rules with time*
Packet Matching Based on TTL Values
Protection against port scanning
SSH brute-force protection
Syn-flood protection
Mitigating SYN Floods With SYNPROXY
Block New Packets That Are Not SYN
Force Fragments packets check
XMAS packets
Drop all NULL packets
Block Uncommon MSS Values
Block Packets With Bogus TCP Flags
Block Packets From Private Subnets (Spoofing)
Saving Rules
Debian Based
netfilter-persistent save
RedHat Based
service iptables save
List out all of the active iptables rules with verbose
iptables -n -L -v
List out all of the active iptables rules with numeric lines and verbose
iptables -n -L -v --line-numbers
Print out all of the active iptables rules
iptables -S
List Rules as Tables for INPUT chain
iptables -L INPUT
Print all of the rule specifications in the INPUT chain
iptables -S INPUT
Show Packet Counts and Aggregate Size
iptables -L INPUT -v
To display INPUT or OUTPUT chain rules with numeric lines and verbose
iptables -L INPUT -n -v
iptables -L OUTPUT -n -v --line-numbers
Delete Rule by Chain and Number
iptables -D INPUT 10
Delete Rule by Specification
iptables -D INPUT -m conntrack --ctstate INVALID -j DROP
Flush All Rules, Delete All Chains, and Accept All
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
Flush All Chains
iptables -F
Flush a Single Chain
iptables -F INPUT
Insert Firewall Rules
iptables -I INPUT 2 -s 202.54.1.2 -j DROP
Allow Loopback Connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Allow Established and Related Incoming Connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Allow Established Outgoing Connections
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
Internal to External
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Drop Invalid Packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
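The three rules just above (loopback, ESTABLISHED/RELATED, INVALID) are the skeleton every ruleset needs, and their order matters: the ESTABLISHED accept has to come before the INVALID drop and before any rule that accepts NEW connections. As an added example that is not part of the original page, the script below renders that skeleton together with a narrow SSH allow (reusing the recent-based limiter pattern from the brute-force section further down) as an iptables-restore file, so the whole set loads atomically instead of rule by rule, and checks the ordering and the default policy before anything is applied. The subnet 192.168.240.0/24 and the chain name SSH_LIMIT are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: render the baseline rules as an
# iptables-restore file and sanity-check their order before loading.
# Placeholders (assumptions): MGMT_NET and the SSH_LIMIT chain name.
set -eu

MGMT_NET="${MGMT_NET:-192.168.240.0/24}"   # hypothetical admin subnet

# Emit a complete *filter table. The order is the security point:
#   1. loopback and ESTABLISHED,RELATED first (cheapest, matches most traffic)
#   2. INVALID dropped before any rule can ACCEPT it
#   3. narrow allows: SSH only from MGMT_NET, through a recent-based limiter
#   4. rate-limited LOG of what falls through, then the DROP policy catches it
render_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SSH_LIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 22 -s ${MGMT_NET} -m conntrack --ctstate NEW -j SSH_LIMIT
-A SSH_LIMIT -m recent --name sshbf --set
-A SSH_LIMIT -m recent --name sshbf --update --seconds 60 --hitcount 10 -j DROP
-A SSH_LIMIT -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 4 -j ACCEPT
-A INPUT -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "INPUT_DROP: "
COMMIT
EOF
}

# check_ruleset RULESET_TEXT
# Fails if the INPUT policy is not DROP, if the ESTABLISHED accept does not
# precede the INVALID drop, or if a NEW accept precedes the INVALID drop.
check_ruleset() {
  local rules="$1"
  local est inv first_new
  est=$(printf '%s\n' "$rules" | grep -n -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' | head -1 | cut -d: -f1)
  inv=$(printf '%s\n' "$rules" | grep -n -- '--ctstate INVALID -j DROP' | head -1 | cut -d: -f1)
  first_new=$(printf '%s\n' "$rules" | grep -n -- '--ctstate NEW' | head -1 | cut -d: -f1)
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' \
    || { echo "INPUT policy is not DROP" >&2; return 1; }
  [ -n "$est" ] && [ -n "$inv" ] && [ "$est" -lt "$inv" ] \
    || { echo "ESTABLISHED,RELATED accept must precede the INVALID drop" >&2; return 1; }
  [ -n "$first_new" ] && [ "$inv" -lt "$first_new" ] \
    || { echo "INVALID drop must precede any NEW accept" >&2; return 1; }
  return 0
}

# count_chain_rules RULESET_TEXT CHAIN
# Handy to compare with `iptables -S CHAIN | grep -c "^-A CHAIN "` after loading.
count_chain_rules() {
  printf '%s\n' "$1" | grep -c "^-A $2 " || true
}

# Without --apply this only prints the file. With --apply it is parsed first
# (iptables-restore --test) and then loaded atomically.
if [ "${1:-}" = "--apply" ]; then
  render_ruleset | iptables-restore --test
  render_ruleset | iptables-restore
else
  render_ruleset
fi
```

Run it once without arguments and save the output next to the `netfilter-persistent save` / `service iptables save` files from the Saving Rules section; the restore format is what those tools write, so the file diffs cleanly against the running ruleset.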
Block an IP Address
iptables -A INPUT -s 192.168.252.10 -j DROP
Block an IP Address and Reject
iptables -A INPUT -s 192.168.252.10 -j REJECT
Block Connections to a Network Interface
iptables -A INPUT -i eth0 -s 192.168.252.10 -j DROP
Allow All Incoming SSH
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Incoming SSH from Specific IP address or subnet
iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Outgoing SSH
iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow Incoming Rsync from Specific IP Address or Subnet
iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming HTTP
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming HTTPS
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming HTTP and HTTPS
iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow MySQL from Specific IP Address or Subnet
iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow MySQL to Specific Network Interface
iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow PostgreSQL from Specific IP Address or Subnet
iptables -A INPUT -p tcp -s 192.168.240.0/24 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow PostgreSQL to Specific Network Interface
iptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Block Outgoing SMTP Mail
iptables -A OUTPUT -p tcp --dport 25 -j REJECT
Allow All Incoming SMTP
iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming IMAP
iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming IMAPS
iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming POP3
iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Allow All Incoming POP3S
iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Drop Private Network Address On Public Interface
iptables -A INPUT -i eth1 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
Drop All Outgoing to Facebook Networks
Get Facebook AS:
whois -h v4.whois.cymru.com " -v $(host facebook.com | grep "has address" | cut -d " " -f4)" | tail -n1 | awk '{print $1}'
Drop:
for i in $(whois -h whois.radb.net -- '-i origin AS32934' | grep "^route:" | cut -d ":" -f2 | sed -e 's/^[ \t]*//' | sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4) ; do
  iptables -A OUTPUT -d "$i" -j REJECT
done
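The loop above hands whatever the whois server returns straight to iptables. As an added example that is not part of the original page, the functions below take the route: attributes from a constructed (not real) RADB reply, keep only syntactically valid IPv4 prefixes, deduplicate and sort them, and print the resulting rules for review instead of executing them, so a malformed or unexpected line can never become a firewall argument. AS32934 is the AS number the page already uses; the sample reply is made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: validate RADB "route:" lines
# before they become firewall arguments. sample_radb is a constructed reply,
# not real whois output; AS32934 is the AS number the page already uses.
set -eu

sample_radb() {
  cat <<'EOF'
route:          31.13.24.0/21
descr:          Facebook
origin:         AS32934
source:         RADB

route:      31.13.64.0/18
origin:         AS32934
source:         RADB

route:          157.240.0.0/16
route:          not-a-prefix
route:          31.13.24.0/21
route:          10.0.0.0/33
EOF
}

# radb_prefixes < radb-output
# Keeps only the value of "route:" attributes, trims whitespace, accepts
# nothing but dotted-quad/prefix-length (length 0-32; iptables itself rejects
# octets above 255), deduplicates, and sorts numerically by octet so the
# list is stable between runs and can be diffed against the previous one.
radb_prefixes() {
  awk -F: '$1 == "route" { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); print v }' \
    | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
    | sort -u \
    | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n
}

# reject_rules < radb-output
# Prints the iptables commands rather than running them. Outgoing traffic is
# matched on the destination (-d); matching -s in OUTPUT would never hit.
reject_rules() {
  radb_prefixes | awk '{ printf "iptables -A OUTPUT -d %s -j REJECT\n", $1 }'
}

# Live use, once reviewed:
#   whois -h whois.radb.net -- '-i origin AS32934' | reject_rules | sh
sample_radb | reject_rules
```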
Log and Drop Packets
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
By default everything is logged to /var/log/messages file:
tail -f /var/log/messages
grep --color 'IP_SPOOF' /var/log/messages
Log and Drop Packets with Limited Number of Log Entries
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP
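A grep shows the raw LOG lines, but what you usually want from them is a count per source or per targeted port. As an added example that is not part of the original page, the script below summarises the kernel log entries written by a LOG rule with a given prefix, keyed on any KEY=value field (SRC, DST, DPT, PROTO) of the line. The sample log lines are constructed for this example, not captured from a real host; the prefix "IP_SPOOF A: " is the one used by the rules above.

```shell
#!/usr/bin/env bash
# Added example, not from the original page: count what the LOG rules above
# recorded, keyed on any KEY=value field of the kernel log line.
# The lines in sample_log are constructed for this example, not captured.
set -eu

sample_log() {
  cat <<'EOF'
Mar  3 10:11:12 gw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:11:13 gw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:11:14 gw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.9.9 DST=203.0.113.5 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=UDP SPT=5353 DPT=53 LEN=48
Mar  3 10:11:15 gw sshd[1234]: Accepted publickey for admin from 192.168.240.7 port 51234 ssh2
Mar  3 10:11:16 gw kernel: IP_SPOOF A: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1236 DF PROTO=TCP SPT=44323 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
EOF
}

# log_summary PREFIX FIELD < logfile
# Prints "count value" for FIELD (SRC, DST, DPT, PROTO, ...) over the lines
# that carry PREFIX, most frequent first. Fields are located by name, not by
# column, because the LOG layout differs between TCP, UDP and ICMP entries.
log_summary() {
  awk -v prefix="$1" -v key="$2=" '
    index($0, prefix) == 0 { next }
    {
      for (i = 1; i <= NF; i++)
        if (substr($i, 1, length(key)) == key) { n[substr($i, length(key) + 1)]++; break }
    }
    END { for (v in n) printf "%d %s\n", n[v], v }
  ' | sort -k1,1nr -k2,2
}

# live_summary PREFIX FIELD [logfile]
# The same summary over the file the LOG target writes to on a live host.
live_summary() {
  log_summary "$1" "$2" < "${3:-/var/log/messages}"
}

echo "== spoofed sources =="
sample_log | log_summary "IP_SPOOF A: " SRC
echo "== ports they aimed at =="
sample_log | log_summary "IP_SPOOF A: " DPT
```

The same function works for any other prefix on the page, for example a LOG rule placed in front of the SSH brute-force DROP further down, with FIELD set to SRC to see which addresses are hammering port 22.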
Drop or Accept Traffic From Mac Address
iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT
Block or Allow ICMP Ping Request
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP
Specifying Multiple Ports with multiport
iptables -A INPUT -i eth0 -p tcp -m state --state NEW -m multiport --dports ssh,smtp,http,https -j ACCEPT
Load Balancing with random* or nth*
_ips=("172.31.250.10" "172.31.250.11" "172.31.250.12" "172.31.250.13")
for _i in "${!_ips[@]}" ; do
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m nth --counter 0 --every ${#_ips[@]} --packet ${_i} \
    -j DNAT --to-destination ${_ips[$_i]}:80
done
_ips=("172.31.250.10" "172.31.250.11" "172.31.250.12" "172.31.250.13")
for ip in "${_ips[@]}" ; do
  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -m state --state NEW -m random --average 25 \
    -j DNAT --to-destination ${ip}:80
done
Restricting the Number of Connections with limit and iplimit*
iptables -A FORWARD -m state --state NEW -p tcp -m multiport --dports http,https -o eth0 -i eth1 \
  -m limit --limit 20/hour --limit-burst 5 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW --dport http -m iplimit --iplimit-above 5 -j DROP
Maintaining a List of recent Connections to Match Against
iptables -A FORWARD -m recent --name portscan --rcheck --seconds 100 -j DROP
iptables -A FORWARD -p tcp -i eth0 --dport 443 -m recent --name portscan --set -j DROP
Matching Against a string* in a Packet's Data Payload
iptables -A FORWARD -m string --algo bm --string '.com' -j DROP
iptables -A FORWARD -m string --algo bm --string '.exe' -j DROP
Time-based Rules with time*
iptables -A FORWARD -p tcp -m multiport --dports http,https -o eth0 -i eth1 \
  -m time --timestart 21:30 --timestop 22:30 --weekdays Mon,Tue,Wed,Thu,Fri -j ACCEPT
Packet Matching Based on TTL Values
iptables -A INPUT -s 1.2.3.4 -m ttl --ttl-lt 40 -j REJECT
Protection against port scanning
iptables -N port-scanning
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
iptables -A port-scanning -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j port-scanning
SSH brute-force protection
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --set
iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
Syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
Mitigating SYN Floods With SYNPROXY
iptables -t raw -A PREROUTING -p tcp -m tcp --syn -j CT --notrack
iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
Block New Packets That Are Not SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
or
iptables -t mangle -A PREROUTING -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
Force Fragmented Packets Check
iptables -A INPUT -f -j DROP
XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
Drop all NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
Block Uncommon MSS Values
iptables -t mangle -A PREROUTING -p tcp -m conntrack --ctstate NEW -m tcpmss ! --mss 536:65535 -j DROP
Block Packets With Bogus TCP Flags
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags FIN,ACK FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL ALL -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL NONE -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,FIN,PSH,URG -j DROP
iptables -t mangle -A PREROUTING -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
Block Packets From Private Subnets (Spoofing)
_subnets=("224.0.0.0/3" "169.254.0.0/16" "172.16.0.0/12" "192.0.2.0/24" "192.168.0.0/16" "10.0.0.0/8" "0.0.0.0/8" "240.0.0.0/5")
for _sub in "${_subnets[@]}" ; do
  iptables -t mangle -A PREROUTING -s "$_sub" -j DROP
done
iptables -t mangle -A PREROUTING -s 127.0.0.0/8 ! -i lo -j DROP