How to configure iptables

iptables is the user-space program that configures the Linux kernel firewall (netfilter) for IPv4 packet filtering; ip6tables is its counterpart for IPv6.

Delete existing rules in IP tables

 iptables -F (or) iptables --flush 

Before entering a new set of iptables rules it is better to flush the old rules first; the iptables flush command does this. Note that -F on its own only clears the rules of the filter table and leaves each chain's default policy unchanged.

Allow all incoming SSH connections

 iptables -A INPUT -i eth1 -p tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT 
 iptables -A OUTPUT -o eth1 -p tcp --sport 2222 -m state --state ESTABLISHED -j ACCEPT 

These iptables entries allow incoming SSH connections on the eth1 interface (SSH is assumed to listen on port 2222 here rather than the default 22); the second rule lets the replies of established connections leave.

Allow outgoing SSH connections

 iptables -A OUTPUT -o eth1 -p tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT 
 iptables -A INPUT -i eth1 -p tcp --sport 2222 -m state --state ESTABLISHED -j ACCEPT 

These entries allow outgoing SSH connections through the eth1 interface; the second rule accepts the replies to connections we initiated.

Allow ping from outside to the server

 iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT 
 iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT 

These entries allow outside users to ping our server: echo requests are accepted in and the echo replies are allowed out.

Allow ping from inside to outside

 iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT   

These entries allow pings from our server to the outside.

Block a specific ipaddress

 IPADDRESS_TO_BE_BLOCKED="x.x.x.x"   # no spaces around = in a shell assignment
 iptables -A INPUT -s "$IPADDRESS_TO_BE_BLOCKED" -j DROP

This entry drops all incoming packets from the address to be blocked. Because iptables evaluates rules in order, a DROP rule for an address should be placed before any ACCEPT rule that would otherwise match its packets.

Allow rsync from a specific network

 iptables -A INPUT -i eth1 -p tcp -s *.*.*.*/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT 
 iptables -A OUTPUT -o eth1 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT 

The above entries allow rsync (TCP port 873) from one specific network; *.*.*.*/24 stands for the address range to be allowed.

Allow postfix and sendmail

 iptables -A INPUT -i eth1 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT 
 iptables -A OUTPUT -o eth1 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT 

These entries allow SMTP mail traffic (TCP port 25) for Postfix or Sendmail.

Prevent DoS attack

 iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

This entry rate-limits traffic to port 80 to prevent a DoS (Denial of Service) attack on our web server: after an initial burst of 100 packets, only 25 packets per minute are accepted. Packets above the limit are not dropped by this rule itself; they fall through to later rules or to the chain's default policy, so a DROP policy (or a following DROP rule for port 80) is needed for the limit to take effect.

Allow port forwarding

 iptables -t nat -A PREROUTING -p tcp -d *.*.*.* --dport 537 -j DNAT --to *.*.*.*:22 

This NAT entry rewrites the destination of TCP traffic arriving for the given address on port 537 to port 22, so the SSH service accepts packets on both ports. DNAT only rewrites the destination; the filter table must still accept the rewritten traffic on port 22.

These are some of the main iptables rules that are commonly configured.
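The rules above, assembled into one ordered script, as an added example that is not part of the original post. It sets default-deny policies (which is what makes the rate-limit rule actually drop excess traffic), places the address block before any ACCEPT rule, and validates the address before it reaches a rule. The interface name, ports and the addresses in IFACE, SSH_PORT, RSYNC_NET, BLOCKED_IP and FORWARD_DST are assumptions standing in for the post's placeholders; DRY_RUN=1 (the default) prints the commands instead of running them, since applying rules needs root.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the firewall described
# above as one ordered ruleset. Values below are assumed placeholders
# (documentation ranges) standing in for the post's x.x.x.x / *.*.*.*.
IFACE="${IFACE:-eth1}"
SSH_PORT="${SSH_PORT:-2222}"
RSYNC_NET="${RSYNC_NET:-192.0.2.0/24}"        # stands in for *.*.*.*/24
BLOCKED_IP="${BLOCKED_IP:-198.51.100.7}"      # stands in for x.x.x.x
FORWARD_DST="${FORWARD_DST:-203.0.113.10}"    # stands in for *.*.*.*
DRY_RUN="${DRY_RUN:-1}"

# ipt: run an iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# valid_ipv4: return 0 for a dotted quad with every octet in 0..255,
# otherwise 1. Checked before an address is interpolated into a rule.
valid_ipv4() {
    addr="$1"
    case "$addr" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# apply_rules: flush, set default-deny policies, then add the rules from
# the post in an order where the DROP rule cannot be bypassed.
apply_rules() {
    ipt -F                         # flush filter table rules
    ipt -t nat -F                  # and the nat table used for port forwarding
    # Default-deny: anything not explicitly accepted is dropped. This is
    # also what makes the port-80 rate limit effective.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT

    # Block one address first, before any ACCEPT rule could match it.
    if ! valid_ipv4 "$BLOCKED_IP"; then
        echo "invalid BLOCKED_IP: $BLOCKED_IP" >&2
        return 1
    fi
    ipt -A INPUT -s "$BLOCKED_IP" -j DROP

    # Incoming and outgoing SSH on the non-default port.
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp --sport "$SSH_PORT" -m state --state ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p tcp --sport "$SSH_PORT" -m state --state ESTABLISHED -j ACCEPT

    # Ping in both directions.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
    ipt -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # rsync from one network, SMTP from anywhere.
    ipt -A INPUT -i "$IFACE" -p tcp -s "$RSYNC_NET" --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

    # Rate-limited HTTP: packets beyond the burst/limit fall to the DROP
    # policy. Replies of accepted connections must be let out explicitly
    # because OUTPUT is also default-deny.
    ipt -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
    ipt -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

    # Port forwarding 537 -> 22; the filter table must still accept port 22.
    ipt -t nat -A PREROUTING -p tcp -d "$FORWARD_DST" --dport 537 -j DNAT --to "$FORWARD_DST:22"
    ipt -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    ipt -A OUTPUT -o "$IFACE" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
}
```

Review the printed commands with the default DRY_RUN=1 first, then run with DRY_RUN=0 as root to apply them; the flush at the top means the script is safe to re-run, but set the policies before you lock yourself out of a remote host (keep an existing SSH session open while testing).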