How to configure iptables
iptables is the program that configures the Linux kernel firewall's packet filtering for IPv4; ip6tables is its counterpart for IPv6.
Delete existing rules in iptables
iptables -F (or) iptables --flush
Before we start entering a new set of iptables rules it is best to flush the old rules. The iptables flush command does this. Note that flushing removes the rules but leaves the default chain policies unchanged.
Allow all incoming SSH connections
iptables -A INPUT -i eth1 -p tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 2222 -m state --state ESTABLISHED -j ACCEPT
These iptables entries will allow all incoming SSH connections (SSH listening on port 2222) on the eth1 interface; the second rule lets the replies back out.
Allow outgoing SSH connections
iptables -A OUTPUT -o eth1 -p tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --sport 2222 -m state --state ESTABLISHED -j ACCEPT
These iptables entries will allow all outgoing SSH connections through the eth1 interface.
Allow ping from outside to the server
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
These iptables entries will allow users outside to ping our server.
Allow ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
These entries will allow ping from our server to outside.
Block a specific IP address
IPADDRESS_TO_BE_BLOCKED="x.x.x.x"
iptables -A INPUT -s "$IPADDRESS_TO_BE_BLOCKED" -j DROP
This iptables entry will drop all traffic from the address that needs to be blocked. Rules are matched top to bottom, so place it before any ACCEPT rule that would otherwise match the same traffic.
Allow rsync from a specific network
iptables -A INPUT -i eth1 -p tcp -s *.*.*.*/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
The above iptables entries will allow rsync (port 873) only from a specific network (*.*.*.*/24 is the address range in CIDR notation).
Allow postfix and sendmail
iptables -A INPUT -i eth1 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
These iptables entries will allow incoming SMTP mail traffic on port 25.
Prevent DoS attack
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
This iptables entry limits TCP packets to port 80 to 25 per minute after an initial burst of 100, which helps prevent a DoS (Denial of Service) attack on our web server. Packets over the limit simply do not match this rule and fall through to the rules after it, so an explicit DROP for port 80 placed after this rule (or a DROP default policy) is needed for the limit to take effect.
Allow port forwarding
iptables -t nat -A PREROUTING -p tcp -d *.*.*.* --dport 537 -j DNAT --to *.*.*.*:22
This iptables entry rewrites TCP traffic arriving at *.*.*.* on port 537 so that it is delivered to port 22, which means SSH can be reached on either port.
These are some of the main iptables rules that are commonly configured.
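The rules above put together as one script, with a default-deny INPUT policy and the ordering caveats made explicit. This is an added example, not code from the original page; the interface, SSH port, rsync network and blocked address are constructed values.

```shell
#!/bin/sh
# Assumptions (not from the page): SSH listens on 2222 on eth1; the rsync
# network and the blocked host are constructed sample values.
# DRY_RUN=1 (the default) prints the commands; DRY_RUN=0 applies them as root.
DRY_RUN="${DRY_RUN:-1}"
IFACE="${IFACE:-eth1}"
SSH_PORT="${SSH_PORT:-2222}"
RSYNC_NET="${RSYNC_NET:-192.0.2.0/24}"     # constructed: trusted rsync network
BLOCKED_IP="${BLOCKED_IP:-198.51.100.7}"   # constructed: host to block

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
    ipt -F
    # Default-deny inbound: the ACCEPT rules below only mean something when
    # everything else is dropped. OUTPUT stays ACCEPT so DNS, outbound mail
    # and updates keep working; tighten it once the outbound rules exist.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    # One rule covers the reply half of every connection opened below.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Rules are evaluated top to bottom, so the block must precede the ACCEPTs.
    ipt -A INPUT -s "$BLOCKED_IP" -j DROP
    ipt -A INPUT -i "$IFACE" -p tcp --dport "$SSH_PORT" -m state --state NEW -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p tcp -s "$RSYNC_NET" --dport 873 -m state --state NEW -j ACCEPT
    ipt -A INPUT -i "$IFACE" -p tcp --dport 25 -m state --state NEW -j ACCEPT
    # The limit match only ACCEPTs packets within the rate; the DROP right
    # after it is what discards the excess (otherwise the policy decides).
    ipt -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
    ipt -A INPUT -p tcp --dport 80 -j DROP
}

# Returns 0 when the block rule is listed before the first SSH ACCEPT.
check_order() {
    rules="$(DRY_RUN=1; apply_rules)"
    blk="$(echo "$rules" | grep -n -- "-s $BLOCKED_IP -j DROP" | cut -d: -f1)"
    sshl="$(echo "$rules" | grep -n -- "--dport $SSH_PORT " | head -n 1 | cut -d: -f1)"
    [ -n "$blk" ] && [ -n "$sshl" ] && [ "$blk" -lt "$sshl" ]
}

apply_rules
```

Run it once with the default DRY_RUN=1 and compare the printed rules against `iptables -L -n -v` before applying with DRY_RUN=0.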