Technical Solution

How to configure iptables

Sandeep Sasikumar | | 2 min read

The iptables is nothing but a program that controls the linux based firewall that handles filtering for IPV4 and ip6tables for handling IPV6.

Delete existing rules in IP tables

 iptables -F (or) iptables --flush

Before we start entering new set of iptable rules it would be better for us to flush the old default set of rules in iptables. The iptables flush command will help to do this.

Allow all incoming SSH connections 

 iptables -A INPUT -i eth1 -p tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT 
 iptables -A OUTPUT -o eth1 -p tcp --sport 2222 -m state --state ESTABLISHED -j ACCEPT

This iptable entries will allow all incoming SSH connections to the eth1 interface.

Allow outgoing SSH connections 

 iptables -A OUTPUT -o eth1 -p tcp --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT 
 iptables -A INPUT -i eth1 -p tcp --sport 2222 -m state --state ESTABLISHED -j ACCEPT

This iptable entry will allow all outgoing SSH connections through eth1 interface.

Allow ping from outside to the server 

 iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT 
 iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

This iptable entry will allow ping from outside users our server

Allow ping from inside to outside 

 iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
 iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

These entries will allow ping from our server to outside.

Block a specific ipaddress 

 IPADDRESS_TO_BE_BLOCKED = "x.x.x.x" 
 iptables -A INPUT -s "$IPADRESS_TO_BE_BLOCKED" -j DROP

This iptable entry will block the ipaddress that needs to be blocked.

Allow rsync from a specific network 

 iptables -A INPUT -i eth1 -p tcp -s *.*.*.*/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT 
 iptables -A OUTPUT -o eth1 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

The above iptable entry will allow rsync from a specific network (*.*.*.*/24 defines the ipaddress range )

Allow postfix and sendmail 

 iptables -A INPUT -i eth1 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT 
 iptables -A OUTPUT -o eth1 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

This iptable entry will allow mail traffic

Prevent DoS attack 

 iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

This iptable entry will prevent the DOS(Denial of service) attack on our webserver.

Allow port forwarding 

 iptables -t nat -A PREROUTING -p tcp -d *.*.*.* --dport 537 -j DNAT --to *.*.*.*:22

This iptable entry will route all traffic that comes to 537 to the port 22. This means that both the port will accept packets.

These are some of the main iptable rules that are configured

 

 

Related Topics