Most Frequently Used Linux IPTables Rules with Examples


This article will help you create iptables rules that you can use directly for your daily or routine needs. These examples act as basic templates that you can adapt to your specific requirements.

Deleting the IPtables or Existing Rules

Before you start building a new set of iptables rules, clean up all the default and existing rules with the iptables flush command. Below are some examples:

# iptables --flush
(or)
# iptables -F

Default Chain Policies

The default policy is ACCEPT; change the policy to DROP for all three built-in chains, INPUT, FORWARD and OUTPUT.

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT DROP

For every service we want to allow, we need to define two rules, one for incoming and another for outgoing traffic.

If we trust the internal users, we can set DROP only for the incoming (INPUT) rules and leave the outgoing (OUTPUT) chain at its default of ACCEPT.

Allowing HTTP & HTTPS Incoming Connections

The rules below allow all incoming HTTP and HTTPS traffic (ports 80 and 443).

iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Allowing only SSH to a Network

The rules below allow only outgoing SSH connections from this host to the internal network, i.e. we can SSH only into hosts on the 192.168.87.0/24 network.

iptables -A OUTPUT -o eth0 -p tcp -d 192.168.87.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allowing the Incoming MySQL Port (3306) for TCP Traffic

The example below allows incoming and outgoing traffic on port 3306 (MySQL) on the eth0 adapter.

iptables -A INPUT -i eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Allowing Incoming MySQL Port (3306) for a Specific Network

The example below allows port 3306 (MySQL) only for the specific network 192.168.87.x.

iptables -A INPUT -i eth0 -p tcp -s 192.168.87.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Allowing Multiple Ports with a Single Rule

Instead of writing one rule per port, we can allow incoming connections from outside to multiple ports with a single rule by using the multiport match, as shown below.

Here we are allowing MySQL, HTTP and HTTPS in a single rule.

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 3306,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 3306,80,443 -m state --state ESTABLISHED -j ACCEPT

Allowing Outgoing MySQL

This is different from the incoming case: here we allow both NEW and ESTABLISHED connections on the OUTPUT chain, whereas on the INPUT chain we allow only ESTABLISHED connections.

These rules allow only outgoing connections to MySQL, i.e. when we connect to a MySQL server from our Linux box.

iptables -A OUTPUT -o eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Allow Sendmail Traffic

These rules allow mail to be delivered to sendmail or postfix on port 25 (SMTP).

iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

Allowing IMAP & POP3 Ports

These rules allow mail clients to access mailboxes over IMAP (port 143) and POP3 (port 110).

iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

Forwarding Port 5722 to 22 (SSH)

This rule forwards all traffic arriving for port 5722 on 192.168.87.100 to port 22 on 192.168.87.200, so the SSH service can be reached through port 5722 as well as directly on port 22. Because the FORWARD policy set above is DROP, the forwarded packets also need a matching ACCEPT rule in the FORWARD chain, and IP forwarding must be enabled in the kernel.

iptables -t nat -A PREROUTING -p tcp -d 192.168.87.100 --dport 5722 -j DNAT --to 192.168.87.200:22

Allowing Port 873 (rsync) for Backups

These rules allow you to take backups or copy data using rsync from a specific network.

iptables -A INPUT -i eth0 -p tcp -s 192.168.87.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

Blocking an IP address

To block a particular IP address:

BLOCK_ADDRESS="192.168.87.100"
iptables -A INPUT -s "$BLOCK_ADDRESS" -j DROP

This is useful when a particular IP address is downloading from or trying to access the server: we can block it while we investigate further.

iptables -A INPUT -i eth0 -s "$BLOCK_ADDRESS" -j DROP
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_ADDRESS" -j DROP

The first rule above drops all traffic from that IP address arriving on eth0; the second drops only its TCP traffic.

We can also put a whole network in the variable instead of a single address if we want to restrict access to the server from outside.

By using the above iptables rules, or modifying the rules and ports, we can secure the connection, network or server. We can adjust the networks and ports to fit our environment. And because these iptables rules are plain shell commands, we can put them in a shell script and apply it on multiple servers.
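As an added example (not code from the original article), the script below turns the article's pattern into a reusable template: each service gets the same NEW,ESTABLISHED / ESTABLISHED rule pair, blocked addresses are placed before any ACCEPT rule, and the result can be printed for review or applied. The interface name eth0, the admin network 192.168.87.0/24 and the BLOCK_LIST variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: generates the article's
# paired INPUT/OUTPUT rules from a short service list so the same script can
# be reviewed (print) or applied (apply, needs root) on several servers.
IFACE="${IFACE:-eth0}"                     # assumption: the public interface
ADMIN_NET="${ADMIN_NET:-192.168.87.0/24}"  # network allowed to reach SSH/MySQL
BLOCK_LIST="${BLOCK_LIST:-}"               # space-separated addresses to drop
APPLY="${APPLY:-0}"

# Print the iptables command, or execute it when APPLY=1.
emit() {
  if [ "$APPLY" = "1" ]; then iptables "$@"; else echo "iptables $*"; fi
}

# allow_in PORT [SOURCE]: the NEW,ESTABLISHED / ESTABLISHED pair the article
# uses for every service; rejects anything that is not a port in 1-65535.
allow_in() {
  port=$1; src=${2:-}
  case $port in ''|*[!0-9]*) return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  emit -A INPUT -i "$IFACE" -p tcp ${src:+-s "$src"} --dport "$port" \
       -m state --state NEW,ESTABLISHED -j ACCEPT
  emit -A OUTPUT -o "$IFACE" -p tcp --sport "$port" \
       -m state --state ESTABLISHED -j ACCEPT
}

build_ruleset() {
  emit -F
  emit -P INPUT DROP; emit -P FORWARD DROP; emit -P OUTPUT DROP
  # Loopback must stay open or local services break under a DROP policy.
  emit -A INPUT -i lo -j ACCEPT
  emit -A OUTPUT -o lo -j ACCEPT
  # Rules match in order: blocked addresses go before any ACCEPT rule,
  # otherwise an earlier ACCEPT for port 80 would still let them through.
  for addr in $BLOCK_LIST; do emit -A INPUT -i "$IFACE" -s "$addr" -j DROP; done
  allow_in 80                          # web, open to everyone
  allow_in 443
  allow_in 22 "$ADMIN_NET"             # SSH only from the admin network
  allow_in 3306 "$ADMIN_NET"           # MySQL only from the admin network
}

case "${1:-}" in
  print) build_ruleset ;;
  apply) APPLY=1; build_ruleset ;;
esac
```

Run it as `sh rules.sh print` to review the generated commands before applying them with `sh rules.sh apply` as root.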
