iptables is the administration tool for IPv4 packet filtering and NAT. It is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.
A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.
- ACCEPT means to let the packet through.
- DROP means to drop the packet on the floor (it is discarded silently, with no reply to the sender).
- QUEUE means to pass the packet to userspace.
- RETURN means stop traversing this chain and resume at the next rule in the previous chain.
There are 4 chains in total:
- INPUT – The default chain used for packets addressed to the system. Use it to open or close incoming ports and IP addresses / subnets.
- OUTPUT – The default chain used for packets generated by the system. Use it to open or close outgoing ports and IP addresses / subnets.
- FORWARD – The default chain used for packets routed through the system to another interface. Usually used when you set up Linux as a router.
- RH-Firewall-1-INPUT – This is a user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains.
Installation of Iptables
We can install iptables with the following command:
[root@vpn ~]# yum install iptables -y

Check the iptables version:
[root@vpn ~]# iptables --version
iptables v1.3.5
Check the iptables status:
[root@vpn ~]# service iptables status
Start iptables:
[root@vpn ~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]
To make iptables start at boot:
[root@vpn ~]# chkconfig iptables on
The default configuration file on CentOS is /etc/sysconfig/iptables. The system init script activates the firewall by reading this file.
Iptable Rules
1. Flush all rules (-F) and delete all user-defined chains (-X); necessary if iptables rules have already been defined
# iptables -t filter -F
# iptables -t filter -X
2. Display the status of the firewall
# iptables -L -n -v
3. Block null packets (no TCP flags set)
# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
4. Reject SYN-flood attacks (new connections must begin with a SYN)
# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
5. Reject recon packets (all TCP flags set, "XMAS" scans)
# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
6. Accept traffic on the loopback interface
# iptables -A INPUT -i lo -j ACCEPT
7. Allow web server traffic
# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
8. Allow users to use the SMTP server
# iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
9. Allow users to read email on the server
Allow POP3 traffic:
# iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
Allow IMAP traffic:
# iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
10. Allow SSH traffic
# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
Allow traffic to the SSH port only if it comes from one source address:
# iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT
11. Allow established connections to receive replies (inserted at the top of the chain with -I so it is matched first)
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
12. Block an IP address
# iptables -A INPUT -s IP_ADDRESS -j DROP
13. Block a port for a specific IP address
# iptables -A INPUT -p tcp -s IP_ADDRESS --dport PORT -j DROP
14. Open a port for a specific IP address
# iptables -A INPUT -p tcp -s IP_ADDRESS --dport PORT -j ACCEPT
15. Allow printing (CUPS, UDP 631) for a specific IP address
# iptables -A INPUT -s IP_ADDRESS -p udp -m udp --dport 631 -j ACCEPT
16. Open DNS (this rule covers TCP 53 only; DNS queries also use UDP 53)
# iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
17. Open the MySQL port
# iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
18. Open a range of ports (e.g. 7000-7100)
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7100 -j ACCEPT
After setting all the rules, you need to save them and restart iptables:
# service iptables save
# service iptables restart
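The rules above are appended with ACCEPT targets while the chain policy stays ACCEPT (which is what "service iptables start" sets), so by themselves they do not block anything. As an added example that is not part of the original post, the shell function below writes the same INPUT rules into the iptables-save format that /etc/sysconfig/iptables uses, ordered so that loopback and established traffic are matched first, and closes the chain with a default DROP policy; ADMIN_IP is a placeholder for the one address allowed to reach SSH, and multiport is used to collapse the per-port lines.

```shell
#!/bin/sh
# gen_iptables_rules ADMIN_IP
# Prints a complete /etc/sysconfig/iptables (iptables-save format) carrying
# the page's INPUT rules in a safe order, with a default DROP policy on INPUT.
# ADMIN_IP is a placeholder: the single source address allowed to reach SSH.
gen_iptables_rules() {
    admin_ip="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened come first, so that
# no later rule can block them
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# malformed probes: null packets, all-flags packets, new connections without SYN
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# web, SMTP, POP3 and IMAP ports from the page, collapsed with multiport
-A INPUT -p tcp -m multiport --dports 80,443,25,465,110,995,143,993 -j ACCEPT
# DNS over both transports, MySQL, and the custom 7000-7100 range
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp --dport 7000:7100 -j ACCEPT
# SSH only from the administrator's address; everything else hits the DROP policy
-A INPUT -p tcp -s ${admin_ip} --dport 22 -j ACCEPT
COMMIT
EOF
}

# usage: sh gen_rules.sh 203.0.113.10 > /etc/sysconfig/iptables && service iptables restart
if [ "$#" -eq 1 ]; then
    gen_iptables_rules "$1"
fi
```

Review the generated file with "iptables-restore --test" where available, or apply it on a console session first, since a wrong ADMIN_IP locks you out of SSH.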