Basic and most common iptables rules

Giedrius
Giedrius
edited November 15 in Performance and Security
Tagged:
Iptables is basically a powerful firewall, which can allow a user to set specific rules to control incoming and outgoing traffic. You can use it to block specific port, IP addresses and much more. In this article we present most common uses of iptables.

The iptables rules can be specified with 3 blocks, which are used for specific purpose (called Chains):

INPUT - All packets destined for the host computer.
OUTPUT - All packets originating from the host computer.
FORWARD - All packets neither destined for nor originating from the host computer, but passing through (routed by) the host computer. This chain is used if you are using your computer as a router.

The first command we present is used to flush the existing iptables rules, this can be useful if we want to start with new rules or if we have accidentally blocked ourselves (Our Clients Area has a button for this case specifically - "Flush iptables"):
iptables -F
Note. If you want to flush a single Chain, specific rules. You can use this:
sudo iptables -F INPUT

Next commands are used to check current rules that are active within your server:
iptables -L
iptables -S
Note. You can add specific word, like: INPUT, FORWARD OR OUTPUT. For example:
iptables -L INPUT
This will let you specify the rules by their purpose (Chains).

Note. You can also add "-v" to your command (iptables -L -v), this will let you check the packets and their size matched with each rule.

Now we can continue with more specific rules to make some simple rules. Usually Firewall is used to block something first, and only then to allow something. So here are some rules which helps you to block the connections.

In order to block a connection from specific IP address you can use this:
iptables -A INPUT -s 1.1.1.1 -j DROP 
iptables -A OUTPUT -s 1.1.1.1 -j DROP
iptables -A INPUT -s 1.1.1.1 -j REJECT
Note. REJECT is used to give a respond that the connection is not blocked and sends a message "connection refused".

If you want to block specific port, for example SMTP port 25, you can use this:
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -I OUTPUT -p tcp --dport 25 -j DROP

Allow Incoming SSH connection only from a specific IP:
iptables -A INPUT -i venet0 -p tcp -s 1.1.1.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
This actually allows only specific IP to connect to server using 22 port. Also, every time it happens, it establish a status, which will be used in the second rule to allow the same IP the outgoing traffic.

Following sets of rules are for HTTP and HTTPS connections:
iptables -A INPUT -i venet0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i venet0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

First set of rules allows HTTP and the second set of rules allows HTTPS connection using the default ports 80 and 443

Next rules allows outside users to ping to your server:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
The same applies for blocking it:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP

To allow loopback access to your server, for example using local host:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Allowing MySQL connection from specific IP address:
iptables -A INPUT -i venet0 -p tcp -s 1.1.1.1 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Allowing POP3 or IMAP traffic:
iptables -A INPUT -i venet0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i venet0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

Also, this can be applied for POP3/IMAP using secure connection:
iptables -A INPUT -i venet0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i venet0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

Note. When you describe network interface in the rules, for example venet0, do not forget to change it, if you server uses different network interface, for example: eth0 or other.

One last use of iptables  is that it can be used to prevent the DDoS as well, by limiting the connections per minute:
iptables -A INPUT -p tcp --dport 80 -m limit --limit 10/minute --limit-burst 100 -j ACCEPT
More details about this one:

-m limit: This uses the limit iptables extension
–limit 25/minute: This limits only maximum of 10 connection per minute.
–limit-burst 100: This value indicates that the limit/minute will be enforced only after the total number of connection have reached the limit-burst level.

You can change the details based on your requirements, to prevent some attacks.
Tagged:
Sign In or Register to comment.
© 2013 - 2017 Time4VPS. All rights reserved. Powered by Vanilla
The opinions or views of users on the forum are those of the author and not of Time4VPS.