iptables examples: Comprehensive Guide

-

Introduction

iptables is a powerful tool for protecting Linux systems from unauthorized access and cyber threats. 
In this article, we guide you through configuring and using iptables to manage firewall rules, from basic to advanced levels, ensuring maximum security for your server. Whether you're a beginner or an experienced system administrator, this post provides practical, detailed examples on how to use iptables to control IP access, manage ports, and set up effective connection limits for enhanced server protection.
 You may reading link as below:

1. Basic iptables Rules

Below is a sample iptables configuration to manage incoming and outgoing connections effectively:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
#### Mail port ###
-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 143 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -j ACCEPT -s 10.10.9.0/24
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 993 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 7071 -j ACCEPT -s 10.10.9.0/24
####End mail ports###
####To limit the connectios per ip we use####
-A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
#####To set the connection rate-limit to reject 4 or more connections attempts within 60 seconds#####
-A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
-A INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update \ --seconds 60 --hitcount 4 -j REJECT
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
-N syn_flood
-A INPUT -p tcp --syn -j syn_flood
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
-A syn_flood -j DROP
#Limiting the incoming icmp ping request:
-A INPUT -p icmp -m limit --limit  1/s --limit-burst 1 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
-A INPUT -p icmp -j DROP
-A OUTPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP
COMMIT

2. Time-Based Access Control

Use the following commands to restrict SSH access based on specific timeframes (e.g., weekdays from 1:00 AM to 3:00 AM):

Input Rule
iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 192.168.131.129 --dport 22 -m state --state NEW,ESTABLISHED -m time --timestart 01:00 --timestop 03:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT
Output Rule
iptables -A OUTPUT -p tcp -s 192.168.131.129 --sport 22 -d 0/0 --dport 513:65535 -m state --state ESTABLISHED -m time --timestart 01:00 --timestop 03:00 --days Mon,Tue,Wed,Thu,Fri -j ACCEPT

3. Configuring DNS Access Rules

For DNS, iptables rules can help ensure secure communication through specific ports:

# UDP
iptables -A INPUT -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# TCP
iptables -A INPUT -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT

Conclusion

With this guide, you've gained essential knowledge on setting up iptables on Linux to enhance server security. Equipped with detailed access control rules and flexible customization options, iptables is an indispensable tool for anyone aiming to safeguard data and maintain system performance. Start implementing these practices now to build a secure and stable environment for your system.

Comments

  1. tmhoang, Ho Chi Minh City, VietnamMarch 2, 2018 at 3:49 PM

    Why do we need specific rules for DNS in INPUT chain if we already have "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"?

    Thanks.

    ReplyDelete
  2. HuuPVMarch 4, 2018 at 9:29 PM

    "Why do we need specific rules for DNS in INPUT chain if we already have "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    Yes, you're right! you test environment ok ?

    ReplyDelete

Post a Comment

Popular posts from this blog

zimbra some services are not running [Solve problem]

-
How to solved zimbra some services are not running. That after, to installed zimbra mail server. The display a some admin console status red in environment multiple server ( zimbra ldap, zimbra mailbox, zimbra mta etc.). Link to below you maybe likes: How to install and configure zimbra multi server.   How to restrict to user sending mail on zimbra 8.6. How to Restrict Sending to Distribution list in zimbra mail. How to change last login time for all accounts in zimbra ldap. How to zimbra reject authenticated sender login mismatch. Error zimbra some services are not running as bellow Step by step guide the solve problem zimbra some services are not running the following: To restart and enable cron service the permanently. service crond restart chkconfig crond on Opening rsyslog.conf file and uncomment the following. vim /etc/rsyslog.conf Uncomment these two lines $modload imupd $UDPServerRun514   To restart and enable rsyslog service the permanently. servic
Read more

Bash script list all IP addresses connected to Server with Country Information

-
Introduction Learn how to create a Bash script to list all IP addresses connected to your server. This comprehensive guide covers everything from basic to advanced examples, helping you master server monitoring with Bash scripting. This script is designed to list all IP addresses connected to your server, retrieve geographical information for each IP using ipinfo.io , and display the results in a clean format. This guide will walk you through the script, explaining each part in detail, and ensuring you understand how to implement and use it effectively. What is Bash? Bash (Bourne Again Shell) is a Unix shell and command language written by Brian Fox for the GNU Project as a free software replacement for the Bourne shell. It has since become the default login shell for most Linux distributions. Bash can execute commands, read and execute commands from a file, and provide constructs for condition testing, looping, and functions. Prerequisites A Linux-based server with administrative pri
Read more

Zimbra Client host rejected Access denied fixed

-
Introduction While using Zimbra Zimbra , you might encounter the "Client host rejected: Access denied" error, which can disrupt your workflow. This is a common issue that can be resolved easily if you understand the causes and the solutions. This article provides a detailed guide on how to fix this error on Zimbra, helping you quickly resume your work smoothly. Zimbra client host rejected Access denied error log Dec 19 01:21:28 mail postfix/amavisd/smtpd[5106]: NOQUEUE: reject: CONNECT from unknown[192.168.1.113]: 554 5.7.1 <unknown[192.168.1.113]>: Client host rejected: Access denied; proto=SMTP Dec 19 01:21:28 mail postfix/amavisd/smtpd[5106]: lost connection after CONNECT from unknown[192.168.1.113] Dec 19 01:21:28 mail postfix/amavisd/smtpd[5106]: disconnect from unknown[192.168.1.113] Allow the network " 192.168.1.0/24 " of client host for zimbraMtaMyNetworks attribute [zimbra@mail ~]$ zmprov ms `zmhostname` zimbraMtaMyNetworks "127.0.0.0/
Read more