Basic iptables rules

Centos

Remove firewalld and install iptables-services to restore rules on boot.

sudo yum remove firewalld -y

sudo yum install iptables-services -y
sudo systemctl enable iptables
sudo systemctl enable ip6tables
sudo systemctl start ip6tables

sudo vi /etc/sysconfig/iptables

Debian/Ubuntu

Install iptables-persistent to restore rules on boot.

sudo apt-get install iptables-persistent
sudo vi /etc/iptables/rules.v4

Edit rules

*filter
# Default policies: drop anything not explicitly accepted in INPUT and FORWARD
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host started, plus related traffic (e.g. ICMP errors)
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Loopback
-A INPUT -i lo -j ACCEPT
# ICMP: echo reply (0), destination unreachable (3), echo request (8), time exceeded (11)
-A INPUT -p icmp --icmp-type 0 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -m conntrack --ctstate NEW -j ACCEPT
# SSH
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT

Start iptables service

Centos

sudo systemctl start iptables

Tips and Tricks

Comment

You should always add a comment stating who or which service is using the port, so the purpose of each rule is clear when the ruleset is reviewed later.

-m comment --comment "Comment"

example: Open HTTP/HTTPS

-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment "Webserver" -j ACCEPT

Allow from IP or multiple IPs

-s IP,IP,IP

example: Allow HTTP/HTTPS from 192.168.0.1, 192.168.0.2, 192.168.0.3

-A INPUT -s 192.168.0.1,192.168.0.2,192.168.0.3 -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment "Webserver" -j ACCEPT

Allow from IP range

-m iprange --src-range IPfrom-IPto

example: Allow HTTP/HTTPS from 192.168.0.1 – 192.168.0.3

-A INPUT -p tcp -m iprange --src-range 192.168.0.1-192.168.0.3 -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment "Webserver" -j ACCEPT

Allow multiple ports

-m multiport --dports PORT,PORT

Range

-m multiport --dports PORTfrom:PORTto

example: Open HTTP/HTTPS

-A INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -m comment --comment "Webserver" -j ACCEPT
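As an added example (not from the original post), a small POSIX shell script that generates a rules file in the iptables-save format shown above from a short allow-list, then checks it with iptables-restore --test and schedules a rollback before loading it, so a typo in the rules cannot lock you out. The function names, the backup path and the service list are assumptions for this example.

```sh
#!/bin/sh
# Added example: build a rules.v4 file from an allow-list, test it, apply it safely.
# allow_tcp, gen_rules, apply_rules and the rollback path are assumed names.

# allow_tcp PORTS SOURCES COMMENT
#   PORTS   : comma list or range, e.g. 80,443 or 6000:6010 (multiport syntax)
#   SOURCES : comma list of IPs/CIDRs with no spaces, or "any"
allow_tcp() {
    ports=$1; sources=$2; comment=$3
    src=""
    [ "$sources" != "any" ] && src="-s $sources "
    printf -- '-A INPUT %s-p tcp -m conntrack --ctstate NEW -m multiport --dports %s -m comment --comment "%s" -j ACCEPT\n' \
        "$src" "$ports" "$comment"
}

# gen_rules: print a complete ruleset with default DROP on INPUT and FORWARD.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
EOF
    # Constructed allow-list: SSH only from the admin LAN, web from anywhere.
    allow_tcp 22     192.168.0.0/24 "SSH from admin LAN"
    allow_tcp 80,443 any            "Webserver"
    echo COMMIT
}

# apply_rules FILE: refuse a file iptables-restore cannot parse, back up the
# live ruleset, and schedule an automatic rollback in case the new rules
# break management access. Kill the rollback once you have confirmed access.
apply_rules() {
    f=$1
    iptables-restore --test "$f" || { echo "syntax error in $f" >&2; return 1; }
    iptables-save > /root/iptables.rollback
    ( sleep 120 && iptables-restore /root/iptables.rollback ) &
    echo "rollback scheduled as PID $!; run: kill $! once you confirm access"
    iptables-restore "$f"
}
```

Typical use as root: gen_rules > /etc/iptables/rules.v4 && apply_rules /etc/iptables/rules.v4 (on CentOS use /etc/sysconfig/iptables instead).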
