Monday, April 26, 2010

Just a Quick Guide For iptables

To append rules to a chain (here the INPUT chain):

    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -A INPUT -p tcp --dport 143 -j ACCEPT
    iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
    iptables -A INPUT -j DROP
    iptables -I INPUT 8 -p tcp --dport 9999 -j ACCEPT

The first seven entries accept TCP connections to port 80 (http), 443 (https), 21 (ftp), 22 (ssh, scp, sftp), 110 (pop3), 143 (imap) and 3000 (a custom port for thin, a Ruby web server).

    iptables -A INPUT -j DROP

drops everything else that tries to connect to the server. Rules are evaluated in order, so this catch-all must come after the ACCEPT rules; anything appended below it is never reached.

The last entry

    iptables -I INPUT 8 -p tcp --dport 9999 -j ACCEPT

inserts the rule at position 8 of the INPUT chain (the existing rule 8, the DROP, and everything below it move down one place). This is useful when you need a specific priority for a port's filtering, such as keeping a new ACCEPT above the catch-all DROP.
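The position given to -I is what keeps a new rule above the catch-all DROP. The script below is an added example, not part of the original post: it reads rules in the format printed by `iptables -S INPUT` (a constructed sample is embedded), computes the insert position for a new ACCEPT, and lists any rules that sit below the DROP and therefore can never match.

```shell
#!/bin/sh
# Helpers for keeping ACCEPT rules above the catch-all DROP in the INPUT chain.
# Input is text in the format of `iptables -S INPUT` (one rule per line).

# Constructed sample: the chain built by the -A commands above, plus one rule
# appended by mistake after the DROP (so it can never match).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 9999 -j ACCEPT'

# drop_position RULES: print the 1-based position of the first unconditional
# DROP/REJECT in INPUT (numbered as `iptables -L --line-numbers` shows them);
# prints nothing when the chain has no such catch-all.
drop_position() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        /^-A INPUT -j (DROP|REJECT)$/ { print n; exit }'
}

# shadowed_rules RULES: list every rule placed after the catch-all; such rules
# are dead because the DROP already matched the packet before they are reached.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / { n++ }
        found { print n ": " $0 }
        /^-A INPUT -j (DROP|REJECT)$/ { found = 1 }'
}

# accept_port_cmd PORT RULES: print the iptables command that opens a TCP port
# and lands above the catch-all (-I at its position); with no catch-all, -A is fine.
accept_port_cmd() {
    pos=$(drop_position "$2")
    if [ -n "$pos" ]; then
        printf 'iptables -I INPUT %s -p tcp --dport %s -j ACCEPT\n' "$pos" "$1"
    else
        printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$1"
    fi
}

# Example run (only prints commands; nothing is applied to the live firewall).
accept_port_cmd 9999 "$SAMPLE_RULES"
shadowed_rules "$SAMPLE_RULES"
```

On a real host, feed it the output of `iptables -S INPUT` instead of the sample and apply the printed command as root.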

To delete an entry, for example the second rule of the list:

    iptables -D INPUT 2

The list can be viewed with

    iptables -L

(add --line-numbers to see each rule's position). To flush all the rules:

    iptables -F

To add a rule that applies to a whole port range, say to block every port from 20 to 80, you can add

    iptables -A INPUT -p tcp --dport 20:80 -m state --state NEW,ESTABLISHED -j REJECT

where --dport takes the range 20:80 (colon as the delimiter), -m loads an extended match (here state), --state lists the connection states the rule applies to (valid states are INVALID, NEW, ESTABLISHED), and -j REJECT refuses the connection attempt (sending an error back to the client, unlike DROP, which stays silent).

To save your rules, you can execute

    iptables-save > /etc/sysconfig/iptables

if your distribution keeps its iptables config at that path (Red Hat-style systems do).
