Just a Quick Guide For iptables
For adding rule entries to the INPUT chain:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
iptables -A INPUT -j DROP
iptables -I INPUT 8 -p tcp --dport 9999 -j ACCEPT
The first seven entries accept TCP connections on port 80 (HTTP), 443 (HTTPS), 21 (FTP), 22 (SSH, SCP, SFTP), 110 (POP3), 143 (IMAP) and 3000 (a custom port for Thin, a Ruby web server).
Then,
iptables -A INPUT -j DROP
will drop everything else that tries to connect to the server. Note that this catch-all rule also drops the reply packets of connections the server itself opens (DNS answers, outbound SSH, package downloads) unless a rule accepting ESTABLISHED,RELATED traffic sits above it, and it drops loopback traffic unless -i lo is accepted first.
The last entry
iptables -I INPUT 8 -p tcp --dport 9999 -j ACCEPT
inserts the rule at row 8 of the chain, that is, ahead of the catch-all DROP that currently occupies row 8. This is how you give a rule priority: iptables evaluates a chain top to bottom and stops at the first matching terminal target, so an ACCEPT appended with -A after the DROP would never be reached.
To delete an entry, you can do
iptables -D INPUT 2
to delete the second row of the chain. Row numbers can be viewed by issuing
iptables -L INPUT --line-numbers
(plain iptables -L lists the rules without numbers, so count carefully before deleting by index). A rule can also be deleted by repeating its exact specification, e.g. iptables -D INPUT -p tcp --dport 21 -j ACCEPT. To flush all the rules in every chain of the filter table, you can do
iptables -F
which leaves only the chain policies in effect (ACCEPT unless you changed them), so the host is wide open afterwards.
To add a rule that applies to a range of ports, say, refuse every TCP port from 20 to 80, you can execute
iptables -A INPUT -p tcp --dport 20:80 -m state --state NEW,ESTABLISHED -j REJECT
where --dport 20:80 specifies the range (colon as the delimiter), -m loads a match extension (here state), --state lists the connection-tracking states to match (valid states are INVALID, NEW, ESTABLISHED, RELATED and, on newer kernels, UNTRACKED), and -j REJECT refuses the packet and sends an error back to the client (unlike DROP, which discards it silently). Two caveats: appended with -A, this rule lands below the catch-all DROP from the first block and is never evaluated, so insert it with -I at a row above the DROP; and matching ESTABLISHED here also rejects packets of connections already open on those ports, so NEW alone is usually what is meant.
To save your rules so they survive a reboot, you can execute
iptables-save > /etc/sysconfig/iptables
which is the file the iptables init script on Red Hat-based systems (RHEL, CentOS, Fedora with the iptables service) reads at boot; Debian and Ubuntu use /etc/iptables/rules.v4 with the iptables-persistent package instead. A saved file can be loaded again by hand with iptables-restore < /etc/sysconfig/iptables.
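As an added example (not code from the original post), here is the ruleset of this guide rebuilt in iptables-save format, with a loopback rule and an ESTABLISHED,RELATED rule placed ahead of the service ports, plus a check for rules that sit below the catch-all DROP, which is the mistake the 20:80 REJECT rule above makes when added with -A. The function names (build_ruleset, append_rule, shadowed_rules) and the port list are this example's own choices; nothing here modifies the running firewall, it only writes text for review and for iptables-restore.

```shell
#!/bin/sh
# Added example, not part of the original guide. Generates an iptables-save
# style ruleset and checks it for rules shadowed by the catch-all DROP.
# Helper names and the port list are this example's own choices.
set -eu

# build_ruleset PORT... : emit a filter table that accepts loopback and reply
# traffic first, then NEW TCP connections to the given ports, then drops the
# rest. Order matters: iptables stops at the first terminal match.
build_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m state --state INVALID -j DROP'
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# append_rule RULE < RULES : model 'iptables -A INPUT RULE' on a saved ruleset
# by adding the rule as the last INPUT entry (just before COMMIT).
append_rule() {
    awk -v rule="-A INPUT $1" '/^COMMIT$/ { print rule } { print }'
}

# shadowed_rules < RULES : print how many INPUT rules sit below the catch-all
# '-A INPUT -j DROP'. Those rules can never match; this is what happens when a
# rule is appended with -A instead of inserted with -I above the DROP.
shadowed_rules() {
    awk '/^-A INPUT -j DROP$/ { seen = 1; next }
         seen && /^-A INPUT/  { n++ }
         END { print n + 0 }'
}

# Usage: the guide's port list, checked both ways.
build_ruleset 80 443 21 22 110 143 3000 | shadowed_rules                     # 0
build_ruleset 80 443 21 22 110 143 3000 \
    | append_rule '-p tcp --dport 20:80 -m state --state NEW -j REJECT' \
    | shadowed_rules                                                        # 1
# To apply: build_ruleset ... > /etc/sysconfig/iptables, then
# iptables-restore --test < /etc/sysconfig/iptables (parse only) and
# iptables-restore < /etc/sysconfig/iptables (commit).
```

Review the generated text before loading it; iptables-restore --test parses the file without committing, and a shadowed-rule count above zero means a rule was appended where the DROP already catches everything.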