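#!/usr/bin/env bash
# Common Linux iptables rules: an IPv4 host-firewall template (filter table).
#
# Run as root. Rules are appended in order and the FIRST matching rule wins,
# so the position of a rule is part of its meaning; comments below call out
# the places where order matters. Sections prefixed with '#' are optional
# examples - fill in the addresses and uncomment what you need.
#
# Scope: IPv4 only. This script does not touch ip6tables; if IPv6 is enabled
# on the host, the same services are reachable over v6 regardless of these
# rules, so add matching ip6tables rules or disable IPv6.
set -euo pipefail

# Public-facing interface used by the per-service rules (override via env).
IFACE="${IFACE:-eth0}"

# 1. Delete all existing rules and user-defined chains in every table.
#    '-F' alone leaves user chains (e.g. LOGGING) in place, so a second run
#    would fail at 'iptables -N LOGGING' with "Chain already exists".
#    Note: flushing does NOT reset chain policies - a DROP policy left by an
#    earlier run stays in force, which is why the stateful rules below are
#    added immediately after the flush.
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# 14. Allow loopback access. Added first so local services (and anything the
#     rest of this script relies on, e.g. a local resolver) keep working.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept packets that belong to a connection already allowed by a rule below,
# in both directions. Added BEFORE the default policy becomes DROP so that the
# SSH session running this script survives the switch. Because every reply
# packet is matched here, the per-service rules only need to admit the NEW
# packet of a connection; separate "--sport N --state ESTABLISHED" reply
# rules are unnecessary. RELATED additionally admits ICMP errors and helper
# data channels (e.g. FTP) tied to an allowed connection.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot associate with any connection (stray ACKs, scan
# probes) are dropped outright rather than evaluated against the allow rules.
iptables -A INPUT -m state --state INVALID -j DROP

# 2. Set the default chain policy: everything not explicitly allowed is dropped.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Block a specific IP address. Keep this ahead of the ACCEPT rules below,
#    otherwise an earlier ACCEPT wins and the block never matches.
#BLOCK_THIS_IP="x.x.x.x"
#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

# 4. Allow incoming SSH from anywhere. Prefer section 5 (restrict the source
#    network) whenever the administrative networks are known.
iptables -A INPUT -i "$IFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT

# 5. Allow incoming SSH only from a particular network (use instead of 4).
#iptables -A INPUT -i "$IFACE" -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW -j ACCEPT

# 6. Allow incoming HTTP, rate-limited on new connections (this is the
#    "prevent DoS" rule from section 23). A limit rule is only effective if it
#    comes BEFORE any unconditional ACCEPT for the same port - an earlier
#    plain ACCEPT would make it dead code. New connections above the limit
#    fall through to the LOGGING chain in section 25 and are dropped.
iptables -A INPUT -i "$IFACE" -p tcp --dport 80 -m state --state NEW \
  -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# 7. Multiport: allow incoming SSH and HTTPS in one rule.
#    Port 80 is deliberately NOT listed here: an unconditional ACCEPT for 80
#    after section 6 would bypass the rate limit.
iptables -A INPUT -i "$IFACE" -p tcp -m multiport --dports 22,443 -m state --state NEW -j ACCEPT

# 8. Allow outgoing SSH from this host.
iptables -A OUTPUT -o "$IFACE" -p tcp --dport 22 -m state --state NEW -j ACCEPT

# 9. Allow outgoing SSH, but only to a specific network (use instead of 8).
#iptables -A OUTPUT -o "$IFACE" -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW -j ACCEPT

# 10. Allow outgoing HTTPS.
iptables -A OUTPUT -o "$IFACE" -p tcp --dport 443 -m state --state NEW -j ACCEPT

# 11. Load balancing of incoming HTTPS traffic across three back ends.
#     The 'nth' match is a legacy patch-o-matic extension; the in-tree
#     equivalent is '-m statistic --mode nth'. These rules live in the nat
#     table (PREROUTING), need net.ipv4.ip_forward=1, and need FORWARD rules
#     that admit the DNATed traffic - the default FORWARD policy is DROP.
#iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
#iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
#iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport 443 -m state --state NEW -m statistic --mode nth --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

# 12. Ping from inside to outside. Echo replies are matched by the
#     ESTABLISHED rule above (conntrack pairs ICMP echo request/reply).
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

# 13. Ping from outside to inside. Unlimited here; add '-m limit' if the host
#     is exposed to the Internet and ping floods are a concern.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# 15. Allow packets from the internal network out to the external network.
#     Assumes eth1 is connected to the external network (Internet) and
#     eth0 to the internal network (192.168.1.x). NOTE: these interface roles
#     are the reverse of the rest of this file, where eth0 is the public
#     interface - adjust to the actual topology before enabling forwarding.
#     Forwarding also requires net.ipv4.ip_forward=1 and, for RFC 1918
#     internal addresses, source NAT on the external interface.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
# Return traffic for forwarded connections; without it the default FORWARD
# policy drops every reply.
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# 16. Allow outgoing DNS. Replies come back through the ESTABLISHED rule
#     (conntrack tracks UDP exchanges). The original "accept any inbound UDP
#     with source port 53" rule is intentionally gone: it let any remote host
#     reach any UDP service on this machine just by sending from port 53.
#     TCP/53 is included because resolvers fall back to TCP for large answers.
iptables -A OUTPUT -o "$IFACE" -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o "$IFACE" -p tcp --dport 53 -m state --state NEW -j ACCEPT

# 17. Allow NIS connections. The ypbind ports are assigned dynamically by
#     rpcbind; look them up with 'rpcinfo -p | grep ypbind' on the host and
#     substitute the values (853 and 850 below are an example, not constants).
#iptables -A INPUT -p tcp --dport 111 -j ACCEPT
#iptables -A INPUT -p udp --dport 111 -j ACCEPT
#iptables -A INPUT -p tcp --dport 853 -j ACCEPT
#iptables -A INPUT -p udp --dport 853 -j ACCEPT
#iptables -A INPUT -p tcp --dport 850 -j ACCEPT
#iptables -A INPUT -p udp --dport 850 -j ACCEPT

# 18. Allow rsync into this machine from a specific network only.
#iptables -A INPUT -i "$IFACE" -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW -j ACCEPT

# 19. Allow MySQL connections from a specific network only.
#iptables -A INPUT -i "$IFACE" -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW -j ACCEPT

# 20. Allow Sendmail or Postfix to receive mail. With an OUTPUT policy of
#     DROP the MTA cannot deliver outbound mail unless outgoing SMTP is also
#     allowed - uncomment the second rule for that.
iptables -A INPUT -i "$IFACE" -p tcp --dport 25 -m state --state NEW -j ACCEPT
#iptables -A OUTPUT -o "$IFACE" -p tcp --dport 25 -m state --state NEW -j ACCEPT

# 21. Allow IMAP and IMAPS.
#iptables -A INPUT -i "$IFACE" -p tcp --dport 143 -m state --state NEW -j ACCEPT
#iptables -A INPUT -i "$IFACE" -p tcp --dport 993 -m state --state NEW -j ACCEPT

# 22. Allow POP3 and POP3S.
#iptables -A INPUT -i "$IFACE" -p tcp --dport 110 -m state --state NEW -j ACCEPT
#iptables -A INPUT -i "$IFACE" -p tcp --dport 995 -m state --state NEW -j ACCEPT

# 23. Prevent DoS attacks on HTTP: folded into section 6, because a limit
#     rule placed after the unconditional port-80 ACCEPT would never match.

# 24. Forward port 422 to port 22. DNAT happens in PREROUTING, so by the time
#     the packet reaches the INPUT chain its destination port is already 22
#     and it is admitted by section 4 - a filter rule for port 422 would
#     never see anything.
#iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22

# 25. Log dropped packets. Anything not accepted above reaches LOGGING, is
#     logged at most twice a minute (so a flood cannot fill the log), then
#     dropped. Log level 7 (debug) is discarded by many default syslog
#     configurations; lower it (e.g. 4, warning) if the entries never appear.
#     Only INPUT is logged here; append '-A FORWARD -j LOGGING' and
#     '-A OUTPUT -j LOGGING' to see forwarded/outbound drops as well.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables Packet Dropped:" --log-level 7
iptables -A LOGGING -j DROP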
Common Linux iptables rules