Sharing the most common 25 iptables policies

Source: Internet
Author: User
Tags custom name

This article will introduce 25 most commonly used iptables policies to you. I hope these methods will be helpful to your friends' server security.

1. Clear existing policies
When you create a new policy, you may want to clear all default policies and existing policies. You can do this:

The Code is as follows: Copy code
Iptables-F or iptables-flush

2. Set the Default policy
The default chain policy is ACCEPT, and all chain policies are changed to DROP:

The Code is as follows: Copy code
Iptables-P INPUT DROP
Iptables-P FORWARD DROP
Iptables-P OUTPUT DROP

3. Block A specified ip Address

The Code is as follows: Copy code
BLOCK_THIS_IP = "x. x"
Iptables-a input-s "$ BLOCK_THIS_IP"-j DROP
Iptables-a input-I eth0-s "$ BLOCK_THIS_IP"-j DROP
Iptables-a input-I eth0-p tcp-s "$ BLOCK_THIS_IP"-j DROP

4. Allow SSH
Allow all users to connect to the local machine using the ssh protocol through the eth0 interface:

The Code is as follows: Copy code
Iptables-a input-I eth0-p tcp-dport 22-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 22-m state-state ESTABLISHED-j ACCEPT

5. Allow a CIDR block to be connected through ssh

The Code is as follows: Copy code
Iptables-a input-I eth0-p tcp-s 192.168.100.0/24-dport 22-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 22-m state-state ESTABLISHED-j ACCEPT

6. http and https are allowed.
Allow all incoming web traffic: Port 80 of the http protocol

The Code is as follows: Copy code
Iptables-a input-I eth0-p tcp-dport 80-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 80-m state-state ESTABLISHED-j ACCEPT

Allow all incoming web traffic: port 443 of the https protocol

The Code is as follows: Copy code
Iptables-a input-I eth0-p tcp-dport 443-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 443-m state-state ESTABLISHED-j ACCEPT

7. Join multiple policies
Allow ssh, http, and https:

The Code is as follows: Copy code
Iptables-a input-I eth0-p tcp-m multiport-dports 22,80, 443-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-m multiport-sports 22,80, 443-m state-state ESTABLISHED-j ACCEPT

8. Allow SSH to connect to other hosts

The Code is as follows: Copy code
Iptables-a output-o eth0-p tcp-dport 22-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a input-I eth0-p tcp-sport 22-m state-state ESTABLISHED-j ACCEPT

9. Allow SSH to connect to the specified CIDR Block

The Code is as follows: Copy code
Iptables-a output-o eth0-p tcp-d 192.168.100.0/24-dport 22-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a input-I eth0-p tcp-sport 22-m state-state ESTABLISHED-j ACCEPT

10. allow https access

The Code is as follows: Copy code
Iptables-a output-o eth0-p tcp-dport 443-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a input-I eth0-p tcp-sport 443-m state-state ESTABLISHED-j ACCEPT

11. Load Balancing web requests (iptables needs to be extended for every three packets to be balanced to the specified server)

The Code is as follows: Copy code
Iptables-a prerouting-I eth0-p tcp-dport 443-m state-state NEW-m nth-counter 0-every 3-packet 0-j DNAT-to-destination 192.168.1.101: 443
Iptables-a prerouting-I eth0-p tcp-dport 443-m state-state NEW-m nth-counter 0-every 3-packet 1-j DNAT-to-destination 192.168.1.102: 443
Iptables-a prerouting-I eth0-p tcp-dport 443-m state-state NEW-m nth-counter 0-every 3-packet 2-j DNAT-to-destination 192.168.1.103: 443

12. ping allowed

The Code is as follows: Copy code
Iptables-a input-p icmp-type echo-request-j ACCEPT
Iptables-a output-p icmp-type echo-reply-j ACCEPT

13. Allow Remote ping

The Code is as follows: Copy code
Iptables-a output-p icmp-type echo-request-j ACCEPT
Iptables-a input-p icmp-type echo-reply-j ACCEPT

14. Allow local loopback

The Code is as follows: Copy code
Iptables-a input-I lo-j ACCEPT
Iptables-a output-o lo-j ACCEPT

15. Allow Intranet access to external networks
In this example, eth1 is connected to the external network and eth0 is connected to the internal network.

The Code is as follows: Copy code
Iptables-a forward-I eth0-o eth1-j ACCEPT

16. Allow DNS to exit

The Code is as follows: Copy code
Iptables-a output-p udp-o eth0-dport 53-j ACCEPT
Iptables-a input-p udp-I eth0-sport 53-j ACCEPT

17. allow NIS connection
The NIS port is dynamic. When ypbind is started, it allocates a port.
Run rpcinfo-p to obtain the port number. In this example, port 850,853 is used.

The Code is as follows: Copy code
Iptables-a input-p tcp-dport 111-j ACCEPT
Iptables-a input-p udp-dport 111-j ACCEPT
Iptables-a input-p tcp-dport 853-j ACCEPT
Iptables-a input-p udp-dport 853-j ACCEPT
Iptables-a input-p tcp-dport 850-j ACCEPT
Iptables-a input-p udp-dport 850-j ACCEPT

In the preceding example, when ypbind is restarted, it will become invalid. There are two solutions:
(1) Allocating static IP addresses of the nis Service (2) using exquisite scripts
18. Allow the specified CIDR block to connect to Rsync

The Code is as follows: Copy code
Iptables-a input-I eth0-p tcp-s 192.168.101.0/24-dport 873-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 873-m state-state ESTABLISHED-j ACCEPT

19. Allow mysql to connect from the specified CIDR Block

The Code is as follows: Copy code
Iptables-a input-I eth0-p tcp-s 192.168.100.0/24-dport 3306-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 3306-m state-state ESTABLISHED-j ACCEPT

20. sendmail or postfix is allowed.

The Code is as follows: Copy code
Iptables-a input-I eth0-p tcp-dport 25-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 25-m state-state ESTABLISHED-j ACCEPT

21. Allow IMAP and IMAPS

The Code is as follows: Copy code
IMAP:
Iptables-a input-I eth0-p tcp-dport 143-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 143-m state-state ESTABLISHED-j ACCEPT
IMAPS:
Iptables-a input-I eth0-p tcp-dport 993-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 993-m state-state ESTABLISHED-j ACCEPT

22. POP3 and POP3S are allowed.
POP3:

The Code is as follows: Copy code
Iptables-a input-I eth0-p tcp-dport 110-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 110-m state-state ESTABLISHED-j ACCEPT
POP3S:
Iptables-a input-I eth0-p tcp-dport 995-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 995-m state-state ESTABLISHED-j ACCEPT

23. Prevent DOS Attacks

The Code is as follows: Copy code
Iptables-a input-p tcp-dport 80-m limit-limit 25/minute-limit-burst 100-j ACCEPT

-M: Use iptables Extension
-Limit 25/minute: limit the number of connection requests per minute
-Limit-burst: trigger threshold value, number of incoming packets at a time
24. port forwarding
All requests from Port 442 are forwarded to port 22.

The Code is as follows: Copy code
Iptables-t nat-a prerouting-p tcp-d 192.168.102.37-dport 422-j DNAT-to 192.168.102.37: 22

You must also explicitly allow port 442

The Code is as follows: Copy code
Iptables-a input-I eth0-p tcp-dport 422-m state-state NEW, ESTABLISHED-j ACCEPT
Iptables-a output-o eth0-p tcp-sport 422-m state-state ESTABLISHED-j ACCEPT

25. Packet discard logs
You may want to view logs of all discarded packets.

The Code is as follows: Copy code
First, create a new chain called LOGGING.
Iptables-N LOGGING
Make sure all connections are redirected to LOGGING.
Iptables-a input-j LOGGING
Record these packages using the custom name "log-prefix"
Iptables-a logging-m limit-limit 2/min-j LOG-log-prefix "IPTables Packet Dropped:"-log-level 7
Finally, discard these packets.
Iptables-a logging-j DROP

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.