This article introduces the 25 most commonly used iptables rules. I hope they help you secure your servers.
1. Clear existing rules
Before creating a new rule set you may want to clear all existing rules. You can do this with:
The code is as follows:
iptables -F
(or, equivalently, iptables --flush)
Note that -F only removes the rules; the default policy of each chain (item 2) is left as it is, so when working remotely make sure the policies are still ACCEPT before flushing.
2. Set the default policy
The default policy of every chain is ACCEPT. The following changes the policy of all chains to DROP, so that anything not explicitly allowed is discarded:
The code is as follows:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
On a remote machine, add the SSH rules from item 4 before setting INPUT and OUTPUT to DROP, or your session will be cut off.
3. Block a specified IP address
The code is as follows:
BLOCK_THIS_IP="x.x.x.x"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
The three rules are alternatives of increasing specificity: any interface, only eth0, only TCP on eth0. Because -A appends, a block rule placed after a rule that already accepts the same traffic is never reached; use -I INPUT 1 to insert it at the top of the chain.
4. Allow SSH
Allow all users to connect to this machine over SSH through the eth0 interface:
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
5. Allow SSH from a specified CIDR block
The code is as follows:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
6. Allow HTTP and HTTPS
Allow all incoming web traffic on port 80 (HTTP):
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Allow all incoming web traffic on port 443 (HTTPS):
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
7. Combine multiple rules
Allow SSH, HTTP and HTTPS with a single pair of rules using the multiport match:
The code is as follows:
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
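The rules in items 2, 4, 6, 7, 12 to 14, 16 and 25 are normally meant to be used together. As an added example (not part of the original article), the script below emits them as one iptables-restore ruleset so the whole policy is loaded atomically instead of one command at a time; it assumes an interface name and a list of TCP service ports as inputs, replaces the article's per-port ESTABLISHED rules with a single conntrack rule, and restricts outbound traffic to replies, DNS and ping.

```shell
#!/bin/sh
# Added example (not from the original article): emit the article's rules as one
# iptables-restore ruleset so the whole policy loads atomically. Applying rules
# one command at a time with the chain policies already set to DROP (item 2)
# leaves a window in which an SSH session is cut off.
# Assumed inputs: interface name and a space-separated list of TCP service ports.
gen_ruleset() {
    iface="$1"                           # e.g. eth0
    dports=$(echo "$2" | tr ' ' ',')     # "22 80 443" -> "22,80,443" (item 7)
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGGING - [0:0]
# Loopback (item 14); one conntrack rule replaces the per-port ESTABLISHED rules
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Inbound services (items 4, 6, 7)
-A INPUT -i $iface -p tcp -m multiport --dports $dports -m state --state NEW -j ACCEPT
# Answer pings (item 12); outbound DNS (item 16) and pings (item 13)
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -o $iface -p udp --dport 53 -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
# Anything else on INPUT: rate-limited log, then drop (item 25)
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
EOF
}

# Sanity check before loading: how many rules reference the given port list?
count_service_rules() {
    gen_ruleset "$1" "$2" | grep -c -- "--dports $(echo "$2" | tr ' ' ',')"
}

# Usage (as root): let iptables-restore parse the ruleset without committing, then load it.
#   gen_ruleset eth0 "22 80 443" | iptables-restore --test && \
#   gen_ruleset eth0 "22 80 443" | iptables-restore
```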
8. Allow outbound SSH to other hosts
The code is as follows:
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
9. Allow outbound SSH to a specified CIDR block
The code is as follows:
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
10. Allow outbound HTTPS access
The code is as follows:
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
11. Load balance web requests (requires the nth match extension; every three new connections are spread across the specified servers)
The code is as follows:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
DNAT is only valid in the nat table, hence -t nat. The nth match comes from the patch-o-matic extensions; stock iptables provides the same round-robin selection through the statistic match (-m statistic --mode nth --every 3 --packet 0, and so on).
12. Allow incoming ping
The code is as follows:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
13. Allow pinging remote hosts
The code is as follows:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
14. Allow local loopback
The code is as follows:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
15. Allow the internal network to reach the external network
In this example, eth1 is connected to the external network and eth0 to the internal network.
The code is as follows:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
16. Allow outbound DNS lookups
The code is as follows:
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
17. Allow NIS connections
NIS ports are dynamic: ypbind is allocated ports when it starts.
Run rpcinfo -p to obtain the port numbers. In this example, ports 850 and 853 are in use.
The code is as follows:
iptables -A INPUT -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -p udp --dport 111 -j ACCEPT
iptables -A INPUT -p tcp --dport 853 -j ACCEPT
iptables -A INPUT -p udp --dport 853 -j ACCEPT
iptables -A INPUT -p tcp --dport 850 -j ACCEPT
iptables -A INPUT -p udp --dport 850 -j ACCEPT
The rules above stop working when ypbind is restarted and receives different ports. There are two solutions:
(1) Allocate static addresses and ports to the NIS service. (2) Use a script that reads the current ports from rpcinfo -p and regenerates the rules.
18. Allow rsync from a specified CIDR block
The code is as follows:
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
19. Allow MySQL connections from a specified CIDR block
The code is as follows:
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
20. Allow Sendmail or Postfix
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
21. Allow IMAP and IMAPS
IMAP:
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
IMAPS:
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
22. Allow POP3 and POP3S
POP3:
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
POP3S:
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
23. Prevent DoS attacks
The code is as follows:
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-m limit: use the limit match extension
--limit 25/minute: the sustained rate of connection requests accepted per minute
--limit-burst 100: the trigger threshold, i.e. how many packets may be accepted at once before the limit applies
Packets above the limit are not dropped by this rule itself; they fall through to the rules that follow, or to the chain's default policy, so the rule only has an effect when that policy is DROP (item 2).
24. Port forwarding
All requests arriving on port 422 are forwarded to port 22:
The code is as follows:
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
You must also explicitly allow port 422:
The code is as follows:
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
Note that DNAT in PREROUTING rewrites the destination before the filter table sees the packet, so the INPUT chain sees these connections on port 22; the SSH rules from item 4 must therefore be present as well.
25. Log dropped packets
You may want to log all discarded packets.
The code is as follows:
First, create a new chain called LOGGING:
iptables -N LOGGING
Make sure all INPUT traffic not accepted by an earlier rule jumps to LOGGING:
iptables -A INPUT -j LOGGING
Log these packets with the custom prefix "IPTables Packet Dropped:", at most two lines per minute:
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
Finally, discard them:
iptables -A LOGGING -j DROP
Log level 7 is debug; make sure your syslog configuration records kernel debug messages, or choose a lower level.
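Once the LOGGING chain is in place, the kernel log fills with lines carrying the prefix above. As an added example (not part of the original article), the script below counts them by source, protocol and destination port so the dropped traffic can be triaged; the log lines are constructed samples using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original article): summarise kernel log lines
# written by the LOG rule of item 25, so the dropped traffic can be triaged.
# The lines below are constructed samples (RFC 5737 documentation addresses);
# the prefix is the one the article's rule sets.
SAMPLE_LOG='Mar 12 10:01:02 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:01:03 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44322 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:01:05 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=50122 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 12 10:01:06 gw kernel: eth0: link is up
Mar 12 10:01:07 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 12 10:01:09 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=50123 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 12 10:01:11 gw kernel: IPTables Packet Dropped: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=73 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=40001 DPT=161 LEN=53'

# Read log lines on stdin; print "count src proto dport", most frequent first.
# Only lines carrying the LOG prefix are counted; other kernel messages are skipped.
summarize_drops() {
    grep 'IPTables Packet Dropped:' |
    awk '{
        src = ""; proto = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    sort -rn
}

# The busiest source/port pair in the sample, e.g. as input to an alert threshold.
top_drop() { printf '%s\n' "$SAMPLE_LOG" | summarize_drops | head -n 1; }
```

On a live system, feed the function from the kernel log instead of the sample, for example `journalctl -k --no-pager | summarize_drops | head`.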