How to Set Up iptables in Linux

1. iptables in Debian 7



Viewing current configuration

See what rules are already configured. Issue this command:

#iptables -L -vn

The output will be similar to this:

Chain INPUT (policy ACCEPT)
 target     prot opt source               destination

 Chain FORWARD (policy ACCEPT)
 target     prot opt source               destination

 Chain OUTPUT (policy ACCEPT)
 target     prot opt source               destination
 
This allows anyone access to anything from anywhere: every chain has policy ACCEPT and holds no rules.
Create a file to hold the rules (the same file that iptables-restore will load at boot):

# vim /etc/iptables.up.rules

and add this:
------------------------------------------------------------------------- 
# Generated by iptables-save v1.4.14 on Sun Jul 5 11:20:08 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# allow inbound TCP to HTTP (80), SMTPS (465) and POP3S (995)
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
# TCP port 25 (SMTP): allow only 10.105.9.23, reject every other source.
# The ACCEPT must come before the REJECT, because the first matching rule wins.
-A INPUT -p tcp -m tcp --dport 25 -s 10.105.9.23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j REJECT
# replies to connections this host opened; -I inserts it at the top of INPUT
-I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SSH connections
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# refuse ICMP echo-request (ping) from 10.105.9.23 only; every other host may still ping
-A INPUT -p icmp --icmp-type echo-request -s 10.105.9.23 -j REJECT

-A OUTPUT -j ACCEPT
COMMIT

----------------------------------------------------------------------------
Save and exit.

Note that the INPUT policy is still ACCEPT, so the ACCEPT lines for ports 80, 465, 995 and 22 change nothing on their own; only the two REJECT rules actually block any traffic. If the list is meant to be everything that may come in, change the INPUT policy from ACCEPT to DROP, and then also accept traffic on the loopback interface (lo) ahead of the other rules, or local services that talk to 127.0.0.1 will break.

Load the new rules into the running kernel. Use iptables-restore, which reads the file (iptables-save writes the current, still empty, ruleset and would overwrite what you just typed):

 iptables-restore < /etc/iptables.up.rules

Check the result with iptables -L -vn before logging out, since a mistake in the SSH rule can lock you out of a remote host.

To make sure the iptables rules are started on a reboot we'll create a new file: 

 editor /etc/network/if-pre-up.d/iptables

Add these lines to it: 

#!/bin/sh
 /sbin/iptables-restore < /etc/iptables.up.rules

The file needs to be executable so change the permissions: 

 chmod +x /etc/network/if-pre-up.d/iptables
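The rules file in this section leaves every chain policy at ACCEPT, so as written it is mostly a no-op. The script below is an added example, not the page's rules file and not from the Debian wiki: it puts the same services (the ports and the relay 10.105.9.23 are the page's) behind a default-DROP policy, lints a ruleset for the omissions that make such files useless or lock you out, and loads it with a rollback timer so that a bad rule on a remote host undoes itself. The file paths, the lint checks, the 60 second window and the availability of iptables-restore --test are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the page's file nor from the Debian wiki. Ports and the
# relay 10.105.9.23 are the page's; paths, lint checks and the rollback window
# are assumptions of this example.

# The page's ruleset as written: every policy is ACCEPT, so the ACCEPT lines
# change nothing and only the port-25 REJECT has an effect. Constructed
# here as the "weak" input for the lint.
weak_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -s 10.105.9.23 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j REJECT
-I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Same services behind a DROP policy: loopback and reply traffic first, then
# only the listed ports; anything else is rejected, with DROP as the backstop.
hardened_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -s 10.105.9.23 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -s 10.105.9.23 -j REJECT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# lint_rules < FILE: one finding per line on stdout, exit status 1 if any
# check fails, so it can gate iptables-restore.
lint_rules() {
  rules=$(cat); rc=0
  printf '%s\n' "$rules" | grep -q '^:INPUT DROP' ||
    { echo "INPUT policy is not DROP: the ACCEPT rules restrict nothing"; rc=1; }
  printf '%s\n' "$rules" | grep -q -- '-A INPUT -i lo -j ACCEPT' ||
    { echo "no loopback ACCEPT: services talking to 127.0.0.1 will break"; rc=1; }
  printf '%s\n' "$rules" | grep -q 'ESTABLISHED,RELATED -j ACCEPT' ||
    { echo "no ESTABLISHED,RELATED ACCEPT: reply traffic will be dropped"; rc=1; }
  printf '%s\n' "$rules" | grep -q -- '--dport 22 .*-j ACCEPT' ||
    { echo "no SSH ACCEPT: loading this remotely locks you out"; rc=1; }
  return $rc
}

# apply_rules FILE [BACKUP]: lint, parse-check, save the running rules, load
# the new ones and arm a timer that restores the saved rules unless killed.
# Needs root and iptables; iptables-restore --test is assumed to be available.
apply_rules() {
  new=$1; backup=${2:-/root/iptables.rollback}; window=${ROLLBACK_SECS:-60}
  lint_rules < "$new" || { echo "refusing to load $new" >&2; return 1; }
  iptables-restore --test < "$new" || return 1   # parse only, commits nothing
  iptables-save > "$backup"
  iptables-restore < "$new"
  ( sleep "$window" && iptables-restore < "$backup" ) &
  echo "loaded $new; rolls back to $backup in ${window}s unless you run: kill $!"
}

# Touch the kernel only when asked: sh firewall.sh apply /etc/iptables.up.rules
if [ "${1:-}" = apply ]; then
  apply_rules "${2:?rules file required}"
fi
```

Write the hardened file with `hardened_rules > /etc/iptables.up.rules`, then run `sh firewall.sh apply /etc/iptables.up.rules` as root; the if-pre-up.d hook from the previous step reloads the same file at boot. Open a fresh SSH session, and only when that works kill the rollback timer.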
 
================================================================================  

2. iptables in CentOS 6

Iptables config file: /etc/sysconfig/iptables

Turn on the firewall

Type the following commands to enable the service at boot and start it:

chkconfig iptables on
service iptables start
# restart the firewall (needed after editing the config file)
service iptables restart

Understanding the firewall

The default configuration uses four chains in the filter table:
  1. INPUT - The built-in chain for packets addressed to this system. Use it to open or close incoming ports (such as 80, 25 and 110) and IP addresses / subnets (such as 202.54.1.20/29).
  2. OUTPUT - The built-in chain for packets generated by this system. Use it to open or close outgoing ports and IP addresses / subnets.
  3. FORWARD - The built-in chain for packets routed through this system to another interface. Used when Linux acts as a router: for example, eth0 connected to an ADSL/cable modem and eth1 to the local LAN. Use FORWARD to pass traffic between the LAN and the Internet.
  4. RH-Firewall-1-INPUT - A user-defined chain. In the default configuration both INPUT and FORWARD jump to it, so the actual filtering rules live there.

Packet matching rules

  1. Each packet starts at the first rule in the chain.
  2. The packet proceeds down the chain until it matches a rule.
  3. If a match is found, control jumps to the specified target (such as REJECT, ACCEPT, DROP) and no later rule is checked, so order matters: an ACCEPT placed after a catch-all REJECT is never reached.
  4. If no rule matches, the chain's policy applies (for a user-defined chain, control returns to the chain that called it).

Target meanings

  1. The target ACCEPT means let the packet through.
  2. The target REJECT means drop the packet and send an error back to the sender (by default an ICMP port-unreachable; --reject-with selects another, such as the icmp-host-prohibited used below).
  3. The target DROP means discard the packet silently, without any message to the sending host.

/etc/sysconfig/iptables

Edit /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables

You will see the default rules, which look like this:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Edit the rules as needed (put any new ACCEPT rule above the final REJECT line, otherwise it is never reached), then save and exit.

Then restart the iptables service:
# /etc/init.d/iptables restart
and check the active rules:
# iptables -L -vn
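The first-match rule from "Packet matching rules" is what makes editing /etc/sysconfig/iptables error-prone: an ACCEPT appended at the end of the file lands after the chain's catch-all REJECT and never fires. The script below is an added example, not from the page or its cyberciti.biz sources. It embeds the page's default ruleset as constructed sample input, inserts a new ACCEPT directly above the REJECT (idempotently), shows the mistaken append for contrast, and walks RH-Firewall-1-INPUT the way the kernel would for a new, non-loopback packet to report which target wins. The function names and the use of a file path argument (so it can be tried on a copy) are this example's own.

```shell
#!/bin/sh
# Added example, not the page's or cyberciti's. The ruleset below is the
# page's default /etc/sysconfig/iptables, embedded as constructed sample
# input; the functions take a file path so they can be run against a copy.

sample_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# accept_rule PROTO PORT [SOURCE]: the rule text in the file's own style.
accept_rule() {
  r="-A RH-Firewall-1-INPUT"
  if [ -n "${3:-}" ]; then r="$r -s $3"; fi
  echo "$r -m state --state NEW -m $1 -p $1 --dport $2 -j ACCEPT"
}

# open_port FILE PROTO PORT [SOURCE]: insert the ACCEPT directly above the
# chain's catch-all REJECT so it is actually reached. Idempotent.
open_port() {
  f=$1; rule=$(accept_rule "$2" "$3" "${4:-}")
  grep -qxF -- "$rule" "$f" && return 0
  awk -v rule="$rule" '
    /^-A RH-Firewall-1-INPUT -j REJECT/ && !done { print rule; done = 1 }
    { print }' "$f" > "$f.new" && mv "$f.new" "$f"
}

# append_port FILE PROTO PORT: the common mistake, kept for contrast. The rule
# lands after the REJECT (just before COMMIT) and is never evaluated.
append_port() {
  f=$1; rule=$(accept_rule "$2" "$3")
  awk -v rule="$rule" '/^COMMIT$/ { print rule } { print }' "$f" > "$f.new" && mv "$f.new" "$f"
}

# verdict FILE PROTO PORT: walk RH-Firewall-1-INPUT top to bottom for a NEW,
# non-loopback, unicast packet and print the target of the first rule that
# matches on protocol and destination port. "RETURN" means the chain ran out
# and the calling chain's policy (ACCEPT for INPUT above) decides.
verdict() {
  awk -v proto="$2" -v port="$3" '
    !/^-A RH-Firewall-1-INPUT / { next }
    /-i lo /                { next }   # simulated packet is not on loopback
    /-d 224\.0\.0\.251/     { next }   # nor multicast
    /ESTABLISHED,RELATED/   { next }   # nor part of an existing flow
    {
      p = ""; d = ""
      for (i = 1; i <= NF; i++) { if ($i == "-p") p = $(i+1); if ($i == "--dport") d = $(i+1) }
      if (p != "" && p != proto) next
      if (d != "" && d != port) next
      for (i = 1; i <= NF; i++) if ($i == "-j") { print $(i+1); hit = 1; exit }
    }
    END { if (!hit) print "RETURN" }' "$1"
}
```

On a real host run `open_port /etc/sysconfig/iptables tcp 80` followed by `service iptables restart`; `verdict /etc/sysconfig/iptables tcp 80` before the restart tells you whether the edit will have the intended effect, which `iptables -L -vn` afterwards confirms.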


=============================================================
Reference:
- https://wiki.debian.org/iptables
- http://www.cyberciti.biz/tips/linux-iptables-examples.html 
- http://www.cyberciti.biz/faq/rhel-fedorta-linux-iptables-firewall-configuration-tutorial/