RHEL 6, CentOS 6, and Oracle Linux 6 netfilter iptables Syntax:
iptables (-P|-A|-I) (INPUT|OUTPUT) [-p tcp|udp] [--dport port#]
(-j ACCEPT|DROP)
Where:
(-P|-A|-I)
-P Policy (sets the chain's default target; uppercase, since lowercase -p selects the protocol)
-A Append
-I Insert
The iptables rule for Network packets:
ACCEPT—Network packet is accepted into the server.
REJECT—Network packet is dropped and not allowed into the server. A rejection message is sent.
DROP—Network packet is dropped and not allowed into the server. No rejection message is sent.
While REJECT sends a rejection message, DROP is silent. You may consider using REJECT on internal networks.
iptables configuration example:
Example of iptables rules that deny all packets except the following:
ssh, ftp, http, https, and loopback.
iptables Best Practice – Set the policy to DROP (deny) everything and allow only the required packets.
1. Clear the current rules. Temporarily allow all connections and flush all existing rules.
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -F
Start with the INPUT rules (incoming packets)
2. Allow the loopback traffic:
# iptables -A INPUT -i lo -j ACCEPT
3. Allow the ssh port:
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
4. Allow the http and https ports:
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
5. Allow the ftp ports:
# iptables -A INPUT -p tcp -m multiport --dports 21,20 -j ACCEPT
6. Allow Established and Related Connections to pass through:
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Now with the OUTPUT rules (outgoing packets)
7. Allow the loopback traffic:
# iptables -A OUTPUT -o lo -j ACCEPT
8. Allow icmp and DNS:
# iptables -A OUTPUT -p icmp -j ACCEPT
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
9. Allow the ssh port:
# iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
10. Allow the http and https ports:
# iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
11. Allow the ftp ports:
# iptables -A OUTPUT -p tcp -m multiport --dports 21,20 -j ACCEPT
12. Allow Established and Related Connections to pass through:
# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
13. Now that all required ports are allowed, change the policy to DROP all other packets:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
14. To view the iptables rules:
# iptables -v -L
15. Save the iptables rules:
# iptables-save > /etc/sysconfig/iptables
Here’s a script of the above iptables rules:
#!/bin/sh
# Run as root. Flush previous iptables rules
iptables -F
# Drop all packets by default, allow only the ones specified explicitly
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
##### INPUT #####
# Accept traffic on the local (loopback) interface
iptables -A INPUT -i lo -j ACCEPT
## LAMP Server iptables ###
# Allow HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow FTP (port range 20-21)
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
# Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow Established and Related Connections to pass through
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
##### OUTPUT #####
# Accept traffic from the local (loopback) interface
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ICMP and DNS
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# Allow browsing HTTP and HTTPS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Allow FTP (port range 20-21)
iptables -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
# Allow Related and Established packets to pass through
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Save the rules so they persist across reboots, then restart the service
iptables-save > /etc/sysconfig/iptables
service iptables restart
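The file that iptables-save writes to /etc/sysconfig/iptables is what the server loads at boot, so it is worth checking that it still matches the deny-all intent. The following is an added example and not part of the original page: a POSIX sh audit that reads an iptables-save file and confirms that all three filter chains default to DROP, that loopback is accepted on INPUT, and that only the intended inbound TCP ports are open. The embedded ruleset is constructed for the demonstration, and the function names and the assumption that only the filter table is checked are mine.

```shell
#!/bin/sh
# Audit a ruleset in iptables-save format, the format written to /etc/sysconfig/iptables.
# Assumption: only the filter table is checked; expected ports are given as a comma-separated list.
# Constructed sample (not from a real host): OUTPUT policy left at ACCEPT and TCP 3306 opened, so the audit flags both.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
# chain_policy FILE CHAIN: print the default policy of CHAIN in the filter table
chain_policy() {
    awk -v c=":$2" '/^\*/ { t = substr($1, 2) }
        t == "filter" && $1 == c { print $2; exit }' "$1"
}
# open_tcp_ports FILE CHAIN: print each destination TCP port that CHAIN accepts, one per line
# (multiport lists such as 20,21 are split; ranges such as 20:21 are printed as written)
open_tcp_ports() {
    awk -v c="$2" '/^\*/ { t = substr($1, 2) }
        t == "filter" && $1 == "-A" && $2 == c && / -p tcp / && / -j ACCEPT$/ {
            for (i = 1; i < NF; i++) if ($i == "--dport" || $i == "--dports") print $(i + 1)
        }' "$1" | tr ',' '\n'
}
# audit_ruleset FILE EXPECTED_PORTS: return 0 when INPUT, OUTPUT and FORWARD default to DROP,
# loopback is accepted on INPUT, and only the expected inbound TCP ports are open;
# otherwise print one FINDING line per problem to stderr and return 1
audit_ruleset() {
    rc=0
    for chain in INPUT OUTPUT FORWARD; do
        pol=$(chain_policy "$1" "$chain")
        [ "$pol" = "DROP" ] || { echo "FINDING: $chain policy is ${pol:-missing}, not DROP" >&2; rc=1; }
    done
    grep -q -- '^-A INPUT -i lo -j ACCEPT$' "$1" || { echo "FINDING: no loopback ACCEPT on INPUT" >&2; rc=1; }
    for port in $(open_tcp_ports "$1" INPUT); do
        case ",$2," in
            *,"$port",*) ;;
            *) echo "FINDING: INPUT accepts unexpected TCP port $port" >&2; rc=1 ;;
        esac
    done
    return $rc
}
# Stand-alone demonstration: audit the constructed sample, expecting ssh and http only
RULES_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$RULES_FILE"
audit_ruleset "$RULES_FILE" "22,80"; echo "audit exit status: $?"
rm -f "$RULES_FILE"
```

To audit a live host, point audit_ruleset at /etc/sysconfig/iptables or at the output of iptables-save redirected to a file.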