netfilter iptables Rules




RHEL 6, CentOS 6, and Oracle Linux 6 netfilter iptables Syntax:

iptables (-P|-A|-I) (INPUT|OUTPUT) (-p tcp|udp) (--dport port#)
(-j ACCEPT|DROP)

Where:
(-P|-A|-I)
P    Policy (the default target for a chain)
A    Append (add the rule at the end of the chain)
I    Insert (add the rule at the top of the chain)

The iptables targets for network packets:
ACCEPT—The network packet is accepted into the server.
REJECT—The network packet is dropped and not allowed into the server. A rejection message is sent back to the sender.
DROP—The network packet is dropped and not allowed into the server. No rejection message is sent.
While REJECT sends a rejection message, DROP is silent. You may consider using REJECT on an internal network.

iptables configuration example:
Example of iptables rules that deny all packets except the following:
ssh, ftp, http, https, and loopback.

iptables Best Practice – Set the policy to DROP (deny) everything and allow only the required packets.

1. Clear the current rules. Temporarily allow all connections, then flush all rules.
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT
# iptables -F

Start with the INPUT rules (incoming packets)

2. Allow the loopback traffic:
# iptables -A INPUT -i lo -j ACCEPT

3. Allow the ssh port:
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

4. Allow the http and https ports:
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT

5. Allow the ftp ports:
# iptables -A INPUT -m multiport -p tcp --ports 21,20 -j ACCEPT

6. Allow Established and Related connections to pass through:
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Now the OUTPUT rules (outgoing packets)

7. Allow the loopback traffic:
# iptables -A OUTPUT -o lo -j ACCEPT

8. Allow icmp and DNS:
# iptables -A OUTPUT -p icmp -j ACCEPT
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

9. Allow the ssh port:
# iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

10. Allow the http and https ports:
# iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

11. Allow the ftp ports:
# iptables -A OUTPUT -m multiport -p tcp --ports 21,20 -j ACCEPT

12. Allow Established and Related connections to pass through:
# iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

13. Now that all required ports are allowed, change the policy to DROP all other packets:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP

14. To view the iptables rules:
# iptables -v -L

15. Save the iptables rules:
# iptables-save > /etc/sysconfig/iptables
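The `iptables -v -L` listing in the steps above prints a packet and byte counter for every rule and for the chain policy, and those counters are what a rule review is based on. The following is an added example, not part of the original page: three small shell functions that read such a listing and report the policy drop count, the rules that have never matched, and the rule that matches most. The listing in SAMPLE is constructed for the example in the layout of `iptables -nvxL INPUT` (the -x switch prints exact counts instead of abbreviations such as 612K); its numbers are invented, and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: read the counters that
# `iptables -nvxL INPUT` prints and pull out what a rule review needs.
# SAMPLE is constructed output in the iptables 1.4 layout; the numbers are
# invented for the example.
SAMPLE='Chain INPUT (policy DROP 152 packets, 9120 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    4410     612480 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     318      21904 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
       0          0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
      27       1944 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport ports 21,20
    8802    7012352 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# policy_drops LISTING - packets that matched no rule and fell through to the
# chain policy; a climbing number here is the first sign of unexpected traffic.
policy_drops() {
    printf '%s\n' "$1" | awk 'NR == 1 && /policy DROP/ { print $5 }'
}

# unused_rules LISTING - match text (fields after the destination column) of
# every rule whose packet counter is zero: ports that are open but have never
# been used and may not be needed at all.
unused_rules() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 == 0 {
        m = ""
        for (i = 10; i <= NF; i++) m = m (i > 10 ? " " : "") $i
        print m
    }'
}

# busiest_rule LISTING - match text of the rule with the highest packet count.
# The page appends the RELATED,ESTABLISHED rule last, yet it normally wins
# here, which is the argument for placing it at the top of the chain.
busiest_rule() {
    printf '%s\n' "$1" | awk 'NR > 2 && $1 > max {
        max = $1
        m = ""
        for (i = 10; i <= NF; i++) m = m (i > 10 ? " " : "") $i
    } END { print m }'
}

# On a live host pass the real listing instead: unused_rules "$(iptables -nvxL INPUT)"
printf 'packets dropped by policy: %s\n' "$(policy_drops "$SAMPLE")"
printf 'rules with zero hits:\n%s\n' "$(unused_rules "$SAMPLE")"
printf 'busiest rule: %s\n' "$(busiest_rule "$SAMPLE")"
```

The same functions work on the OUTPUT chain listing. A rule with a zero counter after a few weeks of normal operation is a candidate for removal, and the ordering hint from the busiest rule applies directly to the step list on this page: every packet of an established connection currently walks past all the port rules before it is accepted.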

Here’s a script of the above iptables rules:

#!/bin/sh

# Flush previous iptables rules
iptables -F

# Drop all packets by default, allow only the ones specified explicitly
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

##### INPUT #####
# Accept traffic on the local (loopback) interface
iptables -A INPUT -i lo -j ACCEPT
## LAMP Server iptables ###
# Allow HTTP and HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Allow FTP
iptables -A INPUT -p tcp --dport 20:21 -j ACCEPT
# Allow SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow Established and Related connections to pass through
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

##### OUTPUT #####
# Accept traffic from the local (loopback) interface
iptables -A OUTPUT -o lo -j ACCEPT
# Allow ICMP and DNS
iptables -A OUTPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
# Allow SSH
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
# Allow browsing HTTP and HTTPS
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
# Allow FTP
iptables -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
# Allow Related and Established packets to pass through
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Save the rules and restart iptables so the saved set is what runs
iptables-save > /etc/sysconfig/iptables
service iptables restart
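Both the step list and the script above build the firewall one iptables call at a time and then write the result to /etc/sysconfig/iptables with iptables-save. That file is in iptables-save format, and iptables-restore loads a whole table from it in a single commit, so the DROP policies and every ACCEPT rule take effect together rather than in sequence. The following is an added example, not part of the original page: a shell function that emits the page's ruleset directly in that format, and a second function that checks the text before it is loaded. The function names, the port lists and the placement of the RELATED,ESTABLISHED rule ahead of the port rules (the page appends it last) are choices made here, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the original page: produce the ruleset in the format
# iptables-save writes (what /etc/sysconfig/iptables contains) so that
# iptables-restore commits policies and rules in one step, then sanity-check it.

# build_ruleset "IN_PORTS" "OUT_PORTS"
#   IN_PORTS  - TCP ports this host serves, e.g. "22 80 443 21 20" (sample values)
#   OUT_PORTS - TCP ports this host may open connections to
build_ruleset() {
    in_ports=$1
    out_ports=$2
    printf '%s\n' '*filter'
    # ":CHAIN POLICY [packets:bytes]" - counters start at zero
    printf '%s\n' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Loopback and already-tracked connections first: they carry most of the
    # traffic, so the per-port rules are only consulted for new connections.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    for p in $in_ports; do
        printf '%s\n' "-A INPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    printf '%s\n' '-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p icmp -j ACCEPT'
    printf '%s\n' '-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT'
    for p in $out_ports; do
        printf '%s\n' "-A OUTPUT -p tcp -m tcp --dport $p -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# check_ruleset "RULESET" - succeeds only if the text has the properties the
# page's best practice calls for: DROP policy on INPUT, FORWARD and OUTPUT,
# loopback accepted, and the INPUT RELATED,ESTABLISHED rule ahead of the
# first port rule. Prints the first problem found and returns 1 otherwise.
check_ruleset() {
    rules=$1
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q "^:$chain DROP" \
            || { echo "policy for $chain is not DROP"; return 1; }
    done
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT' \
        || { echo "loopback is not accepted"; return 1; }
    est=$(printf '%s\n' "$rules" | grep -n -- '^-A INPUT .*RELATED,ESTABLISHED' | head -n 1 | cut -d: -f1)
    port=$(printf '%s\n' "$rules" | grep -n -- '^-A INPUT .*--dport' | head -n 1 | cut -d: -f1)
    [ -n "$est" ] || { echo "INPUT has no RELATED,ESTABLISHED rule"; return 1; }
    if [ -n "$port" ] && [ "$port" -lt "$est" ]; then
        echo "RELATED,ESTABLISHED rule comes after the first port rule"
        return 1
    fi
    return 0
}

# Sample run with the ports the page opens; on a host the checked text would be
# redirected to /etc/sysconfig/iptables and loaded with iptables-restore.
RULES=$(build_ruleset "22 80 443 21 20" "22 80 443")
if check_ruleset "$RULES"; then
    printf '%s\n' "$RULES"
fi
```

Because the check runs on plain text, it can be applied to an existing /etc/sysconfig/iptables as well, for instance before `service iptables restart` re-reads that file, and it fails on a ruleset whose OUTPUT policy was left at ACCEPT or whose port rules sit ahead of the connection-tracking rule.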