IPTABLES
#1
Webmaster
Joined: 2007/6/10
From Dallas, TX
iptables is really quite a responsibility to maintain.

In too many regards it is not necessary to block entire countries, or to allow only specified countries.
-- This can put a strain on your server - and it is not good practice.
--- There are other applications such as APF to take care of things dynamically

A few basic tips for applying and removing iptables rules are as follows:

Allow a few basic services:
/sbin/iptables -A INPUT -p icmp -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp -i eth0 --dport 20:21 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp -i eth0 --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -m tcp -i eth0 --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -s 127.0.0.1 -j ACCEPT
/sbin/iptables -A INPUT -j REJECT
Save your settings (2 ways - depends on your Linux/UNIX flavor):
1:

/sbin/iptables-save > /etc/sysconfig/iptables

2:
/sbin/service iptables save

Let's say I want to allow udp port 27960 at line 5:
/sbin/iptables -I INPUT 5 -p udp -m udp -i eth0 --dport 27960 -j ACCEPT
-- Again, don't forget to save your settings!

If you are running RHEL, CentOS, Fedora or other Red Hat flavors, you can make sure the service starts on reboot as it should by doing:
/sbin/chkconfig iptables on

-- This will allow iptables to start on all run levels.
If you want to view the iptables rules, again you have 2 options here depending on your flavor:
1:
/sbin/iptables --list
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:ftp-data:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:rockwell-csp2
ACCEPT     udp  --  anywhere             anywhere            udp dpt:27960
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  localhost.localdomain.domain  anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

2:
/sbin/service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:2222
5    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:27960
6    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
23   ACCEPT     all  --  127.0.0.1            0.0.0.0/0
24   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Posted on: 2008/10/4 17:08
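The post's `-I INPUT 5` works only because the catch-all `REJECT` sits last; anything appended with `-A` after it is never reached. The audit below is an added example, not code from the post or from the iptables project: it parses a constructed listing in the same layout as the `service iptables status` output above, finds the catch-all, reports rules stranded behind it, and computes the position a new `-I INPUT <n>` ACCEPT should use.

```python
"""Audit an INPUT chain listing for the ordering the post relies on."""
import re
from typing import List, NamedTuple, Optional

class Rule(NamedTuple):
    num: int
    target: str
    prot: str
    source: str
    dest: str
    extra: str   # match options (dpt, state) or target options (reject-with)

# Constructed sample modelled on the post's `service iptables status`
# output; rule 8 was added with -A after the catch-all and is dead.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:20:21
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6    ACCEPT     all  --  127.0.0.1            0.0.0.0/0
7    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
8    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:27960
"""

# num target prot opt source destination [extra...]
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_input_chain(text: str) -> List[Rule]:
    """Return the numbered rules of the listing, in chain order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, target, prot, _opt, src, dst, extra = m.groups()
            rules.append(Rule(int(num), target, prot, src, dst, extra.strip()))
    return rules

def catch_all_position(rules: List[Rule]) -> Optional[int]:
    """Number of the first unconditional REJECT/DROP, or None if absent.
    Simplification: 'extra' may only hold target options (reject-with)."""
    for r in rules:
        unconditional = r.prot == "all" and r.source == "0.0.0.0/0" and r.dest == "0.0.0.0/0"
        if r.target in ("REJECT", "DROP") and unconditional and \
                (not r.extra or r.extra.startswith("reject-with")):
            return r.num
    return None

def unreachable_rules(rules: List[Rule]) -> List[int]:
    """Numbers of rules listed after the catch-all (they never match)."""
    pos = catch_all_position(rules)
    return [r.num for r in rules if pos is not None and r.num > pos]

def insert_position(rules: List[Rule]) -> int:
    """Position for `-I INPUT <n>` so a new ACCEPT precedes the catch-all."""
    pos = catch_all_position(rules)
    return pos if pos is not None else len(rules) + 1
```

Running `unreachable_rules(parse_input_chain(SAMPLE_LISTING))` flags rule 8, and `insert_position` returns 7, the slot just before the REJECT.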