Differences

This shows you the differences between two versions of the page.

--- iptables:basic_commands [2016/10/07 14:22] – peter
+++ iptables:basic_commands [2019/11/29 16:34] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== IPTables - Basic commands ======
-===== Install iptables. =====
-<code bash>
-sudo apt-get install iptables
-</code>
-===== Policy Chain Default Behavior. =====
-iptables --policy INPUT DROP
-iptables --policy OUTPUT DROP
-iptables --policy FORWARD DROP
-===== Accept all traffic on your loopback interface. =====
-iptables -A INPUT -i lo -j ACCEPT
-sudo iptables -A OUTPUT -o lo -j ACCEPT
-===== Allow Established and Related Incoming Connections. =====
-<code bash>
-iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -m state --state NEW,ESTABLISHED -j ACCEPT
-</code>
-===== Allow Established Outgoing Connections =====
-<code bash>
-iptables -A OUTPUT -p tcp --sport 22 -d 10.10.10.10 -m state --state ESTABLISHED -j ACCEPT
-</code>
-===== Allow Internal to External =====
-<code bash>
-iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
-</code>
-===== Drop Invalid Packets =====
-<code bash>
-iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
-</code>
-===== Block all connections from the IP address 10.10.10.10. =====
-<code bash>
-iptables -A INPUT -s 10.10.10.10 -j DROP
-</code>
-===== Block all of the IP addresses in the 10.10.10.0/24 network range. =====
-<code bash>
-iptables -A INPUT -s 10.10.10.0/24 -j DROP
-</code>
-or
-<code bash>
-iptables -A INPUT -s 10.10.10.0/255.255.255.0 -j DROP
-</code>
-===== Block Connections to a Network Interface =====
-<code bash>
-iptables -A INPUT -i eth0 -s 15.15.15.51 -j DROP
-</code>
-===== Allow All Incoming SSH =====
-<code bash>
-iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow Incoming SSH from Specific IP address or subnet =====
-<code bash>
-iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Block SSH connections from 10.10.10.10. =====
-<code bash>
-iptables -A INPUT -p tcp --dport ssh -s 10.10.10.10 -j DROP
-</code>
-===== Block SSH connections from any IP address. =====
-<code bash>
-iptables -A INPUT -p tcp --dport ssh -j DROP
-</code>
-===== Allow Outgoing SSH =====
-<code bash>
-iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow Incoming Rsync from Specific IP Address or Subnet =====
-<code bash>
-iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow All Incoming HTTP =====
-<code bash>
-iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow All Incoming HTTPS =====
-<code bash>
-iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow All Incoming HTTP and HTTPS =====
-<code bash>
-iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow MySQL from Specific IP Address or Subnet =====
-<code bash>
-iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow MySQL to Specific Network Interface =====
-<code bash>
-iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow PostgreSQL from Specific IP Address or Subnet =====
-<code bash>
-iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow PostgreSQL to Specific Network Interface =====
-<code bash>
-iptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow All Incoming SMTP =====
-<code bash>
-iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Block Outgoing SMTP Mail =====
-<code bash>
-iptables -A OUTPUT -p tcp --dport 25 -j REJECT
-</code>
-===== Allow All Incoming IMAP =====
-<code bash>
-iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow All Incoming IMAPS =====
-<code bash>
-iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow All Incoming POP3 =====
-<code bash>
-iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>
-===== Allow All Incoming POP3S =====
-<code bash>
-iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-iptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-</code>