Home > centOS, Fedora 12 > centOS – iptables short cheat

centOS – iptables short cheat

Q. How do i see my iptables list?

–line-number = show the line numbers of every chains
-nL = list and more options
-v = verbose mode
So we check it as following: ( ex cisco: show config )

[root@www shamun]# iptables –line-numbers -nL -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination
1 0 0 ACCEPT all — lo * 0.0.0.0/0 0.0.0.0/0
2 8 528 ACCEPT all — eth0 * 0.0.0.0/0 0.0.0.0/0
3 0 0 ACCEPT all — * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
4 0 0 ACCEPT tcp — * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 9 packets, 1504 bytes)
num pkts bytes target prot opt in out source destination

Chain RH-Firewall-1-INPUT (0 references)
num pkts bytes target prot opt in out source destination
[root@www shamun]#

Q. How to remove the rule before final save?
A. we put -D (which chain? input or output or forward ) which line number so:

[root@www shamun]# iptables -D INPUT 6
[root@www shamun]# iptables -D INPUT 5

Q. How to make one and keep it?
A. we use syntax iptables or vi /etc/sysconfig/iptables

# Clean old iptables
iptables -F
iptables -X
iptables -Z

# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 

# Default forward policy to DROP
iptables -P FORWARD DROP

# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.100.2:22

# Firewall Rules

# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP

# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT

# DNS
# Allow UDP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT

# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT

# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT

# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT

# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT

# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT

# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT  

# LOGGING:

# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP

# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP

# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP

# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP

# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP

# Anything else not allowed, log & drop
iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
iptables -A INPUT -i eth0 -j DROP
Advertisements
Categories: centOS, Fedora 12
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: