
Basic iptables configuration

May 3, 2006 - 2 comments

This is the most basic iptables configuration one would set on a CentOS/RHEL gateway (eth0 = WAN, eth1 = LAN).

/etc/sysconfig/iptables:

01. *filter
02. :INPUT DROP [0:0]
03. :FORWARD DROP [0:0]
04. :OUTPUT ACCEPT [0:0]
05. -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
06. -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
07. -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
08. -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
09. -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
10. -A INPUT -i lo -j ACCEPT
11. -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
12. -A INPUT -p tcp -m tcp --syn -j REJECT
13. -A INPUT -p udp -m udp -j REJECT
14. COMMIT

Explanations:

Anything in INPUT will be dropped, except for:
- line 06: we will accept any input traffic related to connections the gateway itself opened to the internet (useful for passive FTP)
- line 09: we will accept new connections on port 22 (SSH) at any time
- line 10: anything arriving on the loopback interface will be allowed; localhost should be considered safe by definition
- line 11: pings to the gateway (ICMP echo-request) will be allowed at a rate of 1 per second

FORWARD traffic will be dropped, except for:
- line 05: new TCP connections (SYN packets) passing through the gateway, in either direction, are accepted at a rate of 1 per second (burst 5)
- line 07: anything flowing from the LAN to the internet will be allowed
- line 08: anything related to traffic generated by the internal network will be considered safe and allowed

OUTPUT traffic will be considered safe and is accepted by default (not always a good thing, think about it).

Any other TCP connection attempt (SYN) or UDP packet addressed to the gateway will be rejected with an icmp-port-unreachable response (lines 12 and 13); whatever is left falls through to the DROP policy.
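As an added example (not from the original post), the following Python model evaluates the INPUT and FORWARD chains above with iptables' first-match semantics against a few constructed packets, so each explanation can be checked, including cases the explanations do not cover. It assumes the limit match is within its burst, i.e. that it always matches.

```python
# Added example, not from the original post: first-match simulator for the INPUT
# and FORWARD chains above, modelling only the matches the ruleset uses. Assumed:
# "-m limit" always matches (packet within the burst), as for a flow's first packets.
ANY = {"NEW", "ESTABLISHED", "RELATED"}
RULES = {
    "INPUT": [  # (criteria, target) in file order: lines 06, 09, 10, 11, 12, 13
        ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
        ({"proto": "tcp", "state": {"NEW"}, "dport": 22}, "ACCEPT"),
        ({"iface_in": "lo"}, "ACCEPT"),
        ({"proto": "icmp", "state": ANY, "icmp_type": "echo-request"}, "ACCEPT"),
        ({"proto": "tcp", "syn": True}, "REJECT"),
        ({"proto": "udp"}, "REJECT"),
    ],
    "FORWARD": [  # lines 05, 07, 08; note line 05 carries no interface restriction
        ({"proto": "tcp", "syn": True}, "ACCEPT"),
        ({"iface_in": "eth1", "iface_out": "eth0", "state": ANY}, "ACCEPT"),
        ({"iface_in": "eth0", "iface_out": "eth1", "state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ],
}
POLICY = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}

def matches(criteria, pkt):
    # Every criterion must hold; "state" is the set of acceptable conntrack states.
    for key, want in criteria.items():
        have = pkt.get(key)
        if (have not in want) if key == "state" else (have != want):
            return False
    return True

def verdict(chain, pkt):
    # The first matching rule decides; otherwise the chain's policy applies.
    for criteria, target in RULES.get(chain, []):
        if matches(criteria, pkt):
            return target
    return POLICY[chain]

SAMPLES = {  # constructed packets: (chain, fields as conntrack would classify them)
    "ssh syn, wan -> gateway": ("INPUT", {"proto": "tcp", "state": "NEW", "syn": True, "dport": 22, "iface_in": "eth0"}),
    "http syn, wan -> gateway": ("INPUT", {"proto": "tcp", "state": "NEW", "syn": True, "dport": 80, "iface_in": "eth0"}),
    "non-syn tcp, wan -> gateway": ("INPUT", {"proto": "tcp", "state": "NEW", "syn": False, "dport": 80, "iface_in": "eth0"}),
    "udp, wan -> gateway": ("INPUT", {"proto": "udp", "state": "NEW", "dport": 53, "iface_in": "eth0"}),
    "new tcp, lan -> wan": ("FORWARD", {"proto": "tcp", "state": "NEW", "syn": True, "iface_in": "eth1", "iface_out": "eth0"}),
    "new tcp, wan -> lan": ("FORWARD", {"proto": "tcp", "state": "NEW", "syn": True, "iface_in": "eth0", "iface_out": "eth1"}),
    "new udp, wan -> lan": ("FORWARD", {"proto": "udp", "state": "NEW", "iface_in": "eth0", "iface_out": "eth1"}),
}

def run():
    # Map each sample name to the verdict the ruleset would give it.
    return {name: verdict(chain, pkt) for name, (chain, pkt) in SAMPLES.items()}

if __name__ == "__main__":
    print("\n".join(f"{name:30s} -> {v}" for name, v in run().items()))
```

Note the verdict for a new TCP connection forwarded from eth0 to eth1: line 05 matches a TCP SYN in either direction, so it accepts such packets (within the limit's rate) before line 08 is consulted. Adding -i eth1 -o eth0 to line 05 keeps it to LAN-originated connections.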

“iptables -L -n -v” output:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 7412  656K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  132  7908 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED icmp type 8 limit: avg 1/sec burst 5
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 reject-with icmp-port-unreachable
 3093  391K REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp reject-with icmp-port-unreachable 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 1/sec burst 5
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT 11347 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination

Comments

Obinna

July 3, 2009 - 19:41

Please, I would like to have a firewall script that will block a particular IP address in my network from browsing the internet, but still allow it to chat.

Assuming the IP address is 192.168.0.202, I don't want this IP address to open any website, but it should be able to chat.

Again, I want to block some sites for the IP address 192.168.0.205, but allow other sites to open on that computer. Please reply to me through my email, obinna4god@yahoo.com

Sébastien Wains

July 3, 2009 - 20:25

You need a transparent web proxy; this gives you control over who can access what on the web.
Check this link: http://www.wains.be/index.php/2007/10/27/squid-26-transparent-proxy/
