iptables examples on CentOS

Overview

“iptables is a user space application program that allows a system administrator to configure the tables provided by the Linux kernel firewall (implemented as different Netfilter modules) and the chains and rules it stores.
Different kernel modules and programs are currently used for different protocols; iptables applies to IPv4, ip6tables to IPv6, arptables to ARP, and ebtables to Ethernet frames.”

In this tutorial I will give a few essential examples of how to use iptables on CentOS.

iptables

There are several ways to configure iptables on CentOS.
The simplest way is to use the system-config-firewall or system-config-firewall-tui command, which helps you set up standard rule sets such as Web Server, FTP Server and a few more.
The second way is to use the iptables command to edit the running configuration. This method is best for testing, since nothing is saved across a restart until you run:
[code]/etc/init.d/iptables save[/code]
The third way is to edit the file /etc/sysconfig/iptables directly, and that is what I will show you today.

iptables chains

First we clear the content of /etc/sysconfig/iptables using:
[code]echo > /etc/sysconfig/iptables[/code]

Set the default policy of all three chains to DROP, so that any packet not matched by a later rule is discarded, and save the file. The [0:0] fields are the packet and byte counters, and the table must be closed with a COMMIT line or iptables-restore will reject the file when the service loads it:

[code]
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# rules from the sections below go here, before COMMIT
COMMIT
[/code]

Now we are ready to add the rules each chain needs.

Stateful configuration

Use a stateful rule to allow all established connections:
[code]
#Allow all Established connections
-A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p all -m state --state ESTABLISHED -j ACCEPT
[/code]

Some services require you to also allow related connections (ftp, tftp, ...):
[code]
#Allow all Related connections
-A INPUT -p all -m state --state RELATED -j ACCEPT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT
[/code]

iptables examples

Allow LocalHost

First we need to insert a rule that allows localhost to communicate over the loopback interface:
[code]
#Allow localhost
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
[/code]

Allow Web Browsing

[code]
#Out Internet Access
-A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#Out Internet Access SSL
-A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
[/code]

Allow Outgoing SSH

[code]
#Out SSH
-A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
[/code]

Allow Incoming SSH

Allow incoming SSH from a specified subnet or IP address (here 10.0.0.0/24):

[code]
#In SSH
-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -m state --state NEW -j ACCEPT
[/code]

Allow incoming SSH from anywhere:

[code]
#In SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
[/code]

Allow Incoming Web Server

[code]
#In Internet Access Port 80
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT

#In Internet Access SSL Port 443
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
[/code]

Allow DHCP Client

[code]
#In/Out DHCP Client
-A INPUT -p udp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -p udp --sport 68 --dport 67 -j ACCEPT
[/code]

Allow DHCP Server

[code]
#In/Out DHCP Server
-A INPUT -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT
[/code]

Allow DNS requests

[code]
#Out DNS
-A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
[/code]

Allow Incoming ping

[code]
#In ping
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
[/code]

Allow Outgoing ping

[code]
#Out ping
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
[/code]

Allow Zabbix Agent

[code]
#In Zabbix Agent
-A INPUT -p tcp --dport 10050 -m state --state NEW -j ACCEPT
[/code]

Allow Outgoing RDP

[code]
#Out RDP
-A OUTPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT
[/code]

Allow Incoming RDP Server

[code]
#In RDP
-A INPUT -p tcp --dport 3389 -m state --state NEW -j ACCEPT
[/code]

Allow SMTP Server

[code]
#In SMTP
-A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
[/code]

Allow SMTP Client

[code]
#Out SMTP
-A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
[/code]

Allow SMTPs Server

[code]
#In SMTPs
-A INPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT
[/code]

Allow SMTPs Client

[code]
#Out SMTPs
-A OUTPUT -p tcp --dport 465 -m state --state NEW -j ACCEPT
[/code]

Allow SMTP TLS Server

[code]
#In SMTP TLS
-A INPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT
[/code]

Allow SMTP TLS Client

[code]
#Out SMTP TLS
-A OUTPUT -p tcp --dport 587 -m state --state NEW -j ACCEPT
[/code]

Allow POP Server

[code]
#In POP
-A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
[/code]

Allow POP Client

[code]
#Out POP
-A OUTPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT
[/code]

Allow POPs Server

[code]
#In POPs
-A INPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT
[/code]

Allow POPs Client

[code]
#Out POPs
-A OUTPUT -p tcp --dport 995 -m state --state NEW -j ACCEPT
[/code]

Allow IMAP Server

[code]
#In IMAP
-A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
[/code]

Allow IMAP Client

[code]
#Out IMAP
-A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
[/code]

Allow IMAPs Server

[code]
#In IMAPs
-A INPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT
[/code]

Allow IMAPs Client

[code]
#Out IMAPs
-A OUTPUT -p tcp --dport 993 -m state --state NEW -j ACCEPT
[/code]

Allow mySQL Server

[code]
#In mySQL
-A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
[/code]

Allow mySQL Client

[code]
#Out mySQL
-A OUTPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
[/code]

Allow NTP Server

[code]
#In NTP
-A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
[/code]

Allow NTP Client

[code]
#Out NTP
-A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
[/code]

Allow rsync

[code]
#In rsync
-A INPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT

#Out rsync
-A OUTPUT -p tcp --dport 873 -m state --state NEW -j ACCEPT
[/code]

Allow rsyslogd

[code]
#In rsyslogd
-A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

#Out rsyslogd
-A OUTPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
-A OUTPUT -p udp --dport 514 -m state --state NEW -j ACCEPT
[/code]

Allow SAMBA Server

[code]
#In Samba
-A INPUT -p udp --dport 137:139 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 139,445 -m state --state NEW -j ACCEPT
[/code]

Allow NFS Server

The NFS helper daemons (rquotad, lockd, mountd, statd) pick random ports at startup, so we pin them to fixed port numbers by adding the following lines to /etc/sysconfig/nfs:
[code]
RQUOTAD_PORT=875
LOCKD_TCPPORT=32803
LOCKD_UDPPORT=32769
MOUNTD_PORT=892
STATD_PORT=662
STATD_OUTGOING_PORT=2020
RDMA_PORT=20049
[/code]

Then open those ports together with portmapper (111) and NFS itself (2049):
[code]
#In NFS
-A INPUT -p tcp -m multiport --dports 111,662,875,892,2020,2049,20049,32803 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m multiport --dports 111,662,875,892,2020,2049,20049,32769 -m state --state NEW -j ACCEPT
[/code]

Allow TFTP Server

TFTP needs the connection-tracking helper module "nf_conntrack_tftp" so that the data transfer is recognised as RELATED. Edit /etc/sysconfig/iptables-config and make sure it contains:
[code]
IPTABLES_MODULES="nf_conntrack_tftp"
[/code]

[code]
#In TFTP
-A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT
-A INPUT -p udp --dport 69 -m state --state NEW -j ACCEPT

#You also need to allow related OUTPUT
-A OUTPUT -p all -m state --state RELATED -j ACCEPT
[/code]

Allow Routing

Allow routing from Network-1 to Network-2 using two different NICs. The kernel must also have IP forwarding enabled (net.ipv4.ip_forward = 1 in /etc/sysctl.conf), and because the FORWARD policy is DROP the reply packets need a stateful rule of their own:
[code]
#Allow routing from eth0 to eth1
-A FORWARD -i eth0 -o eth1 -j ACCEPT

#Allow the replies back from eth1 to eth0
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
[/code]

Specify port range

For example, allow all TCP traffic from source ports 100-200 to destination ports 200-300. Port matches belong to a protocol, so the rule must name -p tcp (or -p udp) or iptables will reject it:
[code]
-A OUTPUT -p tcp --sport 100:200 --dport 200:300 -j ACCEPT
[/code]

Specify IP Address range

An IP address range requires the 'iprange' match module.
For example, allow all communication to and from 10.0.0.1-10.0.0.100:
[code]
-A OUTPUT -m iprange --dst-range 10.0.0.1-10.0.0.100 -j ACCEPT
-A INPUT -m iprange --src-range 10.0.0.1-10.0.0.100 -j ACCEPT
[/code]
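As an added example (not part of the original tutorial), here is a small Python linter for the /etc/sysconfig/iptables file built above. It catches the mistakes that most often bite when rules are pasted from a web page: Unicode dashes or curly quotes in place of -- and ", a --sport/--dport match without -p tcp or -p udp (which iptables rejects), a malformed chain policy line, and a *filter table with no closing COMMIT. The sample ruleset is constructed for the demonstration.

```python
import re

# Constructed sample in the iptables-save format that /etc/sysconfig/iptables
# uses. Two defects are planted on purpose: an option pasted from a web page
# with a Unicode en-dash (line 7) and a port match without -p tcp/udp (line 8).
SAMPLE_RULESET = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s 10.0.0.0/24 --dport 22 -m state \u2013state NEW -j ACCEPT
-A OUTPUT --sport 100:200 --dport 200:300 -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:\S+ (ACCEPT|DROP|REJECT|-) \[\d+:\d+\]$")
PORT_OPTS = {"--sport", "--dport", "--sports", "--dports", "--ports"}
PORT_PROTOS = {"tcp", "udp", "udplite", "sctp", "dccp"}
BAD_CHARS = "\u2013\u2014\u201c\u201d\u2018\u2019"  # en/em dash, curly quotes

def lint_ruleset(text):
    """Return [(line_no, message), ...]; an empty list means the file looks sane."""
    problems = []
    in_table = committed = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(ch in line for ch in BAD_CHARS):
            problems.append((no, "non-ASCII dash or quote; use -- and plain quotes"))
            continue
        toks = line.split()
        if line.startswith("*"):                # start of a table, e.g. *filter
            in_table, committed = True, False
        elif line == "COMMIT":                  # closes the table
            committed = True
        elif line.startswith(":"):              # chain policy line
            if not CHAIN_RE.match(line):
                problems.append((no, "malformed chain line, expected ':NAME POLICY [0:0]'"))
        elif toks[0] in ("-A", "-I"):           # a rule
            if not in_table or committed:
                problems.append((no, "rule outside a *table ... COMMIT block"))
            # --sport/--dport are tcp/udp options; without -p the rule is rejected
            proto = toks[toks.index("-p") + 1] if "-p" in toks[:-1] else None
            if PORT_OPTS & set(toks) and proto not in PORT_PROTOS:
                problems.append((no, "--sport/--dport need -p tcp or -p udp"))
    if in_table and not committed:
        problems.append((len(text.splitlines()), "table is never COMMITted"))
    return problems
```

Run lint_ruleset() on the contents of /etc/sysconfig/iptables before restarting the service; on a remote box a rejected file at service start leaves you with whatever policy the init script falls back to.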

Enjoy!

1 thought on “iptables examples on CentOS”

  1. Rodney Wienand

    Thank you Adam for a comprehensive explanation and variety of commands for various functions. I will have a copy of the link to this page saved as I am sure I will have to refer to it again. Thanks once again.
