CentOS / Redhat Iptables Firewall Configuration Tutorial

November 10, 2009 · 38 comments · Last updated June 17, 2010


How do I configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux?

Netfilter is a host-based firewall for Linux operating systems. It is included as part of the Linux distribution and it is activated by default. This firewall is controlled by the program called iptables. Netfilter filtering takes place at the kernel level, before a program can even process the data from the network packet.

Iptables Config File

The default config file for RHEL / CentOS / Fedora Linux is:

  • /etc/sysconfig/iptables - the iptables init script activates the firewall by reading this file.

Task: Display Default Rules

Type the following command:
iptables --line-numbers -n -L
Sample outputs:

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    RH-Firewall-1-INPUT  all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain RH-Firewall-1-INPUT (2 references)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
4    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
5    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
8    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Task: Turn On Firewall

Type the following two commands to enable the firewall at boot and start it now (the restart and stop commands are shown for reference):

chkconfig iptables on
service iptables start
# restart the firewall
service iptables restart
# stop the firewall
service iptables stop

Understanding Firewall

There are 4 chains in total:

  1. INPUT - The default chain for packets addressed to the system. Use it to open or close incoming ports (such as 80, 25 and 110) and IP addresses / subnets (such as 202.54.1.20/29).
  2. OUTPUT - The default chain for packets generated by the system. Use it to open or close outgoing ports and IP addresses / subnets.
  3. FORWARD - The default chain for packets routed through the system to another interface. It is usually used when Linux is set up as a router; for example, eth0 is connected to an ADSL/cable modem and eth1 to the local LAN, and the FORWARD chain carries traffic between the LAN and the Internet.
  4. RH-Firewall-1-INPUT - A user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains.

Packet Matching Rules

  1. Each packet starts at the first rule in the chain.
  2. A packet proceeds down the chain until it matches a rule.
  3. If a match is found, control jumps to the specified target (such as REJECT, ACCEPT or DROP). If no rule in a built-in chain matches, the chain's default policy applies.

Target Meanings

  1. The target ACCEPT means allow the packet.
  2. The target REJECT means drop the packet and send an error message back to the remote host.
  3. The target DROP means drop the packet silently, without sending an error message to the remote or sending host.
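To make the matching order concrete, here is an added example (not part of the original article) that walks a packet through the default rule set listed under "Task: Display Default Rules" using exactly these first-match rules: the INPUT chain jumps into RH-Firewall-1-INPUT, a verdict there ends the walk, and a rule appended to INPUT behind that jump is never consulted because the user chain ends with an unconditional REJECT. Only interface, protocol, destination port and connection state are modelled, an assumption made for the example; the destination-address match on the 224.0.0.251 rule is ignored.

```shell
#!/bin/sh
# Added example (not from the original article): first-match walk over the
# default RH-Firewall-1-INPUT rule set. Rule format (an assumption of this
# example): CHAIN|IFACE|PROTO|DPORT|STATE|TARGET, an empty field matches anything.
RULES='INPUT|||||RH-Firewall-1-INPUT
FORWARD|||||RH-Firewall-1-INPUT
RH-Firewall-1-INPUT|lo||||ACCEPT
RH-Firewall-1-INPUT||icmp|||ACCEPT
RH-Firewall-1-INPUT||udp|5353||ACCEPT
RH-Firewall-1-INPUT||udp|53||ACCEPT
RH-Firewall-1-INPUT||||ESTABLISHED,RELATED|ACCEPT
RH-Firewall-1-INPUT||tcp|22|NEW|ACCEPT
RH-Firewall-1-INPUT||tcp|53|NEW|ACCEPT
RH-Firewall-1-INPUT|||||REJECT'

policy() {            # built-in chains keep the file's default policy ACCEPT
  case "$1" in INPUT|FORWARD|OUTPUT) echo ACCEPT ;; *) echo RETURN ;; esac
}

# walk CHAIN IFACE PROTO DPORT STATE -> prints the first verdict, or nothing
# when the chain runs out of rules (RETURN to the calling chain)
walk() {
  chain=$1 iface=$2 proto=$3 dport=$4 state=$5
  printf '%s\n' "$RULES" |
  while IFS='|' read -r r_chain r_iface r_proto r_dport r_state r_target; do
    [ "$r_chain" = "$chain" ] || continue
    [ -z "$r_iface" ] || [ "$r_iface" = "$iface" ] || continue
    [ -z "$r_proto" ] || [ "$r_proto" = "$proto" ] || continue
    [ -z "$r_dport" ] || [ "$r_dport" = "$dport" ] || continue
    if [ -n "$r_state" ]; then
      case ",$r_state," in *",$state,"*) ;; *) continue ;; esac
    fi
    case "$r_target" in
      ACCEPT|DROP|REJECT) echo "$r_target"; break ;;
      *) # user-defined chain: a verdict there ends the walk, otherwise
         # control returns here and the next rule is tried
         v=$(walk "$r_target" "$iface" "$proto" "$dport" "$state")
         if [ -n "$v" ]; then echo "$v"; break; fi ;;
    esac
  done
  return 0
}

verdict() {           # verdict CHAIN IFACE PROTO DPORT STATE -> final verdict
  v=$(walk "$@")
  if [ -n "$v" ]; then echo "$v"; else policy "$1"; fi
}

# verdict_with append|insert RULE CHAIN IFACE PROTO DPORT STATE: same walk with
# one extra rule at the end (-A) or the top (-I) of the rule set
verdict_with() (
  if [ "$1" = insert ]; then RULES="$2
$RULES"; else RULES="$RULES
$2"; fi
  shift 2
  verdict "$@"
)

echo "ssh from eth0, NEW:        $(verdict INPUT eth0 tcp 22 NEW)"
echo "http from eth0, NEW:       $(verdict INPUT eth0 tcp 80 NEW)"
echo "http reply, ESTABLISHED:   $(verdict INPUT eth0 tcp 80 ESTABLISHED)"
echo "http, -A INPUT after jump: $(verdict_with append 'INPUT||tcp|80||ACCEPT' INPUT eth0 tcp 80 NEW)"
echo "http, -I INPUT at the top: $(verdict_with insert 'INPUT||tcp|80||ACCEPT' INPUT eth0 tcp 80 NEW)"
```

The last two lines are the point of the exercise: appending an ACCEPT for port 80 to INPUT changes nothing, because the packet is rejected inside RH-Firewall-1-INPUT before INPUT ever reaches its second rule, whereas the same rule placed before the jump accepts it.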

/etc/sysconfig/iptables

Edit /etc/sysconfig/iptables, enter:
# vi /etc/sysconfig/iptables
You will see default rules as follows:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Drop All Traffic

Find lines:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

Update as follows to change the default policy to DROP from ACCEPT for the INPUT and FORWARD built-in chains:

:INPUT DROP [0:0]
:FORWARD DROP [0:0]

Log and Drop Spoofing Source Addresses

Add the following lines before the final COMMIT line, placing them above the -A INPUT -j RH-Firewall-1-INPUT line: that chain ends with a REJECT, so rules appended to INPUT after the jump are never reached. Each LOG rule is paired with a DROP so the packet is actually discarded and not merely logged (eth0 is the Internet-facing interface here):

-A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
-A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
-A INPUT -i eth0 -s 224.0.0.0/4 -j LOG --log-prefix "IP DROP MULTICAST "
-A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
-A INPUT -i eth0 -s 240.0.0.0/4 -j LOG --log-prefix "IP DROP SPOOF "
-A INPUT -i eth0 -s 240.0.0.0/4 -j DROP
-A INPUT -i eth0 -d 127.0.0.0/8 -j LOG --log-prefix "IP DROP LOOPBACK "
-A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 169.254.0.0/16 -j LOG --log-prefix "IP DROP LINKLOCAL "
-A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
-A INPUT -i eth0 -s 0.0.0.0/8 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
-A INPUT -i eth0 -s 255.255.255.255/32 -j LOG --log-prefix "IP DROP "
-A INPUT -i eth0 -s 255.255.255.255/32 -j DROP

Log And Drop All Traffic

Find the lines:

-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

Update it as follows:

-A RH-Firewall-1-INPUT -j LOG
-A RH-Firewall-1-INPUT -j DROP
COMMIT
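Once LOG rules like the ones in this and the previous section are in place, the useful part is reading what they write to the kernel log. The following is an added example, not from the original article: an awk summary over syslog-style kernel log lines in the format the LOG target emits, grouped by log prefix, source address, protocol and destination port, so the "IP DROP SPOOF" and "IP DROP LOOPBACK" entries and the unprefixed catch-all LOG can be reviewed at a glance. The sample lines are constructed for the example (host name web1, documentation addresses), not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): summarise netfilter LOG
# output. Reads syslog-style lines from the files given (or stdin) and prints
# "COUNT PREFIX|SRC|PROTO|DPT", busiest combination first.
summarize_fw_log() {
  awk '
    /kernel: .*IN=/ {
      line = $0
      sub(/^.*kernel: /, "", line)          # drop timestamp, host and "kernel:"
      sub(/^\[[0-9. ]*\] */, "", line)      # drop printk uptime stamp if present
      # the LOG --log-prefix text is whatever precedes the first " IN=" field
      prefix = "(no prefix)"
      if (match(line, /(^| )IN=/) && RSTART > 1)
        prefix = substr(line, 1, RSTART - 1)
      src = proto = dpt = "-"
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/)        src = substr($i, 5)
        else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
      }
      count[prefix "|" src "|" proto "|" dpt]++
    }
    END { for (k in count) print count[k], k }
  ' "$@" | sort -rn
}

# Constructed sample log (not a real capture): two spoofed RFC 1918 sources,
# one packet for 127.0.0.1 arriving on eth0, one catch-all LOG hit without a
# prefix, and an unrelated sshd line that must be ignored.
SAMPLE_LOG='Jun 17 10:01:02 web1 kernel: IP DROP SPOOF IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=10.9.8.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40532 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 10:01:03 web1 kernel: IP DROP SPOOF IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=10.9.8.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40533 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 17 10:01:05 web1 kernel: IP DROP LOOPBACK IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=198.51.100.9 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=TCP SPT=1234 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 17 10:01:07 web1 kernel: IN=eth0 OUT= MAC=00:16:3e:11:22:33:00:50:56:aa:bb:cc:08:00 SRC=198.51.100.20 DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=58
Jun 17 10:01:09 web1 sshd[2231]: Accepted publickey for admin from 192.168.1.10 port 50122 ssh2'

printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

On a real host run it as `summarize_fw_log /var/log/messages`; the catch-all LOG in the section above has no prefix, so its hits show up under "(no prefix)", which is a good reason to give every LOG rule a distinct --log-prefix.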

Open Port

To open port 80 (HTTP server) add the following before the COMMIT line:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 80 -j ACCEPT

To open port 53 (DNS server) add the following before the COMMIT line (one rule each for TCP and UDP; the -m match must agree with -p):

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m udp -p udp --dport 53 -j ACCEPT

To open port 443 (HTTPS server) add the following before the COMMIT line:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 443 -j ACCEPT

To open port 25 (SMTP server) add the following before the COMMIT line:

-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 25 -j ACCEPT

Only Allow SSH Traffic From 192.168.1.0/24

Replace the default rule that accepts port 22 from any source (-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT) with the following; if the default rule is left in place, it still matches first and the restriction has no effect:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT

Enable Printing Access For 192.168.1.0/24

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT

Allow Legitimate NTP Clients to Access the Server

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT

Open FTP Port 21

-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 21 -j ACCEPT

Save and close the file. Edit /etc/sysconfig/iptables-config, enter:
# vi /etc/sysconfig/iptables-config
Make sure the FTP connection-tracking module is loaded by listing it in the space-separated IPTABLES_MODULES variable (it is needed for the RELATED state to cover FTP data connections):

IPTABLES_MODULES="ip_conntrack_ftp"

To restart the firewall and verify the loaded rules, type the following commands:
# service iptables restart
# iptables -vnL --line-numbers
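A syntax error in /etc/sysconfig/iptables only surfaces at restart, and then only as "iptables-restore: line N failed" (see the comments below for two such cases). The following is an added example, not from the original article: a lint pass in shell/awk that checks a ruleset file before it is loaded. It flags jumps to, or rules for, a chain that is neither built-in nor declared with ":NAME" or "-N NAME"; "-p udp" paired with "-m tcp" or the reverse; "-i" in OUTPUT and "-o" in INPUT; a "*table" block never closed by COMMIT; and rules appended behind an unconditional REJECT/DROP or behind a jump to a chain that ends that way, which can never match. Lines of the form "$IPT -A ..." from a script are accepted as well, but shell variables in them are not expanded (the linter assumes literal chain names). The ruleset at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): lint an iptables-restore
# file (or "$IPT -A ..." script lines) before "service iptables restart".
lint_iptables_rules() {       # usage: lint_iptables_rules [FILE...]; status 1 if findings
  awk '
    function terminal(c,    k) {          # does jumping to c always end traversal?
      if (c == "DROP" || c == "REJECT") return 1
      if (!(c in declared) || (c in visiting)) return 0
      visiting[c] = 1
      for (k = 1; k <= nrules; k++)
        if (rule_chain[k] == c && !rule_cond[k] && terminal(rule_jump[k])) {
          delete visiting[c]; return 1
        }
      delete visiting[c]; return 0
    }
    function report(ln, msg) { findings++; printf "line %d: %s\n", ln, msg }
    BEGIN {
      split("ACCEPT DROP REJECT LOG RETURN MASQUERADE SNAT DNAT REDIRECT TOS MARK", t, " ")
      for (i in t) target[t[i]] = 1
      split("INPUT OUTPUT FORWARD PREROUTING POSTROUTING", b, " ")
      for (i in b) declared[b[i]] = 1
    }
    {
      line = $0
      sub(/#.*$/, "", line)                                        # strip comments
      sub(/^[ \t]*([$]IPT|\/sbin\/iptables|iptables)[ \t]+/, "", line)
      sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
    }
    line == "" { next }
    line ~ /^\*/ {
      if (intable) report(NR, "table " table " has no COMMIT")
      table = substr(line, 2); intable = 1; next
    }
    line == "COMMIT" { intable = 0; next }
    line ~ /^:/ { split(line, f, " "); declared[substr(f[1], 2)] = 1; next }
    {
      n = split(line, f, " ")
      if (f[1] == "-N") { declared[f[2]] = 1; next }
      if (f[1] != "-A" && f[1] != "-I") next                     # -P, -F, -X, -t: not rules
      k = ++nrules
      rule_line[k] = NR; rule_chain[k] = f[2]; rule_jump[k] = ""
      rule_cond[k] = 0; rule_insert[k] = (f[1] == "-I")
      proto = ""; mod = ""
      for (i = 3; i <= n; i++) {
        if (f[i] == "-j") rule_jump[k] = f[i + 1]
        else if (f[i] == "-p") proto = f[i + 1]
        else if (f[i] == "-m") mod = f[i + 1]
        else if (f[i] == "-i" && f[2] == "OUTPUT") report(NR, "-i cannot be used in the OUTPUT chain")
        else if (f[i] == "-o" && f[2] == "INPUT") report(NR, "-o cannot be used in the INPUT chain")
        # every option other than the target and its own options is a match condition
        if (f[i] ~ /^-/ && f[i] !~ /^(-j|--reject-with|--log-prefix|--log-level)$/) rule_cond[k] = 1
      }
      if ((proto == "tcp" && mod == "udp") || (proto == "udp" && mod == "tcp"))
        report(NR, "-p " proto " does not match -m " mod)
    }
    END {
      if (intable) report(NR, "table " table " has no COMMIT")
      for (k = 1; k <= nrules; k++) {
        c = rule_chain[k]; j = rule_jump[k]
        if (!(c in declared)) report(rule_line[k], "rule for undeclared chain " c)
        if (j != "" && !(j in target) && !(j in declared)) report(rule_line[k], "jump to undefined chain " j)
        if (rule_insert[k]) continue               # -I is not ordered by file position
        if (c in deadline) report(rule_line[k], "unreachable: " c " already ends unconditionally at line " deadline[c])
        else if (!rule_cond[k] && terminal(j)) deadline[c] = rule_line[k]
      }
      exit findings > 0
    }
  ' "$@"
}

# Constructed ruleset containing the mistakes listed above (no COMMIT, a rule
# for an undeclared chain, -m udp with -p tcp, -i in OUTPUT, a rule behind
# an unconditional REJECT). Expect five findings and exit status 1.
DEMO_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m udp -p tcp --dport 53 -j ACCEPT
-A OUTPUT -i eth0 -p udp --sport 53 -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT'

printf '%s\n' "$DEMO_RULESET" | lint_iptables_rules || echo "findings above; fix before loading"
```

Run it as `lint_iptables_rules /etc/sysconfig/iptables` after editing; the default ruleset from the article passes cleanly, and a spoof-filter line appended to INPUT before COMMIT is reported as unreachable because INPUT's first rule jumps into RH-Firewall-1-INPUT, which ends with a REJECT.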

Edit /etc/sysctl.conf For DoS and Syn Protection

Edit /etc/sysctl.conf to defend against certain types of attacks and append / update as follows (run sysctl -p afterwards to apply the settings without a reboot):

net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
#net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

See previous FAQ, "Linux Kernel /etc/sysctl.conf Security Hardening" for more details.
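Editing /etc/sysctl.conf changes nothing until sysctl -p or a reboot, and a key the running kernel does not know (the commented-out icmp_ignore_bogus_error_messages key is one such case reported in the comments below) is silently skipped. The following is an added example, not from the original article: an audit that compares the list above with what the kernel actually reports. The command used to read live values is a parameter so the logic can be exercised offline against a constructed set of running values; on a real host pass sysctl -n, which prints a key's current value.

```shell
#!/bin/sh
# Added example (not from the original article): audit the running kernel
# against the hardening values from /etc/sysctl.conf above.

# the article's desired settings, copied verbatim; the commented-out key is skipped
WANT_SYSCTL='net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
#net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1'

# normalise sysctl.conf syntax: drop comments and blank lines, turn
# "key = value" into "key=value"
normalize_sysctl() { sed -e 's/#.*$//' -e 's/[[:space:]]//g' -e '/^$/d'; }

# audit_sysctl READER: "READER KEY" must print the live value, or fail when the
# kernel does not know the key. Prints one OK / MISMATCH / UNKNOWN line per key.
audit_sysctl() {
  reader=$1
  printf '%s\n' "$WANT_SYSCTL" | normalize_sysctl |
  while IFS='=' read -r key want; do
    if have=$("$reader" "$key" 2>/dev/null); then
      if [ "$have" = "$want" ]; then echo "OK $key=$want"
      else echo "MISMATCH $key want=$want have=$have"; fi
    else
      echo "UNKNOWN $key"
    fi
  done
}

# Constructed stand-in for "sysctl -n" (assumption of this example): two keys
# still carry their stock values and secure_redirects is not known at all.
FAKE_RUNNING='net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1'

fake_sysctl() {
  printf '%s\n' "$FAKE_RUNNING" | normalize_sysctl |
    awk -F= -v k="$1" '$1 == k { print $2; found = 1 } END { exit !found }'
}

audit_sysctl fake_sysctl
```

On a live system the call is `audit_sysctl "sysctl -n"` (the reader runs as `sysctl -n KEY`); any MISMATCH line means the file has been edited but not applied, and an UNKNOWN line means the key does not exist on that kernel and should be removed from the file rather than left to fail at boot.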

Alternate Configuration Option

You can skip the /etc/sysconfig/iptables file and instead create a shell script from scratch, as follows. Rules loaded by such a script are lost at reboot unless the script is run at boot or the result is saved with "service iptables save":

#!/bin/bash
# A sample firewall shell script 
IPT="/sbin/iptables"
SPAMLIST="blockedip"
SPAMDROPMSG="BLOCKED IP DROP"
SYSCTL="/sbin/sysctl"
BLOCKEDIPS="/root/scripts/blocked.ips.txt"
 
# Stop certain attacks
echo "Setting sysctl IPv4 settings..."
$SYSCTL net.ipv4.ip_forward=0
$SYSCTL net.ipv4.conf.all.send_redirects=0
$SYSCTL net.ipv4.conf.default.send_redirects=0
$SYSCTL net.ipv4.conf.all.accept_source_route=0
$SYSCTL net.ipv4.conf.all.accept_redirects=0
$SYSCTL net.ipv4.conf.all.secure_redirects=0
$SYSCTL net.ipv4.conf.all.log_martians=1
$SYSCTL net.ipv4.conf.default.accept_source_route=0
$SYSCTL net.ipv4.conf.default.accept_redirects=0
$SYSCTL net.ipv4.conf.default.secure_redirects=0
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts=1
#$SYSCTL net.ipv4.icmp_ignore_bogus_error_messages=1
$SYSCTL net.ipv4.tcp_syncookies=1
$SYSCTL net.ipv4.conf.all.rp_filter=1
$SYSCTL net.ipv4.conf.default.rp_filter=1
$SYSCTL kernel.exec-shield=1
$SYSCTL kernel.randomize_va_space=1
 
echo "Starting IPv4 Firewall..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
 
# load modules
modprobe ip_conntrack
 
[ -f "$BLOCKEDIPS" ] && BADIPS=$(egrep -v -E "^#|^$" "${BLOCKEDIPS}")
 
# interface connected to the Internet 
PUB_IF="eth0"
 
#Unlimited traffic for loopback
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
 
# DROP all incomming traffic
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
 
if [ -f "${BLOCKEDIPS}" ];
then
# create a new iptables list
$IPT -N $SPAMLIST
 
for ipblock in $BADIPS
do
   $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG "
   $IPT -A $SPAMLIST -s $ipblock -j DROP
done
 
$IPT -I INPUT -j $SPAMLIST
$IPT -I OUTPUT -j $SPAMLIST
$IPT -I FORWARD -j $SPAMLIST
fi
 
# Block sync
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Drop Sync"
$IPT -A INPUT -i ${PUB_IF} -p tcp ! --syn -m state --state NEW -j DROP
 
# Block Fragments
$IPT -A INPUT -i ${PUB_IF} -f  -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fragments Packets"
$IPT -A INPUT -i ${PUB_IF} -f -j DROP
 
# Block bad stuff
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL ALL -j DROP
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "NULL Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL NONE -j DROP # NULL packets
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "XMAS Packets"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #XMAS
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/m --limit-burst 7 -j LOG --log-level 4 --log-prefix "Fin Packets Scan"
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN packet scans
 
$IPT  -A INPUT -i ${PUB_IF} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
 
# Allow full outgoing connection but no incomming stuff
$IPT -A INPUT -i ${PUB_IF} -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o ${PUB_IF} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
 
# Allow ssh
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 22 -j ACCEPT
 
# Allow http / https (open port 80 / 443)
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 80 -j ACCEPT
#$IPT -A INPUT -o ${PUB_IF} -p tcp --destination-port 443 -j ACCEPT
 
# allow incomming ICMP ping pong stuff
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Allow port 53 tcp/udp (DNS Server)
$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
#$IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Open port 110 (pop3) / 143
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 110 -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 143 -j ACCEPT
 
##### Add your rules below ######
#
# 
##### END your rules ############
 
# Do not log smb/windows sharing packets - too much logging
$IPT -A INPUT -p tcp -i ${PUB_IF} --dport 137:139 -j REJECT
$IPT -A INPUT -p udp -i ${PUB_IF} --dport 137:139 -j REJECT
 
# log everything else and drop
$IPT -A INPUT -j LOG
$IPT -A FORWARD -j LOG
$IPT -A INPUT -j DROP
 
exit 0


Comments (38)

1 Bill Baily November 10, 2009 at 12:16 pm

No mention of *all* the tables then. Mmmm. Perhaps this is just an iptable (rather than an iptables) guide, :-P

2 Marcus November 10, 2009 at 1:50 pm

I’m curious, can you set it up so a certain program is authorized to send/receive data? This is a feature of the Windows Firewall. It makes it easier for programs that don’t publish the ports they work on.

3 nixCraft November 10, 2009 at 2:11 pm

@Marcus,

I don't think there is any such program under Linux. Almost all network programs open privileged or unprivileged ports. You can run the netstat program to find out the port number and add a rule manually.

4 yoander (sedlav) November 10, 2009 at 2:35 pm

Easy Firewall Generator for IPTables is an iptables script generator; you can play with different options. It is an excellent tool for newbies.

5 gorfou November 17, 2009 at 4:48 pm

Hi,
I am trying to install a custom iptables configuration within a fresh centos/kickstart install.
I have my custom package which installs the file /etc/sysconfig/iptables during kickstart installation.
However, this file is erased by the default one upon first reboot.

Does anyone know what script is responsible for resetting it?

6 pd January 11, 2010 at 1:44 am

I ran this firewall script on CentOS 5.4 and got these errors:

[root@localhost scripts]# ./iptables.sh
Setting sysctl IPv4 settings...
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
error: "net.ipv4.icmp_ignore_bogus_error_messages" is an unknown key
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
kernel.exec-shield = 1
kernel.randomize_va_space = 1
Starting IPv4 Firewall...
iptables v1.3.5: Can't use -i with OUTPUT
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Can't use -i with OUTPUT
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Can't use -i with OUTPUT
Try `iptables -h' or 'iptables --help' for more information.

7 pd January 11, 2010 at 1:55 am

Yes, I found the problem in below lines, OUTPUT should be with “-o” not “-i”

# allow incomming ICMP ping pong stuff
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -i ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow port 53 tcp/udp (DNS Server)
$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -i ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
$IPT -A OUTPUT -i ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

Vivek needs to update this script.

8 nixCraft January 11, 2010 at 4:41 am

@pd,

Thanks, I’ve commented out those lines in script, since output policy is set to established.

HTH

9 Lekensteyn June 17, 2010 at 4:52 pm

You've got a typo in your section 'Edit /etc/sysctl.conf For DoS and Syn Protection':
"et.ipv4.conf.all.log_martians = 1"
should be:
"net.ipv4.conf.all.log_martians = 1"

10 nixCraft June 17, 2010 at 5:52 pm

Thanks for the heads up!

11 nixlike July 22, 2010 at 10:29 am

Great article, but as for me it’s better to use iptables-{save,restore} commands instead of direct editing of /etc/sysconfig/iptables

12 James August 17, 2010 at 12:16 am

I have 601 lines in iptables, is that normal?

I found that after using apf, the iptables -L gave too many drops

13 nixCraft August 17, 2010 at 4:22 pm

apf may add additional rules, so having 601 lines is normal. However, on really busy servers you may get performance issues.

14 James August 17, 2010 at 6:13 pm

But it does seem to alleviate the DDOS attacks today. I only worry that some of my regular users got blocked by mistake.

So by default, why is there no iptables file? I used save to generate one.

But then where this file exist if it doesn’t exist? (default)

15 James August 17, 2010 at 4:17 pm

*mangle
:PREROUTING ACCEPT [20736884:2763721632]
:INPUT ACCEPT [20736866:2763715671]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17305648:26071886184]
:POSTROUTING ACCEPT [17300520:26071636822]
-A PREROUTING -p tcp -m tcp --sport 21 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --sport 25 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 110 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 143 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 512:65535 -j TOS --set-tos 0x00
-A POSTROUTING -p tcp -m tcp --dport 21 -j TOS --set-tos 0x08
-A POSTROUTING -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A POSTROUTING -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A POSTROUTING -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10
-A POSTROUTING -p tcp -m tcp --dport 110 -j TOS --set-tos 0x10
-A POSTROUTING -p tcp -m tcp --dport 143 -j TOS --set-tos 0x10
-A POSTROUTING -p tcp -m tcp --dport 512:65535 -j TOS --set-tos 0x00
COMMIT

-A INPUT -s 0.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 5.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 23.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 36.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 37.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 39.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 42.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 100.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 102.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 103.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 104.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 105.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 106.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -j DROP
-A INPUT -s 179.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 185.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 192.0.0.0/255.255.255.0 -j DROP

16 JD December 13, 2011 at 1:34 pm

GREAT article on Netfilter, there are several good books on amazon’s website that can help with creating custom chains as well.

I create a custom chain called ‘uw’ for unwanted, it includes all the DROP’s for rogue countries and/or ISP’s/Hosting companies.

It is critical that you do not allow rogue traffic to your server(s); it should be dropped and not allowed.

17 Haekon December 22, 2011 at 8:22 am

” It is included as part of the Linux distribution and it is activated by default.”

fail….Each distro is its own, and some disable this.

18 adep January 9, 2012 at 6:48 pm

Most distribution kernels have it compiled in (/module) at the very least. But that doesn’t mean that the rules help anything. Also, a lot of distros like ubuntu use a gui like ufw which is still using iptables.

19 Jesus January 12, 2012 at 10:04 pm

Really useful stuff. Thanks a lot

20 nicole March 20, 2012 at 6:25 am

vivek, really useful

I want to allow all 192.168.1.0/24 IPs to access this machine (0-65550), and for external users only port 80 to be allowed.

I have only eth0 in this machine which is connected to my 8 port switch and in gateway i use port forwarding to this webserver, if i need to allow port 80 for external users and all for internal users how can i proceed with the above script?

nic

21 Rob April 14, 2012 at 1:32 pm

Sorry for my ignorance but I have a question about the shell script you wrote about in the article.
What is the right procedure to run it?
I have just copied and pasted its code into an empty file (with no extension) and just run it with ./my-script-name . Is this right? Or do I have to do it another way (I have read about giving it the .sh extension and copying something in rc.local file)?
Thank you

22 yoander April 16, 2012 at 5:52 pm

After running your script you can persist it after reboot with this command
# service iptables save

23 Jonas Lundberg August 21, 2012 at 10:48 am

Apache mod_evasive does a good job at stopping DDOS attacks and some hacks

24 Ashil John January 14, 2013 at 7:18 am

Hey man, thanks for the post. I have a question though.

I installed nginx by following your tutorial. But i couldn’t find the iptables file in the sysconfig folder.

So, when i typed “vi /etc/sysconfig/iptables” a new file is opened. And i copy pasted the default info i found here and created that page. And then modified it by adding port 80 etc.

And after typing “service iptables restart”, i get this message.

iptables: Saving firewall rules to /etc/sysconfig/iptables: /etc/init.d/iptables : line 268: restorecon: command not found
[FAILED]
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: nat mangle filte[ OK ]
iptables: Unloading modules: [ OK ]
iptables: Applying firewall rules: iptables-restore v1.4.7: Couldn't load target `RH-Firewall-1-INPUT':/lib/xtables/libipt_RH-Firewall-1-INPUT.so: cannot open shared object file: No such file or directory

Error occurred at line: 6
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
[FAILED]
============================================

and also, at first after installing nginx and restarting it, I received this message:

[root@server1 ~]# service nginx restart
Stopping nginx: [FAILED]
Starting nginx: nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
nginx: [emerg] still could not bind()
[FAILED]
for which i typed in: ” sudo fuser -k 80/tcp ; sudo /etc/init.d/nginx restart ”

and it was fixed:

[root@server1 ~]# sudo fuser -k 80/tcp ; sudo /etc/init.d/nginx restart
80/tcp: 499 502
Stopping nginx: [FAILED]
Starting nginx: [ OK ]
================================================

Could you please point me in the right direction regarding what it is that I’m messing up.

Thanks and Regards.

25 yoander January 14, 2013 at 1:45 pm

Are you using a VPS?

26 Ashil John January 15, 2013 at 4:13 pm

Thanks for the reply man. I am using a VPS. And initially, I had installed nginx, php and mysql on centOS. But discarded that as I wasn’t able to properly install phpmyadmin. So finally installed the LEMP stack with phpmyadmin on Ubuntu 12.04.

So now, will i be able to do the stuff you’ve mentioned here with the iptables of Ubuntu?

27 yoander January 15, 2013 at 5:19 pm

I had a similar issue with a VPS (Gandi provider). I solved it following these instructions:
http://wiki.gandi.net/en/hosting/troubleshooting/update-kernel-modules

Maybe you can find a similar doc from your VPS provider.

28 Ashil John January 17, 2013 at 2:47 am

I will man, thank you for your help.

29 Eddie G. February 17, 2013 at 6:30 pm

As someone who’s just starting out looking to get a cert in Red Hat (RHCSA) I am installing CEntOS 6 on my old Dell and going to try playing with as many options and packages as possible. SO this helped me out immensely, as I had no idea how to configure a firewall for Linux. I’m wondering if there’s a GUI instead of all command line stuff? and why is it that most of the Linux “guru’s” out there insist that you learn everything at the CLI? Isn’t the effect still the same minus having to try to memorize a MILLION different commands….their switches?…and other options? Just sayin’ is all…LoL!

30 Flora November 20, 2013 at 6:46 am

Can iptables and ip6tables run simultaneously? Or does one or the other need to be stopped?

31 nixCraft November 20, 2013 at 8:54 am

Yes, you need to run both simultaneously.

32 david February 2, 2014 at 5:25 am

I'm trying to open a port so my LAN users can connect to a PPTP server located outside the office. I added the following rule to iptables, but still cannot connect to the VPN server:
iptables -A INPUT -p 47 -j ACCEPT

thanks for your help

33 david February 2, 2014 at 11:06 pm

Sorry for the typo:
iptables -A OUTPUT -p 47 -j ACCEPT

34 franzo February 5, 2014 at 2:03 pm

Thanks for your post.
my /etc/sysconfig/iptables of a VPS centos 6.5 is as follows:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
An application (openemm) requires adding the following 3 lines:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8044 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT

my question is: where should I paste these lines, just before COMMIT?
thanks

35 Nix Craft February 5, 2014 at 3:55 pm

Yes, put it before COMMIT or after:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

36 franzo February 5, 2014 at 6:48 pm

I tried both before COMMIT and after the line you indicated, but I get the same in both cases:

[root@ns3098622 sysconfig]# /etc/init.d/iptables restart
Opening /proc/modules: No such file or directory
iptables: Setting chains to policy ACCEPT: raw nat mangle f[ OK ]
iptables: Flushing firewall rules: [ OK ]
iptables: Unloading modules: Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
Opening /proc/modules: No such file or directory
grep: /proc/modules: No such file or directory
[ OK ]
iptables: Applying firewall rules: iptables-restore: line 12 failed

The only thing that changes is the line when it fails.

Any idea what this means?

37 Nix Craft February 6, 2014 at 4:22 am

Replace RH-Firewall-1-INPUT with INPUT:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8044 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT

Are you running RHEL on a physical server or inside virtual machine?

38 franzo February 7, 2014 at 3:30 pm

Yes, this way it works. Your help is great!!
It is inside a VPS
many thanks
best
