Comments on: CentOS / Redhat Iptables Firewall Configuration Tutorial

By: Jesus

Jesus — Thu, 12 Jan 2012 22:04:13 +0000

Really useful stuff. Thanks a lot

By: adep

adep — Mon, 09 Jan 2012 18:48:03 +0000

Most distribution kernels have it compiled in (/module) at the very least. But that doesn’t mean that the rules help anything. Also, a lot of distros like ubuntu use a gui like ufw which is still using iptables.

By: Haekon

Haekon — Thu, 22 Dec 2011 08:22:50 +0000

” It is included as part of the Linux distribution and it is activated by default.”

fail….Each distro is its own, and some disable this.

By: JD

JD — Tue, 13 Dec 2011 13:34:05 +0000

GREAT article on Netfilter, there are several good books on amazon’s website that can help with creating custom chains as well.

I create a custom chain called ‘uw’ for unwanted, it includes all the DROP’s for rogue countries and/or ISP’s/Hosting companies.

It is critical that you do not allow rogue traffic to your server(s), it should be dropped and and not allowed.

By: James

James — Tue, 17 Aug 2010 18:13:05 +0000

But it does seem to alleviate the DDOS attacks today. I only worry that some of my regular users got blocked by mistake.

So by default, why there is not an iptables file? I used save to generate one.

But then where this file exist if it doesn’t exist? (default)

By: Vivek Gite

Vivek Gite — Tue, 17 Aug 2010 16:22:31 +0000

apf may add additional rules so you got 601 lines which is normal. However, on really busy servers you may get performance issue.

By: James

James — Tue, 17 Aug 2010 16:17:24 +0000

*mangle
:PREROUTING ACCEPT [20736884:2763721632]
:INPUT ACCEPT [20736866:2763715671]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [17305648:26071886184]
:POSTROUTING ACCEPT [17300520:26071636822]
-A PREROUTING -p tcp -m tcp –sport 21 -j TOS –set-tos 0×08
-A PREROUTING -p tcp -m tcp –sport 20 -j TOS –set-tos 0×08
-A PREROUTING -p tcp -m tcp –sport 80 -j TOS –set-tos 0×08
-A PREROUTING -p tcp -m tcp –sport 25 -j TOS –set-tos 0×10
-A PREROUTING -p tcp -m tcp –sport 110 -j TOS –set-tos 0×10
-A PREROUTING -p tcp -m tcp –sport 143 -j TOS –set-tos 0×10
-A PREROUTING -p tcp -m tcp –sport 512:65535 -j TOS –set-tos 0×00
-A POSTROUTING -p tcp -m tcp –dport 21 -j TOS –set-tos 0×08
-A POSTROUTING -p tcp -m tcp –dport 20 -j TOS –set-tos 0×08
-A POSTROUTING -p tcp -m tcp –dport 80 -j TOS –set-tos 0×08
-A POSTROUTING -p tcp -m tcp –dport 25 -j TOS –set-tos 0×10
-A POSTROUTING -p tcp -m tcp –dport 110 -j TOS –set-tos 0×10
-A POSTROUTING -p tcp -m tcp –dport 143 -j TOS –set-tos 0×10
-A POSTROUTING -p tcp -m tcp –dport 512:65535 -j TOS –set-tos 0×00
COMMIT

-A INPUT -s 0.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 5.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 23.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 36.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 37.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 39.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 42.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 100.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 102.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 103.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 104.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 105.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 106.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 169.254.0.0/255.255.0.0 -j DROP
-A INPUT -s 179.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 185.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 192.0.0.0/255.255.255.0 -j DROP

By: James

James — Tue, 17 Aug 2010 00:16:36 +0000

I have 601 lines in iptables, is that normal?

I found that after using apf, the iptables -L gave too many drops

By: nixlike

nixlike — Thu, 22 Jul 2010 10:29:07 +0000

Great article, but as for me it’s better to use iptables-{save,restore} commands instead of direct editing of /etc/sysconfig/iptables

By: Vivek Gite

Vivek Gite — Thu, 17 Jun 2010 17:52:21 +0000

Thanks for the heads up!

By: Lekensteyn

Lekensteyn — Thu, 17 Jun 2010 16:52:51 +0000

You’ve got a typo in your section ‘Edit /etc/sysctl.conf For DoS and Syn Protection’:
“et.ipv4.conf.all.log_martians = 1″
should be:
“net.ipv4.conf.all.log_martians = 1″

By: Vivek Gite

Vivek Gite — Mon, 11 Jan 2010 04:41:06 +0000

@pd,

Thanks, I’ve commented out those lines in script, since output policy is set to established.

HTH

By: pd

pd — Mon, 11 Jan 2010 01:55:00 +0000

Yes, I found the problem in below lines, OUTPUT should be with “-o” not “-i”

# allow incomming ICMP ping pong stuff
$IPT -A INPUT -i ${PUB_IF} -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -i ${PUB_IF} -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow port 53 tcp/udp (DNS Server)
$IPT -A INPUT -i ${PUB_IF} -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -i ${PUB_IF} -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED  -j ACCEPT
$IPT -A OUTPUT -i ${PUB_IF} -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

Vivek need to update this script.

By: pd

pd — Mon, 11 Jan 2010 01:44:03 +0000

I run this firewall script on centos 5.4 and got these errors

[root@localhost scripts]# ./iptables.sh
Setting sysctl IPv4 settings...
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
error: "net.ipv4.icmp_ignore_bogus_error_messages" is an unknown key
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
kernel.exec-shield = 1
kernel.randomize_va_space = 1
Starting IPv4 Firewall...
iptables v1.3.5: Can't use -i with OUTPUT
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Can't use -i with OUTPUT
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Can't use -i with OUTPUT
Try `iptables -h' or 'iptables --help' for more information.

By: gorfou

gorfou — Tue, 17 Nov 2009 16:48:09 +0000

Hi,
I am trying to install a custom iptables configuration within a fresh centos/kickstart install.
I have my custom package which installs the file /etc/sysconfig/iptables during kickstart installation.
However, this file is erased by the default one upon first reboot.

Does anyone know what script is responsible for resetting it ?

By: yoander (sedlav)

yoander (sedlav) — Tue, 10 Nov 2009 14:35:41 +0000

Easy Firewall Generator for IPTables is an iptables script generator, you can play with different options is an excellent tool for newbie.

By: Vivek Gite

Vivek Gite — Tue, 10 Nov 2009 14:11:15 +0000

@Marcus,

I don’t think so there are any such program under Linux. Almost all network program open privileged or unprivileged ports. You can run netstat program to find out port number and add rule manually.

By: Marcus

Marcus — Tue, 10 Nov 2009 13:50:39 +0000

I’m curious, can you set it up so a certain program is authorized to send/receive data? This is a feature of the Windows Firewall. It makes it easier for programs that don’t publish the ports they work on.

By: Bill Baily

Bill Baily — Tue, 10 Nov 2009 12:16:42 +0000

No mention of *all* the tables then. Mmmm. Perhaps this is just an iptable (rather than an iptables) guide, :-P