≡ Menu

iptables command

Linux: Iptables Allow MYSQL server incoming request on port 3306

MySQL database is a popular for web applications and acts as the database component of the LAMP, MAMP, and WAMP platforms. Its popularity as a web application is closely tied to the popularity of PHP, which is often combined with MySQL. MySQL is open source database server and by default it listen on TCP port 3306. In this tutorial you will learn how to open TCP port # 3306 using iptables command line tool on Linux operating system.
[click to continue…]

Sysadmin because even developers need heroes!!!

Linux Iptables block or open DNS / bind service port 53

The domain name service provided by BIND (named) software. It uses both UDP and TCP protocol and listen on port 53. DNS queries less than 512 bytes are transferred using UDP protocol and large queries are handled by TCP protocol such as zone transfer.

i) named/bind server – TCP/UDP port 53

ii)Client (browser, dig etc) – port > 1023

Allow outgoing DNS client request:

Following iptables rules can be added to your shell script.

SERVER_IP is your server ip address

DNS_SERVER stores the nameserver (DNS) IP address provided by ISP or your own name servers.

Following rules are useful when you run single web/smtp server or even DSL/LL/dialup Internet connections:

for ip in $DNS_SERVER
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT-p tcp -s $SERVER_IP --sport 1024:65535 -d $ip --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s $ip --sport 53 -d $SERVER_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

(B) Allow incoming DNS request at port 53:

Use following rules only if you are protecting dedicated DNS server.

SERVER_IP is IP address where BIND(named) is listing on port 53 for incoming DNS queries.

Please note that here I’m not allowing TCP protocol as I don’t have secondary DNS server to do zone transfer.

iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT

Please note if you have secondary server, add following rules to above rules so that secondary server can do zone transfer from primary DNS server:

iptables -A INPUT -p tcp -s $DNS2_IP --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d $DNS2_IP --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

How to: Linux Iptables block common attacks

Following list summaries the common attack on any type of Linux computer:

Syn-flood protection

In this attack system is floods with a series of SYN packets. Each packets causes system to issue a SYN-ACK responses. Then system waits for ACK that follows the SYN+ACK (3 way handshake). Since attack never sends back ACK again entire system resources get fulled aka backlog queue. Once the queue is full system will ignored incoming request from legitimate users for services (http/mail etc). Hence it is necessary to stop this attack with iptables.

Force SYN packets check

Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force Fragments packets check

Packets with incoming fragments drop them. This attack result into Linux server panic such data loss.

iptables -A INPUT -f -j DROP

XMAS packets

Incoming malformed XMAS packets drop them:

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop all NULL packets

Incoming malformed NULL packets:

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Block Spoofing and bad addresses

Using iptables you can filter to drop suspicious source address. Network server should not accept packets claiming from the Internet that claim to originate from inside your network. Spoofing can be classified as:
a) IP spoofing – Disable the source address of authentication, for example rhosts based authentication. Filter RPC based services such as portmap and NFS,
b) DNS spoofing
Please see Iptables: How to avoid Spoofing and bad addresses attack tip for more information.

Also use NAT for your internal network. This makes difficult for attacker to spoof IP address from outside.

Filter incoming ICMP, PING traffic

It includes the ping of death attack and ICMP floods. You should block all ICMP and PING traffic for outside except for your own internal network (so that you can ping to see status of your own server) . See Linux : Iptables Allow or block ICMP ping request article.

Once system is secured, test your firewall with nmap or hping2 command:
# nmap -v -f FIREWALL-IP
# nmap -v -sX FIREWALL-IP
# nmap -v -sN FIREWALL-IP
# hping2 -X FIREWALL-IP

Further readings

  • Man page : hping2(8), nmap(1), iptables(8)

Linux Iptables allow or block ICMP ping request

The Internet Control Message Protocol (ICMP) has many messages that are identified by a “type” field. You need to use 0 and 8 ICMP code types.

=> Zero (0) is for echo-reply

=> Eight (8) is for echo-request.

To enable ICMP ping incoming client request use following iptables rule (you need to add following rules to script).

My default firewall policy is blocking everything.

Task: Enable or allow ICMP ping incoming client request

Rule to enable ICMP ping incoming client request ( assuming that default iptables policy is to drop all INPUT and OUTPUT packets)

iptables -A INPUT -p icmp --icmp-type 8 -s 0/0 -d $SERVER_IP -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type 0 -s $SERVER_IP -d 0/0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Task: Allow or enable outgoing ping request

To enable ICMP ping outgoing request use following iptables rule:

iptables -A OUTPUT -p icmp --icmp-type 8 -s $SERVER_IP -d 0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -p icmp --icmp-type 0 -s 0/0 -d $SERVER_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

How do I disable outgoing ICMP request?

Use the following rules:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j DROP


iptables -A OUTPUT -p icmp --icmp-type 8 -j DROP

ICMP echo-request type will be block by above rule.

See ICMP TYPE NUMBERS (type fields). You can also get list of ICMP types, just type following command at shell prompt:
# /sbin/iptables -p icmp -h

Linux Iptables Avoid IP Spoofing And Bad Addresses Attacks

Spoofing and bad address attack tries to fool the server and try to claim that packets had come from local address/network.
[click to continue…]

Linux Iptables Block Outgoing Access To Selected or Specific IP Address / Port

You would like to block outgoing access to particular remote host/ip or port for all or selected service/port. In this quick tutorial I will explain how to use iptables to block outgoing access.
[click to continue…]

Linux Iptables block incoming access to selected or specific ip address

Sometime it is necessary to block incoming connection or traffic from specific remote host. iptables is administration tool for IPv4 packet filtering and NAT under Linux kernel. Following tip will help you to block attacker or spammers IP address.

How do I block specific incoming ip address?

Following iptable rule will drop incoming connection from host/IP

iptables -A INPUT -s -j DROP
iptables -A OUTPUT -d -j DROP

A simple shell script to block lots of IP address

If you have lots of IP address use the following shell script:

A) Create a text file:

# vi /root/ip.blocked
Now append IP address:

# Ip address block  file

B) Create a script as follows or add following script line to existing iptables shell script:

IPS=$(grep -Ev "^#" $BLOCKDB)
for i in $IPS
iptables -A INPUT -s $i -j DROP
iptables -A OUTPUT -d $i -j DROP  

C) Save and close the file.