Linux: Iptables Allow PostgreSQL server incoming request

Posted on in Categories Howto, Iptables, Linux, Postgresql last updated July 28, 2005

PostgreSQL is an object relational database system that has the features of traditional commercial database systems with enhancements to be found in next-generation DBMS systems. PostgreSQL is free and the complete source code is available.

Open port 5432

By default PostgreSQLt listen on TCP port 5432. Use the following iptables rules allows incoming client request (open port 5432) for server IP address 202.54.1.20 :

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 202.54.1.20 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 5432 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

As posted earlier, you do not wish give access to everyone. For example in web hosting company or in your own development center, you need to gives access to POSTGRES database server from web server only. Following example allows POSTGRES database server access (202.54.1.20) from Apache web server (202.54.1.50) only:

iptables -A INPUT -p tcp -s 202.54.1.50 --sport 1024:65535 -d 202.54.1.20 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 5432 -d 202.54.1.50 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Allow outgoing POSTGRES client request (made via postgresql command line client or perl/php script), from firewall host 202.54.1.20:

iptables -A OUTPUT -p tcp -s 202.54.1.20 --sport 1024:65535 -d 0/0 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 5432 -d 202.54.1.20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Linux Iptables: How to block or open mail server / SMTP protocol

Posted on in Categories CentOS, Debian Linux, Iptables, Linux, Networking, RedHat/Fedora Linux, Security last updated July 22, 2005

SMTP is used to send mail. Sendmail, Qmail, Postfix, Exim etc all are used on Linux as mail server. Mail server uses the TCP port 25. Following two iptable rule allows incoming SMTP request on port 25 for server IP address 202.54.1.20 (open port 25):
iptables -A INPUT -p tcp -s 0/0 –sport 1024:65535 -d 202.54.1.20 –dport 25 -m state –state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s 202.54.1.20 –sport 25 -d 0/0 –dport 1024:65535 -m state –state ESTABLISHED -j ACCEPT

In order to block port 25 simply use target REJECT instead of ACCEPT in above rules.

And following two iptables rules allows outgoing SMTP server request for server IP address 202.54.1.20:
iptables -A OUTPUT -p tcp -s 202.54.1.20 –sport 1024:65535 -d 0/0 –dport 25 -m state –state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -p tcp -s 0/0 –sport 25 -d 202.54.1.20 –dport 1024:65535 -m state –state ESTABLISHED -j ACCEPT

Linux Iptables block incoming access to selected or specific ip address

Posted on in Categories Debian Linux, Gentoo Linux, Iptables, Linux, Networking, RedHat/Fedora Linux, Security, Suse Linux, Ubuntu Linux last updated June 24, 2005

Sometime it is necessary to block incoming connection or traffic from specific remote host. iptables is administration tool for IPv4 packet filtering and NAT under Linux kernel. Following tip will help you to block attacker or spammers IP address.

How do I block specific incoming ip address?

Following iptable rule will drop incoming connection from host/IP 202.54.20.22:

iptables -A INPUT -s 202.54.20.22 -j DROP
iptables -A OUTPUT -d 202.54.20.22 -j DROP

A simple shell script to block lots of IP address

If you have lots of IP address use the following shell script:

A) Create a text file:

# vi /root/ip.blocked
Now append IP address:

# Ip address block  file
202.54.20.22
202.54.20.1/24
#65.66.36.87

B) Create a script as follows or add following script line to existing iptables shell script:

BLOCKDB=”/root/ip.blocked”
IPS=$(grep -Ev "^#" $BLOCKDB)
for i in $IPS
do
iptables -A INPUT -s $i -j DROP
iptables -A OUTPUT -d $i -j DROP
done

C) Save and close the file.

How to: Linux flush or remove all iptables rules

Posted on in Categories Debian Linux, Howto, Iptables, Linux, Networking, RedHat/Fedora Linux, Ubuntu Linux last updated June 20, 2005

Here is a small script that does this. Debian or Ubuntu GNU/Linux does not comes with any SYS V init script (located in /etc/init.d directory). You create a script as follows and use it to stop or flush the iptables rules. Please don’t type rules at the command prompt. Use the script to speed up work.

Warning: All the commands must be executed with root privileges.

Procedure for Debian / Ubuntu Linux (Generic method)

First, create /root/fw.stop script using text editor such as vi:

#!/bin/sh
echo "Stopping firewall and allowing everyone..."
ipt="/sbin/iptables"
## Failsafe - die if /sbin/iptables not found
[ ! -x "$ipt" ] && { echo "$0: \"${ipt}\" command not found."; exit 1; }
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -t mangle -F
$ipt -t mangle -X
$ipt iptables -t raw -F
$ipt -t raw -X

Make sure you can execute the script:
# chmod +x /root/fw.stop

Run the script as root user:
# /root/fw.stop

How do I verify that my firewall rules are flushed out?

Type the following command:
# iptables -L -n -v
Sample outputs:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination

A note for RedHat (RHEL), CentOS and friends Linux user

Please note that RedHat Enterprise Linux (RHEL), Fedora and Centos Linux comes with pre-installed rc.d script, which can be used to stop the firewall, enter:
# /etc/init.d/iptables stop
OR
# service iptables stop
Sample outputs:

A note about firewalld on CentOS 7/Fedora (latest)/RedHat Enterprise Linux 7.x+ user

Type the following command to stop and flush all rules:
# systemctl stop firewalld

Virtuozzo iptables firewall

Posted on in Categories CentOS, Howto, Iptables, Linux, RedHat/Fedora Linux last updated December 5, 2004

Recently I got chance to play with Virtuozzo VPS. Good news is they are good to reduced cost and bad news (as of Dec-04, 2004) they do not support full iptables rule set like –state and –log etc. After spending more than 4+ hrs I was able to setup simple but effective firewall on Red hat enterprise linux Virtuozzo VPS. Here is script. Make sure you customize it for your environment.