18 Examples to Learn Iptable Rules On CentOS

Iptables is the administration tool for IPv4 packet filtering and NAT. It is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains. Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.

A firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values ACCEPT, DROP, QUEUE or RETURN.

  • ACCEPT means to let the packet through.
  • DROP means to drop the packet on the floor.
  • QUEUE means to pass the packet to userspace.
  • RETURN means stop traversing this chain and resume at the next rule in the previous chain.

There are four chains in total:

  • INPUT - The default chain used for packets addressed to the system. Use this to open or close incoming ports and IP addresses/subnets.
  • OUTPUT - The default chain used for packets generated by the system. Use this to open or close outgoing ports and IP addresses/subnets.
  • FORWARD - The default chain used for packets that are routed through the system to another interface. Usually used when you set up Linux as a router.
  • RH-Firewall-1-INPUT - This is a user-defined custom chain. It is used by the INPUT, OUTPUT and FORWARD chains.

Installation of Iptables

We can install iptables via the following command.

[root@vpn ~]# yum install iptables -y

Check the iptables version:

[root@vpn ~]# iptables --version
iptables v1.3.5

Check iptables status:

[root@vpn ~]# service iptables status

Start iptables:

[root@vpn ~]# service iptables start
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter [ OK ]
Unloading iptables modules: [ OK ]

To start iptables at boot:

[root@vpn ~]# chkconfig iptables on

The default configuration file on CentOS is /etc/sysconfig/iptables. The system init script activates the firewall by reading this file.

Iptable Rules

1) Flush all rules (-F) and delete user-defined chains (-X); necessary if you have already defined iptables rules

#iptables -t filter -F
#iptables -t filter -X

2) Display the status of the firewall

#iptables -L -n -v

3) Blocking null packets

#iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

4) Reject SYN-flood attack

#iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

5) Reject a recon Packet

#iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

6) Adding localhost interface to the firewall filter

#iptables -A INPUT -i lo -j ACCEPT

7) Allow web server traffic

#iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

8) Allow users to use SMTP servers

#iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

9) Allow users to read email on the server

Allow POP3 traffic

#iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

Allow IMAP traffic

#iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
#iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

10) Allow ssh traffic

#iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Allow traffic to the SSH port only if it comes from one specific source address

#iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT

11) Allow established outgoing connections to receive their replies

#iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

12) Block an IP address

#iptables -A INPUT -s IP_ADDRESS -j DROP

13) Block a Port for a specific IP Address

#iptables -A INPUT -p tcp -s IP_ADDRESS --dport PORT -j DROP

14) Open a port for a Specific IP Address

#iptables -A INPUT -p tcp -s IP_ADDRESS --dport PORT -j ACCEPT

15) Allow Printer for a Specific IP address

#iptables -A INPUT -s IP_ADDRESS -p udp -m udp --dport 631 -j ACCEPT

16) Open DNS

#iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

17) Open MYSQL Port

#iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

18) Open a range of ports (e.g. 7000-7100)

#iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7100 -j ACCEPT

After setting all the rules, you need to save them and restart iptables:

#service iptables save

#service iptables restart
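As an added example (not code from the original post), the script below assembles the tutorial's rules into one ruleset in the iptables-save format that /etc/sysconfig/iptables uses, so the whole set loads in a single step rather than being typed rule by rule. The two addresses passed to gen_ruleset are assumed placeholders (the admin host allowed to reach SSH and the host to block); the helper rule_line is also an addition used to verify rule ordering.

```shell
#!/bin/sh
# Added example, not code from the original post: build the tutorial's rules
# into one ruleset in iptables-save format (what /etc/sysconfig/iptables holds).
# Assumed placeholders (not real hosts): $1 = admin address allowed to reach
# SSH, $2 = address to block entirely.
#
# Two things the rule list alone does not show:
#  1. "service iptables start" sets the INPUT policy to ACCEPT, so the ACCEPT
#     rules change nothing until the policy is DROP (set here in the header).
#  2. Matching is first-hit: loopback and ESTABLISHED,RELATED go first, and the
#     blocked host must come before any per-port ACCEPT or it still gets in.
gen_ruleset() {
    admin_ip=$1
    blocked_ip=$2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 6) loopback, 11) replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3) null packets, 4) non-SYN new connections, 5) all-flags recon packets
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# 12) blocked host, placed before every ACCEPT so it really is blocked
-A INPUT -s $blocked_ip -j DROP
# 10) SSH only from the admin address
-A INPUT -p tcp -m tcp -s $admin_ip --dport 22 -j ACCEPT
# 7) web, 8) SMTP, 9) POP3 and IMAP
EOF
    for port in 80 443 25 465 110 995 143 993; do
        echo "-A INPUT -p tcp -m tcp --dport $port -j ACCEPT"
    done
    echo "COMMIT"
}

# Line number (1-based) of the first line matching a pattern in a ruleset read
# from stdin; lets you check ordering before loading anything into the kernel.
rule_line() {
    grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Usage (constructed addresses): gen_ruleset 203.0.113.10 198.51.100.7 > rules.txt
```

Load the generated file with `iptables-restore < rules.txt`, or write it to /etc/sysconfig/iptables so `service iptables start` picks it up at boot.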
