Basic IPTABLES rules

Open up ports for selected services:
---------------------------
Now we can start adding selected services to our firewall filter. The first such thing is the localhost interface:

iptables -A INPUT -i lo -j ACCEPT
We tell iptables to append (-A) a rule to the INPUT chain of the filter table that accepts (-j ACCEPT) any traffic arriving on the loopback interface (-i lo). Localhost is often used for, e.g., your website or email server talking to a database installed on the same machine. That way our VPS can use the database, but the database is closed to the internet, provided it listens on 127.0.0.1 only or the INPUT chain has a DROP default policy. Keep in mind that every ACCEPT rule in this section only has an effect when the INPUT chain's default policy is DROP or a catch-all REJECT rule follows them (as in the "reject all incoming traffic except ssh" recipe further down this page); with the factory default policy of ACCEPT every port is already open and these rules change nothing.

Next, we can allow web server traffic:

iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
We appended two rules to the INPUT chain with the ACCEPT target, one for HTTP (port 80) and one for HTTPS (port 443), allowing traffic in on those ports. Next, let's allow users to reach our SMTP server:
iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

As stated before, if we can influence our users, we should prefer the TLS-protected version (port 465, SMTP over TLS), but often we can't dictate the terms and clients will connect using port 25, where passwords are much easier to sniff unless the session is upgraded with STARTTLS. Mail clients that submit through the standard submission port use 587, which the list above does not open; add it if your users need it. We proceed to allow the users to read email on the server:

iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
Those two rules allow POP3 traffic (plain on 110, over TLS on 995). Again, we could increase the security of our email server by offering only the TLS version of the service. Then we also need to allow the IMAP mail protocol:

iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

Limiting SSH access
We should also allow SSH traffic, so we can connect to the VPS remotely. The simple way to do it is this command, which accepts SSH from any source address:

iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Once that works, restrict it: the recipes further down this page show how to accept port 22 only from a specific source address or address range and reject everyone else, which cuts the password-guessing traffic against the server considerably.


Block the most common attacks:
---------------------------
VPSs usually come with an empty configuration: all traffic is allowed. Just to make sure of this, we can flush the firewall rules, that is, erase them all:

iptables -F
Note that this erases every rule in the filter table, including the ACCEPT rules from the previous section, so on a real system the flush comes first and the service rules are added afterwards (the flush does not change the chains' default policies). We can then add a few simple firewall rules to block the most common attacks, to protect our VPS from script kiddies. We can't really count on iptables alone to protect us from a full-scale DDoS or similar, but we can at least put off the usual network scanning bots that will eventually find our VPS and start looking for security holes to exploit. First, we block null packets:

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
We told the firewall to take all incoming TCP packets with no flags set and just DROP them. Null packets are recon packets: a TCP segment with no flags at all is never legitimate, and port scanners send them (nmap's -sN "null scan") to fingerprint how the host and its firewall respond. The next rule handles new connections that do not start with a SYN:

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
The connection tracker classifies a packet as NEW when it belongs to no connection it already knows. A legitimate TCP connection always begins with a bare SYN, so a NEW packet without the SYN flag (an ACK, FIN or RST probe as sent by nmap's -sA and -sF scans, or a stray packet arriving after its tracking entry expired) is bogus and is dropped. This rule is often labelled "syn-flood protection", which it is not: a SYN flood consists of valid SYN packets, which this rule passes. SYN cookies (net.ipv4.tcp_syncookies) and rate limiting are the tools for that. Now we move on to one more common pattern, XMAS packets, also a recon packet:

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
This drops packets with every TCP flag set, another combination no real stack sends. Note that nmap's Xmas scan (-sX) sets only FIN, PSH and URG, which this rule does not match; matching that flag combination explicitly covers the actual scan as well. On current kernels -m state is an alias for -m conntrack --ctstate, which is the preferred spelling.
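Putting the two sections above together, here is an added example (not code from the original page) of the same rules expressed as one iptables-restore file, generated by a small shell script. It supplies what the page leaves implicit: a DROP default policy on INPUT (without it the ACCEPT rules change nothing), an ACCEPT for ESTABLISHED,RELATED return traffic, an explicit FIN,PSH,URG drop for the real Xmas scan, and anti-spoofing drops on the public interface. The public interface name (eth0) and the single administrative address allowed to reach SSH (ADMIN_IP, a 203.0.113.0/24 documentation address) are assumptions, not from the page.

```sh
#!/bin/sh
# Added example, not code from the original page: the rules from the
# "open up ports" and "block the most common attacks" sections assembled as
# one ruleset in iptables-restore format. Loading the whole table at once
# (iptables-restore < file) avoids the window where "iptables -F" has run
# but the ACCEPT rules have not yet been re-added, and the default DROP
# policy is what makes the ACCEPT rules meaningful in the first place.
#
# Assumptions that are not on the page: the public interface is eth0 and
# SSH is accepted only from one administrative address (ADMIN_IP, a
# TEST-NET-3 documentation address here; replace it with your own).
PUB_IF="${PUB_IF:-eth0}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

# TCP services the page opens: HTTP/HTTPS, SMTP, POP3 and IMAP.
SERVICE_PORTS="80 443 25 465 110 995 143 993"

# Print the complete filter table to stdout. Rules are evaluated top to
# bottom and the first match wins, so the bogus-flag drops come before any
# ACCEPT, and ESTABLISHED,RELATED is accepted before the per-port rules so
# that replies to the host's own outbound connections get back in despite
# the DROP policy.
gen_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'      # default deny: unlisted ports are dropped
    printf '%s\n' ':FORWARD DROP [0:0]'    # this host is not a router
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'

    # Recon packets: no flags, all flags, and nmap's Xmas combination
    # (FIN,PSH,URG), which "--tcp-flags ALL ALL" alone does not catch.
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL NONE -j DROP'
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL ALL -j DROP'
    printf '%s\n' '-A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP'
    # A packet that opens no known connection must be a SYN.
    printf '%s\n' '-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP'

    # Loopback and return traffic.
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'

    # Anti-spoofing: private source addresses never arrive on the public side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        printf '%s\n' "-A INPUT -i $PUB_IF -s $net -j DROP"
    done

    # Public services: only a SYN may open a new connection on these ports.
    for port in $SERVICE_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --syn --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done

    # SSH from the admin address only; everyone else hits the DROP policy.
    printf '%s\n' "-A INPUT -p tcp --syn -s $ADMIN_IP --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Number of ACCEPT rules for a given destination port in the generated set;
# a quick sanity check before loading (0 means the port stays closed).
count_port_rules() {
    gen_rules | grep -c -e "--dport $1 .*-j ACCEPT" || true
}

gen_rules
```

Load it in one step with gen_rules > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables, preferably from the console, and confirm that count_port_rules 22 prints 1 before you do, because a typo in ADMIN_IP locks you out of SSH. iptables-restore replaces the table atomically, so there is no moment where the host is unfiltered or SSH is closed, which a sequence of iptables -F and iptables -A commands cannot guarantee.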

Rule: iptables to drop incoming ping requests
This iptables rule will DROP all incoming ping requests (ICMP echo requests). Only echo-request is matched, so other ICMP types, such as the destination-unreachable messages that path MTU discovery depends on, still get through.

NOTE: it is possible to use REJECT instead of DROP. The difference between DROP and REJECT is that DROP silently discards the incoming packet, whereas REJECT returns an ICMP error (or a TCP RST, with --reject-with tcp-reset) to the sender. DROP makes a port scanner wait for a timeout on every probe; REJECT is friendlier to legitimate clients, which fail immediately instead of hanging.

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Rule: iptables to reject outgoing telnet connections
This iptables rule will reject any outgoing traffic to any host where the destination port is 23 (telnet). Service names are looked up in /etc/services, so "telnet" and "23" are equivalent here.

# iptables -A OUTPUT -p tcp --dport telnet -j REJECT
Rule: iptables to reject incoming telnet connections
Refuse all incoming connection requests to local port 23 (telnet).

# iptables -A INPUT -p tcp --dport telnet -j REJECT
Rule: iptables to reject outgoing ssh connections
Refuse all outgoing connections to remote port 22 (ssh).

# iptables -A OUTPUT -p tcp --dport ssh -j REJECT
Rule: iptables to reject incoming ssh connections
Refuse all incoming connections to local port 22 (ssh).

# iptables -A INPUT -p tcp --dport ssh -j REJECT
Rule: iptables to reject all incoming traffic except ssh and local connections
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECT
Order matters: the two ACCEPT rules must precede the catch-all REJECT, because the first matching rule wins. As written, the final REJECT also refuses the replies to connections the host itself initiates (DNS answers, package downloads), since those arrive on INPUT as well; in practice an ACCEPT for packets in the ESTABLISHED,RELATED connection-tracking states (the -m state / -m conntrack match used earlier on this page) belongs before the REJECT.
Rule: iptables to accept incoming ssh connections from specific IP address
Using these iptables rules we will reject all incoming connections to port 22 (ssh) except from the host with IP address 77.66.55.44. What it means is that only the host with IP 77.66.55.44 will be able to ssh in. Add the ACCEPT before the REJECT, and add them from a session that will survive the change (the console, or a session from 77.66.55.44 itself), since a mistake here locks you out.

# iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECT
Rule: iptables to accept incoming ssh connections from specific MAC address
Using these iptables rules we will reject all incoming connections to port 22 (ssh) except from the host with MAC address 00:e0:4c:f1:41:6b. In other words, all ssh connections will be limited to a single host with that MAC address. This only works on the local Ethernet segment: the source MAC of a packet that has crossed a router is the router's, not the original sender's, and MAC addresses are trivial to spoof on the local network, so treat this as a convenience filter rather than authentication.

# iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECT
Rule: iptables to reject incoming connections on a specific TCP port
The following iptables rule will reject all incoming traffic on TCP port 3333; the client receives an ICMP port-unreachable error instead of waiting for a timeout.

# iptables -A INPUT -p tcp --dport 3333 -j REJECT
Rule: iptables to drop incoming traffic from a private subnet on a specific network interface
The following rule will drop incoming traffic on a specific network interface coming from the subnet 192.168.0.0/16. This is very useful for dropping spoofed IP addresses: if eth0 is the external network interface, no incoming traffic with a source address from the internal network should ever arrive on eth0. The same applies to the other private ranges, 10.0.0.0/8 and 172.16.0.0/12, and the kernel's reverse-path filter (net.ipv4.conf.all.rp_filter) catches a broader class of spoofed sources automatically.

# iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
Rule: iptables to create a simple IP Masquerading gateway
The following rules create a simple IP masquerading gateway that allows all hosts on the same subnet to access the Internet through this machine. Here eth0 is the external interface connected to the Internet. Forwarding must be enabled in the kernel first; the echo below is not persistent across reboots, so also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf. If the FORWARD chain's policy is DROP, forwarding between the internal interface and eth0 has to be allowed there as well, or nothing gets through despite the masquerade rule.

# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
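As an added example (not the page's own code), the masquerading rule above extended into a working gateway: the nat table, the FORWARD rules that a DROP policy requires, and the kernel settings. It assumes a LAN of 192.168.1.0/24 behind eth1 with eth0 as the public interface; none of those values come from the page.

```sh
#!/bin/sh
# Added example, not code from the original page: a masquerading gateway as a
# complete ruleset rather than the single POSTROUTING rule. Assumptions not on
# the page: the LAN sits behind eth1 as 192.168.1.0/24 and eth0 is the public
# interface. MASQUERADE only rewrites the source address; the kernel must also
# be allowed to forward (ip_forward) and, with a DROP policy on FORWARD, told
# which forwarded traffic is permitted, otherwise nothing gets through.
EXT_IF="${EXT_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# nat table: masquerade only traffic from our LAN that leaves via the public
# interface, so a packet with some other source is never rewritten.
gen_nat_table() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $EXT_IF -j MASQUERADE
COMMIT
EOF
}

# filter table, FORWARD chain only: LAN hosts may open connections outwards,
# replies come back through conntrack, and nothing from the Internet may
# start a connection into the LAN. A packet claiming a LAN source on the
# public interface is spoofed and is dropped before anything else.
gen_forward_rules() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $EXT_IF -s $LAN_NET -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Kernel settings the gateway needs; a file under /etc/sysctl.d/ makes them
# survive a reboot, unlike "echo 1 > /proc/sys/net/ipv4/ip_forward".
gen_sysctl() {
    printf '%s\n' 'net.ipv4.ip_forward = 1' \
                  'net.ipv4.conf.all.rp_filter = 1'
}

gen_nat_table
gen_forward_rules
gen_sysctl
```

Write the gen_sysctl lines to a file in /etc/sysctl.d/ and apply them with sysctl --system, then load the two tables with iptables-restore --noflush so the FORWARD rules are appended to whatever INPUT rules are already loaded; a plain iptables-restore would replace the whole filter table. The order inside FORWARD matters: the spoof drop comes first so a packet claiming a LAN source on eth0 can never be matched by the conntrack ACCEPT below it.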
Rule: Reject all incoming telnet traffic except from specified IP address
The following iptables rule will reject all incoming telnet traffic except connection requests from IP 222.111.111.222 (the "!" negates the source match). Note that this does not by itself accept the connection from 222.111.111.222; it simply leaves it to the rest of the chain and the default policy.

# iptables -t filter -A INPUT ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT
Rule: Reject all incoming ssh traffic except from specified IP address range
The following iptables rule will reject all incoming ssh traffic except connection requests from the IP address range 10.1.1.90 - 10.1.1.100.

Removing the negator "!" from the rule below instead rejects all ssh traffic originating from the range 10.1.1.90 - 10.1.1.100.

# iptables -t filter -A INPUT -m iprange ! --src-range 10.1.1.90-10.1.1.100 -p tcp --dport 22 -j REJECT
Rule: iptables to reject all outgoing traffic to a specific remote host
The following iptables rule will reject all outgoing traffic to the remote host with IP address 222.111.111.222, whatever the protocol or port.

# iptables -A OUTPUT -d 222.111.111.222 -j REJECT
Rule: iptables to block access to a specific website
The following iptables rule will drop all incoming traffic from facebook.com where the source port is 80 (www), so HTTP responses from the site never reach the local clients.

# iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP
NOTE: iptables resolves the hostname once, when the rule is added, and installs one rule per address the name resolves to at that moment. Large sites map a single name to many addresses and change them constantly, so such a rule is out of date almost immediately. It also does nothing for HTTPS (port 443), which is how the site is actually reached, and it covers www.facebook.com only if that name resolves to the same addresses. Treat the rule as a demonstration of hostname resolution in iptables rather than a web filter; a DNS-based block or a proxy is the reliable way to block a website.
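Because of those caveats, the hostname form is best replaced by resolving the name yourself and generating one rule per address. The script below is an added example, not the page's code: it takes addresses as arguments, refuses anything that is not a well-formed IPv4 address before building a rule from it, and blocks both 80 and 443 on OUTPUT, where the local client's connection originates. The sample addresses in it are constructed documentation addresses (198.51.100.0/24), not the addresses of any real site.

```sh
#!/bin/sh
# Added example, not code from the original page: a safer version of blocking a
# website by address. Instead of letting iptables resolve a hostname once at
# insertion time, the caller resolves it (see the usage note) and passes the
# addresses in; each one is validated before it is interpolated into a rule,
# one REJECT is emitted per address, and both HTTP and HTTPS are covered in
# the OUTPUT direction, where the client's connection actually starts.
# The sample addresses at the bottom are constructed (TEST-NET-2), not real
# addresses of any site.

# Strict dotted-quad check: four decimal numbers 0-255, no leading zeros,
# nothing else. Returns 0 for a valid address, 1 otherwise.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^((25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$'
}

# Emit one iptables-restore line per valid address given as an argument.
# Invalid arguments are reported on stderr and skipped rather than inserted
# into a rule, so a malformed or poisoned resolver answer cannot smuggle
# anything into the ruleset. Returns the number of addresses skipped.
block_site_rules() {
    skipped=0
    for ip in "$@"; do
        if is_ipv4 "$ip"; then
            printf '%s\n' "-A OUTPUT -d $ip -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset"
        else
            printf 'skipping invalid address: %s\n' "$ip" >&2
            skipped=$((skipped + 1))
        fi
    done
    return "$skipped"
}

# Wrap the rules in a filter table fragment for "iptables-restore --noflush",
# which appends them without touching the rules already loaded.
gen_block_table() {
    printf '%s\n' '*filter'
    block_site_rules "$@" || true   # a skipped address is not fatal here
    printf '%s\n' 'COMMIT'
}

# Constructed sample input: two addresses and one line of junk of the kind a
# broken lookup might produce.
gen_block_table 198.51.100.7 198.51.100.8 'not-an-address; rm -rf /'
```

To block a real name, resolve it first and pass the result in, for instance gen_block_table $(getent ahostsv4 www.example.com | awk '{print $1}' | sort -u) | iptables-restore --noflush, and re-run it from a timer, since the answers change. getent ahostsv4 goes through the same local resolver that iptables would use; the difference is that the addresses are validated, visible in the generated file, and refreshable without re-adding rules by hand.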

Saving IpTables Rules:
---------------------------
iptables-save | sudo tee /etc/sysconfig/iptables
The iptables configuration file on CentOS is located at /etc/sysconfig/iptables. The above command saved the rules we created into that file, in the same format that iptables-restore reads. On CentOS 7 and later this file is only used by the iptables-services package (the "iptables" service), which has to be installed and enabled in place of the default firewalld; otherwise the rules are gone after a reboot. Just to make sure everything works, we can restart the firewall:

service iptables restart
