{"id":38,"date":"2012-06-10T09:03:35","date_gmt":"2012-06-10T09:03:35","guid":{"rendered":"http:\/\/rmohan.com\/?p=38"},"modified":"2012-06-10T09:55:19","modified_gmt":"2012-06-10T09:55:19","slug":"iptables-firewall-on-centos","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=38","title":{"rendered":"IPTABLES Firewall on Centos"},"content":{"rendered":"

Firewall on Centos OS <\/strong><\/p>\n

#!\/bin\/sh
\n#
\n#<\/p>\n

## Set your IP address
\nMYIP=”192.168.1.108″
\n#
\n## Flush rules & reset counters
\n\/sbin\/iptables -F
\n\/sbin\/iptables -Z
\n#
\n## Set policies
\n\/sbin\/iptables -P INPUT DROP
\n\/sbin\/iptables -P FORWARD DROP
\n\/sbin\/iptables -P OUTPUT DROP
\n#
\n## Drop all incoming fragments
\n\/sbin\/iptables -A INPUT -i eth0 -f -j DROP
\n#
\n## Drop outside packets with local addresses – anti-spoofing measure
\n\/sbin\/iptables -A INPUT -s $MYIP -i ! lo -j DROP
\n\/sbin\/iptables -A INPUT -s 127.0.0.0\/8 -i ! lo -j DROP
\n\/sbin\/iptables -A INPUT -s 10.0.0.0\/8 -i ! lo -j DROP
\n\/sbin\/iptables -A INPUT -s 192.168.0.0\/16 -i ! lo -j DROP
\n\/sbin\/iptables -A INPUT -s 224.0.0.0\/4 -i ! lo -j DROP
\n\/sbin\/iptables -A INPUT -s 0.0.0.0\/8 -i ! lo -j DROP
\n\/sbin\/iptables -A INPUT -s 255.255.255.255 -i ! lo -j DROP
\n\/sbin\/iptables -A INPUT -s 169.254.0.0\/16 -i ! lo -j DROP
\n\/sbin\/iptables -A INPUT -s 221.240.102 -i ! lo -j DROP
\n\/sbin\/iptables -A INPUT -s 203.215.94.193 -i ! lo -j DROP
\n\/sbin\/iptables -A INPUT -s 218.71.137.68 -i ! lo -j DROP
\n#
\n## Pass all locally-originating packets
\n\/sbin\/iptables -A INPUT -i lo -j ACCEPT
\n\/sbin\/iptables -A OUTPUT -o lo -j ACCEPT
\n#
\n## Accept ICMP ping echo requests
\n## (this allows other people to ping your machine, among other things),
\n\/sbin\/iptables -A INPUT -p icmp –icmp-type echo-request -j ACCEPT
\n#
\n## Accept all traffic from a specific machine with IP x.x.x.x
\n## replace x.x.x.x with the desired IP, then uncomment the line.
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn -s xxx.xxx.xxx.xxx -j ACCEPT
\n#
\n## Accept traffic on port p from a specific machine with IP x.x.x.x
\n## replace p with the desired port number, and replace x.x.x.x with
\n## the desired IP, then uncomment the line.
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn -s x.x.x.x –dport p -j ACCEPT
\n#
\n## Accept ftp-data and ftp (ports 20 & 21)
\n\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 20 -j ACCEPT
\n\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 21 -j ACCEPT
\n#
\n## Accept ssh (port 22)
\n\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 22 -j ACCEPT
\n#
\n## Accept telnet (port 23)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 23 -j ACCEPT
\n#
\n## Accept smtp (port 25)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 25 -j ACCEPT
\n## Accept dns (port 53)
\n\/sbin\/iptables -A INPUT -p udp -m udp -s 0\/0 –dport 53 -d 0\/0 -j ACCEPT
\n\/sbin\/iptables -A INPUT -p tcp -m tcp -s 0\/0 –dport 53 -d 0\/0 -j ACCEPT
\n#
\n## Accept http (port 80)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 80 -j ACCEPT
\n#
\n## Accept pop3 (port 110)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 110 -j ACCEPT
\n#
\n## Accept inbound identd (port 113)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 113 -j ACCEPT
\n## or you can reject and send back a TCP RST packet instead
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –dport 113 -j REJECT –reject-with tcp-reset
\n#
\n## Accept imap (port 143)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 143 -j ACCEPT
\n#
\n## Accept https (port 443)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 443 -j ACCEPT
\n#
\n## Accept smtps (port 465)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 465 -j ACCEPT
\n## Accept msp (port 587)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 587 -j ACCEPT
\n#
\n## Accept SpamAssassin (port 783)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 783 -j ACCEPT
\n#
\n## Accept imaps (port 993)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 993 -j ACCEPT
\n#
\n## Accept pop3s (port 995)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 995 -j ACCEPT
\n#
\n## Accept mysql (port 3306)
\n#\/sbin\/iptables -A INPUT -p tcp -m tcp –syn –dport 3306 -j ACCEPT
\n#
\n## Allow inbound established and related outside communication
\n\/sbin\/iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
\n#
\n## Drop outside initiated connections
\n\/sbin\/iptables -A INPUT -m state –state NEW -j REJECT
\n#
\n## Allow all outbound tcp, udp, icmp traffic with state
\n\/sbin\/iptables -A OUTPUT -p tcp -m state –state NEW,ESTABLISHED -j ACCEPT
\n\/sbin\/iptables -A OUTPUT -p udp -m state –state NEW,ESTABLISHED -j ACCEPT
\n\/sbin\/iptables -A OUTPUT -p icmp -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
\n#
\n## Save rules
\nservice \/sbin\/iptables save
\n#
\n#
\necho “\/sbin\/iptables configuration is complete”
\necho “”
\necho “Check your rules – \/sbin\/iptables -L -n”
\necho “”<\/p>\n

Redhat Linux IPTABLES <\/strong><\/p>\n

==============================================================================================
\n==============================================================================================
\n# Generated by iptables-save v1.3.5 on Sat Dec 10 05:28:35 2011
\n*filter
\n:INPUT DROP [0:0]
\n:FORWARD DROP [0:0]
\n:OUTPUT ACCEPT [59:18308]
\n:RH-Firewall-1-INPUT – [0:0]
\n:SSH_CHECK – [0:0]
\n-A INPUT -j RH-Firewall-1-INPUT
\n-A INPUT -s 10.0.0.0\/255.0.0.0 -i eth0 -j LOG –log-prefix “IP DROP SPOOF A: ”
\n-A INPUT -s 172.16.0.0\/255.240.0.0 -i eth0 -j LOG –log-prefix “IP DROP SPOOF B: ”
\n-A INPUT -s 192.168.0.0\/255.255.0.0 -i eth0 -j LOG –log-prefix “IP DROP SPOOF C: ”
\n-A INPUT -s 224.0.0.0\/240.0.0.0 -i eth0 -j LOG –log-prefix “IP DROP MULTICAST D: ”
\n-A INPUT -s 240.0.0.0\/248.0.0.0 -i eth0 -j LOG –log-prefix “IP DROP SPOOF E: ”
\n-A INPUT -d 127.0.0.0\/255.0.0.0 -i eth0 -j LOG –log-prefix “IP DROP LOOPBACK: ”
\n-A INPUT -p tcp -m tcp –dport 22 -m state –state NEW -j SSH_CHECK
\n-A FORWARD -j RH-Firewall-1-INPUT
\n-A RH-Firewall-1-INPUT -i lo -j ACCEPT
\n-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type 0 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type 3 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type 11 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p icmp -m icmp –icmp-type 8 -j ACCEPT
\n-A RH-Firewall-1-INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
\n-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 22 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 80 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p tcp -m state –state NEW -m tcp –dport 443 -j ACCEPT
\n-A RH-Firewall-1-INPUT -j LOG
\n-A RH-Firewall-1-INPUT -j DROP
\n-A SSH_CHECK -m recent –set –name SSH –rsource
\n-A SSH_CHECK -m recent –update –seconds 60 –hitcount 4 –name SSH –rsource -j DROP
\nCOMMIT
\n# Completed on Sat Dec 10 05:28:35 2011
\n==============================================================================================
\n==============================================================================================<\/p>\n

Block Incomming Port 80 except for IP Address 192.168.3.0\/24<\/strong><\/p>\n

# \/sbin\/iptables -A INPUT -p tcp -i eth0 -s ! 192.168.3.0\/24 –dport 80 -j DROP<\/p>\n

# Generated by iptables-save v1.3.5 on Sat Dec 10 06:17:00 2011
\n*filter
\n:INPUT ACCEPT [80:5760]
\n:FORWARD ACCEPT [0:0]
\n:OUTPUT ACCEPT [78:12568]
\n-A INPUT -p tcp -m tcp –dport 80 –tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
\n-A INPUT -p tcp -m tcp –dport 443 –tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
\n-A INPUT -p tcp -m tcp –dport 22 –tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
\n-A INPUT -s ! 192.168.3.0\/255.255.255.0 -i eth0 -p tcp -m tcp –dport 80 -j DROP
\nCOMMIT
\n# Completed on Sat Dec 10 06:17:00 2011
\n==============================================================================================
\n==============================================================================================<\/p>\n

FTP FIREWALL <\/strong><\/p>\n

# Generated by iptables-save v1.3.5 on Wed Jun 10 21:13:16 2009
\n*filter
\n:INPUT ACCEPT [0:0]
\n:FORWARD ACCEPT [0:0]
\n:OUTPUT ACCEPT [423:45748]
\n:RH-Firewall-1-INPUT \u2013 [0:0]
\n-A INPUT -j RH-Firewall-1-INPUT
\n-A FORWARD -j RH-Firewall-1-INPUT
\n-A RH-Firewall-1-INPUT -i lo -j ACCEPT
\n-A RH-Firewall-1-INPUT -p icmp -m icmp \u2013icmp-type any -j ACCEPT
\n-A RH-Firewall-1-INPUT -p esp -j ACCEPT
\n-A RH-Firewall-1-INPUT -p ah -j ACCEPT
\n-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp \u2013dport 5353 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p udp -m udp \u2013dport 631 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p tcp -m tcp \u2013dport 631 -j ACCEPT
\n-A RH-Firewall-1-INPUT -m state \u2013state RELATED,ESTABLISHED -j ACCEPT
\n-A RH-Firewall-1-INPUT -p tcp -m state \u2013state NEW -m tcp \u2013dport 20 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p tcp -m state \u2013state NEW -m tcp \u2013dport 21 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p tcp -m state \u2013state NEW -m tcp \u2013dport 22 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p tcp -m state \u2013state NEW -m tcp \u2013dport 23 -j ACCEPT
\n-A RH-Firewall-1-INPUT -j REJECT \u2013reject-with icmp-host-prohibited
\nCOMMIT
\n==============================================================================================
\n==============================================================================================<\/p>\n

Redhat Basic Firewall<\/strong><\/p>\n

# Firewall configuration written by system-config-securitylevel
\n# Manual customization of this file is not recommended.
\n*filter
\n:INPUT ACCEPT [0:0]
\n:FORWARD ACCEPT [0:0]
\n:OUTPUT ACCEPT [0:0]
\n:RH-Firewall-1-INPUT – [0:0]
\n-A INPUT -j RH-Firewall-1-INPUT
\n-A FORWARD -j RH-Firewall-1-INPUT
\n-A RH-Firewall-1-INPUT -i lo -j ACCEPT
\n-A RH-Firewall-1-INPUT -p icmp –icmp-type any -j ACCEPT
\n-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p udp –dport 5353 -d 224.0.0.251 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p udp -m udp –dport 631 -j ACCEPT
\n-A RH-Firewall-1-INPUT -p tcp -m tcp –dport 631 -j ACCEPT
\n-A RH-Firewall-1-INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
\n-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 8009 -j ACCEPT
\n-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 5902 -j ACCEPT
\nA RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 8080 -j ACCEPT
\n-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 10050 -j ACCEPT
\n-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 22 -j ACCEPT
\n-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 80 -j ACCEPT
\n-A RH-Firewall-1-INPUT -m state –state NEW -m tcp -p tcp –dport 443 -j ACCEPT
\n-A RH-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited
\nCOMMIT<\/p>\n

==============================================================================================
\n==============================================================================================<\/p>\n

SSH Rules <\/strong><\/p>\n

Using iptables to allow only specific hosts to connect<\/p>\n

An alternative to TCP wrappers (although you can use both at the same time) is limiting SSH access with iptables. Here’s a simple example of how you can allow only a specific host to connect to your SSH service:<\/p>\n

~# iptables -A INPUT -p tcp -m state –state NEW –source 193.180.177.13 –dport 22 -j ACCEPT <\/p>\n

And make sure no one else has access to SSH service:<\/p>\n

~# iptables -A INPUT -p tcp –dport 22 -j DROP <\/p>\n

~# iptables -A INPUT -p tcp -m state –syn –state NEW –dport 22 -m limit –limit 1\/minute –limit-burst 1 -j ACCEPT
\n~# iptables -A INPUT -p tcp -m state –syn –state NEW –dport 22 -j DROP<\/p>\n

In a second example, iptables are set to allow only host 193.180.177.13 to connect to the SSH service. After three failed login tries, iptables allows the host only one login try per minute:<\/p>\n

~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state –syn –state NEW –dport 22 -m limit –limit 1\/minute –limit-burst 1 -j ACCEPT
\n~# iptables -A INPUT -p tcp -s 193.180.177.13 -m state –syn –state NEW –dport 22 -j DROP<\/p>\n

Conclusion <\/p>\n

iptables -N SSH_CHECK
\niptables -A INPUT -p tcp –dport 22 -m state –state NEW -j SSH_CHECK
\niptables -A SSH_CHECK -m recent –set –name SSH
\niptables -A SSH_CHECK -m recent –update –seconds 60 –hitcount 4 –name SSH -j DROP<\/p>\n","protected":false},"excerpt":{"rendered":"

Firewall on Centos OS <\/p>\n

#!\/bin\/sh # #<\/p>\n

## Set your IP address MYIP=”192.168.1.108″ # ## Flush rules & reset counters \/sbin\/iptables -F \/sbin\/iptables -Z # ## Set policies \/sbin\/iptables -P INPUT DROP \/sbin\/iptables -P FORWARD DROP \/sbin\/iptables -P OUTPUT DROP # ## Drop all incoming fragments \/sbin\/iptables -A INPUT -i eth0 -f -j DROP […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,8],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/38"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=38"}],"version-history":[{"count":13,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/38\/revisions"}],"predecessor-version":[{"id":52,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/38\/revisions\/52"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=38"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=38"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=38"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}