Introduction
Iptables is the command-line front end to the Linux kernel's netfilter packet filter and is present on almost every Linux distribution (it is Linux-specific, not a general Unix tool). It can restrict or limit traffic arriving at, leaving, or being forwarded through a Linux box.
Installation
CentOS 7
$ yum install epel-release
$ yum install iptables-services
On CentOS 7 the firewalld service manages the netfilter rules by default, so stop and disable it before using iptables directly (firewalld and iptables-services must not both be active; afterwards enable the iptables unit so the saved rules are restored at boot):
$ systemctl stop firewalld
$ systemctl disable firewalld
Saving Rules
service iptables save
This writes the running ruleset to /etc/sysconfig/iptables, which the iptables service reloads at boot; rules added with iptables -A are otherwise lost on restart. Rules are matched in order and the chain policy applies only to packets no rule matched, so add the ACCEPT rules before switching a policy to DROP (the machine sections below do this), or the SSH session used to manage the host will be cut off.
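Saving only persists rules that are already loaded; how they are loaded matters as much. The script below is an added example, not from the original page, that builds the Machine B policy as an iptables-restore file and loads it in one transaction with a timed rollback, so a mistake that cuts off SSH undoes itself. It assumes CentOS 7 with iptables-services, that it runs as root, and that the trusted SSH ranges are given as an argument; the paths under /run, the INVALID drop and the rate-limited LOG rule before the policy drop are this script's own choices, and it uses -m conntrack, the current name for the -m state match used on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: build the Machine B policy
# as an iptables-restore file and load it in one transaction, with a timed
# rollback so a mistake that cuts off SSH undoes itself.
# Assumptions: CentOS 7 with iptables-services, run as root; the trusted
# SSH ranges are passed in; the paths under /run are this script's choice.

# Print the whole ruleset in iptables-save format. iptables-restore loads
# it atomically, so the DROP policy never takes effect before the allow
# rules exist (a sequence of "iptables -A" / "iptables -P" has that window).
build_ruleset() {
    trusted_ssh="$1"            # comma-separated CIDRs, e.g. 100.64.0.0/16,10.21.32.0/24
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
EOF
    # One SSH rule per trusted range (what "-s a,b,c" expands to anyway).
    for net in $(printf '%s' "$trusted_ssh" | tr ',' ' '); do
        printf -- '-A INPUT -p tcp -s %s --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' "$net"
    done
    cat <<'EOF'
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: " --log-level 4
COMMIT
EOF
}

# Load a ruleset file atomically and arm a rollback to the previous rules.
apply_ruleset() {
    ruleset_file="$1"
    rollback_secs="${2:-90}"
    iptables-restore --test < "$ruleset_file" || return 1    # parse only, no commit
    iptables-save > /run/iptables.rollback
    iptables-restore < "$ruleset_file"
    ( sleep "$rollback_secs"; iptables-restore < /run/iptables.rollback ) &
    echo $! > /run/iptables.rollback.pid
    echo "rules loaded; run 'confirm' within ${rollback_secs}s or they roll back"
}

# Cancel the rollback and persist the running rules to /etc/sysconfig/iptables.
confirm_ruleset() {
    kill "$(cat /run/iptables.rollback.pid)" 2>/dev/null
    rm -f /run/iptables.rollback.pid
    service iptables save
    systemctl enable iptables          # so the saved file is loaded at boot
}

case "${1:-}" in
    build)   build_ruleset "${2:?trusted SSH CIDRs required}" ;;
    apply)   build_ruleset "${2:?trusted SSH CIDRs required}" > /run/iptables.new &&
             apply_ruleset /run/iptables.new ;;
    confirm) confirm_ruleset ;;
esac
```

Run it as "apply 100.64.0.0/16,10.21.32.0/24" from an SSH session, then open a second session to check that you can still log in and run "confirm" before the rollback fires; "build" alone prints the file for review. After loading, iptables -S and iptables -L -n -v --line-numbers show the rules and their hit counters, and the LOG rule writes dropped packets to the kernel log so a missing allow rule is visible rather than silent.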
Iptables rules
Machine A
Accept from loopback
Loopback is the interface the machine uses to make network connections to itself. Services may listen only on loopback, such as a database server that a web server on the same host connects to over 127.0.0.1.
iptables -A INPUT -i lo -j ACCEPT
Accept Established and Related Incoming Connections
ESTABLISHED : the packet belongs to a connection conntrack has already seen traffic in both directions for (for TCP, the 3-way handshake has completed)
RELATED : the packet opens a new connection that conntrack associates with an existing one, such as an ICMP error about an existing flow or an FTP data connection (the latter only when the nf_conntrack_ftp helper is loaded)
The -m state match is the older name for -m conntrack --ctstate; both work on CentOS 7.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accept ICMP icmp-type echo-request, echo-reply (ping), time-exceeded (traceroute), or destination-unreachable
ICMP is used to check connectivity to the server (ping) and to report path errors. Echo-reply, time-exceeded and destination-unreachable messages for flows this host started already match the ESTABLISHED,RELATED rule above, so only echo-request strictly needs its own rule; the explicit rules below are harmless.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
Allow SSH from trusted IP ranges
iptables -A INPUT -p tcp -s 100.64.0.0/16,10.21.32.0/24,198.18.0.0/16 --dport 22 -m state --state NEW -j ACCEPT
Set default policies for INPUT, OUTPUT, FORWARD
Drop INPUT traffic that no rule above accepted
iptables -P INPUT DROP
Accept FORWARD traffic that no rule matched (Machine A routes for the other machines)
iptables -P FORWARD ACCEPT
Accept all OUTPUT traffic
iptables -P OUTPUT ACCEPT
Drop outgoing traffic to facebook
The simplest way is to block the addresses the name currently resolves to, in both directions so replies are cut as well. Those addresses change, so to block the site properly drop every prefix announced by AS32934 (Facebook's autonomous system), which is easier to maintain as an ipset than as one rule per address. These DROP rules are appended before the FORWARD accept rules, which matters: rules are evaluated in order and the first match wins.
iptables -A FORWARD -d 157.240.2.35 -j DROP
iptables -A FORWARD -d 31.13.74.36 -j DROP
iptables -A FORWARD -s 157.240.2.35 -j DROP
iptables -A FORWARD -s 31.13.74.36 -j DROP
Drop outgoing traffic to *.cheezburger.com
iptables -A FORWARD -d 216.176.177.72 -j DROP
iptables -A FORWARD -s 216.176.177.72 -j DROP
Allow forwarded traffic to other servers
With the FORWARD policy set to ACCEPT above, these rules do not change what is forwarded; they only take effect if the policy is DROP, as on the other machines, so set it to DROP if only the listed traffic should be routed. The FTP rules assume the nf_conntrack_ftp helper is loaded so that the data connection matches RELATED; an active-mode data connection is opened by the server from port 20 to an ephemeral client port, so a rule for destination port 20 does not match it.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
iptables -A FORWARD -p icmp -m icmp --icmp-type 0 -j ACCEPT
iptables -A FORWARD -p icmp -m icmp --icmp-type 11 -j ACCEPT
iptables -A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT
iptables -A FORWARD -p tcp -s 100.64.0.0/16,10.21.32.0/24,198.18.0.0/16 --dport 22 -m state --state NEW -j ACCEPT
iptables -A FORWARD -d 100.64.69.2,100.64.69.5 -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -d 100.64.69.2,100.64.69.5 -p tcp --dport 443 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 100.64.0.0/16 -d 100.64.69.3 -j ACCEPT
iptables -A FORWARD -s 100.64.0.0/16,172.20.74.4 -d 100.64.69.3 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 100.64.0.0/16,172.20.74.4 -d 100.64.69.3 -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -d 100.64.69.4 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -d 100.64.69.4 -p udp --dport 53 -j ACCEPT
Machine B & Machine F
Accept from loopback
Loopback is the interface the machine uses to make network connections to itself. Services may listen only on loopback, such as a database server that a web server on the same host connects to over 127.0.0.1.
iptables -A INPUT -i lo -j ACCEPT
Accept Established and Related Incoming Connections
ESTABLISHED : the packet belongs to a connection conntrack has already seen traffic in both directions for (for TCP, the 3-way handshake has completed)
RELATED : the packet opens a new connection that conntrack associates with an existing one, such as an ICMP error about an existing flow or an FTP data connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accept ICMP icmp-type echo-request, echo-reply (ping), time-exceeded (traceroute), or destination-unreachable
ICMP packets are used to check connectivity to the server, usually ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
Allow SSH from trusted IP ranges
iptables -A INPUT -p tcp -s 100.64.0.0/16,10.21.32.0/24,198.18.0.0/16 --dport 22 -m state --state NEW -j ACCEPT
Accept NEW http, https traffic from any source
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
Set default policies for INPUT, OUTPUT, FORWARD
DROP INPUT traffic that is not listed in rules
iptables -P INPUT DROP
DROP FORWARD traffic that is not listed in rules
iptables -P FORWARD DROP
ACCEPT OUTPUT Traffic
iptables -P OUTPUT ACCEPT
Machine C
Accept from loopback
Loopback is the interface the machine uses to make network connections to itself. Services may listen only on loopback, such as a database server that a web server on the same host connects to over 127.0.0.1.
iptables -A INPUT -i lo -j ACCEPT
Accept Established and Related Incoming Connections
ESTABLISHED : the packet belongs to a connection conntrack has already seen traffic in both directions for (for TCP, the 3-way handshake has completed)
RELATED : the packet opens a new connection that conntrack associates with an existing one, such as an ICMP error about an existing flow or an FTP data connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accept ICMP icmp-type echo-request, echo-reply (ping), time-exceeded (traceroute), or destination-unreachable
ICMP packets are used to check connectivity to the server, usually ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
Allow SSH from trusted IP ranges
iptables -A INPUT -p tcp -s 100.64.0.0/16,10.21.32.0/24,198.18.0.0/16 --dport 22 -j ACCEPT
Accept all INPUT traffic from 100.64.0.0/16 (this already covers SSH and FTP from that range; the FTP rules below still matter for 172.20.74.4)
iptables -A INPUT -s 100.64.0.0/16 -j ACCEPT
Accept FTP traffic from 100.64.0.0/16 (100.64.0.27 is inside that range) and 172.20.74.4. Passive-mode data connections arrive on an ephemeral port as new connections: without the nf_conntrack_ftp helper they are NEW and hit the DROP policy, with it they are RELATED and match the ESTABLISHED,RELATED rule above, so the ESTABLISHED-only rule on the high ports below only sees packets that rule already accepts.
iptables -A INPUT -s 100.64.0.0/16,100.64.0.27,172.20.74.4 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 100.64.0.0/16,100.64.0.27,172.20.74.4 -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 100.64.0.0/16,100.64.0.27,172.20.74.4 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
Allow OUTPUT DNS to 100.64.69.4
iptables -A OUTPUT -d 100.64.69.4 -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -d 100.64.69.4 -p udp --dport 53 -j ACCEPT
Allow OUTPUT ftp, http, https and ssh traffic to any destination
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
Allow OUTPUT ICMP traffic
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
Allow OUTPUT ESTABLISHED and RELATED traffic; RELATED is needed so that ICMP errors for existing flows and active-mode FTP data connections this server opens from port 20 are not dropped
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Default policy for INPUT, FORWARD and OUTPUT is DROP. Because OUTPUT is DROP and no rule accepts traffic leaving on lo, the first packet of any local connection to 127.0.0.1 is dropped; an OUTPUT rule accepting -o lo, mirroring the -i lo rule in INPUT, is needed for services on the loopback to work.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
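The Machine C policy has two gaps that are easy to miss when reading rules one at a time: OUTPUT is DROP but nothing accepts traffic leaving on lo, and the FTP control port is accepted in OUTPUT without RELATED, so active-mode data connections opened from port 20 are dropped. The script below is an added example, not from the original page, that lints a ruleset in iptables-save format for those two patterns and for the Machine A case of ACCEPT rules under an ACCEPT policy, then runs it against a transcription of Machine C and a corrected version. The transcription is constructed here and abbreviated to the rules the checks need; the corrected version assumes the nf_conntrack_ftp module is loaded and assigns the helper explicitly in the raw table, which is required on kernels where automatic helper assignment is off (the default since 4.7). The check names and messages are this script's own.

```shell
#!/bin/sh
# Added example, not part of the original page: lint an iptables-save style
# ruleset for three mistakes that appear in the machine policies above.
# The sample rulesets are constructed transcriptions for this example.

# Keep only the *filter table so chain policies from *raw or *nat cannot
# trigger the checks below.
filter_table() {
    awk '/^\*filter$/ {f=1; next} /^COMMIT$/ {f=0} f'
}

# Read a ruleset on stdin and print one line per finding (nothing if clean).
lint_ruleset() {
    rules=$(filter_table)
    # 1. DROP policy with no loopback accept: local clients of 127.0.0.1 break.
    for chain in INPUT OUTPUT; do
        case $chain in
            INPUT)  lo='-i lo' ;;
            OUTPUT) lo='-o lo' ;;
        esac
        if printf '%s\n' "$rules" | grep -q "^:$chain DROP" &&
           ! printf '%s\n' "$rules" | grep -q -- "^-A $chain $lo -j ACCEPT"; then
            echo "$chain: policy DROP without '$lo' ACCEPT; connections over 127.0.0.1 are dropped"
        fi
    done
    for chain in INPUT OUTPUT FORWARD; do
        # 2. FTP control accepted but RELATED never accepted in that chain:
        #    the data channel (RELATED via nf_conntrack_ftp) is dropped.
        if printf '%s\n' "$rules" | grep -q -- "^-A $chain .*--dport 21 .*-j ACCEPT" &&
           ! printf '%s\n' "$rules" | grep -- "^-A $chain " | grep -q RELATED; then
            echo "$chain: FTP control accepted but RELATED is not; data channel needs nf_conntrack_ftp and a RELATED accept"
        fi
        # 3. ACCEPT rules under an ACCEPT policy match nothing the policy would not.
        if printf '%s\n' "$rules" | grep -q "^:$chain ACCEPT" &&
           printf '%s\n' "$rules" | grep -q -- "^-A $chain .*-j ACCEPT"; then
            echo "$chain: policy ACCEPT makes its ACCEPT rules no-ops; set DROP if the list is meant to be exhaustive"
        fi
    done
}

# Number of findings, for scripting.
lint_count() { lint_ruleset | awk 'END {print NR}'; }

# Machine C as written above, transcribed (abbreviated) into iptables-save syntax.
MACHINE_C_ORIGINAL='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 100.64.0.0/16 -j ACCEPT
-A INPUT -s 172.20.74.4 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -d 100.64.69.4 -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 21 -j ACCEPT
-A OUTPUT -p tcp --dport 20 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT'

# Machine C corrected: loopback accepted on OUTPUT, RELATED accepted on OUTPUT,
# and the FTP conntrack helper assigned explicitly in the raw table.
MACHINE_C_FIXED='*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 100.64.0.0/16 -j ACCEPT
-A INPUT -s 172.20.74.4 -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 100.64.69.4 -p udp --dport 53 -j ACCEPT
-A OUTPUT -p tcp --dport 21 -j ACCEPT
COMMIT'

if [ "${1:-}" = "demo" ]; then
    echo "== Machine C as on the page =="
    printf '%s\n' "$MACHINE_C_ORIGINAL" | lint_ruleset
    echo "== Machine C corrected =="
    printf '%s\n' "$MACHINE_C_FIXED" | lint_ruleset
fi
```

Run it with "demo" to see the two findings against the page's Machine C and none against the corrected ruleset; on a live host, pipe iptables-save into lint_ruleset. The corrected ruleset also drops the ESTABLISHED-only high-port rules, since with the helper loaded the RELATED accept covers the data channel in both modes.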
Machine D
Accept from loopback
Loopback is the interface the machine uses to make network connections to itself. Services may listen only on loopback, such as a database server that a web server on the same host connects to over 127.0.0.1.
iptables -A INPUT -i lo -j ACCEPT
Accept Established and Related Incoming Connections
ESTABLISHED : the packet belongs to a connection conntrack has already seen traffic in both directions for (for TCP, the 3-way handshake has completed)
RELATED : the packet opens a new connection that conntrack associates with an existing one, such as an ICMP error about an existing flow or an FTP data connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accept ICMP icmp-type echo-request, echo-reply (ping), time-exceeded (traceroute), or destination-unreachable
ICMP packets are used to check connectivity to the server, usually ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
Allow SSH from trusted IP ranges
iptables -A INPUT -p tcp -s 100.64.0.0/16,10.21.32.0/24,198.18.0.0/16 --dport 22 -j ACCEPT
Allow INPUT DNS from any source
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
Set default policies for INPUT, OUTPUT, FORWARD
DROP INPUT traffic that is not listed in rules
iptables -P INPUT DROP
DROP FORWARD traffic that is not listed in rules (this machine does not route for others)
iptables -P FORWARD DROP
ACCEPT OUTPUT Traffic
iptables -P OUTPUT ACCEPT
Machine E
Accept from loopback
Loopback is the interface the machine uses to make network connections to itself. Services may listen only on loopback, such as a database server that a web server on the same host connects to over 127.0.0.1.
iptables -A INPUT -i lo -j ACCEPT
Accept Established and Related Incoming Connections
ESTABLISHED : the packet belongs to a connection conntrack has already seen traffic in both directions for (for TCP, the 3-way handshake has completed)
RELATED : the packet opens a new connection that conntrack associates with an existing one, such as an ICMP error about an existing flow or an FTP data connection
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Accept ICMP icmp-type echo-request, echo-reply (ping), time-exceeded (traceroute), or destination-unreachable
ICMP packets are used to check connectivity to the server, usually ping
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
Allow SSH from trusted IP ranges
iptables -A INPUT -p tcp -s 10.21.32.0/24 --dport 22 -m state --state NEW -j ACCEPT
Allow INPUT SMB/CIFS traffic from 10.21.32.0/24: MSRPC endpoint mapper (tcp 135), NetBIOS name and datagram services (udp 137 and 138) and SMB over TCP (445). The NetBIOS session service (139) is TCP, so the udp 137:139 rule below does not cover it; add a tcp 139 rule if legacy NetBIOS clients must connect.
iptables -A INPUT -s 10.21.32.0/24 -p tcp --dport 135 -j ACCEPT
iptables -A INPUT -s 10.21.32.0/24 -p udp --dport 137:139 -j ACCEPT
iptables -A INPUT -s 10.21.32.0/24 -p tcp --dport 445 -j ACCEPT
Set default policies for INPUT, OUTPUT, FORWARD
DROP INPUT traffic that is not listed in rules
iptables -P INPUT DROP
DROP FORWARD traffic that is not listed in rules (this machine does not route for others)
iptables -P FORWARD DROP
ACCEPT OUTPUT Traffic
iptables -P OUTPUT ACCEPT