Iptables for Bind, Squid, Samba, Apache, LDAP, SNMP, DHCP, SMTP, Webmin, TFTP

Iptables configuration guide for Linux (CentOS, Fedora, Red Hat, Ubuntu, Debian) covering Bind, SSH, Squid, Samba, Apache, LDAP, SNMP, DHCP, SMTP, SMTPS, Webmin, TFTP, HTTP and HTTPS

Iptables Basic Setup:

This section covers the basic configuration for enabling iptables on Fedora Linux.

# iptables -L

lists your current iptables configuration.

1) To allow established sessions to receive traffic:

# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

2) You could start by blocking all traffic, but if you are working over SSH you must allow SSH before blocking everything else, or you will lock yourself out of the machine.

To allow incoming traffic on the default SSH port (22):

# iptables -A INPUT -p tcp --dport 22 -j ACCEPT

To allow incoming traffic on the default Squid port (3128):

# iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

To allow incoming traffic on the default Apache port (80):

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT

To allow incoming traffic on the default Samba ports (137, 138 and 139 UDP; 139 and 445 TCP):

# iptables -A INPUT -p udp --dport 137 -j ACCEPT
# iptables -A INPUT -p udp --dport 138 -j ACCEPT
# iptables -A INPUT -p udp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp --dport 139 -j ACCEPT
# iptables -A INPUT -p tcp --dport 445 -j ACCEPT

To allow incoming traffic on the default SNMP port (161):

# iptables -A INPUT -p tcp --dport 161 -j ACCEPT
# iptables -A INPUT -p udp --dport 161 -j ACCEPT

Now check the current configuration:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:snmp
ACCEPT     udp  --  anywhere             anywhere            udp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:squid

3) Once the ports above are allowed, drop all other incoming traffic:

# iptables -A INPUT -j DROP

Now check the rules again:

# iptables -L

To restrict a rule to one interface, for example eth0, add -i eth0 to it.

4) Finally, allow the loopback interface. Because the DROP rule above discards everything that was not accepted earlier, this rule must be inserted before it; since loopback carries a lot of traffic, insert it as the first rule so it is processed first.

# iptables -I INPUT 1 -i lo -j ACCEPT

5) To enable logging of dropped packets, insert a rate-limited LOG rule directly before the DROP rule. The number after -I INPUT is the position at which the rule is inserted; confirm with iptables -L --line-numbers that it lands just before the DROP rule, because a LOG rule placed ahead of an ACCEPT rule will log accepted traffic as denied.

# iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

6) To save this configuration:

# iptables-save > /etc/sysconfig/iptables

or

# service iptables save
# service iptables start

This configuration allows the SSH port (and the other ports opened in step 2) and drops all other incoming traffic.

To edit the iptables configuration by hand, edit /etc/sysconfig/iptables directly.
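The script below is an added example, not part of the original post: it generates a ruleset in the iptables-restore format that /etc/sysconfig/iptables uses, with the rules in the order steps 1 to 5 require (loopback first, LOG directly before DROP, DROP last), and a check that flags a ruleset where that order is wrong. The service list and log prefix are constructed sample values; gen_rules and check_order are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): builds a ruleset in the
# iptables-restore format used by /etc/sysconfig/iptables, in the order the
# steps above require: loopback first, then established/related, one ACCEPT
# per service, the rate-limited LOG rule, and finally DROP. The service list
# and log prefix are constructed sample values.

# gen_rules "tcp/22 tcp/80 udp/53": print the ruleset, return 1 on bad input.
gen_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    # step 4: loopback before everything else so it is never hit by the DROP
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # step 1: replies to connections this host initiated
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # step 2: one ACCEPT per proto/port pair, validated before it is emitted
    for svc in $1; do
        proto=${svc%/*}; port=${svc#*/}
        case "$proto" in tcp|udp) ;; *) echo "bad proto: $svc" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "bad port: $svc" >&2; return 1 ;; esac
        printf '%s\n' "-A INPUT -p $proto -m $proto --dport $port -j ACCEPT"
    done
    # step 5: LOG directly before DROP, so only traffic about to be dropped is logged
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7'
    # step 3: everything not accepted above is dropped
    printf '%s\n' '-A INPUT -j DROP' 'COMMIT'
}

# check_order RULESET: return 0 only if, in the INPUT chain, the LOG rule sits
# directly before the DROP rule and DROP is the last rule. A LOG inserted at a
# fixed position such as "-I INPUT 5" fails this once more ACCEPT rules exist.
check_order() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT/ { n++ }
        /^-A INPUT/ && /-j LOG/  { log_at = n }
        /^-A INPUT/ && /-j DROP/ { drop_at = n }
        END { exit !(log_at && drop_at && log_at == drop_at - 1 && drop_at == n) }'
}

# Usage (as root): gen_rules "tcp/22 tcp/3128 tcp/80 udp/137 udp/138 tcp/139 tcp/445 udp/161" > /etc/sysconfig/iptables
```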

Iptables configuration for other services

1) Iptables for LDAP / LDAPS / OpenLDAP

# iptables -A INPUT -p tcp --dport 389 -j ACCEPT
# iptables -A INPUT -p tcp --dport 636 -j ACCEPT

or edit /etc/sysconfig/iptables by hand and add the following lines:

-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT

2) Iptables for SMTP / SMTPS

# iptables -A INPUT -p tcp --dport 25 -j ACCEPT
# iptables -A INPUT -p tcp --dport 465 -j ACCEPT

or edit /etc/sysconfig/iptables by hand and add the following lines:

-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

3) Iptables for POP3 / POP3S

# iptables -A INPUT -p tcp --dport 110 -j ACCEPT
# iptables -A INPUT -p tcp --dport 995 -j ACCEPT

or edit /etc/sysconfig/iptables by hand and add the following lines:

-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

4) Iptables for IMAP / IMAPS

# iptables -A INPUT -p tcp --dport 143 -j ACCEPT
# iptables -A INPUT -p tcp --dport 993 -j ACCEPT

or edit /etc/sysconfig/iptables by hand and add the following lines:

-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

5) Iptables for the Webmin default port (10000)

# iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

or edit /etc/sysconfig/iptables by hand and add the following line:

-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT

6) Iptables for BIND / named / DNS

# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT

or edit /etc/sysconfig/iptables by hand and add the following lines:

-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT

7) Iptables for a TFTP server

# iptables -A INPUT -p udp --dport 69 -j ACCEPT

or edit /etc/sysconfig/iptables by hand and add the following line:

-A INPUT -p udp -m udp --dport 69 -j ACCEPT

8) Iptables for a DHCP server

# iptables -A INPUT -p udp --dport 67 -j ACCEPT
# iptables -A INPUT -p udp --dport 68 -j ACCEPT

or edit /etc/sysconfig/iptables by hand and add the following lines:

-A INPUT -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -p udp -m udp --dport 68 -j ACCEPT

9) Iptables for an NTP server

# iptables -A INPUT -p udp --dport 123 -j ACCEPT

or edit /etc/sysconfig/iptables by hand and add the following line:

-A INPUT -p udp -m udp --dport 123 -j ACCEPT

10) Iptables for Apache HTTP / HTTPS

# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT

or edit /etc/sysconfig/iptables by hand and add the following lines:

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

11) Iptables for a Squid proxy server

# iptables -A INPUT -p tcp --dport 3128 -j ACCEPT

or edit /etc/sysconfig/iptables by hand and add the following line:

-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT

12) Iptables for SNMP

# iptables -A INPUT -p tcp --dport 161 -j ACCEPT
# iptables -A INPUT -p udp --dport 161 -j ACCEPT

13) Iptables for Samba / smbd / nmbd / winbind

Note that these rules, unlike the others on this page, use -j DROP with a destination address: they block Samba traffic addressed to 10.1.1.1 (substitute your server's address). To allow Samba instead, use the ACCEPT rules from step 2 of the basic setup.

# iptables -A INPUT -d 10.1.1.1 -p udp --dport 137 -j DROP
# iptables -A INPUT -d 10.1.1.1 -p udp --dport 138 -j DROP
# iptables -A INPUT -d 10.1.1.1 -p tcp --dport 139 -j DROP
# iptables -A INPUT -d 10.1.1.1 -p tcp --dport 445 -j DROP

For other services

For NFS, SSH and FTP, refer to the related posts linked below.
