{"id":31,"date":"2017-10-10T05:08:00","date_gmt":"2017-10-10T05:08:00","guid":{"rendered":"https:\/\/linuxadmin.melberi.com\/uncategorized\/iptables-for-squid-samba-apache-ldap"},"modified":"2017-10-10T05:52:06","modified_gmt":"2017-10-10T05:52:06","slug":"iptables-for-squid-samba","status":"publish","type":"post","link":"https:\/\/www.melberi.com\/linuxadmin\/iptables\/iptables-for-squid-samba","title":{"rendered":"Iptables for Bind Squid Samba Apache Ldap Snmp Dhcp Smtp Webmin Tftp"},"content":{"rendered":"<p>Iptables configuration guide for Linux (CentOS, Fedora, Red Hat, Ubuntu, Debian) covering Bind, SSH, Squid, Samba, Apache, LDAP, SNMP, DHCP, SMTP, SMTPS, Webmin, TFTP, HTTP and HTTPS.<\/p>\n<div class=\"separator\" style=\"clear: both; text-align: center;\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter\" title=\"Iptables \" src=\"https:\/\/www.melberi.com\/linuxadmin\/wp-content\/uploads\/sites\/3\/2015\/10\/iptables.jpg\" alt=\"Iptables \" width=\"500\" height=\"200\" border=\"0\" \/><\/div>\n<h2><u><b>Iptables Basic Setup:<\/b><\/u><\/h2>\n<p>This section covers the basic configuration for enabling iptables on Fedora Linux.<\/p>\n<div><b style=\"background-color: white;\"># iptables -L<\/b><\/div>\n<p>lists your current iptables configuration.<\/p>\n<p><b>1)\u00a0<\/b>To allow established sessions to receive traffic:<\/p>\n<p><b># iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT<\/b><\/p>\n<p><b>2) <\/b>You could start by blocking all traffic, but if you are working over SSH you must allow SSH before blocking everything else, otherwise you will lock yourself out of the machine.<\/p>\n<p>To allow incoming traffic on the default SSH port (22):<\/p>\n<p><b># iptables -A INPUT -p tcp --dport 22 -j ACCEPT<\/b><\/p>\n<p>To allow incoming traffic on the default Squid port (3128):<\/p>\n<p><b># iptables -A INPUT -p tcp --dport 3128 -j ACCEPT<\/b><\/p>\n<p>To allow incoming traffic on the default Apache port (80):<\/p>\n<p><b># iptables -A INPUT -p tcp 
--dport 80 -j ACCEPT<\/b><\/p>\n<p>To allow incoming traffic on the default Samba ports:<\/p>\n<p><b># iptables -A INPUT -p udp --dport 137 -j ACCEPT<\/b><br \/>\n<b># iptables -A INPUT -p udp --dport 138 -j ACCEPT<\/b><br \/>\n<b style=\"background-color: white;\"># iptables -A INPUT -p udp --dport 139 -j ACCEPT<\/b><br \/>\n<b># iptables -A INPUT -p tcp --dport 139 -j ACCEPT<\/b><br \/>\n<b style=\"background-color: white;\"># iptables -A INPUT -p tcp --dport 445 -j ACCEPT<\/b><\/p>\n<p>To allow incoming traffic on the default SNMP port (161):<\/p>\n<p><b># iptables -A INPUT -p tcp --dport 161 -j ACCEPT<\/b><br \/>\n<b># iptables -A INPUT -p udp --dport 161 -j ACCEPT<\/b><\/p>\n<p>Now check the current configuration:<\/p>\n<div><b style=\"background-color: white;\"># iptables -L<\/b><br \/>\n<b style=\"background-color: white;\">Chain INPUT (policy ACCEPT)<\/b><br \/>\n<b style=\"background-color: white;\">target\u00a0\u00a0\u00a0\u00a0 prot opt source\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 destination<\/b><br \/>\nACCEPT\u00a0\u00a0\u00a0\u00a0 all\u00a0 --\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 state RELATED,ESTABLISHED<br \/>\nACCEPT\u00a0\u00a0\u00a0\u00a0 tcp\u00a0 --\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tcp dpt:http<br \/>\nACCEPT\u00a0\u00a0\u00a0\u00a0 tcp\u00a0 --\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 udp dpt:netbios-ns<br \/>\nACCEPT\u00a0\u00a0\u00a0\u00a0 tcp\u00a0 --\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 
anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 udp dpt:netbios-dgm<br \/>\nACCEPT\u00a0\u00a0\u00a0\u00a0 tcp\u00a0 --\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 udp dpt:netbios-ssn<br \/>\nACCEPT\u00a0\u00a0\u00a0\u00a0 tcp\u00a0 --\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tcp dpt:netbios-ssn<br \/>\nACCEPT\u00a0\u00a0\u00a0\u00a0 tcp\u00a0 --\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tcp dpt:snmp<br \/>\nACCEPT\u00a0\u00a0\u00a0\u00a0 tcp\u00a0 --\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 udp dpt:snmp<br \/>\nACCEPT\u00a0\u00a0\u00a0\u00a0 tcp\u00a0 --\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tcp dpt:microsoft-ds<br \/>\nACCEPT\u00a0\u00a0\u00a0\u00a0 tcp\u00a0 --\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 anywhere\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 tcp dpt:squid<\/div>\n<p><b>3)<\/b> Once the ports above have been enabled, we can drop all other incoming traffic.<\/p>\n<p><b># iptables -A INPUT -j DROP<\/b><\/p>\n<p>Now check the rules:<\/p>\n<div><b style=\"background-color: white;\"># iptables -L<\/b><\/div>\n<p><b>To restrict a rule to a single interface such as eth0, add -i eth0 to it.<\/b><\/p>\n<p><b>4)<\/b> In the final step we have to allow the loopback interface. All other traffic is now dropped by the last rule, so this rule must be inserted before it. 
Since loopback carries a lot of traffic, we&#8217;ll insert it as the first rule so it&#8217;s processed first.<\/p>\n<p><b># iptables -I INPUT 1 -i lo -j ACCEPT<\/b><\/p>\n<p><b>5)<\/b> To enable logging (rate-limited to 5 messages per minute):<\/p>\n<p><b># iptables -I INPUT 5 -m limit --limit 5\/min -j LOG --log-prefix &quot;iptables denied: &quot; --log-level 7<\/b><\/p>\n<p><b>6)<\/b> To save this configuration:<\/p>\n<div><b style=\"background-color: white;\"># iptables-save &gt; \/etc\/sysconfig\/iptables<\/b><br \/>\n<b style=\"background-color: white;\">or<\/b><br \/>\n<b># service iptables save<\/b><\/div>\n<div><b style=\"background-color: white;\"># service iptables start<\/b><\/div>\n<p>This configuration allows the ports opened above and drops all other incoming traffic.<\/p>\n<p><a href=\"https:\/\/www.melberi.com\/linuxadmin\/iptables\/iptables-ssh\">To manually edit iptables config<\/a><\/p>\n<p>You can also edit \/etc\/sysconfig\/iptables by hand.<\/p>\n<h3><u><b>IP Tables configuration for other Services<\/b><\/u><\/h3>\n<h4><u><b>1) Iptables for LDAP \/ LDAPS \/ OPENLDAP<\/b><\/u><\/h4>\n<p><b># iptables -A INPUT -p tcp --dport 389 -j ACCEPT<\/b><br \/>\n<b># iptables -A INPUT -p tcp --dport 636 -j ACCEPT<\/b><\/p>\n<p>or manually edit \/etc\/sysconfig\/iptables and add the lines below:<\/p>\n<p><b>-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT<\/b><br \/>\n<b>-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT<\/b><\/p>\n<h4><u><b>2) IP tables for SMTP \/ SMTPS<\/b><\/u><\/h4>\n<p><b># iptables -A INPUT -p tcp --dport 25 -j ACCEPT<\/b><br \/>\n<b># iptables -A INPUT -p tcp --dport 465 -j ACCEPT<\/b><\/p>\n<p>or manually edit \/etc\/sysconfig\/iptables and add the lines below:<\/p>\n<p><b>-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT<\/b><br \/>\n<b>-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT<\/b><\/p>\n<h4><u><b>3) iptables for POP3 \/ POP3S<\/b><\/u><\/h4>\n<p><b># iptables -A INPUT -p tcp --dport 110 
-j ACCEPT<\/b><br \/>\n<b># iptables -A INPUT -p tcp --dport 995 -j ACCEPT<\/b><\/p>\n<p>or manually edit \/etc\/sysconfig\/iptables and add the lines below:<\/p>\n<p><b style=\"background-color: white;\">-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT<\/b><br \/>\n<b>-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT<\/b><\/p>\n<h4><u><b>4) iptables for IMAP \/ IMAPS<\/b><\/u><\/h4>\n<p><b># iptables -A INPUT -p tcp --dport 143 -j ACCEPT<\/b><br \/>\n<b># iptables -A INPUT -p tcp --dport 993 -j ACCEPT<\/b><\/p>\n<p>or manually edit \/etc\/sysconfig\/iptables and add the lines below:<\/p>\n<p><b>-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT<\/b><br \/>\n<b>-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT<\/b><\/p>\n<h4><u><b>5) iptables for WEBMIN default port (10000)<\/b><\/u><\/h4>\n<p><b style=\"background-color: white;\"># iptables -A INPUT -p tcp --dport 10000 -j ACCEPT<\/b><\/p>\n<p>or manually edit \/etc\/sysconfig\/iptables and add the line below:<\/p>\n<p><b>-A INPUT -p tcp -m tcp --dport 10000 -j ACCEPT<\/b><\/p>\n<h4><u><b>6) IPtables for BIND \/ NAMED \/ DNS<\/b><\/u><\/h4>\n<p><b># iptables -A INPUT -p tcp --dport 53 -j ACCEPT<\/b><br \/>\n<b style=\"background-color: white;\"># iptables -A INPUT -p udp --dport 53 -j ACCEPT<\/b><\/p>\n<p>or manually edit \/etc\/sysconfig\/iptables and add the lines below:<\/p>\n<p><b>-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT<\/b><br \/>\n<b>-A INPUT -p udp -m udp --dport 53 -j ACCEPT<\/b><\/p>\n<h4><u><b>7) iptables for TFTP server<\/b><\/u><\/h4>\n<p><b style=\"background-color: white;\"># iptables -A INPUT -p udp --dport 69 -j ACCEPT<\/b><\/p>\n<p>or manually edit \/etc\/sysconfig\/iptables and add the line below:<\/p>\n<p><b>-A INPUT -p udp -m udp --dport 69 -j ACCEPT<\/b><\/p>\n<h4><u><b>8) iptables configuration 
for DHCP server<\/b><\/u><\/h4>\n<p><b style=\"background-color: white;\"># iptables -A INPUT -p udp --dport 67 -j ACCEPT<\/b><br \/>\n<b># iptables -A INPUT -p udp --dport 68 -j ACCEPT<\/b><\/p>\n<p>or manually edit \/etc\/sysconfig\/iptables and add the lines below:<\/p>\n<p><b>-A INPUT -p udp -m udp --dport 67 -j ACCEPT<\/b><br \/>\n<b>-A INPUT -p udp -m udp --dport 68 -j ACCEPT<\/b><\/p>\n<h4><u><b>9) iptables for NTP server<\/b><\/u><\/h4>\n<p><b style=\"background-color: white;\"># iptables -A INPUT -p udp --dport 123 -j ACCEPT<\/b><\/p>\n<p>or manually edit \/etc\/sysconfig\/iptables and add the line below:<\/p>\n<p><b>-A INPUT -p udp -m udp --dport 123 -j ACCEPT<\/b><\/p>\n<h4><u><b>10) iptables for Apache HTTP \/ HTTPS<\/b><\/u><\/h4>\n<p><b># iptables -A INPUT -p tcp --dport 80 -j ACCEPT<\/b><br \/>\n<b># iptables -A INPUT -p tcp --dport 443 -j ACCEPT<\/b><\/p>\n<p>or manually edit \/etc\/sysconfig\/iptables and add the lines below:<\/p>\n<p><b>-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT<\/b><br \/>\n<b>-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT<\/b><\/p>\n<h4><u><b>11) iptables for Squid Proxy server<\/b><\/u><\/h4>\n<p><b># iptables -A INPUT -p tcp --dport 3128 -j ACCEPT<\/b><\/p>\n<p>or manually edit \/etc\/sysconfig\/iptables and add the line below:<\/p>\n<p><b>-A INPUT -p tcp -m tcp --dport 3128 -j ACCEPT<\/b><\/p>\n<h4><u><b>12) iptables for SNMP<\/b><\/u><\/h4>\n<p><b># iptables -A INPUT -p tcp --dport 161 -j ACCEPT<\/b><br \/>\n<b># iptables -A INPUT -p udp --dport 161 -j ACCEPT<\/b><\/p>\n<h4><u><b>13) iptables for SAMBA \/ SMBD NMBD WINBIND<\/b><\/u><\/h4>\n<p>To drop Samba traffic addressed to a specific host (10.1.1.1 in these rules):<\/p>\n<p># iptables -A INPUT -d 10.1.1.1 -p udp --dport 137 -j DROP<br \/>\n# iptables -A INPUT -d 10.1.1.1 -p udp --dport 138 -j DROP<br \/>\n# iptables -A INPUT -d 
10.1.1.1 -p tcp --dport 139 -j DROP<br \/>\n# iptables -A INPUT -d 10.1.1.1 -p tcp --dport 445 -j DROP<\/p>\n<p><strong><span style=\"text-decoration: underline;\">For Other Services<\/span><\/strong><\/p>\n<p>For NFS, SSH and FTP, refer to the related post links below.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Iptables configuration guide for Linux (CentOS, Fedora, Red Hat, Ubuntu, Debian) covering Bind, SSH, Squid, Samba, Apache, LDAP, SNMP, DHCP, SMTP, SMTPS, Webmin, TFTP, HTTP and HTTPS. Iptables Basic Setup: This&#8230; <a href=\"https:\/\/www.melberi.com\/linuxadmin\/iptables\/iptables-for-squid-samba\">Read more &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":196,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[104],"tags":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.melberi.com\/linuxadmin\/wp-json\/wp\/v2\/posts\/31"}],"collection":[{"href":"https:\/\/www.melberi.com\/linuxadmin\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.melberi.com\/linuxadmin\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.melberi.com\/linuxadmin\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.melberi.com\/linuxadmin\/wp-json\/wp\/v2\/comments?post=31"}],"version-history":[{"count":6,"href":"https:\/\/www.melberi.com\/linuxadmin\/wp-json\/wp\/v2\/posts\/31\/revisions"}],"predecessor-version":[{"id":622,"href":"https:\/\/www.melberi.com\/linuxadmin\/wp-json\/wp\/v2\/posts\/31\/revisions\/622"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.melberi.com\/linuxadmin\/wp-json\/wp\/v2\/media\/196"}],"wp:attachment":[{"href":"https:\/\/www.melberi.com\/linuxadmin\/wp-json\/wp\/v2\/media?parent=31"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.melberi.com\/linuxadmin\/wp-json\/wp\/v2\/categories?post=31"},{"taxonomy":"post_tag"
,"embeddable":true,"href":"https:\/\/www.melberi.com\/linuxadmin\/wp-json\/wp\/v2\/tags?post=31"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}