Monday, March 21, 2011

Sample IPTABLES

This is a sample custom IPTABLES config to be used on the rhel01 server

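#!/bin/bash
# Sample iptables filter policy for rhel01: default-deny inbound, allow replies
# to connections this host opened plus SSH and HTTP, permit all outbound.
# Must run as root; persist the result with iptables-save (shown below).
set -eu

# Flush the filter table's built-in chains (INPUT, FORWARD, OUTPUT).
# -F without -t only touches the filter table; nat/mangle chains such as
# PREROUTING and POSTROUTING are left untouched.
iptables -F
# Zero packet/byte counters.
iptables -Z
# Delete user-defined chains (they are empty and unreferenced after -F).
iptables -X

# Default-deny policies. They apply immediately, before any ACCEPT rule
# exists, so a remote session stalls until the ESTABLISHED rule below is
# appended; nothing between here and there needs the network, so TCP
# retransmission recovers the session.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# All inbound filtering lives in one user chain that INPUT jumps to.
iptables -N custom-fw-input
iptables -A INPUT -j custom-fw-input

# Replies to connections this host opened, and related traffic (ICMP errors).
iptables -A custom-fw-input -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback must be open, or local services talking to 127.0.0.1 break under
# the DROP policy.
iptables -A custom-fw-input -i lo -j ACCEPT
# Example of restricting new connections to the LAN; left disabled.
#iptables -A custom-fw-input -i eth0 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT

# SSH (tcp/22).
iptables -A custom-fw-input -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# HTTP (tcp/80) for the Apache web server. The original line repeated
# --dport 22, which silently left port 80 closed; port 80 is what the saved
# config shows.
iptables -A custom-fw-input -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT

# Explicit final DROP for anything not matched above.
iptables -A custom-fw-input -j DROP

# Allow all outbound traffic — demo setting only.
iptables -P OUTPUT ACCEPT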
Checking the iptables config
[root@rhel01 ~]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
custom-fw-input all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain custom-fw-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
DROP all -- anywhere anywhere
Saving iptables config
[root@rhel01 ~]# iptables-save > /etc/sysconfig/iptables
[root@rhel01 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Mar 22 02:36:51 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [185:22677]
:custom-fw-input - [0:0]
-A INPUT -j custom-fw-input
-A custom-fw-input -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A custom-fw-input -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A custom-fw-input -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A custom-fw-input -j DROP
COMMIT
# Completed on Tue Mar 22 02:36:51 2011

Lab iptables config on rhel01.localdomain
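#!/bin/bash
####################################################
# #
# iptables config #
# http://rhel6notes.blogspot.com #
# mctofferatgmaildotcom #
####################################################
#
# Lab filter policy for rhel01.localdomain: default-deny inbound, then allow
# replies to existing connections, loopback, ping and the lab services
# (SSH, VNC, HTTP, NFS, PXE/kickstart, NIS); outbound is fully open.
# Run as root. The uplink interface can be overridden with IFACE=<name>
# (default eth0, the value the original script hard-coded).
set -eu

iface=${IFACE:-eth0}

# Flush the filter table's built-in chains (INPUT, FORWARD, OUTPUT).
# -F without -t only touches the filter table; nat/mangle chains such as
# PREROUTING and POSTROUTING are left untouched.
iptables -F

# Zero packet/byte counters.
iptables -Z

# Delete user-defined chains (empty and unreferenced after -F).
iptables -X

# Default-deny policies. They apply immediately, before any ACCEPT rule
# exists, so a remote session stalls until the ESTABLISHED rule below is
# appended; nothing in between needs the network, so TCP retransmission
# recovers the session.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# All inbound filtering lives in one user chain that INPUT jumps to.
iptables -N custom-fw-input
iptables -A INPUT -j custom-fw-input

# Replies to connections this host opened, and related traffic. Only the
# uplink interface is covered; reply traffic on any other interface falls
# through to the final DROP.
iptables -A custom-fw-input -i "$iface" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Loopback must be open for local services that talk to 127.0.0.1.
iptables -A custom-fw-input -i lo -j ACCEPT

# Allow ping.
iptables -A custom-fw-input -p icmp --icmp-type echo-request -j ACCEPT
# Example of restricting new connections to the LAN; left disabled.
#iptables -A custom-fw-input -i eth0 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT

# SSH (tcp/22).
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 22 -j ACCEPT

# VNC displays :1 and :2 (tcp/5901, 5902). VNC is unencrypted on the wire;
# tunnelling it over SSH would allow these two rules to be removed.
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 5901 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 5902 -j ACCEPT

# HTTP (tcp/80).
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 80 -j ACCEPT

# NFS: portmapper (111), nfsd (2049) and the fixed ports for the helper
# daemons. NOTE(review): the fixed ports only work if lockd/mountd/statd are
# pinned to them in the NFS daemon configuration, and several are opened for
# only one of tcp/udp — confirm each port and protocol against that config.
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 111 -j ACCEPT
iptables -A custom-fw-input -p udp -m state --state NEW --dport 111 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 2049 -j ACCEPT
iptables -A custom-fw-input -p udp -m state --state NEW --dport 2049 -j ACCEPT
iptables -A custom-fw-input -p udp -m state --state NEW --dport 32803 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 32769 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 892 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 662 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 2020 -j ACCEPT

# PXE / kickstart. NOTE(review): DHCP/BOOTP runs over UDP, so the tcp 67/68
# rules match nothing in practice; a DHCP/PXE *server* receives client
# requests on udp/67, which is not opened here (udp/68 is the client-side
# port) — confirm which role rhel01 plays before changing these.
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 67 -j ACCEPT
iptables -A custom-fw-input -p tcp -m state --state NEW --dport 68 -j ACCEPT
iptables -A custom-fw-input -p udp -m state --state NEW --dport 68 -j ACCEPT
# TFTP (udp/69) carries only the initial request on 69; the transfer moves
# to ephemeral ports and is accepted by the RELATED rule above only when the
# tftp conntrack helper (nf_conntrack_tftp) is loaded — confirm it is.
iptables -A custom-fw-input -p udp --dport 69 -j ACCEPT

# NIS. NOTE(review): ypserv/ypxfrd ports are dynamic unless pinned; 834/835
# presumably match a pinned configuration on this host — verify.
iptables -A custom-fw-input -p tcp --dport 834 -j ACCEPT
iptables -A custom-fw-input -p udp --dport 834 -j ACCEPT
iptables -A custom-fw-input -p tcp --dport 835 -j ACCEPT
iptables -A custom-fw-input -p udp --dport 835 -j ACCEPT

# Explicit final DROP for anything not matched above.
iptables -A custom-fw-input -j DROP

# Allow all outbound traffic.
iptables -P OUTPUT ACCEPT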
