Created Wed Aug, 28 2019 at 02:38PM
Today I had some issues implementing some iptables rules. So I first flushed all iptables rules (there were a lot from docker, fail2ban etc..). Then added in some test rules, first direct rules with iptables then with ipset.
In all tests below I just try pinging the test IP (9.9.9.9).
#ipv4
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -F
iptables -t mangle -F
iptables -F
iptables -X
# ipv6
ip6tables -P INPUT ACCEPT
ip6tables -P FORWARD ACCEPT
ip6tables -P OUTPUT ACCEPT
ip6tables -t nat -F
ip6tables -t mangle -F
ip6tables -F
ip6tables -X
iptables -A INPUT -s 9.9.9.9 -j DROP
Parameter | Description |
---|---|
-p, --protocol |
The protocol, such as TCP, UDP, etc. |
-s, --source |
Can be an address, network name, hostname, etc. |
-d, --destination |
An address, hostname, network name, etc. |
-j, --jump |
Specifies the target of the rule; i.e. what to do if the packet matches. |
-g, --goto chain |
Specifies that the processing will continue in a user-specified chain. |
-i, --in-interface |
Names the interface from where packets are received. |
-o, --out-interface |
Name of the interface by which a packet is being sent. |
-f, --fragment |
The rule will only be applied to the second and subsequent fragments of fragmented packets. |
-c, --set-counters |
Enables the admin to initialize the packet and byte counters of a rule. |
ipset -N myset iphash
ipset -A myset 9.9.9.9
iptables -I INPUT -m set --match-set myset src,dst -j DROP
iptables -I INPUT -m set --match-set myset src,dst -j LOG --log-prefix "myset denied: " --log-level 7
# running sudo dmesg should show the hits.
My issue ended up being my block solution using ThreatSTOP was allowing all traffic since I had added my servers IP to a user defined list therefore matching the src IP rule early in the chain, rendering my block policy useless. Once I removed my IP all was well.
1 RETURN all -- anywhere anywhere match-set TSallowaddr src
2 RETURN all -- anywhere anywhere match-set TSallownet src
3 RETURN all -- anywhere anywhere match-set TSallowaddr dst
4 RETURN all -- anywhere anywhere match-set TSallownet dst
5 LOG all -- anywhere anywhere match-set TSblockaddr src LOG level warning prefix "ThreatSTOP-TSblock "
6 DROP all -- anywhere anywhere match-set TSblockaddr src
7 LOG all -- anywhere anywhere match-set TSblocknet src LOG level warning prefix "ThreatSTOP-TSblock "
8 DROP all -- anywhere anywhere match-set TSblocknet src
9 LOG all -- anywhere anywhere match-set TSblockaddr dst LOG level warning prefix "ThreatSTOP-TSblock "
10 DROP all -- anywhere anywhere match-set TSblockaddr dst
11 LOG all -- anywhere anywhere match-set TSblocknet dst LOG level warning prefix "ThreatSTOP-TSblock "
12 DROP all -- anywhere anywhere match-set TSblocknet dst
13 RETURN all -- anywhere anywhere
Allow port from hostname
iptables -A INPUT -p tcp --src mydomain.dyndns.org --dport 22 -j ACCEPT
Remember that you can check your current iptables ruleset with sudo iptables -S
and sudo iptables -L
.
Let’s take a look at the iptables commands!
Iptables rules are ephemeral, which means they need to be manually saved for them to persist after a reboot.
On Ubuntu, the easiest way to save iptables rules, so they will survive a reboot, is to use the iptables-persistent
package. Install it with apt-get like this:
sudo apt-get install iptables-persistent
During the installation, you will asked if you want to save your current firewall rules.
If you update your firewall rules and want to save the changes, run this command:
sudo netfilter-persistent save
On versions of Ubuntu prior to 16.04, run this command instead:
sudo invoke-rc.d iptables-persistent save
On CentOS 6 and older—CentOS 7 uses FirewallD by default—you can use the iptables
init script to save your iptables rules:
sudo service iptables save
This will save your current iptables rules to the /etc/sysconfig/iptables
file.
If you want to learn how to list and delete iptables rules, check out this tutorial: How To List and Delete Iptables Firewall Rules.
This section includes a variety of iptables commands that will create rules that are generally useful on most servers.
The loopback interface, also referred to as lo
, is what a computer uses to forward network connections to itself. For example, if you run ping localhost
or ping 127.0.0.1
, your server will ping itself using the loopback. The loopback interface is also used if you configure your application server to connect to a database server with a “localhost” address. As such, you will want to be sure that your firewall is allowing these connections.
To accept all traffic on your loopback interface, run these commands:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A OUTPUT -o lo -j ACCEPT
As network traffic generally needs to be two-way—incoming and outgoing—to work properly, it is typical to create a firewall rule that allows established and related incoming traffic, so that the server will allow return traffic to outgoing connections initiated by the server itself. This command will allow that:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
You may want to allow outgoing traffic of all established connections, which are typically the response to legitimate incoming connections. This command will allow that:
sudo iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
Assuming eth0
is your external network, and eth1
is your internal network, this will allow your internal to access the external:
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
Some network traffic packets get marked as invalid. Sometimes it can be useful to log this type of packet but often it is fine to drop them. Do so with this command:
sudo iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
To block network connections that originate from a specific IP address, 15.15.15.51
for example, run this command:
sudo iptables -A INPUT -s 15.15.15.51 -j DROP
In this example, -s 15.15.15.51
specifies a source IP address of “15.15.15.51”. The source IP address can be specified in any firewall rule, including an allow rule.
If you want to reject the connection instead, which will respond to the connection request with a “connection refused” error, replace “DROP” with “REJECT” like this:
sudo iptables -A INPUT -s 15.15.15.51 -j REJECT
To block connections from a specific IP address, e.g. 15.15.15.51
, to a specific network interface, e.g. eth0
, use this command:
iptables -A INPUT -i eth0 -s 15.15.15.51 -j DROP
This is the same as the previous example, with the addition of -i eth0
. The network interface can be specified in any firewall rule, and is a great way to limit the rule to a particular network.
If you’re using a cloud server, you will probably want to allow incoming SSH connections (port 22) so you can connect to and manage your server. This section covers how to configure your firewall with various SSH-related rules.
To allow all incoming SSH connections run these commands:
sudo iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
To allow incoming SSH connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24
subnet, run these commands:
sudo iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established SSH connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
If your firewall OUTPUT
policy is not set to ACCEPT
, and you want to allow outgoing SSH connections—your server initiating an SSH connection to another server—you can run these commands:
sudo iptables -A OUTPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A INPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
Rsync, which runs on port 873, can be used to transfer files from one computer to another.
To allow incoming rsync connections from a specific IP address or subnet, specify the source IP address and the destination port. For example, if you want to allow the entire 15.15.15.0/24
subnet to be able to rsync to your server, run these commands:
sudo iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 873 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 873 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established rsync connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
Web servers, such as Apache and Nginx, typically listen for requests on port 80 and 443 for HTTP and HTTPS connections, respectively. If your default policy for incoming traffic is set to drop or deny, you will want to create rules that will allow your server to respond to those requests.
To allow all incoming HTTP (port 80) connections run these commands:
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established HTTP connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
To allow all incoming HTTPS (port 443) connections run these commands:
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established HTTP connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
If you want to allow both HTTP and HTTPS traffic, you can use the multiport module to create a rule that allows both ports. To allow all incoming HTTP and HTTPS (port 443) connections run these commands:
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established HTTP and HTTPS connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
MySQL listens for client connections on port 3306. If your MySQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.
To allow incoming MySQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24
subnet, run these commands:
sudo iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established MySQL connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
To allow MySQL connections to a specific network interface—say you have a private network interface eth1
, for example—use these commands:
sudo iptables -A INPUT -i eth1 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth1 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established MySQL connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
PostgreSQL listens for client connections on port 5432. If your PostgreSQL database server is being used by a client on a remote server, you need to be sure to allow that traffic.
To allow incoming PostgreSQL connections from a specific IP address or subnet, specify the source. For example, if you want to allow the entire 15.15.15.0/24
subnet, run these commands:
sudo iptables -A INPUT -p tcp -s 15.15.15.0/24 --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established PostgreSQL connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
To allow PostgreSQL connections to a specific network interface—say you have a private network interface eth1
, for example—use these commands:
sudo iptables -A INPUT -i eth1 -p tcp --dport 5432 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -o eth1 -p tcp --sport 5432 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established PostgreSQL connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
Mail servers, such as Sendmail and Postfix, listen on a variety of ports depending on the protocols being used for mail delivery. If you are running a mail server, determine which protocols you are using and allow the appropriate types of traffic. We will also show you how to create a rule to block outgoing SMTP mail.
If your server shouldn’t be sending outgoing mail, you may want to block that kind of traffic. To block outgoing SMTP mail, which uses port 25, run this command:
sudo iptables -A OUTPUT -p tcp --dport 25 -j REJECT
This configures iptables to reject all outgoing traffic on port 25. If you need to reject a different service by its port number, instead of port 25, simply replace it.
To allow your server to respond to SMTP connections, port 25, run these commands:
sudo iptables -A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 25 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established SMTP connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
Note: It is common for SMTP servers to use port 587 for outbound mail.
To allow your server to respond to IMAP connections, port 143, run these commands:
sudo iptables -A INPUT -p tcp --dport 143 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 143 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established IMAP connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
To allow your server to respond to IMAPS connections, port 993, run these commands:
sudo iptables -A INPUT -p tcp --dport 993 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 993 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established IMAPS connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
To allow your server to respond to POP3 connections, port 110, run these commands:
sudo iptables -A INPUT -p tcp --dport 110 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 110 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established POP3 connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
To allow your server to respond to POP3S connections, port 995, run these commands:
sudo iptables -A INPUT -p tcp --dport 995 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 995 -m conntrack --ctstate ESTABLISHED -j ACCEPT
The second command, which allows the outgoing traffic of established POP3S connections, is only necessary if the OUTPUT
policy is not set to ACCEPT
.
Very basic iptables setup https://superuser.com/questions/427458/deny-all-incoming-connections-with-iptables Try this with root access :
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT Note that this will brutally cut all running connections - this includes things like the SSH connection you may use to administer the server. Only use this if you have access to a local console.