IPtables Administration
Config file: /etc/sysconfig/iptables
Add the lines below to this file to block or accept traffic (one rule per line; the file holds rules in the same form that iptables-restore reads).
Block an incoming port
Syntax:
-A INPUT -p tcp --dport PORT-NUMBER-HERE -j DROP
To drop an incoming port:
-A INPUT -p tcp --dport 80 -j DROP
To drop an incoming port from a particular IP address or subnet:
-A INPUT -p tcp --dport 80 -s ipaddress -j DROP
-A INPUT -p tcp --dport 80 -s ipaddress/subnet -j DROP
Block an outgoing port
To drop an outgoing port:
-A OUTPUT -p tcp --dport 80 -j DROP
To drop an outgoing port to a particular IP address or subnet (OUTPUT rules match the destination with -d, not the source):
-A OUTPUT -d ipaddress -p tcp --dport 80 -j DROP
-A OUTPUT -d ipaddress/subnet -p tcp --dport 80 -j DROP
To restrict a block or accept rule to an interface, use -i (input interface) on INPUT rules and -o (output interface) on OUTPUT rules; iptables rejects -i in the OUTPUT chain:
-A INPUT -p tcp -i eth0 --dport 80 -s ipaddress -j DROP
-A OUTPUT -d ipaddress -p tcp -o eth0 --dport 80 -j DROP
Block incoming port 80 except for IP address 192.168.1.1:
-A INPUT -p tcp ! -s 192.168.1.1 --dport 80 -j DROP
Block outgoing port 80 except to IP address 192.168.1.1:
-A OUTPUT ! -d 192.168.1.1 -p tcp --dport 80 -j DROP
Accept an incoming/outgoing port
To accept instead of drop, use -j ACCEPT in place of -j DROP in the lines above.
How do I log dropped port details?
# Logging #
### If you would like to log dropped packets to syslog, first log them. The LOG rule must carry the same match as the DROP rule that follows it and must come first, because rules are evaluated in order; the limit match caps logging at 5 entries per minute so a flood cannot fill the log ###
/sbin/iptables -A INPUT -p tcp --dport 80 -m limit --limit 5/min -j LOG --log-prefix "PORT 80 DROP: " --log-level 7
### now drop them ###
/sbin/iptables -A INPUT -p tcp --dport 80 -j DROP
How do I block a cracker (IP: 123.1.2.3) from accessing UDP port 161?
/sbin/iptables -A INPUT -s 123.1.2.3 -i eth1 -p udp -m state --state NEW -m udp --dport 161 -j DROP
# drop the students' 192.168.1.0/24 subnet from port 80
/sbin/iptables -A INPUT -s 192.168.1.0/24 -i eth1 -p tcp -m state --state NEW -m tcp --dport 80 -j DROP
Rules added with /sbin/iptables take effect immediately but are lost at reboot unless written to the config file above (on RHEL-style systems, service iptables save does this).
Default chain policy
As you can see below, "(policy ACCEPT)" appears next to all three chain names (INPUT, OUTPUT, and FORWARD). This indicates that the default chain policy is ACCEPT: a packet that matches none of the rules in a chain is accepted.
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
- Option 1: Add drop rules
At the end of each chain, add the following three drop rules, which drop all incoming, outgoing, and forwarded packets that no earlier rule accepted:
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP
- Option 2: Change the default chain policy to DROP
At the beginning, execute the following three commands, which change each chain's default policy to DROP:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Whichever option you choose, make sure the rules that accept your own administrative traffic (such as the SSH accept rule in the listing above) are in place before the drop takes effect, or a remote session is cut off.
The options of a typical SSH accept rule, iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT, break down as follows:
- iptables -A INPUT: Append the new rule to the INPUT chain. For incoming connection requests, the chain always has to be INPUT.
- -i eth0: This refers to the input interface. For incoming connections, this always has to be '-i'.
- -p tcp: Indicates that this rule is for the TCP protocol.
- --dport 22: This refers to the destination port of the incoming connection. Port 22 is SSH.
- -m state: This indicates that the "state" matching module is used. The "-m" option (and all available matching modules for iptables) will be discussed in a future article.
- --state NEW,ESTABLISHED: Options for the "state" matching module. In this example, only the NEW and ESTABLISHED states are allowed. The first time an SSH connection is initiated from the client to the server, the NEW state is used; the ESTABLISHED state is used for all further requests from the client to the server.
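As an added example (not from the original post), a shell function that assembles the pieces above into one complete /etc/sysconfig/iptables ruleset in iptables-restore format: default policy DROP on all chains (option 2), loopback and established traffic accepted first so the administrator's SSH session survives, the SSH accept rule, and the rate-limited LOG rule placed directly before the port 80 DROP for the blocked subnet. The interface eth0 and the subnet 192.168.1.0/24 are the page's sample values; the function names are my own.

```shell
#!/bin/sh
# Emit a complete ruleset in iptables-restore format, the format used by
# /etc/sysconfig/iptables, assembled from the rules discussed above.
# Arguments: blocked subnet (default: the page's sample 192.168.1.0/24)
# and external interface (default: the page's sample eth0).
build_ruleset() {
    subnet="${1:-192.168.1.0/24}"
    iface="${2:-eth0}"
    cat <<EOF
*filter
# Option 2: default policy DROP on all three built-in chains
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Allow loopback and replies to established connections first; without
# these, a DROP policy on OUTPUT also kills the administrator's SSH session
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Accept new SSH connections on the external interface
-A INPUT -i ${iface} -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Log (rate-limited) and then drop new port 80 connections from the subnet;
# the LOG rule carries the same match and must precede the DROP rule
-A INPUT -i ${iface} -s ${subnet} -p tcp --dport 80 -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "PORT 80 DROP: " --log-level 7
-A INPUT -i ${iface} -s ${subnet} -p tcp --dport 80 -m state --state NEW -j DROP
COMMIT
EOF
}

# Check the ordering the logging section depends on: the LOG rule has to
# come before its matching DROP, or nothing is ever logged. Returns 0 if so.
log_before_drop() {
    ruleset=$(build_ruleset "$@")
    log_line=$(printf '%s\n' "$ruleset" | grep -n -- '-j LOG' | head -n 1 | cut -d: -f1)
    drop_line=$(printf '%s\n' "$ruleset" | grep -n -- '--dport 80 .*-j DROP$' | head -n 1 | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$drop_line" ] && [ "$log_line" -lt "$drop_line" ]
}

# To write the file and load it (as root):
#   build_ruleset > /etc/sysconfig/iptables && iptables-restore < /etc/sysconfig/iptables
```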