Thursday, October 9, 2014

Iptables Rules

Top iptables Rules

Status of Your Firewall

Hack@Rhino# iptables -L -n -v
Where,

-L : List rules.
-v : Display detailed (verbose) information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
-n : Display IP addresses and ports in numeric form; do not use DNS to resolve names. This speeds up listing.

Stop / Start / Restart the Firewall

If you are using BackTrack / Kali Linux / CentOS / RHEL / Fedora Linux, enter:
Hack@Rhino# service iptables stop
Hack@Rhino# service iptables start
Hack@Rhino# service iptables restart
You can also use the iptables command itself to stop the firewall and delete all rules. Set the default policies to ACCEPT before flushing: if the policy is still DROP when the ACCEPT rules disappear, a remote SSH session is cut off.
Hack@Rhino# iptables -P INPUT ACCEPT
Hack@Rhino# iptables -P OUTPUT ACCEPT
Hack@Rhino# iptables -P FORWARD ACCEPT
Hack@Rhino# iptables -F
Hack@Rhino# iptables -X
Hack@Rhino# iptables -t nat -F
Hack@Rhino# iptables -t nat -X
Hack@Rhino# iptables -t mangle -F
Hack@Rhino# iptables -t mangle -X
Where,

-F : Delete (flush) all rules.
-X : Delete user-defined chains.
-t table_name : Select the table (nat or mangle) whose rules to flush or delete.
-P : Set the default policy of a built-in chain (ACCEPT or DROP; REJECT is a target, not a valid chain policy).

Delete Existing Rules


Before you start building a new set of rules, you may want to clear the default and existing rules. Use the iptables flush command to do this (without -t it flushes only the filter table):
Hack@Rhino# iptables -F
(or)
Hack@Rhino# iptables --flush

Allow POP3 and POP3S

The following rules allow POP3 access.
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
The following rules allow POP3S access.
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

Allow MySQL connection only from a specific network

If you are running MySQL, you typically do not want to allow direct connections from outside. In most cases the web server runs on the same host as the MySQL database.
However, DBAs and developers may need to log in to MySQL directly from their laptops and desktops with a MySQL client. In that case you may want to allow your internal network to talk to MySQL directly, as shown below.
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

Allow Sendmail or Postfix Traffic

The following rules allow mail traffic. It may be sendmail or postfix.
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

Allow IMAP and IMAPS

The following rules allow IMAP/IMAP2 traffic.
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
The following rules allow IMAPS traffic.
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

Allow ALL Incoming SSH

The following rules allow all incoming SSH connections on the eth0 interface.
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow Incoming SSH only from a Specific Network

The following rules allow incoming SSH connections only from the 192.168.100.0/24 network.
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
In the above example, instead of /24 you can also use the full subnet mask, i.e. "192.168.100.0/255.255.255.0".

Allow Incoming HTTP and HTTPS

The following rules allow all incoming web traffic, i.e. HTTP traffic to port 80.
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
The following rules allow all incoming secure web traffic, i.e. HTTPS traffic to port 443.
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

Combine Multiple Rules Together using MultiPorts

When you are allowing incoming connections from outside world to multiple ports, instead of writing individual rules for each and every port, you can combine them together using the multiport extension as shown below.
The following example allows all incoming SSH, HTTP and HTTPS traffic.
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

Allow Outgoing SSH

The following rules allow outgoing SSH connections, i.e. when you ssh from inside to an outside server.
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
Please note that this is slightly different from the incoming rule: here we allow both the NEW and ESTABLISHED states on the OUTPUT chain, and only the ESTABLISHED state on the INPUT chain. For the incoming rule it is the other way round.

Allow Outgoing SSH only to a Specific Network

The following rules allow outgoing SSH connections only to a specific network, i.e. from the inside you can ssh only to the 192.168.100.0/24 network.
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

Allow Outgoing HTTPS

The following rules allow outgoing secure web traffic. This is helpful when you want to allow internet traffic for your users. On servers, these rules are also helpful when you want to use wget to download some files from outside.
Hack@Rhino# iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
Hack@Rhino# iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
Note: For outgoing HTTP web traffic, add two additional rules like the above, and change 443 to 80.

Load Balance Incoming Web Traffic

You can also load balance incoming web traffic with iptables rules.
This uses the nth match, which comes from the patch-o-matic extensions; stock iptables ships the equivalent statistic match (-m statistic --mode nth). The following example spreads HTTPS connections over three servers: every third new connection (shared counter 0, offsets 0, 1 and 2) is DNATed to the corresponding server. The DNAT target is only valid in the nat table, so the rules must be added with -t nat.
Hack@Rhino# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
Hack@Rhino# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
Hack@Rhino# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
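The three rules above are one instance of a general pattern. As an added example, not a script from the post, the following generates the nat PREROUTING rules for any number of backends and simulates the counters, so the spread can be checked before anything is loaded. It assumes eth0 as the inbound interface, made-up backend addresses, and the stock statistic match (-m statistic --mode nth) rather than the patch-o-matic nth match. The two differ in one important way: the nth patch's --counter option let several rules share one counter, which is why the rules above can use --packet 0, 1 and 2 against the same --every 3. The statistic match keeps a counter per rule, so each rule only sees the packets the earlier rules did not take; the generator therefore shrinks --every on each successive rule (3, then 2, then a catch-all), which is what keeps the split even.

```shell
#!/bin/sh
# Added example (not from the post). Assumed: eth0 inbound, constructed backend
# addresses, and the stock "statistic" match in place of the older "nth" patch.

# lb_rules PORT BACKEND...: print nat PREROUTING rules that spread NEW connections
# to PORT evenly over the backends. Because statistic counters are per rule, rule i
# of N must take every (N-i)-th packet that reaches it; the last rule takes the rest.
lb_rules() {
    port="$1"; shift
    n=$#; i=0
    for backend in "$@"; do
        if [ "$i" -lt $((n - 1)) ]; then
            match="-m statistic --mode nth --every $((n - i)) --packet 0 "
        else
            match=""   # catch-all for whatever the earlier rules let through
        fi
        printf 'iptables -t nat -A PREROUTING -i eth0 -p tcp --dport %s -m state --state NEW %s-j DNAT --to-destination %s:%s\n' \
            "$port" "$match" "$backend" "$port"
        i=$((i + 1))
    done
}

# simulate_nth N PACKETS: run PACKETS new connections through the per-rule
# counters the generated rules would have, and print how many each backend got.
simulate_nth() {
    awk -v n="$1" -v packets="$2" 'BEGIN {
        for (p = 0; p < packets; p++) {
            for (i = 0; i < n; i++) {
                every = n - i
                hit = (i == n - 1) || (seen[i] % every == 0)
                seen[i]++            # the counter advances for every packet the rule inspects
                if (hit) { hits[i]++; break }
            }
        }
        for (i = 0; i < n; i++) printf "%d%s", hits[i], (i < n - 1 ? " " : "\n")
    }'
}

lb_rules 443 192.168.1.101 192.168.1.102 192.168.1.103
echo "simulated split of 30 new connections: $(simulate_nth 3 30)"
```

The generated rules are printed rather than loaded; pipe the output of lb_rules into sh as root once the simulated split looks right. Only NEW connections are counted, so all packets of one TCP session go to the same backend via conntrack.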

Allow Ping from Outside to Inside

The following rules allow outside users to be able to ping your servers.
Hack@Rhino# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Ping from Inside to Outside

The following rules allow you to ping from inside to any of the outside servers.
Hack@Rhino# iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
Hack@Rhino# iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Loopback Access

You should allow full loopback access on your servers, i.e. access via 127.0.0.1; local services such as a MySQL client on the same host depend on it.
Hack@Rhino# iptables -A INPUT -i lo -j ACCEPT
Hack@Rhino# iptables -A OUTPUT -o lo -j ACCEPT
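The sections above each add rules in isolation, but iptables evaluates a chain top down and the first match wins, so the order in which the pieces are loaded, and when the default policy is switched to DROP, decides whether the result is usable. As an added example, not the post's own script, the following strings the pieces together in a safe order. It assumes eth0 is the only interface, 192.168.100.0/24 is the admin LAN, and the host serves HTTP and HTTPS; the IPT variable is a prefix that defaults to "echo iptables", so running the script prints the rules it would load instead of loading them.

```shell
#!/bin/sh
# Added example, not the post's own script. Assumptions: eth0 is the only
# interface, 192.168.100.0/24 is the admin LAN, and the host serves HTTP/HTTPS.
# IPT is the command prefix; it defaults to "echo iptables" so the script prints
# the rules it would load, which lets it be reviewed (and run) without root.
IPT="${IPT:-echo iptables}"

# firewall_rules LAN_CIDR: emit the rule set in an order that never locks out
# the administrator and only closes the policies once every ACCEPT is in place.
firewall_rules() {
    lan="$1"
    # 1. Open the policies before flushing, so an existing SSH session survives the reset.
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
    # 2. Loopback first: local clients (the MySQL socket, the resolver) use lo.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # 3. One stateful rule per chain replaces all the per-service
    #    "--sport N --state ESTABLISHED" reply rules in the post.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 4. Drop packets that claim to belong to a connection conntrack never saw.
    $IPT -A INPUT -m state --state INVALID -j DROP
    # 5. Inbound services: SSH from the LAN only, web and ping from anywhere.
    $IPT -A INPUT -i eth0 -p tcp -s "$lan" --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # 6. Outbound from this host: DNS lookups and HTTP/HTTPS (updates, wget).
    $IPT -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -o eth0 -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # 7. Log what is about to be dropped, rate limited so the log cannot be flooded.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-DROP: "
    # 8. Only now, with every ACCEPT in place, close the default policies.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
}

firewall_rules 192.168.100.0/24
```

Run it as is to review the output; run it as root with IPT=iptables to load the rules. Because reply packets are accepted by the single ESTABLISHED,RELATED rule, the separate "--sport N --state ESTABLISHED" rules from the sections above are not needed, and a new service is opened by adding one NEW rule in step 5 or 6.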

Allow Internal Network to External Network

On a firewall server where one Ethernet card is connected to the external network and another to the internal servers, use the following rule to let the internal network talk to the external network.
In this example, eth1 is connected to the external network (the Internet) and eth0 to the internal network (for example, 192.168.1.x).
Hack@Rhino# iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
This covers only the outbound direction. Replies pass through FORWARD from eth1 to eth0, so unless the FORWARD policy is ACCEPT they need a matching rule for the ESTABLISHED,RELATED states, and the kernel must have IP forwarding enabled (net.ipv4.ip_forward = 1).

Allow outbound DNS

The following rules allow outgoing DNS connections.
Hack@Rhino# iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
Hack@Rhino# iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

Allow NIS Connections

If you are running NIS to manage your user accounts, you should allow the NIS connections. Even when SSH is allowed, users will not be able to log in unless the ypbind connections NIS depends on are allowed too.
The NIS ports are dynamic, i.e. ypbind allocates them when it starts.
First run rpcinfo -p as shown below and note the port numbers. In this example, ypbind was using ports 853 and 850.
Hack@Rhino# rpcinfo -p | grep ypbind
Now allow incoming connections to port 111 (the portmapper) and to the ports ypbind is using.
Hack@Rhino# iptables -A INPUT -p tcp --dport 111 -j ACCEPT
Hack@Rhino# iptables -A INPUT -p udp --dport 111 -j ACCEPT
Hack@Rhino# iptables -A INPUT -p tcp --dport 853 -j ACCEPT
Hack@Rhino# iptables -A INPUT -p udp --dport 853 -j ACCEPT
Hack@Rhino# iptables -A INPUT -p tcp --dport 850 -j ACCEPT
Hack@Rhino# iptables -A INPUT -p udp --dport 850 -j ACCEPT
The above will stop working when ypbind is restarted, because it will be allocated different ports.
There are two solutions: 1) use a static ip-address for your NIS, or 2) use some shell scripting to pull the current port numbers out of the "rpcinfo -p" output and feed them into the iptables rules above.
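As an added example, not the post's own script, the following implements solution 2: it reads rpcinfo -p output, picks out the ypbind lines, and prints the iptables commands for port 111 plus whatever ports ypbind currently holds. The rpcinfo output embedded in it is constructed to match the post's 853/850 example, and the rules are additionally limited to an assumed LAN of 192.168.1.0/24, since NIS has no authentication of its own. On a real host the live rpcinfo -p output is piped into nis_rules instead of the sample.

```shell
#!/bin/sh
# Added example (not from the post). The rpcinfo output below is constructed;
# the ports match the post's example and 192.168.1.0/24 is an assumed LAN.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100007    2   udp    853  ypbind
    100007    2   tcp    850  ypbind
    100007    1   udp    853  ypbind
    100007    1   tcp    850  ypbind'

# ypbind_ports: read "rpcinfo -p" output on stdin and print each distinct
# "proto port" pair registered by ypbind (columns 3 and 4 of the listing).
ypbind_ports() {
    awk '$5 == "ypbind" { print $3, $4 }' | sort -u
}

# nis_rules LAN_CIDR: print the iptables commands that open the portmapper (111)
# and the ports ypbind holds right now, for clients in LAN_CIDR only.
nis_rules() {
    lan="$1"
    printf 'iptables -A INPUT -s %s -p tcp --dport 111 -j ACCEPT\n' "$lan"
    printf 'iptables -A INPUT -s %s -p udp --dport 111 -j ACCEPT\n' "$lan"
    ypbind_ports | while read -r proto port; do
        printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' "$lan" "$proto" "$port"
    done
}

# On a real host:  rpcinfo -p | nis_rules 192.168.1.0/24 | sh
# Here the constructed sample is used instead, and the rules are only printed.
printf '%s\n' "$SAMPLE_RPCINFO" | nis_rules 192.168.1.0/24
```

Because the rules are regenerated from the live registration each time, the script can be run from the ypbind start-up hook so that a restart with new ports does not leave users locked out.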

Blocking an IP Address (BLOCK IP)

To block an attacker's IP address, say 1.2.3.4, or a whole subnet, enter:
Hack@Rhino# iptables -A INPUT -s 1.2.3.4 -j DROP
Hack@Rhino# iptables -A INPUT -s 192.168.0.0/24 -j DROP
Because -A appends, this DROP sits below any ACCEPT rules already in the chain and is never reached by traffic they match; use -I INPUT instead to put it first.

Block Incoming Port Requests (BLOCK PORT)

To block all service requests on port 80, enter (the second form limits the block to traffic arriving on eth1):
Hack@Rhino# iptables -A INPUT -p tcp --dport 80 -j DROP
Hack@Rhino# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP
To block port 80 only for the IP address 1.2.3.4 (or, on eth1, for the 192.168.1.0/24 subnet), enter:
Hack@Rhino# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
Hack@Rhino# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

Block Outgoing IP Address

To block outgoing traffic to a particular host or domain such as hackrhino.com, first resolve its address:
Hack@Rhino# host -t a hackrhino.com
Sample output:
hackrhino.com has address 104.28.12.34
Note down the IP address and type the following to block all outgoing traffic to 104.28.12.34:
Hack@Rhino# iptables -A OUTPUT -d 104.28.12.34 -j DROP
You can also use a subnet, optionally restricted to one interface:
Hack@Rhino# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
Hack@Rhino# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP
Example - Block Facebook.com Domain

First, find out all IP addresses of www.facebook.com, enter:
Hack@Rhino# host -t a www.facebook.com
Sample output:
www.facebook.com has address 69.171.228.40
Find CIDR for 69.171.228.40, enter:
Hack@Rhino# whois 69.171.228.40 | grep CIDR
Sample output:
CIDR:           69.171.224.0/19
To prevent outgoing access to www.facebook.com, enter:
Hack@Rhino# iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
You can also use a domain name, enter:
Hack@Rhino# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
Hack@Rhino# iptables -A OUTPUT -p tcp -d facebook.com -j DROP
The iptables man page advises against this: the name is resolved once, when the rule is inserted, so the rule only ever covers the addresses returned at that moment.
... specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address ...
Block or Allow ICMP Ping Request

Type the following command to block ICMP ping requests:
Hack@Rhino# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
Hack@Rhino# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

Ping responses can also be limited to certain networks or hosts:
Hack@Rhino# iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
The following accepts only a limited set of ICMP types:
### ** assumed that default INPUT policy set to DROP ** #############
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** allow our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Block or Open Common Ports

The following shows syntax for opening and closing common TCP and UDP ports:
 
Replace ACCEPT with DROP to block port:
## open port ssh tcp port 22 ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
 
## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
 
## allow time sync via NTP for lan users (open udp port 123) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
 
## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
 
## open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
 
## open http/https (Apache) server port to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
 
## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
 
## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
 
## open access to Samba file server for lan users only ##
## (NetBIOS name and datagram services on 137/138 are UDP; NetBIOS session on 139 and SMB on 445 are TCP)
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
 
## open access to proxy server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
 
## open access to mysql server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
 

Restrict the Number of Parallel Connections To a Server Per Client IP

You can use the connlimit module to enforce such limits. To allow at most 3 SSH connections per client host, enter:
Hack@Rhino# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
To limit HTTP connections to 20 per /24 network, enter:
Hack@Rhino# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
Where,
  1. --connlimit-above 3 : Match if the number of existing connections is above 3.
  2. --connlimit-mask 24 : Group hosts by prefix length. For IPv4, this must be a number between 0 and 32 (inclusive).