Sample iptables ruleset


By popular demand, here is a sample ruleset for iptables.

Disclaimer: This is only a template to help you build an iptables ruleset that best fits your environment; it is not intended as a security standard, nor will it fit every environment. Please use this sample only as a guide to syntax and ideas on how to use iptables.

This ruleset can be placed in your distribution's iptables rules file (for example /etc/sysconfig/iptables) so that it is activated whenever iptables restarts.

Default locations of IPtables rulesets:

  • Fedora/RedHat/RHEL: /etc/sysconfig/iptables
  • Ubuntu/Debian: /etc/iptables.rules (a conventional location rather than a fixed one; the file is written with the iptables-save command, so its path can be changed)

Note: These may vary by distribution and version


*filter

# Default policies: drop incoming traffic that no explicit rule below accepts;
# forwarded and outgoing traffic is accepted. The bracketed values are
# packet:byte counters and may be left as [0:0].
:INPUT DROP [68:4456]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1628:151823]

# Allow replies to established connections on both the public and private
# interfaces (eth0 and eth1)
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Opening ports wide open (accepted from any source address):
# SSH (22), HTTP (80), HTTPS (443), FTP (21), MySQL (3306)
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT

# Opening a port to a single source IP
-A INPUT -p tcp -m tcp --dport 10000 -s 192.168.1.1 -j ACCEPT

# Opening a port to a range of source IPs (a /24 network)
-A INPUT -p tcp -m tcp --dport 20000 -s 192.168.0.0/24 -j ACCEPT

# Committing the rules to the firewall
COMMIT
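As an added example that is not part of this article, the following Python script parses a ruleset in the iptables-save format used above and reports the INPUT-chain gaps a reviewer would check before deploying it: a default policy other than DROP, no rule accepting loopback traffic (this template has none, so local services connecting to 127.0.0.1 would be dropped), and ports accepted from any source. The audit criteria and the loopback check are this example's own assumptions, not Rackspace's guidance.

```python
# The ruleset from this page, embedded here as constructed input
RULESET = """*filter
:INPUT DROP [68:4456]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1628:151823]
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10000 -s 192.168.1.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000 -s 192.168.0.0/24 -j ACCEPT
COMMIT
"""


def parse_ruleset(text):
    """Return (policies, rules): chain -> default policy, and one option dict per -A line."""
    policies, rules = {}, []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].startswith(":"):       # ":CHAIN POLICY [pkts:bytes]"
            policies[tokens[0][1:]] = tokens[1]
        elif tokens and tokens[0] == "-A":             # *table, COMMIT and # comments are skipped
            rule, i = {"chain": tokens[1]}, 2
            while i < len(tokens):                     # "-opt value" pairs or bare flags
                has_val = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
                rule[tokens[i]] = tokens[i + 1] if has_val else True
                i += 2 if has_val else 1
            rules.append(rule)
    return policies, rules


def audit_input_chain(text):
    """Findings: INPUT policy not DROP, no loopback accept, ports open to any source."""
    policies, rules = parse_ruleset(text)
    findings = []
    if policies.get("INPUT") != "DROP":
        findings.append("INPUT default policy is not DROP")
    if not any(r["chain"] == "INPUT" and r.get("-i") == "lo" for r in rules):
        findings.append("no rule accepts loopback traffic (-i lo)")
    for r in rules:                                    # ACCEPT with --dport but no -s restriction
        if r["chain"] == "INPUT" and r.get("-j") == "ACCEPT" and "--dport" in r and "-s" not in r:
            findings.append(f"port {r['--dport']}/{r.get('-p', 'any')} open to any source")
    return findings
```

Run against the template above, the audit reports the missing loopback rule and the five ports (22, 80, 443, 21, 3306) reachable from any address, while the two source-restricted rules pass.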

© 2011-2013 Rackspace US, Inc.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License

