Iptables Command Line Tool Examples: Difference between revisions
Line 104: | Line 104: | ||
=Allow Multicast Traffic to Go Out= | =Allow Multicast Traffic to Go Out= | ||
The standard <tt>/etc/sysconfig/iptables</tt> rule that allows all traffic out should be sufficient: | |||
<pre> | |||
[...] | |||
[...] | |||
</pre> | |||
=Allow Multicast Traffic to Come In= | =Allow Multicast Traffic to Come In= |
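Review bot: the <pre> block added under =Allow Multicast Traffic to Go Out= contains only two "[...]" markers and no rule, so the section does not show what it claims "should be sufficient"; either quote the :OUTPUT ACCEPT policy from the base configuration (that is what lets all outbound traffic, multicast included, out) or state plainly that no extra rule is needed and drop the empty block.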
Revision as of 06:07, 9 January 2016
Internal
Base Configuration
Use the content below to overwrite the existing /etc/sysconfig/iptables, then load it with "systemctl restart iptables" (iptables-services) or "iptables-restore < /etc/sysconfig/iptables". Because the INPUT policy is DROP, apply it from a console session or with a fallback in hand: a mistake in the SSH rule cuts off remote access. Note also that the ESTABLISHED-only rule does not admit RELATED packets (ICMP errors for the host's own connections, FTP data connections); use --state ESTABLISHED,RELATED if you need them.
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
# the default INPUT chain policy is to DROP unless there's a rule that explicitly accepts the packet
:INPUT DROP [0:0]
# the default FORWARD chain policy is to DROP unless there's a rule that explicitly accepts the packet
:FORWARD DROP [0:0]
# the default OUTPUT chain policy is to ACCEPT unless there's a rule that explicitly rejects or drops the packet
:OUTPUT ACCEPT [0:0]
# anything that comes from us through the loopback interface is accepted
-A INPUT -i lo -j ACCEPT
# packets belonging to connections already established (including those initiated by us) are accepted
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# by default, we allow new SSH connections on port 22 on all interfaces - we may want to change that and be more selective
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
#
# everything else coming from outside will be dropped
#
#
# all outbound traffic is accepted
#
COMMIT
Base IPv6 Configuration
Use the content below to overwrite the existing /etc/sysconfig/ip6tables. Note that this drops every inbound IPv6 packet, including replies to connections the host itself opens and ICMPv6 Neighbor Discovery, so it effectively disables IPv6 on the host. If IPv6 is actually in use, add loopback, ESTABLISHED and ICMPv6 rules mirroring the IPv4 file instead.
#
# DROP all inbound and forward traffic, allow all outbound traffic
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
Allow SSH Only From the Internal Network on a Non-Standard Port
Add to /etc/sysconfig/iptables in place of the base configuration's port 22 rule. With this rule alone, new SSH connections are accepted only on enp0s25, only from 192.168.1.0/24 and only on port 12345; attempts on any other interface, from any other source address, or to port 22 are dropped. Make sure enp0s25 is the internal network interface and 192.168.1.0/24 is the internal subnet.
[...]
# allow SSH only from the internal network on a non-standard port
-A INPUT -i enp0s25 -p tcp -m tcp --dport 12345 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
[...]
Details on how to reconfigure sshd to listen on a non-standard port are available here: Changing the Default sshd Port. Important! The sshd change and the firewall rule change have to be coordinated, otherwise you lose remote SSH access as soon as one of the two is restarted without the other. The safe order is: add the rule for the new port while keeping the port 22 rule, reload the firewall, move sshd to the new port and restart it, confirm that a fresh login on the new port works, and only then remove the port 22 rule and reload again.
Allow a Web Server on a Specific Interface
In /etc/sysconfig/iptables:
[...]
# allow a web server on a specific interface on both 80 and 443
-A INPUT -i enp15s0u2 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i enp15s0u2 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
[...]
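As an added example (not from the original page), the following shell script builds the ruleset described in the base configuration, the internal-only SSH section and the web server section above from parameters instead of hand-editing /etc/sysconfig/iptables, sanity-checks the file offline, and loads it with a rollback timer so that a wrong rule does not lock you out of the session you are working from. It deliberately uses -m conntrack --ctstate (the current spelling of -m state --state) and adds RELATED so ICMP errors for the host's own connections get through. The interface names, 192.168.1.0/24 and port 12345 are the page's sample values; the function names gen_iptables_rules, check_ruleset and apply_with_rollback are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: build the page's ruleset from
# parameters, sanity-check the file offline, and load it with a rollback
# timer. Interface names, 192.168.1.0/24 and port 12345 are the page's sample
# values; gen_iptables_rules, check_ruleset and apply_with_rollback are names
# chosen for this example.

# gen_iptables_rules INTERNAL_IF INTERNAL_NET SSH_PORT [WEB_IF]
# Prints an iptables-restore file: default-deny INPUT/FORWARD, open OUTPUT,
# SSH only from INTERNAL_NET on INTERNAL_IF, and (optionally) 80/443 on WEB_IF.
gen_iptables_rules() {
    int_if=$1; int_net=$2; ssh_port=$3; web_if=${4:-}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback
-A INPUT -i lo -j ACCEPT
# replies to our own connections; RELATED admits ICMP errors and helper-tracked
# data channels that an ESTABLISHED-only rule would drop
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (bad TCP flags, out-of-window) are dropped
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the internal network, on the internal interface
-A INPUT -i $int_if -s $int_net -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
EOF
    if [ -n "$web_if" ]; then
        cat <<EOF
# web server on a specific interface, ports 80 and 443
-A INPUT -i $web_if -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
EOF
    fi
    printf 'COMMIT\n'
}

# check_ruleset FILE: offline structural check, no root and no iptables needed.
# Every table opened with *name must end with COMMIT, and every -A must name a
# chain declared with ':' in that table. For the real parser run, as root,
# 'iptables-restore --test FILE'.
check_ruleset() {
    awk '
        /^\*/      { table = $1; for (c in chains) delete chains[c]; next }
        /^:/       { sub(/^:/, "", $1); chains[$1] = 1; next }
        /^-A /     { if (!($2 in chains)) { print "unknown chain " $2 " in " table; bad = 1 } next }
        /^COMMIT$/ { table = ""; next }
        END        { if (table != "") { print "missing COMMIT for " table; bad = 1 } exit bad }
    ' "$1"
}

# apply_with_rollback RULEFILE [SECONDS]: load RULEFILE and, unless Enter is
# pressed within SECONDS (default 60), restore the previous ruleset. Run it
# from the SSH session you want to keep: if the new rules cut that session,
# the detached timer puts the old rules back. Requires root.
apply_with_rollback() {
    rulefile=$1; grace=${2:-60}
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    if ! iptables-restore < "$rulefile"; then
        iptables-restore < "$backup"; rm -f "$backup"; return 1
    fi
    # ignore HUP so the timer survives the SSH session being dropped
    ( trap '' HUP; sleep "$grace"; iptables-restore < "$backup" ) &
    timer=$!
    printf 'rules loaded; press Enter within %ss to keep them: ' "$grace"
    if read -r _; then
        kill "$timer" 2>/dev/null; rm -f "$backup"; return 0
    fi
    return 1
}

# stand-alone use: ./rules.sh enp0s25 192.168.1.0/24 12345 [enp15s0u2] > rules
if [ $# -ge 3 ]; then
    gen_iptables_rules "$@"
fi
```

Typical use is "./rules.sh enp0s25 192.168.1.0/24 12345 enp15s0u2 > /tmp/rules && check_ruleset /tmp/rules && apply_with_rollback /tmp/rules 60" from the session you want to keep; only once a second login on the new SSH port succeeds do you copy the file over /etc/sysconfig/iptables.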
Allow Multicast Traffic to Go Out
No extra rule is needed: the base /etc/sysconfig/iptables configuration sets the OUTPUT chain policy to ACCEPT, so outbound multicast, like all other outbound traffic, is already allowed:
[...]
[...]