Iptables Command Line Tool Examples: Difference between revisions

From NovaOrdis Knowledge Base

Revision as of 00:18, 6 January 2016

Internal

Base Configuration

Use the content below to overwrite the existing /etc/sysconfig/iptables, then reload the rules.

*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
COMMIT

*filter

# the default INPUT chain policy is to DROP unless there's a rule that explicitly accepts the packet
:INPUT DROP

# the default FORWARD chain policy is to DROP unless there's a rule that explicitly accepts the packet
:FORWARD DROP

# the default OUTPUT chain policy is to ACCEPT unless there's a rule that explicitly rejects or drops the packet
:OUTPUT ACCEPT

# anything that comes from us through the loopback interface is accepted
-A INPUT -i lo -j ACCEPT

# packets belonging to already established connections (including the ones we initiated) are accepted
-A INPUT -m state --state ESTABLISHED -j ACCEPT

# by default, we allow new SSH connections on port 22 on all interfaces - we may want to change that and be more selective
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

#
# everything else coming from outside will be dropped
#

#
# all outbound traffic is accepted
#
COMMIT

Allow SSH Only From the Internal Network on a Non-Standard Port


[...]

# allow SSH only from the internal network on a non-standard port
-A INPUT -p tcp -m tcp --dport 12345 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT

[...]

Important! sshd server reconfiguration and the firewall rule change must be done at the same time, otherwise you may lose remote ssh access between reboots.
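
To check for exactly that lockout before a ruleset is loaded, the following added Python example (not part of the wiki page) simulates the INPUT chain of an iptables-save style file and reports what it does with a new SSH connection from a given source. The sample ruleset, the packet dictionary layout and the helper names are constructed for this illustration; only the options used on this page (-i, -p, --dport, --state, -s) are handled and '!' negation is not supported.

```python
from ipaddress import ip_address, ip_network
# Constructed sample: the INPUT part of the page's base config, with SSH moved to port 12345 from the LAN.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 12345 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
COMMIT
"""

def _parse_rule(line):
    """'-A INPUT -p tcp ... -j ACCEPT' -> {option: value}; no '!' negation support."""
    toks, opts, i = line.split(), {}, 0
    while i < len(toks):
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        opts[toks[i]] = toks[i + 1] if has_val else None
        i += 2 if has_val else 1
    return opts

def parse_input_chain(text):
    """Return (default policy, rules) of the INPUT chain in the *filter table."""
    policy, rules, in_filter = None, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A INPUT "):
            rules.append(_parse_rule(line))
    return policy, rules

def _matches(rule, pkt):
    """Options absent from a rule match anything, as in iptables."""
    return (rule.get("-i") in (None, pkt["iface"])
            and rule.get("-p") in (None, pkt["proto"])
            and rule.get("--dport") in (None, str(pkt["dport"]))
            and ("--state" not in rule or pkt["state"] in rule["--state"].split(","))
            and ("-s" not in rule or ip_address(pkt["src"]) in ip_network(rule["-s"], strict=False)))

def verdict(text, pkt):
    """First matching INPUT rule decides; with no match the chain policy applies."""
    policy, rules = parse_input_chain(text)
    for rule in rules:
        if _matches(rule, pkt):
            return rule["-j"]
    return policy

def new_ssh(port, src, iface="eth0"):  # a fresh connection attempt: state NEW
    return {"proto": "tcp", "dport": port, "src": src, "iface": iface, "state": "NEW"}
```

Run verdict(SAMPLE_RULES, new_ssh(22, "192.168.1.10")) against the new ruleset: it returns DROP, which is why sshd must already be listening on 12345 from the address range you connect from before this ruleset is loaded.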

Allow a Web Server on a Specific Interface


[...]

# allow a web server on a specific interface, on both port 80 and port 443
-A INPUT -i enp15s0u2 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i enp15s0u2 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

[...]