How To Use Iptables in Linux?

Here is an effective way to put your finger on the pulse of network packets using Iptables. The man page of Iptables explains that "iptables is used to set up, maintain, and inspect the tables of IPv4 packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains..." and so on. Fine!! It's a lengthy explanation with a lot of geeky terms. Okay, let's take a step-by-step approach with practical examples to understand it better.
Iptables is a tool for editing packet-filtering rules: with it you can inspect packet headers and decide what happens to those packets. It is not the only solution for controlling this filtering. It is important to note that in GNU/Linux, packet filtering is built into the kernel.
Clearing existing rules
$ iptables -t filter -F
$ iptables -t filter -X
Filtering ping with Iptables
Ping scanning is typically used to determine which hosts on a network are alive. It works by sending ICMP ECHO request packets to the target host. The commands below concern ICMP ECHO requests sent to broadcast/multicast addresses and directly to the host itself.
$ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Protection against ICMP redirect requests
$ echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
Block sending ICMP redirect messages
$ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
Iptables commands to filter ping
$ iptables -t filter -A INPUT -p icmp -j ACCEPT
$ iptables -t filter -A OUTPUT -p icmp -j ACCEPT
Log packets with nonexistent (martian) addresses, usually due to wrong routes, on your network
$ echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
Enable packet forwarding, required for NAT
$ echo 1 > /proc/sys/net/ipv4/ip_forward
Accept SSH
$ iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
Keep established connections from breaking
$ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$ iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Block all connections by default
$ iptables -t filter -P INPUT DROP
$ iptables -t filter -P FORWARD DROP
$ iptables -t filter -P OUTPUT DROP
IP spoofing protection
$ echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
Disable IPv4 forwarding
$ echo 0 > /proc/sys/net/ipv4/ip_forward
SYN-Flood Protection
$ iptables -N syn-flood
$ iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
$ iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
$ iptables -A syn-flood -j DROP
The chain does nothing until incoming connection attempts are sent through it, so hook it into INPUT:
$ iptables -A INPUT -p tcp --syn -j syn-flood
Accept input and output traffic on the loopback interface
$ iptables -t filter -A INPUT -i lo -j ACCEPT
$ iptables -t filter -A OUTPUT -o lo -j ACCEPT
Detect scanning connections
Addresses must first be recorded in the "scan" list by a rule using the recent module's --set option. The LOG rule is listed before the DROP, because a packet dropped by an earlier rule never reaches a later one.
$ iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j LOG --log-level info --log-prefix "Scan recent"
$ iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j DROP
Drop SYN packets with invalid flag combinations (each LOG rule precedes its DROP so that it is actually reached)
$ iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
$ iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
$ iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
$ iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$ iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"
$ iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
Ensure that new connections start with a SYN packet
$ iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
Discard fragmented incoming packets, an attack vector that can cause data loss
$ iptables -A INPUT -f -j LOG --log-level info --log-prefix "Packages fragmented entries"
$ iptables -A INPUT -f -j DROP
Drop malformed XMAS packets
$ iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-level info --log-prefix "malformed XMAS packets"
$ iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
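Two mistakes are easy to make when hand-building rule sets like the flag-check, XMAS and SYN-flood blocks above: a LOG rule placed after a DROP with the same match never fires, and a user-defined chain created with -N does nothing unless some rule jumps to it. The following checker, an added example and not code from the original article, reads an iptables-save dump (a constructed sample is embedded) and reports both problems.

```python
"""Lint an iptables-save dump for two defects hand-built rule sets often have: a LOG
rule whose match repeats an earlier DROP in the same chain (it can never fire), and a
user-defined chain that no rule ever jumps to. Added example, not the article's code."""
import shlex
from collections import Counter
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}
# Constructed sample in iptables-save format: the article's XMAS rules as first
# written (DROP before LOG) and a syn-flood chain never referenced from INPUT.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "malformed XMAS packets"
-A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
-A syn-flood -j LOG --log-prefix "SYN FLOOD: "
-A syn-flood -j DROP
COMMIT
"""

def split_rule(line):
    """Split '-A CHAIN <match...> -j TARGET ...' into (chain, match, target)."""
    tokens = shlex.split(line)
    for flag in ("-j", "-g"):            # -g (goto) also references a chain
        if flag in tokens:
            at = tokens.index(flag)
            return tokens[1], tuple(tokens[2:at]), tokens[at + 1]
    return tokens[1], tuple(tokens[2:]), None   # accounting-only rule, no target

def lint(dump):
    """Return findings; rule numbers are per chain, as in 'iptables -L --line-numbers'."""
    findings, user_chains, referenced = [], set(), set()
    first_terminating = {}               # (chain, match) -> rule that ends evaluation
    position = Counter()
    for line in dump.splitlines():
        if line.startswith(":") and line.split()[1] == "-":   # user chains have no policy
            user_chains.add(line.split()[0][1:])
        elif line.startswith("-A "):
            chain, match, target = split_rule(line)
            position[chain] += 1
            referenced.add(target)
            # Only identical match strings are compared; a broader earlier rule is not detected.
            if (chain, match) in first_terminating:
                findings.append(f"{chain} rule {position[chain]} ({target}) is shadowed by rule {first_terminating[chain, match]}")
            elif target in TERMINATING:
                first_terminating[chain, match] = position[chain]
    for chain in sorted(user_chains - referenced):
        findings.append(f"chain {chain} is defined but never jumped to")
    return findings
```

Run it against the live rule set with `iptables-save` piped into `lint()`; an empty list means neither defect is present.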
DNS In/Out
$ iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
$ iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
$ iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
$ iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
NTP Out
$ iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
WHOIS Out
$ iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT
FTP Out
$ iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
$ iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
FTP In
$ iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
$ iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
$ iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
HTTP + HTTPS Out
$ iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
$ iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
HTTP + HTTPS In
$ iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
$ iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
Mail SMTP:25
$ iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
$ iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
Mail POP3:110
$ iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
$ iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
Mail IMAP:143
$ iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
$ iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
Reverse
$ iptables -t filter -A INPUT -p tcp --dport 77 -j ACCEPT
$ iptables -t filter -A OUTPUT -p tcp --dport 77 -j ACCEPT
MSF
$ iptables -t filter -A INPUT -p tcp --dport 7337 -j ACCEPT
$ iptables -t filter -A OUTPUT -p tcp --dport 7337 -j ACCEPT
I hope this helps you configure your network security; remember to choose only the best options available. You can specify which network protocols and services are provided and control the packets from any untrusted service. Your firewall also allows blocking websites with URL filters, access control, per-user access logs for reports, protecting the corporate network through proxies, and Network Address Translation (NAT). Controlling which services may or may not run on the network gives high performance in their duties, with easy administration and reliability.
