There are several ways to configure iptables on CentOS. In this tutorial, I will show you a few basic but essential examples of how to use iptables on CentOS:
You can adapt these rules to your needs. Run every command below as root from your SSH session. Rules are appended in the order you enter them and evaluated first match wins, so the order matters: add the stateful and SSH rules before you set the INPUT policy to DROP, or you will lock yourself out of the box.
Check the existing rules:
iptables -L -n
Flush all existing rules (-F removes the rules, -X deletes user-defined chains, -Z zeroes the packet counters). Note that this does not reset the chain policies: if INPUT already has a DROP policy from an earlier configuration, flushing over SSH disconnects you, so set the policies back to ACCEPT first in that case:
iptables -F; iptables -X; iptables -Z
Use stateful rules to accept packets that belong to connections conntrack already knows about, in both directions (this is what lets replies to your outgoing traffic come back in once the INPUT policy is DROP):
iptables -A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p all -m state --state ESTABLISHED -j ACCEPT
Some services (FTP, TFTP, ...) open secondary connections that conntrack marks as RELATED; allow those as well. This only works for protocols whose conntrack helper is loaded (for example nf_conntrack_ftp for FTP):
iptables -A INPUT -p all -m state --state RELATED -j ACCEPT
iptables -A OUTPUT -p all -m state --state RELATED -j ACCEPT
Allow traffic on the loopback interface (many local services, and the system itself, depend on it):
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Allow outgoing web traffic (HTTP and HTTPS):
iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
Allow outgoing SSH:
iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
Allow incoming SSH. Prefer the first form and restrict it to a management subnet or a single address; open it to everyone only if you have no choice, since port 22 is a permanent target for brute-force attempts.
Allow incoming SSH from a specified subnet or IP address:
iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT
Allow incoming SSH from anywhere:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
Allow incoming connections to a web server:
iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
Allow outgoing DNS queries (UDP; DNS also falls back to TCP 53 for large answers, so add the equivalent TCP rule if you filter outgoing traffic):
iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
Allow incoming ping (conntrack tracks ICMP echo, so the echo-reply rules below are only needed if you do not have the ESTABLISHED rules above):
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow outgoing ping:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Allow an SMTP server (incoming mail):
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
Allow an SMTP client (outgoing mail):
iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
Allow an IMAP server:
iptables -A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
Allow an IMAP client:
iptables -A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT
Allow a MySQL server (as written this accepts connections from any source; add -s with the address of your application servers unless the database really has to be reachable from everywhere):
iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
Allow a MySQL client:
iptables -A OUTPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
Allow an NTP server:
iptables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
Allow an NTP client:
iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT
Allow incoming syslog to rsyslogd (TCP and UDP 514; restrict with -s to the hosts that send you logs, since anyone who can reach this port can flood or forge your logs):
iptables -A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 514 -m state --state NEW -j ACCEPT
Allow outgoing syslog from rsyslogd:
iptables -A OUTPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 514 -m state --state NEW -j ACCEPT
Specify a port range. The --sport and --dport options belong to the tcp and udp matches, so a protocol (-p tcp or -p udp) is required or iptables rejects the rule. For example, allow all TCP traffic from source ports 50-150 to destination ports 300-400:
iptables -A OUTPUT -p tcp --sport 50:150 --dport 300:400 -j ACCEPT
Specify an IP address range; this requires the 'iprange' match module. For example, allow all traffic (any protocol, any port) to and from 192.168.1.1-192.168.1.31:
iptables -A OUTPUT -m iprange --dst-range 192.168.1.1-192.168.1.31 -j ACCEPT
iptables -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.31 -j ACCEPT
Finally, set the default policies. Do this last, after the ESTABLISHED and SSH rules are in place, because anything not matched by a rule is now dropped on INPUT. With OUTPUT set to ACCEPT the OUTPUT rules above are redundant; change it to DROP if you want the outgoing rules to actually restrict egress:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
Save the configuration so it survives a reboot (this writes the running rules to /etc/sysconfig/iptables):
service iptables save
or, with the full path:
/sbin/service iptables save
On CentOS 6 this works out of the box. On CentOS 7 and later firewalld is the default firewall manager; to use this command there you need the iptables-services package installed and firewalld disabled.
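The whole procedure above, assembled into one script as an added example (this is not from the tutorial). Instead of appending rules one at a time over SSH, it writes the ruleset in iptables-save format and loads it atomically with iptables-restore, checks the syntax first, and arms a rollback timer that restores the previous rules unless you confirm that a new SSH session still works. It assumes 192.168.1.0/24 as a placeholder management subnet, that only 80 and 443 are offered inbound, that OUTPUT stays ACCEPT as in the tutorial, and that your iptables-restore supports --test (present on CentOS 6 and 7). The INVALID drop is an addition the tutorial does not include.

```shell
#!/bin/sh
# Added example, not part of the tutorial: build the host firewall as a single
# iptables-restore file and apply it with a syntax check and a rollback timer.
# Assumptions: placeholder management subnet, inbound 80/443 only,
# OUTPUT policy ACCEPT as in the tutorial.

MGMT_NET_DEFAULT="192.168.1.0/24"      # assumed admin subnet allowed to SSH in
INBOUND_TCP_PORTS="80 443"             # services this host offers
RULES_FILE="${RULES_FILE:-/tmp/host-fw.rules}"

# Print the ruleset in iptables-save format. Argument: subnet allowed to SSH in.
# The order of the -A lines is the evaluation order: conntrack and loopback
# first, then the SSH allow, then the services, then the implicit DROP policy.
build_ruleset() {
    net="${1:-$MGMT_NET_DEFAULT}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -s ${net} --dport 22 -m state --state NEW -j ACCEPT
EOF
    for port in $INBOUND_TCP_PORTS; do
        printf '%s\n' "-A INPUT -p tcp --dport ${port} -m state --state NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Count the INPUT rules in a ruleset read from stdin (sanity check before applying).
count_input_rules() {
    grep -c '^-A INPUT '
}

# Load the ruleset in one transaction. The running rules are saved first and
# restored automatically after ROLLBACK_SECS unless the operator kills the
# timer, which is the step that proves SSH still works.
apply_ruleset() {
    net="${1:-$MGMT_NET_DEFAULT}"
    rollback="${ROLLBACK_SECS:-120}"
    backup="$(mktemp)"
    iptables-save > "$backup"
    build_ruleset "$net" > "$RULES_FILE"
    # --test parses and builds the ruleset without committing it, so a typo
    # is caught here rather than after the DROP policy is live
    if ! iptables-restore --test < "$RULES_FILE"; then
        echo "ruleset failed to parse, nothing changed" >&2
        return 1
    fi
    ( sleep "$rollback" && iptables-restore < "$backup" ) &
    timer=$!
    iptables-restore < "$RULES_FILE"
    echo "Rules loaded. Open a NEW ssh session to confirm access, then run: kill $timer"
    echo "To persist (what 'service iptables save' does): iptables-save > /etc/sysconfig/iptables"
}

# Usage: ./host-fw.sh apply [management-subnet]
if [ "${1:-}" = "apply" ]; then
    apply_ruleset "$2"
fi
```

Run it as root with the apply argument; without it the script only defines the functions, so you can source it and inspect build_ruleset output before touching the live firewall. If the rollback timer fires because you lost access, the previous rules come back on their own and you can fix the file and try again.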