IPTables for Outbound Connections

There are several ways to configure iptables on CentOS. This tutorial walks through a few basic but essential examples of how to use iptables on CentOS.

Adjust the rules to your needs. All of the following commands are entered from your SSH terminal as root. Keep in mind that -A appends to the end of a chain and packets are checked against the rules in order, so the order in which you enter them matters, and a mistake in the INPUT chain can cut off the very SSH session you are typing into.

Check the existing rules:

iptables -L -n

Flush all existing rules (erase all of them), delete any user-defined chains and zero the packet counters:

iptables -F; iptables -X; iptables -Z

Note that -F does not touch the default policies. If the INPUT policy is already DROP on a host that has a firewall, flushing over SSH leaves you with an empty chain that drops everything, so set the policies back to ACCEPT with -P before flushing on such a host.

Add a stateful rule to allow all established connections. Enter these first: -A appends to the chain, and the connection-tracking rules belong at the top so that return traffic for every connection you allow later is matched before anything else is evaluated:

iptables -A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p all -m state --state ESTABLISHED -j ACCEPT

Some services require you to allow related connections (FTP, TFTP and similar). The RELATED state covers ICMP error messages by itself, but multi-connection protocols such as FTP and TFTP are only recognised when their conntrack helper (nf_conntrack_ftp, nf_conntrack_tftp) is loaded:

iptables -A INPUT -p all -m state --state RELATED -j ACCEPT
iptables -A OUTPUT -p all -m state --state RELATED -j ACCEPT

Allow the loopback interface (localhost) to communicate. Many local services talk to each other over 127.0.0.1, and a DROP policy without this rule breaks them:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Allow Web Browsing (outgoing HTTP and HTTPS)

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow Outgoing SSH

iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH

Allow Incoming SSH from a specified subnet/IP address (the preferred form: restrict management access to the networks that need it):

iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH from all (only if the host really must accept SSH from anywhere; expect constant password-guessing traffic on port 22):

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming Web Server

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow DNS requests out (UDP; resolvers fall back to TCP for truncated responses, so add the same rule with -p tcp if you see lookups failing):

iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

Allow Incoming ping

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Outgoing ping

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Connection tracking pairs ICMP echo replies with their requests, so with the ESTABLISHED rules above in place the two echo-reply rules are redundant; they do no harm and make the intent explicit.

Allow SMTP Server

iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTP Client

iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow IMAP Server

iptables -A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAP Client

iptables -A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow MySQL Server (as written this opens 3306 to every source; on a real database host add -s with the application subnet, as in the SSH example):

iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow MySQL Client

iptables -A OUTPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow NTP Server

iptables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow NTP Client

iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow rsyslogd in (only needed on the host that collects logs):

iptables -A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

Allow rsyslogd out (on the hosts that ship logs; add -d with the collector's address so logs cannot be sent anywhere else):

iptables -A OUTPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

Specify a port range, e.g. allow all TCP traffic from source ports 50-150 to destination ports 300-400. --sport and --dport belong to the tcp/udp match, so the rule needs -p tcp (or -p udp); without it iptables rejects --sport as an unknown option:

iptables -A OUTPUT -p tcp --sport 50:150 --dport 300:400 -j ACCEPT

Specify an IP address range; this requires the 'iprange' match module. For example, allow all communication to and from 192.168.1.1-192.168.1.31:

iptables -A OUTPUT -m iprange --dst-range 192.168.1.1-192.168.1.31 -j ACCEPT
iptables -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.31 -j ACCEPT

At last, set the default policies. Do this after the rules above are in place, so that the ESTABLISHED rule and your SSH rule already match before anything is dropped:

iptables -P INPUT DROP

iptables -P OUTPUT ACCEPT

iptables -P FORWARD DROP

With OUTPUT set to ACCEPT, every OUTPUT rule above is a no-op: packets that match none of them are accepted anyway, so the host can still connect out to anything. That is fine for a host whose only goal is to filter inbound traffic, but if you want the outbound rules (web, SSH, DNS, NTP, syslog) to be the complete list of what the host may talk to, set the OUTPUT policy to DROP instead, and make sure the OUTPUT ESTABLISHED rule and the loopback rule are present first. Check that your SSH session still works before closing it; if it does not, the rules can still be fixed from the console.
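The mistakes above show up in the rule listing (iptables -S prints the rules in the same syntax used to enter them, which is easier to process than iptables -L -n). The following is an added example, not part of the original tutorial: a POSIX shell function that reads an iptables -S listing and flags a chain whose default policy is ACCEPT while it carries ACCEPT rules, a DROP or REJECT rule placed ahead of the ESTABLISHED rule, SSH accepted from any source, and a FORWARD policy other than DROP. SAMPLE_RULES and GOOD_RULES are constructed listings for illustration, not output captured from a real host.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit an "iptables -S" listing.
# SAMPLE_RULES and GOOD_RULES are constructed for illustration.

# A listing with the mistakes this tutorial can produce: a DROP ahead of the
# ESTABLISHED rule, SSH open to the world, OUTPUT and FORWARD left at ACCEPT.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 1024:65535 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT'

# The same host with the problems fixed.
GOOD_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT'

# audit_rules: read an "iptables -S" listing on stdin, print one finding per
# line, return 1 if there was any finding and 0 if the listing is clean.
audit_rules() {
  awk '
    function flag(msg) { print msg; found++ }
    $1 == "-P" { policy[$2] = $3; next }
    $1 == "-A" {
      chain = $2
      n[chain]++
      if ($0 ~ /-j ACCEPT$/) acc[chain]++
      # the conntrack rule: replies to allowed connections are safe after it
      if ($0 ~ /ESTABLISHED/ && $0 ~ /-j ACCEPT$/) { est[chain] = 1; next }
      if (!est[chain] && $0 ~ /-j (DROP|REJECT)$/)
        flag(chain ": rule " n[chain] " drops packets before the ESTABLISHED rule, so replies to allowed connections can be dropped")
      if (chain == "INPUT" && $0 ~ /--dport 22( |$)/ && $0 ~ /-j ACCEPT$/ && $0 !~ / -s /)
        flag("INPUT: SSH (tcp/22) accepted from any source address")
    }
    END {
      for (c in acc) if (policy[c] == "ACCEPT")
        flag(c ": default policy is ACCEPT, so its " acc[c] " ACCEPT rules change nothing")
      if (policy["FORWARD"] != "DROP") flag("FORWARD: default policy is not DROP")
      exit (found > 0)
    }'
}

# "live" audits the running firewall (root needed); otherwise use the sample.
if [ "${1:-}" = live ]; then
  iptables -S | audit_rules
elif printf '%s\n' "$SAMPLE_RULES" | audit_rules; then
  echo "audit: clean"
else
  echo "audit: findings listed above"
fi
```

On the constructed sample the function reports four findings; on GOOD_RULES it prints nothing and returns 0. The check deliberately ignores the loopback rules, since they sit before the ESTABLISHED rule by design.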

 

Save the iptables configuration with the following command, which writes the running rules to /etc/sysconfig/iptables so they are restored at boot:

service iptables save

or

/sbin/service iptables save

On CentOS 7 and later the default firewall front end is firewalld, and "service iptables" is not available until you install the iptables-services package and disable firewalld.
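Putting the steps together, here is an added example (not from the tutorial) of the whole procedure as one script. It renders the rule set in the format iptables-save and iptables-restore use, with OUTPUT set to DROP so that the outbound rules are the complete list of what the host may reach, checks that the conntrack rule precedes the first NEW rule in each chain, and loads the set atomically behind a rollback timer so a mistake cannot lock you out of the SSH session. -m conntrack --ctstate is the current spelling of the tutorial's -m state --state and has the same meaning. MGMT_NET and SYSLOG_HOST are assumed values for illustration; the ports are the ones used above.

```shell
#!/bin/sh
# Added example (not from the tutorial): the tutorial's rule set as an
# iptables-restore file with OUTPUT defaulting to DROP, plus a lock-out-safe
# loader. MGMT_NET and SYSLOG_HOST are assumed values for illustration.
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"      # where admin SSH comes from (assumed)
SYSLOG_HOST="${SYSLOG_HOST:-192.168.1.10}"  # the central rsyslog host (assumed)
ROLLBACK=/tmp/iptables.rollback

# gen_rules: print the complete rule set in iptables-save format.
gen_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback and conntrack first: every NEW rule below relies on them
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# inbound: SSH only from the management subnet, HTTP/HTTPS and ping from anywhere
-A INPUT -p tcp -s ${MGMT_NET} --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# outbound: DNS, NTP, HTTP/HTTPS, ping, and syslog to the collector only
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p tcp -d ${SYSLOG_HOST} --dport 514 -m conntrack --ctstate NEW -j ACCEPT
# log what the DROP policies are about to discard (rate-limited)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "IN-DROP: "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "
COMMIT
EOF
}

# check_order CHAIN: succeed only if CHAIN's ESTABLISHED rule comes before
# its first NEW rule in the rule set read from stdin.
check_order() {
  awk -v chain="$1" '
    $1 == "-A" && $2 == chain {
      if (!first_est && $0 ~ /ESTABLISHED/) first_est = NR
      if (!first_new && $0 ~ /ctstate NEW/) first_new = NR
    }
    END { exit !(first_est && first_new && first_est < first_new) }'
}

# apply_rules: load the rule set atomically behind a rollback timer. If the
# session you are in stops responding, the previous rules come back by
# themselves after 120 s; otherwise kill the timer to keep the new rules.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
  gen_rules | check_order INPUT || { echo "rule order is wrong" >&2; return 1; }
  gen_rules | check_order OUTPUT || { echo "rule order is wrong" >&2; return 1; }
  iptables-save > "$ROLLBACK" || return 1
  ( sleep 120 && iptables-restore < "$ROLLBACK" ) &
  timer=$!
  if gen_rules | iptables-restore; then
    echo "new rules loaded; confirm SSH still works, then run: kill $timer"
  else
    kill "$timer"
    echo "iptables-restore rejected the rule set; previous rules untouched" >&2
    return 1
  fi
}

case "${1:-print}" in
  print) gen_rules ;;
  apply) apply_rules ;;
  *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the generated rule set; run it as root with "apply" to load it. iptables-restore replaces the whole table in one step, so a syntax error leaves the old rules in place, and the background timer covers the case where the rules load but cut off your session. Once you have confirmed access, kill the timer and save the rules as described above.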
