Iptablesrocks.org - Examples
Iptables Ruleset Examples
This page contains already configured examples of several types of iptables configurations for a variety of different purposes. Feel free to use them as is or make any needed adjustments to suit your particular needs.
A word of caution: Before you make any changes to your iptables configuration, you should read about pre-configuration precautions!
Example 1 - iptables setup for a full service web server
Summary: A hearty iptables configuration geared for web servers running web services (http and https), mail services, mysql, ftp services and dns services.
When running a typical web server, you need a firewall that is secure and offers protection, but you also need one that allows all needed traffic to enter and leave the server so that your server's day to day operations can carry on unimpeded. This particular iptables configuration does the following:
1. Uses the "mangle" table to effectively block and/or confuse most port scans. These rules address packets carrying the FIN,SYN,RST,PSH,ACK,URG and FIN,PSH,URG flag combinations.
2. Establishes a locked down and secure foundation by initially blocking all incoming, outgoing and forwarded packets COMPLETELY.
3. With all incoming packets dropped by default, it then grants incoming access to a select number of ports. These ports are ports that a typical web server might allow.
   Open inbound ports include: 20 & 21 (ftp), 22 (ssh), 25 (smtp), 53 (dns), 80 (http), 110 (pop), 143 (imap), 443 (https), 993 (imaps)
4. With all outbound packets dropped by default, it then grants outbound access to a select number of ports. These ports are ports that a typical web server might allow.
   Open outbound ports include: 20 & 21 (ftp), 22 (ssh), 25 (smtp), 43 (whois), 53 (dns), 80 (http), 110 (pop), 143 (imap), 443 (https), 993 (imaps)
5. Both inbound and outbound connections are required to be in a "related and established" state. The "related and established" state requirement will require you to add the "ip_conntrack_ftp" module (the helper that lets FTP data connections be tracked as RELATED) into your server's configuration. This is typically done with the following command:
   insmod ip_conntrack_ftp
6. ICMP packet types 3, 8 and 11 are dropped by default for all inbound traffic. This makes your server unpingable and reduces the chance of ping (ICMP) based attacks. Pings are allowed for all outbound traffic.
7. Unauthorized inbound and outbound traffic is logged.
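The seven points above, scripted as an added example (this is not the site's own ruleset). It assumes iptables lives at /sbin/iptables, that ip_conntrack_ftp is already loaded, and that the listed services are TCP plus UDP port 53 for dns (an assumption, since the page does not say); run it as `apply` on the server or as `preview` to print the rules without touching the firewall.

```shell
#!/bin/sh
# Added example (not the site's ruleset): one way to script the seven points above.
# Assumes /sbin/iptables, that ip_conntrack_ftp is already loaded, and that the
# listed services are TCP plus UDP port 53 for DNS (an assumption, not on the page).
set -eu
IPT="${IPT:-/sbin/iptables}"   # IPT=echo prints the rules instead of applying them
IN_TCP="20 21 22 25 53 80 110 143 443 993"
OUT_TCP="20 21 22 25 43 53 80 110 143 443 993"

apply_webserver_ruleset() {
    # 2. lock down first: empty the tables, then default-DROP all three chains
    $IPT -F; $IPT -X; $IPT -t mangle -F
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP
    # 1. mangle table: discard flag combinations no real TCP handshake produces
    $IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,SYN,RST,PSH,ACK,URG -j DROP
    $IPT -t mangle -A PREROUTING -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
    # loopback stays open so local services (web app to mysql, etc.) keep working
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # 5. stateful core: replies and related flows (FTP data via ip_conntrack_ftp);
    #    this also lets ICMP errors about the server's own connections through
    $IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 3. inbound services: only NEW connections to the listed ports
    for p in $IN_TCP; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT
    # 4. outbound services (whois on 43 is outbound only)
    for p in $OUT_TCP; do
        $IPT -A OUTPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT
    # 6. ICMP: unsolicited types 3, 8 and 11 are dropped inbound; outbound ping allowed
    for t in 3 8 11; do $IPT -A INPUT -p icmp --icmp-type "$t" -j DROP; done
    $IPT -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
    # 7. whatever falls through is logged (rate-limited) before the DROP policy hits it
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
}

case "${1:-}" in
    apply)   apply_webserver_ruleset ;;
    preview) IPT=echo; apply_webserver_ruleset ;;
    *)       echo "usage: $0 apply|preview" >&2 ;;
esac
```

Because the RELATED,ESTABLISHED rule sits before the ICMP drops, replies to the server's own pings and ICMP errors about its own connections still get in, while unsolicited echo requests (type 8) are dropped as the text describes.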
Example 2 - iptables setup for linux gateway on DSL connection
Example 3 - iptables setup for linux gateway on a cable internet connection
Site last modified: February 13, 2004 15:27:51
http://www.iptablesrocks.org/examples/