Setup firewall with iptables in Ubuntu (Part 2)

Samples of iptables’ rules.

 

# Accept TCP packets for routing from eth0 (any IP) and destined for IP 192.168.1.58

# that is reachable via eth1.

# -A : Append rule to end of a chain

# FORWARD : Filters packets to server accessible by another NIC on the firewall

# -s : Source IP address

# 0/0 : Any ip address

# -i : Input Interface name (eth0, eth1 etc)

# -d : Destination IP address

# -o : Output Interface name (eth0, eth1 etc)

# -p tcp –sport : TCP source port (can be single or range value)

# -d tcp –dport : TCP destination port (can be single or range value)

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.1.58 -o eth1 -p tcp –sport 1024:65535 –dport 80 -j ACCEPT

 

# Accept TCP packets coming in from eth0 (any IP) and destined for IP 192.168.1.1

# INPUT : Filter packets destined to the firewall.

iptables -A INPUT -s 0/0 -i eth0 -d 192.168.1.1 -p tcp -j ACCEPT

# Flush all chains

iptables -F

 

# YOUR LOCAL NETWORK FIREWALL

# Accept all connection from ip source 192.168.0.1-192.168.0.254 to any ip address from any ports to any ports

iptables -I FORWARD -s 192.168.0.1/24 -d 0/0 -j ACCEPT

# Accept anything on localhost

iptables -A INPUT -i lo -j ACCEPT

 

# COMMON ICMP (ping)

# ALLOWING Sending “PING” (Echo request) AND

# Incoming “PONG” (Echo reply)

# Allow the firewall to send ICMP echo-request (pings)

iptables -A OUTPUT -p icmp –icmp-type echo-request -j ACCEPT

# Allow the firewall to accept the expected ICMP echo-replies (pongs)

iptables -A INPUT -p icmp –icmp-type echo-reply -j ACCEPT

# Can do ‘pings’ 1 in a second. (3 pings per seconds = 3/s)

iptables -A INPUT -p icmp –icmp-type echo-request -m limit –limit 1/s -i eth0 -j ACCEPT

# Defense for SYN (–syn = new tcp connection)flood attacks was created by limiting the acceptance of TCP segments

# with the SYN bit set to no more than five Ping per second.

iptables -A INPUT -p tcp –syn -m limit –limit 5/s -i eth0 -j ACCEPT

 

# ALLOWING INCOMING TRAFFIC

# ON SPECIFIC PORT

# HTTP (port 80)

sudo iptables -A INPUT -p tcp -i eth0 –dport http -j ACCEPT

# HTTPS (port 443)

sudo iptables -A INPUT -p tcp -i eth0 –dport https -j ACCEPT

# POP3 (port 110)

sudo iptables -A INPUT -p tcp -i eth0 –dport pop3 -j ACCEPT

# SMTP (port 25)

sudo iptables -A INPUT -p tcp -i eth0 –dport smtp -j ACCEPT

# FTP (port 20 21)

sudo iptables -A INPUT -p tcp -i eth0 –dport ftp -j ACCEPT

# IMAP (port 143)

sudo iptables -A INPUT -p tcp -i eth0 –dport imap -j ACCEPT

# NFS (port 111 2049)

sudo iptables -A INPUT -p tcp -i eth0 –dport nfs -j ACCEPT

# NNTP (port 119)

sudo iptables -A INPUT -p tcp -i eth0 –dport nntp -j ACCEPT

# Telnet (port 23)

sudo iptables -A INPUT -p tcp -i eth0 –dport telnet -j ACCEPT

# SSH (port 22)

sudo iptables -A INPUT -p tcp -i eth0 –dport ssh -j ACCEPT

# DNS (port 53)

sudo iptables -A INPUT -p tcp -i eth0 –dport 53 -j ACCEPT

# Samba (port 137-139)

sudo iptables -A INPUT -p tcp -i eth0 –dport 137:139 -j ACCEPT

 

# ALLOWING DNS to Access to your firewall

# It’s used by Ubuntu to get update from Repository Server

iptables -A OUTPUT -p udp -o eth0 –dport 53 –sport 1024:65535 -j ACCEPT

iptables -A INPUT -p udp -i eth0 –sport 53 –dport 1025:65535 -j ACCEPT

 

# ALLOWING WWW and SSH to Access to your firewall

# It’s used when you want to manage you web server

# managed remotely via secure shell (ssh) sessions.

# Allow previously established connections

iptables -A OUTPUT -o eth0 -m state –state ESTABLISHED,RELATED -j ACCEPT

# Allow port 80 (http) and 22 (ssh) connections to firewall

iptables -A INPUT -p tcp -i eth0 –dport 22 –sport 1024:65535 -m state –state NEW -j ACCEPT

iptables -A INPUT -p tcp -i eth0 –dport 80 –sport 1024:65535 -m state –state NEW -j ACCEPT

 

# ALLOWING FIREWALL to access The Internet

# Enable a user on the firewall to surf the internet using Web Browser HTTP (port 80) and HTTPs (port 443)

iptables -A OUTPUT -o eth0 -p tcp -m state –state NEW,ESTABLISHED,RELATED -m multiport –sport 1024:65535 -m multiport –dport 80,443 -j ACCEPT

# Allowing all TCP traffic originating from firewall

iptables -A OUTPUT -o eth0 -p tcp -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

 

# BLOCK VIRUSES

# Use you can use this 4 rules:

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 136 -j DROP

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 137 -j DROP

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 138 -j DROP

# iptables -I FORWARD -s 0/0 -p tcp -d 0/0 –dport 139 -j DROP

# or this 1 rule

iptables -A FORWARD -p tcp –dport 136:139 -j DROP

 

# Use you can use this 4 rules:

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 136 -j DROP

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 137 -j DROP

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 138 -j DROP

# iptables -I FORWARD -s 0/0 -p udp -d 0/0 –dport 139 -j DROP

# or this 1 rule

iptables -A FORWARD -p udp –dport 136:139 -j DROP

 

# ROUTING

# Allow firewall to accept tcp packets for routing

# Enter via eth0 (any ip) via range port 1024 to 65535

# Destined to eth1 (ip 192.168.0.2 ) port 80 (www/http)

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.0.2 -o eth1 -p tcp –sport 1024:65535 –dport 80 -j ACCEPT

 

# -m multiport –dport

# A variety of tcp/udp destination ports separated by commas.

# -m multiport –sport

# A variety of tcp/udp destination ports separated by commas.

iptables -A FORWARD -s 0/0 -i eth0 -d 192.168.0.2 -o eth1 -p tcp -m multiport –sport 1024:65535 -m multiport –dport 80,443 -j ACCEPT

 

# Loading Kernel Modules

# Any type NAT required, this module have to be loaded.

modprobe -a iptable_nat

# For tcp connection

modprobe -a ip_conntrack

# For FTP support

modprobe -a ip_conntrack_ftp

# For FTP server behind NAT firewall

modprobe -a ip_nat_ftp

 

modprobe -a ip_queue

modprobe -a iptable_filter

modprobe -a iptable_mangle

modprobe -a ip_tables

modprobe -a ipt_LOG

modprobe -a ipt_MASQUERADE

modprobe -a ipt_owner

modprobe -a ipt_REDIRECT

modprobe -a ipt_TOS

modprobe -a ipt_ttl

modprobe -a ipt_ULOG

modprobe -a ipt_ecn

modprobe -a ipt_ECN