Common iptables Filtering

With the default policy set to DROP for all incoming, outgoing, and forwarded packets, the firewall/gateway and the internal LAN users cannot communicate with each other or with external resources. To let users perform network-related functions and use networking applications, the administrator must explicitly open the ports those applications need.

To allow the firewall host itself to receive replies from web servers on port 80, append the following rule:

iptables -A INPUT -p tcp -m tcp --sport 80 -j ACCEPT

This matches incoming TCP packets whose source port is 80, which is what regular Web browsing from the firewall host needs, since the remote web server answers from port 80. Note the caveat: the rule checks only the source port, not whether a connection exists, so any remote host that sends from source port 80 is also accepted; a stateful match on ESTABLISHED,RELATED is the more reliable way to admit return traffic. If the goal is instead to expose a web server running on the firewall, match the destination port with --dport 80. To allow access to secure websites (such as https://www.serverbuddies.com/), open port 443 as well:

iptables -A INPUT -p tcp -m tcp --sport 443 -j ACCEPT

Rules in a chain are evaluated in order and the first match wins, so an ACCEPT rule must come before any broader DROP rule covering the same subnet; if the DROP rule is listed first, the ACCEPT rule is never reached.

To insert a rule at a specific position in an existing chain, use -I, followed by the chain in which to insert the rule and a rule number (1,2,3,…,n) giving the position the rule should occupy. For example:

iptables -I INPUT 1 -i lo -p all -j ACCEPT

The rule is inserted as the first rule in the INPUT chain to allow local loopback device traffic.

$ sudo iptables -L -n -v

Chain INPUT (policy ACCEPT 235 packets, 45229 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   158 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  169 36782 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80

To allow remote SSH access, the following rules may be used. SSH runs over TCP, so both rules must match TCP: the INPUT rule accepts new connections to the sshd port, and the OUTPUT rule lets sshd's replies, which leave from source port 22, pass the default DROP policy on OUTPUT.

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
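The rules above are shown one at a time. The script below is an added example, not part of the original page, that assembles them into a complete default-DROP host firewall: loopback inserted first, return traffic admitted by connection state rather than by source port, and HTTP, HTTPS and SSH opened on their destination ports. The IPT variable and the SSH_PORT default of 22 are assumptions of this example; IPT defaults to a dry run that prints each command so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original page): a complete default-DROP host
# firewall built from the rules discussed above. IPT defaults to a dry run
# that prints each command; set IPT=iptables and run as root to apply.
IPT="${IPT:-echo iptables}"
SSH_PORT="${SSH_PORT:-22}"   # assumed default; change if sshd listens elsewhere

apply_firewall() {
    # Start from a clean slate and a deny-all default for every built-in chain.
    $IPT -F
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP

    # Loopback goes in at position 1 so no later rule can shadow it.
    $IPT -I INPUT 1 -i lo -j ACCEPT
    $IPT -I OUTPUT 1 -o lo -j ACCEPT

    # Replies to connections this host opened or accepted are matched by
    # connection state, not by source port, so a stranger sending from
    # source port 80 does not get through.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Services this host offers: new TCP connections to the listening port.
    $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -m conntrack --ctstate NEW -j ACCEPT

    # Outbound browsing and DNS from the host itself; replies come back through
    # the ESTABLISHED rule above, so no --sport rules are needed.
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A OUTPUT -p udp --dport 53 -j ACCEPT

    # Anything not accepted above falls through to the DROP policy.
}

# Print the resulting ruleset with counters and rule numbers for review.
show_firewall() {
    $IPT -L -n -v --line-numbers
}

apply_firewall
show_firewall
```

Run `sh firewall.sh` to preview the commands, then `IPT=iptables sh firewall.sh` as root to apply them. When applying over SSH, keep the SSH rule in place before changing the INPUT policy (as the script does by flushing and setting policies first, then adding rules in one run) and have console access available in case a typo locks you out. The rules are not persistent across reboots; save them with iptables-save once they behave as expected.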
