iptables is a powerful firewall tool that allows users to set specific rules to control both incoming and outgoing traffic. It can be used to block specific ports, IP addresses, and more. This article covers the most common uses of iptables.
Basic Concepts
iptables rules live in tables; the default filter table, which every command in this article uses, has three built-in "chains," each serving a specific purpose:
1. INPUT: Handles all packets destined for the host itself.
2. OUTPUT: Handles all packets originating from the host.
3. FORWARD: Handles packets routed through the host that are neither from it nor for it. This is used when the host is acting as a router.
Packets traverse a chain's rules in order, and the first rule with a terminating target (ACCEPT, DROP, REJECT) decides. If no rule matches, the chain's default policy applies; it is ACCEPT unless you change it with iptables -P. This ordering is why -A (append to the end of the chain) and -I (insert at the top) behave differently.
Flushing Existing Rules
All iptables commands need root, so prefix them with sudo if you are not already root. To clear all rules in the filter table (useful when starting fresh or undoing an accidental block), use:
iptables -F
To flush a single chain, such as INPUT, use:
iptables -F INPUT
Other tables are flushed separately with -t, for example iptables -t nat -F. Flushing removes rules but does not reset chain policies: if the INPUT policy is DROP, flushing the ACCEPT rules over SSH disconnects you. Reset the policy first (iptables -P INPUT ACCEPT), or save the working ruleset with iptables-save to a file and schedule a background iptables-restore from it before experimenting.
Checking Current Rules
To list the active rules, use either of:
iptables -L
iptables -S
-L prints a table per chain; -S prints each rule as the command that would recreate it, which is handy for copying into a script. Add -n to either to skip the reverse DNS lookups that otherwise make listing slow on a host with a restrictive firewall.
You can also restrict the listing to one chain:
iptables -L INPUT
Adding -v shows per-rule packet and byte counters plus the interfaces each rule applies to, so you can see which rules are actually matching traffic; --line-numbers adds each rule's position, which you need to delete a rule by position with -D:
iptables -L -v
Blocking Connections
To block all traffic from a specific IP address (1.1.1.1 here stands in for the address you want to block), use one of:
iptables -A INPUT -s 1.1.1.1 -j DROP
iptables -A OUTPUT -d 1.1.1.1 -j DROP
iptables -A INPUT -s 1.1.1.1 -j REJECT
The OUTPUT rule matches on the destination (-d): packets leaving the host carry the host's own address as source, so -s 1.1.1.1 in OUTPUT would never match. DROP discards the packet silently, so the peer only sees a timeout; REJECT discards it and sends back an error (an ICMP port-unreachable by default, or a TCP RST with --reject-with tcp-reset), so the peer fails immediately with "connection refused." DROP gives a scanner less information, REJECT is friendlier to legitimate clients. Because -A appends, an earlier ACCEPT rule for the same traffic still wins; to make a block take precedence, insert it at the top of the chain with -I instead.
To block a specific port, such as SMTP port 25, inbound and outbound (the second rule uses -I so it lands at the top of OUTPUT ahead of any broader ACCEPT; blocking outbound 25 is a common way to keep a compromised host from sending spam directly):
iptables -A INPUT -p tcp --dport 25 -j DROP
iptables -I OUTPUT -p tcp --dport 25 -j DROP
Allowing Specific Connections
To allow incoming SSH connections only from a specific IP:
iptables -A INPUT -i venet0 -p tcp -s 1.1.1.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
The first rule accepts SSH on port 22 only from the specified address (NEW for the handshake, ESTABLISHED for the rest of the session); the second lets the replies out. -m state is the legacy name of the connection-tracking match; on current kernels -m conntrack --ctstate is preferred and takes the same state names. Two caveats: ACCEPT rules on their own restrict nothing, because every other host is still admitted by the default ACCEPT policy, so "only the specified IP" holds only once the INPUT policy is DROP (iptables -P INPUT DROP, set after the SSH rule is in place) or a DROP rule follows; and the OUTPUT rule is only needed if the OUTPUT policy is DROP as well.
For HTTP and HTTPS connections:
iptables -A INPUT -i venet0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
The above rules allow HTTP (port 80) and HTTPS (port 443) connections.
Managing ICMP Traffic (Ping)
To allow or block ICMP (ping) requests:
Allow:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
Block:
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP
Allowing Loopback and Specific Services
Allow loopback traffic (put these rules first; local services such as databases and resolvers talk over lo, and a DROP policy without them breaks those silently):
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Allow MySQL connections from a specific IP:
iptables -A INPUT -i venet0 -p tcp -s 1.1.1.1 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
Allow POP3 or IMAP traffic:
iptables -A INPUT -i venet0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
For the TLS variants (IMAPS on 993, POP3S on 995):
iptables -A INPUT -i venet0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o venet0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
Note: Replace venet0 (the OpenVZ container interface) with the network interface in use on your server, such as eth0; ip link lists them.
Rate-Limiting Connections (DoS Mitigation)
iptables cannot stop a volumetric DDoS, since the traffic has already filled the link by the time the host sees it, but it can blunt floods of new connections from a small number of sources. To cap the rate of new HTTP connections:
iptables -A INPUT -p tcp --dport 80 --syn -m limit --limit 10/minute --limit-burst 100 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 --syn -j DROP
Explanation:
--syn: Matches only the first packet of a TCP handshake, so the limit counts new connections rather than every packet (without it, each data packet of an existing connection to port 80 would also consume tokens).
-m limit: Uses the limit module, a token bucket that matches a packet only while tokens remain.
--limit 10/minute: The bucket refills at 10 tokens per minute, the sustained rate of new connections that are accepted.
--limit-burst 100: The bucket starts full with 100 tokens, so the first 100 connection attempts pass immediately and limiting begins only after that burst.
The second rule is essential: the limit rule accepts connections within the budget and does nothing with the rest, which fall through to later rules or the chain policy (ACCEPT by default), so without a following DROP rule or a DROP policy nothing is limited. This limit is also global rather than per source, so one flooding address locks out everyone; -m connlimit --connlimit-above N caps concurrent connections per source address and -m hashlimit gives per-source rates. Finally, 10 new connections per minute is far too low for a real web server; tune the numbers to your traffic.
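The sections above only fit together as an ordered ruleset with a DROP policy behind it. The script below is an added example, not code from the original article: it generates a complete stateful host firewall in iptables-restore format (so the rules are installed atomically rather than one -A at a time) and applies it with a timed rollback, so a mistake cannot lock you out of SSH. The interface name eth0 and the admin address 203.0.113.5 are placeholder assumptions (RFC 5737 documentation range). With the OUTPUT policy left at ACCEPT, the --sport ESTABLISHED rules from the article are not needed; -m conntrack is the current name of the -m state match, and the connlimit and multiport matches are standard iptables extensions.

```shell
#!/bin/sh
# Added example (not from the original article): generate a complete stateful
# host firewall as an iptables-restore ruleset, and apply it with an automatic
# rollback so a mistake does not lock you out.
# Assumptions: interface eth0 and admin host 203.0.113.5 are placeholders
# (203.0.113.0/24 is the RFC 5737 documentation range); override them with
# IFACE=... ADMIN_IP=... in the environment.
set -eu

IFACE="${IFACE:-eth0}"
ADMIN_IP="${ADMIN_IP:-203.0.113.5}"

# gen_ruleset IFACE ADMIN_IP: print the ruleset in iptables-restore format.
# Order matters: loopback and established flows first, then the per-service
# ACCEPTs; anything unmatched falls through to the INPUT DROP policy.
gen_ruleset() {
    iface="$1"
    admin="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: many local services depend on it
-A INPUT -i lo -j ACCEPT
# packets belonging to flows already accepted, or opened by this host
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot associate with any flow
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH only from the admin host
-A INPUT -i $iface -p tcp -s $admin --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# ping, rate limited
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 20 -j ACCEPT
# HTTP/HTTPS: cap concurrent connections per source, then rate-limit new ones
-A INPUT -i $iface -p tcp --syn -m multiport --dports 80,443 -m connlimit --connlimit-above 50 --connlimit-mask 32 -j REJECT --reject-with tcp-reset
-A INPUT -i $iface -p tcp --syn -m multiport --dports 80,443 -m limit --limit 100/second --limit-burst 200 -j ACCEPT
# log (rate limited) what is about to hit the DROP policy
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "fw-drop: "
COMMIT
EOF
}

# apply_ruleset: install the ruleset but keep the previous one for 60 seconds.
# Reconnect over SSH and kill the rollback job to keep the new rules; if you
# cannot reconnect, the old rules come back on their own.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    backup=$(mktemp)
    iptables-save > "$backup"
    # --test parses the whole ruleset without touching the kernel, so a typo
    # in one rule rejects the set instead of leaving a half-applied firewall
    gen_ruleset "$IFACE" "$ADMIN_IP" | iptables-restore --test
    gen_ruleset "$IFACE" "$ADMIN_IP" | iptables-restore
    ( sleep 60 && iptables-restore < "$backup" ) &
    echo "applied; run 'kill $!' within 60s to keep it (backup in $backup)"
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *)       gen_ruleset "$IFACE" "$ADMIN_IP" ;;   # default: just print it
esac
```

Run it without arguments to print the ruleset, or as root with --apply to install it; after applying, open a new SSH session and kill the rollback job it names, otherwise the previous rules return after 60 seconds. Keeping the rules in a generated file also makes them reviewable and diffable, which a history of ad hoc -A commands is not.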
Feel free to adjust the rules based on your security needs.