Iptables Rules Setup CentOS6

Backup First (export)

Before any important change, back up the file first. The iptables configuration file on CentOS is /etc/sysconfig/iptables. Remember to keep the SSH port open: if we make a mistake in the configuration, we may lock ourselves out of the VPS, and if we are locked out we need console access to recover.

The iptables-save command writes the current iptables rules to stdout (standard out). This gives us an easy way to export the firewall rules to file, by redirecting stdout to a file.

Export rules:

iptables-save > iptables-export

Import rules:

sudo iptables-restore < /tmp/iptables-export

The default iptables rules on CentOS are as follows:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Line-by-line explanation

:INPUT ACCEPT [0:0] This line sets the default policy of the INPUT chain to ACCEPT.

:FORWARD ACCEPT [0:0] This line sets the default policy of the FORWARD chain to ACCEPT.

:OUTPUT ACCEPT [0:0] This line sets the default policy of the OUTPUT chain to ACCEPT.

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT Inbound packets are allowed only if they are replies to packets we sent out. ESTABLISHED: the connection is already established. RELATED: the packet is related to a connection this host started.

-A INPUT -p icmp -j ACCEPT Inbound ICMP requests are accepted.

-A INPUT -i lo -j ACCEPT Everything arriving on the lo (loopback) interface is accepted.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT New connection requests to port 22 are accepted.

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
These two lines reject, in the INPUT and FORWARD chains, every packet that did not match any of the rules above, and send a host prohibited message back to the rejected host.

Useful Commands


service iptables start
service iptables restart 
service iptables stop

# save rules
service iptables save

# restore to default rules
iptables-restore < /etc/sysconfig/iptables

# save and back up rules to a file

If iptables is stopped, no rules are shown:

$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Caution

If some rules are wrong or not recognized by iptables, the service will not start. The error looks like this:

Iptables: Applying firewall rules: iptables-restore v1.4.7: Couldn't load match `stste':/lib64/xtables/libipt_stste.so: cannot open shared object file: No such file or directory 

Error occurred at line: 21
Try 'iptables-restore -h' or 'iptables-restore --help' for more information.

To solve this, we flush (clear) all rules and save, and then iptables will start. But this operation is dangerous: once you flush, the rule that opens port 22 is gone as well.

[root@host2 ~]# iptables -F; iptables -X; iptables -Z
[root@host2 ~]#
[root@host2 ~]# service iptables start
iptables: Applying firewall rules:                         [  OK  ]
[root@host2 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

A better way is to restore the default rules. Save the following lines into a file called iptables.default:

# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Then restore it:

# iptables-restore < ./iptables.default

Save the rules:

[root@h2 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]

You need a stable network connection for these operations.
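The backup step at the top and the caution above are two halves of the same problem: a rules file can be loaded only after it parses, and a file that parses can still lock you out if the SSH rule is missing or sits behind the catch-all REJECT. The script below is an added example, not part of the original notes, that wraps iptables-save and iptables-restore with a text-level check of the rules file and a timed rollback. The backup directory /root/iptables-backups, the PID file under /tmp, the SSH_PORT value and every function name are assumptions made for this example; the only real commands it relies on are iptables-save, iptables-restore (with its --test option, which parses without committing) and service iptables save.

```shell
#!/bin/sh
# Added example, not code from the original notes: a pre-flight check and a
# timed-rollback wrapper around iptables-save / iptables-restore, so a bad
# rule set (a typo like "stste", or a set with no usable SSH rule) cannot
# lock you out. Assumed for this example: rule sets are plain iptables-save
# files, backups go to /root/iptables-backups, SSH is on port 22, and every
# function name below is invented.

SSH_PORT=22
BACKUP_DIR=/root/iptables-backups          # assumed location
PID_FILE=/tmp/iptables-rollback.pid        # assumed location

# rules_file_ok FILE -> 0 if the file passes three text-level checks
# (no root needed, nothing is loaded into the kernel):
#   1. it is a complete filter table (*filter ... COMMIT)
#   2. INPUT contains an ACCEPT rule for the SSH port
#   3. that rule comes before any catch-all "-A INPUT -j REJECT/DROP";
#      iptables matches top to bottom, so a rule appended (-A) after the
#      catch-all never fires.
rules_file_ok() {
    f=$1
    grep -q '^\*filter$' "$f" || { echo "$f: no *filter table" >&2; return 1; }
    grep -q '^COMMIT$' "$f"   || { echo "$f: no COMMIT line" >&2; return 1; }
    awk -v port="$SSH_PORT" '
        /^-A INPUT -j (REJECT|DROP)( |$)/ { catchall = 1 }
        /^-A INPUT / && /-j ACCEPT/ && $0 ~ ("--dport " port "( |$)") {
            if (!catchall) ssh_ok = 1
        }
        END { if (ssh_ok) exit 0; exit 1 }
    ' "$f" || { echo "$f: no SSH ACCEPT rule in INPUT ahead of the catch-all" >&2; return 1; }
}

# backup_rules -> writes the running rules to a dated file and prints its path
backup_rules() {
    mkdir -p "$BACKUP_DIR" || return 1
    out="$BACKUP_DIR/iptables-$(date +%Y%m%d-%H%M%S)"
    iptables-save > "$out" || return 1
    echo "$out"
}

# apply_with_rollback FILE [SECONDS]
# Checks FILE, parses it with iptables-restore --test (nothing committed),
# backs up the running rules, loads FILE, and arms a background timer that
# restores the backup after SECONDS unless confirm_rules is run first.
# If the new rules cut your SSH session, just wait for the timer.
apply_with_rollback() {
    f=$1; secs=${2:-60}
    rules_file_ok "$f" || return 1
    iptables-restore --test < "$f" || return 1
    backup=$(backup_rules) || return 1
    iptables-restore < "$f" || { iptables-restore < "$backup"; return 1; }
    ( sleep "$secs"; iptables-restore < "$backup" ) &
    echo $! > "$PID_FILE"
    echo "applied $f; run 'confirm_rules' within ${secs}s or it rolls back to $backup"
}

# confirm_rules -> cancels the rollback timer and persists the running rules
confirm_rules() {
    [ -f "$PID_FILE" ] && kill "$(cat "$PID_FILE")" 2>/dev/null
    rm -f "$PID_FILE"
    service iptables save
}

# Run as a script (as root):
#   sh safe-iptables.sh check   ./iptables.default
#   sh safe-iptables.sh apply   ./iptables.default 60
#   sh safe-iptables.sh confirm
case "${1:-}" in
    check)   rules_file_ok "$2" && echo "OK: $2" ;;
    apply)   apply_with_rollback "$2" "${3:-60}" ;;
    confirm) confirm_rules ;;
esac
```

The ordering check matters for the "Other Rules" commands further down: each of them uses -A, which appends after the default "-A INPUT -j REJECT" line, so they are reachable only if that line is removed from the file first or the new rule is inserted with -I. Run "check" on the saved /etc/sysconfig/iptables after every edit, and use "apply" rather than a bare iptables-restore whenever the box is reachable only over SSH.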

Other Rules

Allow ssh

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

Allow ping

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Allow HTTP and HTTPS

iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Allow DNS query

iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT

Accept all established inbound connections:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Ports

Web: port 80 and port 443 (SSL port).
Sending email: port 25 (regular SMTP) and port 465 (secure SMTP).
Receiving email (letting users read their mail on the server): port 110 (POP3) and port 995 (secure POP3).

Security Rules

Blocking null packets: drop all incoming TCP packets with no flags set (tcp flags NONE).

iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

Rejecting SYN-flood attacks. In a SYN flood the attackers open new connections but never state what they want (SYN, ACK, whatever); they just want to tie up our server's resources. We do not accept such packets.

iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Next, one more common pattern: XMAS packets, another reconnaissance probe.

iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

You can create a firewall rule that allows traffic to the SSH port only from one source, your own IP address (not recommended):

iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT

Replace YOUR_IP_ADDRESS with the actual IP.
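The three DROP rules above silently discard null, non-SYN-NEW and XMAS packets, so on their own they tell you nothing about whether such probes are arriving. The usual way to see them is to put a LOG rule with the same match in front of each DROP (for example, iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL-SCAN: "), which makes the kernel write one line per packet to the system log. The script below is an added example, not part of the original notes: it classifies the TCP flag pattern in such log lines and counts them. The log lines are constructed samples in the LOG target's format (shortened: the MAC= field is omitted), the addresses are documentation ranges, and all function names are invented for this example.

```shell
#!/bin/sh
# Added example, not from the original notes: classify the TCP flag pattern
# recorded in kernel firewall log lines (the format the iptables LOG target
# writes) and count null / XMAS / SYN probes. The sample lines below are
# constructed for this example; function names are invented.

# sample_log -> prints six constructed log lines (MAC= field omitted)
sample_log() {
    cat <<'EOF'
Mar 10 12:00:01 host2 kernel: NULL-SCAN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=41000 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Mar 10 12:00:02 host2 kernel: XMAS-SCAN: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=41001 DPT=22 WINDOW=1024 RES=0x00 URG ACK PSH RST SYN FIN URGP=0
Mar 10 12:00:03 host2 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:04 host2 kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=41002 DPT=22 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
Mar 10 12:00:05 host2 kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=51235 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:06 host2 kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=6 PROTO=UDP SPT=5353 DPT=53 LEN=40
EOF
}

# has_flag FLAGS NAME -> 0 if NAME is one of the space-separated FLAGS
has_flag() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# classify_tcp_flags LINE -> prints one of:
#   null     no flag set          (what --tcp-flags ALL NONE matches)
#   xmas     all six flags set    (what --tcp-flags ALL ALL matches)
#   syn      only SYN set         (a normal connection attempt)
#   other    any other combination (e.g. URG PSH FIN, nmap's XMAS variant)
#   not-tcp / unparsed when the line is not a TCP LOG line
classify_tcp_flags() {
    line=$1
    case "$line" in
        *PROTO=TCP*) ;;
        *) echo "not-tcp"; return 0 ;;
    esac
    case "$line" in
        *"RES=0x"*"URGP="*) ;;
        *) echo "unparsed"; return 0 ;;
    esac
    # The LOG target prints the set flag names between RES=0x.. and URGP=.
    flags=$(printf '%s\n' "$line" | sed -n 's/.*RES=0x[0-9A-Fa-f]*\(.*\)URGP=.*/\1/p')
    n=0
    for name in FIN SYN RST PSH ACK URG; do      # the six flags "ALL" covers
        has_flag "$flags" "$name" && n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then echo "null"
    elif [ "$n" -eq 6 ]; then echo "xmas"
    elif [ "$n" -eq 1 ] && has_flag "$flags" SYN; then echo "syn"
    else echo "other"
    fi
}

# scan_summary FILE -> "null=N xmas=N syn=N other=N" over every line in FILE
scan_summary() {
    null=0; xmas=0; syn=0; other=0
    while IFS= read -r l; do
        case "$(classify_tcp_flags "$l")" in
            null)  null=$((null + 1)) ;;
            xmas)  xmas=$((xmas + 1)) ;;
            syn)   syn=$((syn + 1)) ;;
            other) other=$((other + 1)) ;;
        esac
    done < "$1"
    echo "null=$null xmas=$xmas syn=$syn other=$other"
}

# Stand-alone run: summarise the constructed sample. On a real host you
# would feed it the kernel log instead, e.g. grep 'NULL-SCAN\|XMAS-SCAN' /var/log/messages
SAMPLE_LOG=$(mktemp)
sample_log > "$SAMPLE_LOG"
scan_summary "$SAMPLE_LOG"
```

Counting is split by the same flag patterns the DROP rules use, so a rising "null" or "xmas" count is direct evidence that the rule is doing work, while "other" catches the flag combinations (such as URG PSH FIN) that the page's ALL ALL rule does not cover and that you may want a separate --tcp-flags match for.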

Resources