
2017 Classical iptables Config rules Demo for Centos 6 Web Server

This page lists, one rule at a time, a classic iptables configuration for a CentOS 6 web server in a production environment. You can copy and use it directly, but first adjust the SSH port and remove the rules for any service (FTP, remote MySQL) that you do not actually run on the host.

 

To understand the rules below, see the companion article <<2017 CENTOS 6 WEB SERVER IPTABLES CLASSIAL CONFIG RULES LIST>>.

 

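# Classic iptables rule set for a stand-alone CentOS 6 web server. Run as root.
# Every rule is appended (-A) to a freshly flushed table and the LAST rule of
# each chain is an unconditional DROP, so order matters: anything appended
# after this script has run lands behind that DROP and never matches (use -I,
# or edit this file and run it again).

# Site-specific values - edit these before running.
SSH_PORT=22                     # change to the port your sshd listens on
FTP_PASSIVE_PORTS=30000:30100   # must match pasv_min_port/pasv_max_port in vsftpd.conf
DB_CLIENTS=127.0.0.1/32         # host or subnet allowed to reach MySQL; keep it on
                                # loopback unless the application runs on another host

#basic policy
# Policies stay ACCEPT while the chains are rebuilt, so an error half-way
# through (or running this over SSH) cannot lock you out. Default-deny comes
# from the explicit DROP rules at the end of each chain, not from the policy.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT


#clean all rules
iptables -F
iptables -X


#common rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT #the application reaches local MySQL/caches over 127.0.0.1; without this the first packet of each such connection is dropped by the OUTPUT catch-all
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #allow established and related in
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT #allow established and related out
iptables -A INPUT -p icmp --icmp-type any -j ACCEPT #let others ping the server; drop this line if it should not answer ping (PMTU replies still pass as RELATED)
iptables -A OUTPUT -p icmp --icmp-type any -j ACCEPT #let the server ping out; the option is --icmp-type, a bare "--icmp any" is rejected by iptables


#SSH and FTP
# Optional per-source brute-force throttle for SSH: more than 5 new connections
# from one address inside 60 s are dropped. It must sit BEFORE the ssh ACCEPT.
# Uncomment only if you do not run automation that opens many sessions quickly.
#iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport "$SSH_PORT" -m recent --name ssh --set
#iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport "$SSH_PORT" -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport "$SSH_PORT" -j ACCEPT #ssh; add "-s <admin-ip-or-net>" to this rule when administration comes from fixed addresses
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT #ftp control. FTP sends passwords in clear text - prefer SFTP (already covered by the ssh rule) and delete both ftp rules
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport "$FTP_PASSIVE_PORTS" -j ACCEPT #ftp passive data range. With "modprobe nf_conntrack_ftp" the data connections arrive as RELATED and this rule can go


#web server support
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT #https
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT #http
iptables -A INPUT -p tcp -m state --state NEW -m tcp -s "$DB_CLIENTS" --dport 3306 -j ACCEPT #mysql, only from DB_CLIENTS. Never open 3306 to every source; the old unrestricted rule exposed the database to the whole Internet


#on server operate support
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT #dns
iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT #dns over tcp, used by resolvers when an answer does not fit in a udp reply
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT #https (yum, curl, wget)
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT #http
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT #ssh, like git
iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT #send mail
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT #ntp: ntpdate and ntpd use UDP. The old "-p tcp --dport 123" rule never matched, so time sync was silently blocked by the OUTPUT catch-all


#defend
# The old "-m limit --limit 25/min" ACCEPT on port 80 sat after the
# unconditional port-80 ACCEPT, so it never saw a NEW connection; and "limit"
# counts globally, not per source, so 25 connections per minute would throttle
# legitimate visitors rather than an attacker. It is not a DDoS defence and is
# gone. The FORWARD fragment/icmp limits are gone as well: a stand-alone web
# server does not route (net.ipv4.ip_forward = 0), so nothing should ever
# traverse FORWARD and the chain is simply dropped below.


#drop all at the end
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables INPUT drop: " --log-level 4 #rate-limited sample of dropped input in /var/log/messages, useful when a service "mysteriously" cannot be reached
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
iptables -A FORWARD -j DROP


#review rules before save
iptables -L -n -v --line-numbers #-v shows the interface/counters, --line-numbers gives the position needed for -I/-D


#save and persist
service iptables save    #writes the live rules to /etc/sysconfig/iptables
service iptables restart #reloads from that file, proving the saved set is what you expect
chkconfig iptables on    #without this the service, and therefore the rules, do not come back after a reboot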