{"id":362,"date":"2017-01-10T17:43:18","date_gmt":"2017-01-10T17:43:18","guid":{"rendered":"https:\/\/www.xsofthost.com\/help\/?p=362"},"modified":"2017-09-01T11:32:20","modified_gmt":"2017-09-01T11:32:20","slug":"commands-guide-iptables-firewall-on-linux-os","status":"publish","type":"post","link":"https:\/\/www.xsofthost.com\/help\/commands-guide-iptables-firewall-on-linux-os\/","title":{"rendered":"Commands guide for iptables firewall on linux os"},
"content":{"rendered":"<h2 class=\"h3\">Common Iptables Firewall Rules and Commands<\/h2>\n<h3 class=\"h4\">What is Iptables?<\/h3>\n<div>\n<p>Iptables is the software firewall that is included with most Linux distributions by default. <strong>How iptables works<\/strong>: iptables is a command-line utility that configures the netfilter packet filter in the Linux kernel. Rules are organised in chains; the default <strong>filter<\/strong> table has INPUT for traffic addressed to this host, OUTPUT for traffic leaving it and FORWARD for routed traffic. Every packet is compared against the rules of its chain from top to bottom and the first rule that matches decides what happens to it (ACCEPT, DROP, REJECT, LOG). If no rule matches, the chain\u2019s default policy applies. Because the first match wins, the order in which rules are added matters: a rule appended with -A never fires for traffic that an earlier rule has already accepted or dropped.<\/p>\n<p>All commands below must be run as root (or with sudo) and affect IPv4 only; IPv6 traffic is filtered separately by ip6tables, which takes the same options. For a list of parameters see <a title=\" iptables command options and PARAMETERS on linux\" href=\"https:\/\/www.xsofthost.com\/knowledgebase\/77\/Iptables-command-options-and-PARAMETERS-on-linux.html\">Iptables command options and parameters on linux<\/a>.<\/p>\n<\/div>\n<h3 class=\"h4\">Most common Iptables Firewall commands list:<\/h3>\n<ul>\n<li>\n<p>To find the name of your network interface run one of the following commands (ifconfig is no longer installed by default on many distributions):<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">ip link<\/span><\/div>\n<div><span class=\"prompt\">ifconfig<\/span><\/div>\n<\/div>\n<p>In the examples below the network interface is <strong>eth0<\/strong>; replace it with your own interface name (for example ens3 or enp0s3).<\/p>\n<\/li>\n<li>\n<p>Display the list of currently configured iptables rules with numeric addresses, packet counters and rule numbers (the rule numbers can be used with -D to delete a single rule):<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">iptables -L -n -v --line-numbers<\/span><\/div>\n<\/div>\n<p>This lists the <strong>filter<\/strong> table only; add -t nat or -t mangle to list the other tables.<\/p>\n<\/li>\n<li>\n<p>To clear all the currently configured rules of the filter table, issue the flush command:<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">iptables -F<\/span><\/div>\n<\/div>\n<p><span class=\"text-green\">Caution:<\/span> -F removes the rules but keeps the default policies. If the INPUT policy is DROP, flushing also removes the rule that accepts your SSH session and locks you out of a remote server; set the policy to ACCEPT first (iptables -P INPUT ACCEPT) or run the command from the console. User-defined chains are removed with -X, and the other tables with -t nat -F and -t mangle -F.<\/p>\n<\/li>\n<li>\n<p>To block all connections from a specific IP address run the following command; the example blocks the address 1.1.1.0. The rule is inserted at the top of the INPUT chain with -I so that it takes effect even when a later rule accepts the same traffic:<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">iptables -I INPUT 1 -s <span class=\"text-orange\">1.1.1.0<\/span> -j DROP<\/span><\/div>\n<\/div>\n<p>A whole network can be blocked in the same way by giving it in CIDR notation, for example -s 1.1.1.0\/24.<\/p>\n<\/li>\n<li>\n<p>To block SSH connections from a specific IP address run the following command; the example again blocks 1.1.1.0 (the port name ssh is looked up in \/etc\/services and is the same as --dport 22):<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">iptables -I INPUT 1 -p tcp --dport ssh -s <span class=\"text-orange\">1.1.1.0<\/span> -j DROP<\/span><\/div>\n<div><span class=\"text-green\">The following blocks SSH connections from any IP address. Do not run it over an SSH session unless you have another way to reach the machine.<\/span><\/div>\n<div><span class=\"prompt\">iptables -A INPUT -p tcp --dport ssh -j DROP<\/span><\/div>\n<\/div>\n<\/li>\n<li>\n<p>Allow incoming SSH only from a specific network, for example from the 192.168.1.x network. The INPUT rule accepts new and established connections from that network; the OUTPUT rule lets the replies out and is only needed when the OUTPUT chain\u2019s policy is DROP:<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">iptables -A INPUT -i eth0 -p tcp -s 192.168.1.0\/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<\/span><\/div>\n<div><span class=\"prompt\">iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT<\/span><\/div>\n<\/div>\n<p>An ACCEPT rule by itself blocks nothing: SSH is only restricted to that network if the INPUT chain\u2019s default policy is DROP or a later rule drops the remaining traffic to port 22. -m conntrack --ctstate is the current spelling of the older -m state --state, which still works and means the same thing.<\/p>\n<\/li>\n<li>\n<p>Ping iptables rules (echo-request is the ping itself, echo-reply the answer; the second rule of each pair is only needed when that chain\u2019s policy is DROP):<\/p>\n<ul>\n<li>\n<p>Allow ping from outside to inside (this host answers pings)<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<\/span><\/div>\n<div><span class=\"prompt\">iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT<\/span><\/div>\n<\/div>\n<\/li>\n<li>\n<p>Allow ping from inside to outside (this host can ping other hosts)<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT<\/span><\/div>\n<div><span class=\"prompt\">iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT<\/span><\/div>\n<\/div>\n<\/li>\n<\/ul>\n<\/li>\n<li>\n<p>Allow all incoming HTTP and HTTPS. --dport takes a single port or a port range only, so a comma-separated list of ports needs the multiport match:<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">iptables -A INPUT -i eth0 -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<\/span><\/div>\n<div><span class=\"prompt\">iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT<\/span><\/div>\n<\/div>\n<\/li>\n<li>\n<p>Allow MySQL connections only from a specific IP address (192.168.1.10 in the example; as with SSH above this is only a restriction when the remaining traffic to port 3306 is dropped):<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">iptables -A INPUT -i eth0 -p tcp -s <span class=\"text-orange\">192.168.1.10<\/span> --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT<\/span><\/div>\n<div><span class=\"prompt\">iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT<\/span><\/div>\n<\/div>\n<\/li>\n<li>\n<p>Allow outbound DNS queries and their answers. The ESTABLISHED match on the INPUT rule only lets in answers to queries this host actually sent; without it any UDP packet with source port 53 would be accepted. Resolvers fall back to TCP port 53 for large answers, so add the same pair with -p tcp if your OUTPUT policy is DROP:<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT<\/span><\/div>\n<div><span class=\"prompt\">iptables -A INPUT -p udp -i eth0 --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT<\/span><\/div>\n<\/div>\n<\/li>\n<li>\n<p>The following rules limit the rate of new connections to your web server and help against a simple Denial of Service (DoS) flood. The limit must apply to new connections only (--ctstate NEW), otherwise every packet of a legitimate established connection counts against it, and it needs a DROP rule after it: a limit rule that only accepts does nothing to the excess traffic unless the INPUT policy is DROP.<\/p>\n<div class=\"cmd\">\n<div><span class=\"prompt\">iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 50\/minute --limit-burst 200 -j ACCEPT<\/span><\/div>\n<div><span class=\"prompt\">iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP<\/span><\/div>\n<\/div>\n<div class=\"well\">\n<p>Parameters description:<\/p>\n<ul>\n<li>-m limit: uses the limit match extension, a token bucket. Each matching packet consumes one token and matches only while a token is available<\/li>\n<li>--limit 50\/minute: the rate at which tokens are refilled, here 50 per minute, which is the long-term average of new connections that will be accepted. Change this value based on your specific requirements<\/li>\n<li>--limit-burst 200: the maximum number of tokens the bucket holds (it starts full), so up to 200 new connections in a row are accepted before the 50\/minute average is enforced<\/li>\n<\/ul>\n<\/div>\n<p>This is a single global limit: once it is reached legitimate clients are throttled together with the attacker, and it does not help against a distributed attack. The hashlimit match (-m hashlimit) applies the same idea per source address.<\/p>\n<\/li>\n<li>\n<p>Saving iptables changes:<\/p>\n<p>Rules exist only in the running kernel, so everything you add is lost when the system reboots or the iptables service is restarted, unless the rules are saved to a file that is reloaded at boot. The command differs between Linux distributions:<\/p>\n<div class=\"cmd\">\n<div class=\"text-orange\">For Ubuntu \/ Debian (install the iptables-persistent package first; iptables-save on its own only prints the rules to the terminal):<\/div>\n<div><span class=\"prompt\">sudo apt-get install iptables-persistent<\/span><\/div>\n<div><span class=\"prompt\">sudo netfilter-persistent save<\/span><\/div>\n<div class=\"text-orange\">For Red Hat \/ CentOS (CentOS 7 and later need the iptables-services package, as firewalld is the default there):<\/div>\n<div><span class=\"prompt\">\/sbin\/service iptables save<\/span><\/div>\n<\/div>\n<p>Both commands write the output of iptables-save to a file (\/etc\/iptables\/rules.v4 and \/etc\/sysconfig\/iptables respectively) that is loaded again at boot; the same file can be loaded by hand with iptables-restore.<\/p>\n<\/li>\n<\/ul>\n","protected":false},
"excerpt":{"rendered":"<p>Common Iptables Firewall Rules and Commands What is Iptables? Iptables is the software firewall that is included with most Linux distributions by default. How iptables works: iptables is a command-line utility that configures the netfilter packet filter in the Linux kernel. Rules are organised in chains; the default filter table has INPUT for traffic addressed to this host, OUTPUT for traffic leaving it and [&hellip;]<\/p>\n","protected":false},
"author":2,"featured_media":363,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[41],"tags":[178,48,49,42,74],
"_links":{"self":[{"href":"https:\/\/www.xsofthost.com\/help\/wp-json\/wp\/v2\/posts\/362"}],"collection":[{"href":"https:\/\/www.xsofthost.com\/help\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xsofthost.com\/help\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xsofthost.com\/help\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xsofthost.com\/help\/wp-json\/wp\/v2\/comments?post=362"}],"version-history":[{"count":2,"href":"https:\/\/www.xsofthost.com\/help\/wp-json\/wp\/v2\/posts\/362\/revisions"}],"predecessor-version":[{"id":365,"href":"https:\/\/www.xsofthost.com\/help\/wp-json\/wp\/v2\/posts\/362\/revisions\/365"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.xsofthost.com\/help\/wp-json\/wp\/v2\/media\/363"}],"wp:attachment":[{"href":"https:\/\/www.xsofthost.com\/help\/wp-json\/wp\/v2\/media?parent=362"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xsofthost.com\/help\/wp-json\/wp\/v2\/categories?post=362"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xsofthost.com\/help\/wp-json\/wp\/v2\/tags?post=362"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
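The commands on this page are shown one at a time, but in practice they only make sense as one ordered ruleset with a DROP default policy: the SSH, MySQL and rate-limit rules restrict nothing until the remaining traffic is dropped, and a flush or a DROP policy applied at the wrong moment locks you out of a remote host. The script below is an added example, not code from the original page or from xsofthost: it generates the complete policy the page assembles (loopback, conntrack, SSH from an administration network, rate-limited HTTP/HTTPS with multiport, MySQL from one client, ping, logging of what is dropped), sets the INPUT policy to DROP only as the final step, checks the ordering invariants before applying anything, and shows the -I versus -A point for block rules with input validation. The interface eth0, the network 192.168.1.0/24 and the client 192.168.1.10 are taken from the page's own examples; the LOG rule, the INVALID drop, the function names firewall_rules, block_ip, check_rules and apply_rules and the APPLY switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from the original page): one script that assembles
# the ruleset this page builds command by command, in a lockout-safe order,
# with a sanity check of the order before anything is applied.
# Assumptions, adjustable through the environment: interface eth0, an
# administration network 192.168.1.0/24 that may use SSH, a single database
# client 192.168.1.10, IPv4 only (ip6tables is not touched).
#   sh firewall.sh            prints the commands without running them
#   APPLY=1 sh firewall.sh    runs them (as root)

IFACE="${IFACE:-eth0}"
MGMT_NET="${MGMT_NET:-192.168.1.0/24}"
DB_CLIENT="${DB_CLIENT:-192.168.1.10}"
IPT=iptables

# Print the whole policy, one iptables command per line, in the order it must run.
# Policies are set to ACCEPT before the flush and INPUT is switched to DROP only
# as the very last step, so an error half-way through never locks you out.
# OUTPUT stays ACCEPT, so the page's separate OUTPUT rules are not needed here.
firewall_rules() {
    cat <<EOF
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
$IPT -F
$IPT -X
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
$IPT -A INPUT -i $IFACE -p tcp -s $MGMT_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -i $IFACE -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
$IPT -A INPUT -i $IFACE -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j DROP
$IPT -A INPUT -i $IFACE -p tcp -s $DB_CLIENT --dport 3306 -m conntrack --ctstate NEW -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/second -j ACCEPT
$IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: " --log-level 4
$IPT -P INPUT DROP
EOF
}

# Emit a rule that blocks one IPv4 address or CIDR network. It is inserted at
# position 1 (-I INPUT 1) rather than appended (-A): an appended DROP never
# fires for traffic an earlier ACCEPT already matched. The argument is validated
# before it is interpolated, so shell metacharacters never reach iptables.
block_ip() {
    ip=$1
    case $ip in
        ''|*[!0-9./]*|*..*|.*|*.|*./*|*/*/*|*.*.*.*.*)
            echo "block_ip: invalid IPv4 address or CIDR: '$ip'" >&2; return 1 ;;
    esac
    addr=${ip%%/*}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || { echo "block_ip: expected four octets: '$ip'" >&2; return 1; }
    for octet; do
        [ "$octet" -le 255 ] 2>/dev/null || { echo "block_ip: octet out of range: '$ip'" >&2; return 1; }
    done
    case $ip in
        */*) [ "${ip#*/}" -le 32 ] 2>/dev/null || { echo "block_ip: bad prefix length: '$ip'" >&2; return 1; } ;;
    esac
    echo "$IPT -I INPUT 1 -s $ip -j DROP"
}

# Check the ordering invariants of the generated policy before it is applied:
# the DROP default policy is the last command, the ESTABLISHED,RELATED rule
# precedes every rule that accepts NEW connections, the rate-limit DROP directly
# follows its ACCEPT, and every -A rule has a target. Returns 0 when all hold.
check_rules() {
    firewall_rules | awk '
        /-P INPUT DROP/ { drop_at = NR }
        /ESTABLISHED,RELATED/ && !est { est = NR }
        /--ctstate NEW/ && !est { bad = 1; print "NEW rule before ESTABLISHED rule: " $0 > "/dev/stderr" }
        /--limit-burst/ { limit_at = NR }
        /--dports 80,443 .*-j DROP/ && NR != limit_at + 1 { bad = 1; print "rate-limit DROP must follow its ACCEPT" > "/dev/stderr" }
        / -A / && !/ -j / { bad = 1; print "rule without target: " $0 > "/dev/stderr" }
        END { if (drop_at != NR) { bad = 1; print "-P INPUT DROP must be the last command" > "/dev/stderr" }; exit bad + 0 }'
}

# Run the generated commands in a shell that stops at the first failure.
apply_rules() {
    firewall_rules | sh -e -x
}

if [ "${APPLY:-0}" = 1 ]; then
    check_rules && apply_rules
else
    firewall_rules
fi
```

Run it without APPLY first and read the output; once it looks right, run it as root with APPLY=1 from a console session, or from SSH only after checking that your own address is inside MGMT_NET. After it has been applied, `block_ip 1.1.1.0 | sh` adds a block rule at the top of INPUT, and the save command for your distribution (see above) makes the result survive a reboot.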