IPTABLES (firewall)

commands

service iptables start|stop|restart    control the firewall through the init script (RHEL/CentOS); "stop" flushes every rule and leaves all chains with policy ACCEPT, i.e. wide open
iptables -L -n -v --line-numbers       look at what the firewall thinks it is doing (-n skips reverse DNS, -v shows counters and interfaces, --line-numbers gives the positions needed for -I/-D)
iptables -L INPUT -n                   look at the INPUT chain (the inbound ports) only
/etc/init.d/iptables stop              same as "service iptables stop"; note that "iptables stop" and "/sbin/iptables stop" are not commands, the iptables binary has no stop verb
service iptables save                  use this after iptables has been tweaked; it writes the running rules to /etc/sysconfig/iptables so they survive a restart or reboot
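Loading a new rule file on a remote host is where the lockouts happen, so the following added example (my script, not part of the original notes) wraps the commands above: it runs the parse-only check of iptables-restore, snapshots the running rules with iptables-save, arms a rollback timer, and only then loads the file. It assumes root and the iptables-save/iptables-restore binaries that ship with the iptables package; DRY_RUN, PIDFILE and the /root backup path are conventions of this script, not iptables options.

```shell
#!/bin/sh
# Added example (not part of the original notes): load a new
# /etc/sysconfig/iptables-style file without locking yourself out.
# Assumes root and iptables-save/iptables-restore.
# DRY_RUN=1 prints the privileged commands instead of running them.

PIDFILE=${PIDFILE:-/run/iptables-rollback.pid}   # where the rollback timer's PID is kept

# run CMD...: execute CMD, or just print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# safe_apply RULEFILE [GRACE_SECONDS]
# Loads RULEFILE; unless confirm_rules is called within GRACE_SECONDS
# (default 120), the previous rules are restored automatically.
safe_apply() {
    rulefile=$1
    grace=${2:-120}
    backup="/root/iptables.backup.$(date +%Y%m%d%H%M%S)"

    [ -r "$rulefile" ] || { echo "cannot read $rulefile" >&2; return 2; }

    # 1. parse-only pass: a typo is rejected before anything changes
    run iptables-restore --test "$rulefile" ||
        { echo "$rulefile rejected by iptables-restore --test" >&2; return 1; }

    # 2. snapshot the running rules so there is something to go back to
    run sh -c "iptables-save > '$backup'" || return 1

    # 3. arm the rollback BEFORE loading: if the new rules cut the session,
    #    nohup keeps the timer alive and it restores the snapshot on its own
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'nohup sh -c "sleep %s && iptables-restore %s" &\n' "$grace" "$backup"
    else
        nohup sh -c "sleep $grace && iptables-restore '$backup'" >/dev/null 2>&1 &
        echo $! > "$PIDFILE"
    fi

    # 4. iptables-restore replaces the whole table in one step, so there is
    #    no window in which a half-loaded chain is active
    run iptables-restore "$rulefile" || return 1
    echo "loaded $rulefile; rollback to $backup in ${grace}s unless confirmed" >&2
}

# confirm_rules: run from a NEW login once the new rules are in place and you
# can still get in. Cancels the rollback timer and saves the rules for the
# next boot.
confirm_rules() {
    if [ -r "$PIDFILE" ]; then
        kill "$(cat "$PIDFILE")" 2>/dev/null   # kills the waiting sh; the orphaned sleep is harmless
        rm -f "$PIDFILE"
    fi
    run service iptables save
}

# Usage: sh safe-iptables.sh apply /etc/sysconfig/iptables.new [SECONDS]
#        sh safe-iptables.sh confirm
case "${1:-}" in
    apply)   safe_apply "$2" "${3:-120}" ;;
    confirm) confirm_rules ;;
esac
```

The timer is started before the load on purpose: if the new rules drop the SSH session, nothing in that session can run afterwards, so the restore has to be something that is already waiting.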


for localhost
iptables -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT

These match on the address. The saved file below also carries "-A INPUT -i lo -j ACCEPT", which matches on the loopback interface instead; that is the form to prefer, because a packet arriving on the real interface with a forged 127.0.0.1 source then gets no free pass. The OUTPUT equivalent is "-o lo".


For sendmail: the first rule opens port 25 inbound so other mail servers can deliver to us (--syn matches only the packet that opens the connection; the rest of each connection is covered by the RELATED,ESTABLISHED rule, which has to sit above it in the chain). The second rule lets this host open outbound SMTP connections to deliver mail; with an OUTPUT policy of ACCEPT, as in the file below, it is redundant.

-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

For POP3 (173.45.236.139 is this host's own address; -s 0/0 and -d 0/0 mean any address, and 1024:65535 is the unprivileged port range clients connect from):

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 173.45.236.139 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 173.45.236.139 --sport 110 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

For IMAP:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 173.45.236.139 --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 173.45.236.139 --sport 143 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

Drop new ICMP requests (e.g. ping):

iptables -A INPUT -p icmp -m state --state NEW -j DROP

DROP discards silently (REJECT would answer with an error). Only NEW ICMP is affected: ICMP errors about existing connections, such as "fragmentation needed" for path-MTU discovery, are RELATED and still pass the RELATED,ESTABLISHED rule. Note that the saved file below has "-A INPUT -p icmp -j ACCEPT" instead; since the first matching rule wins, this DROP only takes effect if it is placed before that ACCEPT.
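The rule fragments above for localhost, sendmail, POP3, IMAP and ICMP are pieces of one ruleset, and the order they end up in matters. The following added example (mine, not from the original notes) generates the whole thing at once in the format /etc/sysconfig/iptables uses, with the loopback rule on the interface, one RELATED,ESTABLISHED rule covering every service's replies, rate-limited pings instead of a blanket accept or drop, and a single catch-all at the end. It assumes the xt_conntrack and xt_multiport matches, which any current kernel has; "-m conntrack --ctstate" is the newer spelling of the "-m state --state" used above, and the ADMIN_CIDR parameter and the 203.0.113.0/24 network are conventions of this script.

```shell
#!/bin/sh
# Added example (not from the original notes): generate a complete, stateful
# ruleset for a mail host in iptables-save format, instead of adding the
# SMTP/POP3/IMAP rules one service at a time.
# Assumes the xt_conntrack and xt_multiport matches (any current kernel).
#
# mail_host_rules HOST_IP [ADMIN_CIDR]
#   HOST_IP    the address the mail services listen on (e.g. 173.45.236.139)
#   ADMIN_CIDR optional network SSH is restricted to; omit to allow SSH from anywhere
mail_host_rules() {
    host_ip=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: match the interface, not the address, so a packet forged with a
# 127.0.0.1 source on the real interface does not get in
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# replies to connections this host already has: one rule covers every service,
# and it comes first because it matches most packets
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP: answer pings at a bounded rate; ICMP errors about our own connections
# (e.g. fragmentation needed) arrive as RELATED and are already accepted
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# new connections to the services this host offers (first packet only)
-A INPUT ${2:+-s $2 }-p tcp --syn --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -d $host_ip -p tcp --syn -m multiport --dports 25,110,143 -m conntrack --ctstate NEW -j ACCEPT
# everything else: log a sample, then reject; this must stay the last INPUT rule
-A INPUT -m limit --limit 2/minute -j LOG --log-prefix "IPT-INPUT-REJECT "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Usage: sh mkrules.sh 173.45.236.139 203.0.113.0/24 > /etc/sysconfig/iptables.new
#        then load it with iptables-restore (or "service iptables restart")
if [ $# -ge 1 ]; then
    mail_host_rules "$@"
fi
```

The INPUT policy is DROP here rather than ACCEPT, so a flush (or a rule file that fails to load past the policy lines) fails closed; the OUTPUT policy stays ACCEPT as in the notes.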

/etc/sysconfig/iptables

This file is the saved configuration for the firewall: "service iptables save" writes the running rules here in iptables-save format, and the init script loads it with iptables-restore at boot.

The order of the lines in this file is significant. Within a chain, rules are tested from top to bottom and the first one that matches decides (its -j target); so a catch-all "-A INPUT -j REJECT" must be the last INPUT rule, and anything placed after it is never reached. The ":CHAIN POLICY [packets:bytes]" lines set what happens when no rule matches; the numbers in brackets are only the saved packet and byte counters.

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2571:527834]
#
# packets belonging to connections already accepted; this covers the replies
# for every service below, so it goes first
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
# new connections to the services this host offers
-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# catch-all: anything not matched above is rejected; no INPUT rule placed
# after this line can ever match
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#
#  port 111 is used for rpcbind--it wasn't a good idea to close it, so these
#  stay commented out. If they are ever enabled they must move above the
#  catch-all REJECT, with the localhost ACCEPT before the DROP, or they do
#  nothing.
#
#-A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
#-A INPUT -p tcp --dport 111 -j DROP
#
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
# OUTPUT policy is ACCEPT, so these two rules only keep counters; they would
# matter if the policy were changed to DROP
-A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
COMMIT
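Because ordering mistakes in this file are silent (a rule behind the catch-all loads fine and just never matches), it is worth checking the file rather than trusting it. The following added example (mine, not from the original notes) audits a saved rule file for the two problems discussed above: rules that sit behind an unconditional ACCEPT/DROP/REJECT in the same chain, and chains whose policy is ACCEPT with no catch-all rule. It needs only awk and the iptables-save format, so it can run on the file without touching the live firewall; run on the file above it reports the OUTPUT chain as open, which is exactly what the ACCEPT policy means.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit a saved rule file for
# the ordering mistakes that "first match wins" makes easy. Reports rules that
# sit behind an unconditional ACCEPT/DROP/REJECT in the same chain (never
# reached) and chains whose policy is ACCEPT with no catch-all (open by default).
# Assumes only awk and the iptables-save format; comment lines are ignored.

# audit_rules FILE: prints findings; exit status 1 if any rule is unreachable
audit_rules() {
    awk '
    /^:/ {                          # ":CHAIN POLICY [pkts:bytes]"
        chain = substr($1, 2); policy[chain] = $2; next
    }
    /^-A / {
        chain = $2
        if (chain in closed) {      # a rule after the catch-all can never match
            printf "unreachable: line %d (%s) sits behind the catch-all on line %d\n", NR, $0, closed[chain]
            bad++; next
        }
        rest = $0
        sub(/^-A [^ ]+ /, "", rest) # drop "-A CHAIN "
        sub(/[ \t]+$/, "", rest)    # saved files often carry trailing blanks
        # no match options left, only a terminal target: everything below is dead
        if (rest ~ /^-j (ACCEPT|DROP|REJECT)( --reject-with [^ ]+)?$/) closed[chain] = NR
        next
    }
    /^COMMIT/ {                     # end of a table: check policies, reset for the next one
        for (c in policy)
            if (policy[c] == "ACCEPT" && !(c in closed))
                printf "open: chain %s has policy ACCEPT and no catch-all rule\n", c
        for (c in policy) delete policy[c]
        for (c in closed) delete closed[c]
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Usage: sh audit-iptables.sh /etc/sysconfig/iptables
if [ $# -ge 1 ]; then
    audit_rules "$1"
fi
```

A rule with any match option left after the chain name (an address, a port, a state) is not treated as a catch-all, so "-A INPUT -s 127.0.0.1/32 -j ACCEPT" does not close the chain; only a bare "-j ACCEPT|DROP|REJECT" (optionally with --reject-with) does.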
# 

udp port 5353

/etc/services associates it with "Multicast DNS" (mDNS, the zero-configuration name lookup used by avahi on Linux and Bonjour on Apple systems). It is link-local multicast to 224.0.0.251, not something that should arrive from the Internet; with the file above it has no rule of its own and falls through to the catch-all REJECT.

 
tighar/iptables.txt · Last modified: 2017/07/13 20:33 (external edit)
 