tighar:iptables [2009/07/06 04:57]
moleski
tighar:iptables [2017/07/13 20:33] (current)
====== IPTABLES (firewall) ======
===== commands =====

|service iptables start | or stop, restart |
|iptables -L | look at what the firewall thinks it is doing |
|service iptables stop | |
|iptables -L INPUT | look at the input ports |
|/etc/init.d/iptables stop | |
|/sbin/service iptables stop | |
|service iptables save | use this after iptables has been tweaked; rules added on the command line live only in the kernel until saved |
\\
^ for localhost ^
|iptables -A INPUT -s 127.0.0.1 -j ACCEPT|
|iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT|
\\

For sendmail: open port 25 to receive incoming mail (INPUT) and allow new outbound connections to port 25 (OUTPUT).
<code>
-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
</code>

For POP3:

<code>
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 173.45.236.139 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 173.45.236.139 --sport 110 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
</code>

For IMAP:

<code>
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 173.45.236.139 --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 173.45.236.139 --sport 143 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
</code>

Drop new ICMP requests (the rule uses DROP, which discards silently; REJECT would send an error back):

<code>
iptables -A INPUT -p icmp -m state --state NEW -j DROP
</code>

===== /etc/sysconfig/iptables =====
This file holds the saved firewall configuration that is loaded when the iptables service starts.

The order of the lines in this file may be significant. I'm not sure.
<code>
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2571:527834]
#
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#
#  port 111 is used for RPCbind--it wasn't a good idea to close it ...
#
#-A INPUT -p tcp --dport 111 -j DROP
#-A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
#
#
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
#
-A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
COMMIT
</code>
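Line order in this file is significant: iptables walks a chain from the top and the first rule that matches decides the packet, so a rule placed below the final REJECT is never reached. As an added example (not part of this wiki page), the following Python simulator applies that first-match rule to the INPUT chain saved above; it models only the match options the page uses (-p, -i, -s, --dport, --syn, -m state --state), and the names INPUT_CHAIN, REJECT_FIRST, parse_rule, matches, verdict and pkt, plus the remote address 203.0.113.7, are the example's own assumptions.

```python
import shlex
from ipaddress import ip_address, ip_network
# Constructed copy of the INPUT chain from the page's /etc/sysconfig/iptables (chain policy ACCEPT).
INPUT_CHAIN = """\
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited"""
# Same rules with the final REJECT moved to the top: nothing below it is ever reached.
REJECT_FIRST = "\n".join(INPUT_CHAIN.splitlines()[-1:] + INPUT_CHAIN.splitlines()[:-1])
def parse_rule(line):
    """One '-A INPUT ...' line -> dict of match criteria plus its target."""
    toks, rule, i = shlex.split(line)[2:], {}, 0           # drop the '-A INPUT' prefix
    while i < len(toks):
        t = toks[i]
        if t == "-p": rule["proto"] = toks[i + 1]; i += 2
        elif t == "-i": rule["iface"] = toks[i + 1]; i += 2
        elif t == "-s": rule["src"] = ip_network(toks[i + 1], strict=False); i += 2
        elif t == "--dport": rule["dport"] = int(toks[i + 1]); i += 2
        elif t == "--state": rule["state"] = set(toks[i + 1].split(",")); i += 2
        elif t == "-j": rule["target"] = toks[i + 1]; i += 2
        elif t == "--syn": rule["syn"] = True; i += 1
        elif t in ("-m", "--reject-with"): i += 2           # module name / reply type: no criteria
        else: raise ValueError(f"option {t!r} is not modelled by this example")
    return rule

def matches(rule, pkt):
    """Every criterion the rule carries must hold for the packet."""
    tests = {"proto": lambda v: pkt["proto"] == v,
             "iface": lambda v: pkt["iface"] == v,
             "src":   lambda v: ip_address(pkt["src"]) in v,
             "dport": lambda v: pkt.get("dport") == v,
             "state": lambda v: pkt["state"] in v,
             "syn":   lambda v: pkt.get("syn", False)}
    return all(tests[k](v) for k, v in rule.items() if k != "target")

def verdict(chain, pkt, policy="ACCEPT"):
    """Walk the chain top to bottom; the first matching rule's target decides the packet."""
    for line in chain.splitlines():
        rule = parse_rule(line)
        if matches(rule, pkt): return rule["target"]
    return policy                                            # nothing matched: the chain policy applies

def pkt(proto, dport=None, src="203.0.113.7", iface="eth0", state="NEW", syn=False):
    # Constructed packet; 203.0.113.7 (documentation range) stands in for a remote host.
    return dict(proto=proto, dport=dport, src=src, iface=iface, state=state, syn=syn)
```

With the chain as saved, a new SSH connection from outside is accepted while POP3 (110) and UDP 5353 fall through to the REJECT; with REJECT_FIRST even loopback traffic is refused, which is the lockout a misplaced line produces.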
===== udp port 5353 =====

/etc/services associates it with "Multicast DNS".
  
 
 