| command | notes |
|---|---|
| service iptables start | or stop, restart |
| iptables -L | look at what the firewall thinks it is doing |
| service iptables stop | |
| iptables -L INPUT | list the rules in the INPUT chain (the input ports) |
| /etc/init.d/iptables stop | |
| /sbin/service iptables stop | same as above (service is the RHEL/CentOS wrapper for the init script) |
| service iptables save | use this after iptables has been tweaked, so the rules survive a restart |
| for localhost |
|---|
| iptables -A INPUT -s 127.0.0.1 -j ACCEPT |
| iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT |
For sendmail: open port 25 to receive inbound mail, and allow outbound connections to port 25.

```
-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
```
For POP3:

```
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 173.45.236.139 --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 173.45.236.139 --sport 110 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
```
For IMAP:

```
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d 173.45.236.139 --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s 173.45.236.139 --sport 143 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
```
Drop new inbound ICMP requests (the rule uses DROP, so the sender gets no reply at all):

```
iptables -A INPUT -p icmp -m state --state NEW -j DROP
```
The iptables rules file (/etc/sysconfig/iptables on RHEL/CentOS, written by service iptables save) = configuration for the firewall
The order of the lines in this file may be significant. I'm not sure.
```
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2571:527834]
#
#
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
#
# port 111 is used for RPCbind--it wasn't a good idea to close it ...
#
#-A INPUT -p tcp --dport 111 -j DROP
#-A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
#
#
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
#
#
-A OUTPUT -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
COMMIT
#
```
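As an added shell example (not part of the original notes), a small audit of a saved rules file in the format above: it lists ACCEPT rules that open a port to any source and flags rules that can never match because a catch-all REJECT/DROP precedes them in the same chain, since iptables evaluates a chain top to bottom. The sample rules text and the function name audit_rules are constructed for this example.

```shell
#!/bin/sh
# Constructed sample in iptables-save format (same shape as the file above),
# with one deliberately unreachable rule appended after the catch-all REJECT.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 --syn -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
COMMIT'

# audit_rules: read iptables-save text on stdin and print
#   "open-to-any: CHAIN PORT" for ACCEPT rules with --dport and no -s limit
#   "unreachable: RULE"      for rules after a catch-all REJECT/DROP in that chain
audit_rules() {
    awk '
        /^-A / {
            chain = $2
            # Once a chain has hit a catch-all terminal rule, later rules are dead.
            if (chain in blocked) { print "unreachable: " $0; next }
            port = ""; src = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # "-s 0/0" means any source, same as no -s at all.
            if (src == "0/0" || src == "0.0.0.0/0") src = ""
            if (target == "ACCEPT" && port != "" && src == "")
                print "open-to-any: " chain " " port
            # Catch-all: no match options before -j, only an optional --reject-with after.
            if ($3 == "-j" && (target == "REJECT" || target == "DROP") &&
                (NF == 4 || (NF == 6 && $5 == "--reject-with")))
                blocked[chain] = 1
        }'
}

# Run against the constructed sample; on a live box: iptables-save | audit_rules
printf '%s\n' "$SAMPLE_RULES" | audit_rules
```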
/etc/services associates it with “Multicast DNS”.