Linux Programmer | RHCE | RHCSA

Iptables

=> Allow only ports 80, 1723, 22 and 3389

iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT


## Allow network connectivity after the iptables rules are applied ###
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT


# Allow incoming ssh only
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
##Allow HTTP port
/sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT

## Allow mysql port
/sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 3306 -j ACCEPT
##Allow vpn port
/sbin/iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 1723 -j ACCEPT
##Allow rdp port
/sbin/iptables -A INPUT -p tcp --dport 3389 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 3389 -j ACCEPT

# Allow GRE
iptables -A INPUT -p gre -j ACCEPT

# NAT for PPTP clients connectivity


# Accept all connections from vpn users
#iptables -A INPUT -s 10.10.0.0/16 -j ACCEPT

iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP


=> To list iptables rules

iptables -S
iptables -L

=> Remove a specific iptables rule
The output of iptables -S looks like this:

-A OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1723 -j ACCEPT
-A OUTPUT -j DROP


=> To delete a rule, give -D the same specification that -S printed
iptables -D OUTPUT -p tcp -m tcp --sport 3306 -j ACCEPT

=> Script to open a port after the iptables rules are applied

#!/bin/bash
# Usage: ./openport.sh <tcp-port>
# Opens one TCP port in the ruleset above: the final DROP rules are removed,
# the ACCEPT rules appended, and the DROPs re-appended so the new ACCEPT
# sits above them.

port="$1"
if [ -z "$port" ]; then
    echo "usage: $0 <tcp-port>"
    exit 1
fi

# iptables -S always prints the three policy lines (-P INPUT/FORWARD/OUTPUT);
# more than three lines means the ruleset has been loaded
rules=$(iptables -S | wc -l)
if [ "$rules" -gt 3 ]; then
    echo "rules already set"
    # -w matches the whole port number, so 80 does not match 8080 or 3800
    exists=$(iptables -S INPUT | grep -w -- "--dport $port")
    if [ -z "$exists" ]; then
        iptables -D INPUT -j DROP
        iptables -D OUTPUT -j DROP
        /sbin/iptables -A INPUT -p tcp --dport "$port" -j ACCEPT
        # replies leave with the port as source, matching the rules above
        /sbin/iptables -A OUTPUT -p tcp --sport "$port" -j ACCEPT
        iptables -A INPUT -j DROP
        iptables -A OUTPUT -j DROP
        echo "$port port is open now"
    else
        echo "$port port is already open"
    fi
else
    echo "rules not set"
fi



Block All ports Except Some Specific Ports

iptables -F
iptables -X
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT

## DO NOT CHANGE THIS ###
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -j ACCEPT
#####

## Allow ssh (listening on 1508) only from 10.10.10.10 and block it from everywhere else
## -I inserts at the top of the chain, so the ACCEPT inserted second lands above the DROP
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 1508 -j DROP
iptables -I INPUT -p tcp -s 10.10.10.10 --dport 1508 -j ACCEPT



## Allow http: port 80 from anywhere
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 80 -j ACCEPT


## Allow mysql: port 3306 only from a specific host
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 3306 -j DROP
iptables -I INPUT -p tcp -s 10.10.10.10 --dport 3306 -j ACCEPT

## Allow VNC viewer
iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 5900 -j DROP
iptables -I INPUT -p tcp -s 10.10.10.10 --dport 5900 -j ACCEPT


## Allow pptpd Control Connection
iptables -A INPUT -p tcp --dport 1723 -j ACCEPT

# Allow GRE  ## Do Not change this
iptables -A INPUT -p gre -j ACCEPT

# NAT for PPTP clients connectivity
#iptables -t nat -A POSTROUTING -j SNAT --to-source 202.71.31.3

# Accept all connections from vpn users
iptables -A INPUT -s 10.10.0.0/16 -j ACCEPT

## Drop All Ports
iptables -P INPUT DROP
iptables -P FORWARD DROP


## Save iptables permanently (the paths iptables-persistent loads at boot)
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6   # IPv6 rules come from ip6tables, not iptables
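An added audit helper for rulesets like the two above (this is my example, not part of the original post): it parses `iptables -S INPUT` output, lists what the chain accepts and from where, and flags world-open entries that are not on an allow list. The sample listing is constructed to mirror the second ruleset, and the function names are my own.

```shell
#!/bin/bash
# Added audit helper (not from the original post): reads `iptables -S INPUT`
# on stdin and reports what the chain accepts and from where.
# Constructed sample of `iptables -S INPUT` as the second ruleset on this page
# would show it (-I rules list in reverse insertion order; -s is omitted for 0.0.0.0/0).
SAMPLE_RULES='-P INPUT DROP
-A INPUT -s 10.10.10.10/32 -p tcp -m tcp --dport 5900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j DROP
-A INPUT -s 10.10.10.10/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.10.10.10/32 -p tcp -m tcp --dport 1508 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1508 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p gre -j ACCEPT
-A INPUT -s 10.10.0.0/16 -j ACCEPT'

# Print "<proto>/<port> <source>" per ACCEPT rule in INPUT, skipping the loopback
# and conntrack rules; "all" = no -p/--dport match, "any" = no -s (world-open).
list_input_accepts() {
    awk '
        /^-A INPUT / && /-j ACCEPT$/ && !/-i lo/ && !/-m conntrack/ {
            proto = "all"; port = "all"; src = "any"
            for (i = 1; i <= NF; i++) {
                if ($i == "-p")      proto = $(i + 1)
                if ($i == "--dport") port  = $(i + 1)
                if ($i == "-s")      src   = $(i + 1)
            }
            print proto "/" port, src
        }'
}

# Print each world-open entry not in the space-separated allow list
# (e.g. "tcp/80 tcp/1723 gre/all"); return 1 if any was found, else 0.
unexpected_world_open() {
    allowed=" $1 "
    found=0
    while read -r entry src; do
        [ "$src" = "any" ] || continue
        case "$allowed" in
            *" $entry "*) ;;
            *) echo "$entry"; found=1 ;;
        esac
    done
    return "$found"
}
# Demo on the sample (the GRE rule is flagged); live audit: iptables -S INPUT | list_input_accepts | unexpected_world_open "<allow list>"
printf '%s\n' "$SAMPLE_RULES" | list_input_accepts | unexpected_world_open "tcp/80 tcp/1723" || echo "^ world-open entries missing from the allow list"
```

Only the INPUT chain is inspected; a blanket rule such as the 10.10.0.0/16 ACCEPT shows up as all/all from that range so it is visible but not flagged as world-open.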



Port Redirection

On Linux systems, only privileged programs running as root can bind ports below 1024. In line with security best practice, PaperCut runs as a non-privileged user. To make it reachable on ports 80 and 443, use iptables (or ipchains on old systems) to redirect port 80 to 9191 and port 443 to 9192. The following commands provide an example; consult your distribution's documentation to see how to persist the iptables rules across reboots:
/sbin/iptables -t nat -I PREROUTING --src 0/0 --dst <server_ip> \
-p tcp --dport 80 -j REDIRECT --to-ports 9191
/sbin/iptables -t nat -I PREROUTING --src 0/0 --dst <server_ip> \
-p tcp --dport 443 -j REDIRECT --to-ports 9192
(These commands would typically be placed in an rc init script or the iptables startup config script as provided by your distribution.)
When you are done, restart the Application Server. (See Stop and start the Application Server).

Remove PREROUTING iptables rules in Linux
The PREROUTING chain lives in the nat table, so the plain iptables -F (which flushes the filter table) does not touch it. To remove PREROUTING nat rules from your system, first display that chain with its rule numbers:

iptables -t nat -L PREROUTING --line-numbers

The command lists the PREROUTING rules with their line numbers. Next, use these numbers to remove the rules one by one. For example, to remove the PREROUTING rule with line number 6:

iptables -t nat -D PREROUTING 6

To remove all PREROUTING rules with a single command, list only that chain and delete from the highest number down (tac reverses the list), so that deleting one rule does not renumber the ones still to be deleted:

for i in $(iptables -t nat -L PREROUTING --line-numbers | grep '^[0-9]' | awk '{ print $1 }' | tac); do iptables -t nat -D PREROUTING "$i"; done


