Thursday, March 18, 2010

Common iptables command, cheatsheet

November 12, 2009 by admin  
Filed under General

#!/bin/sh
#File: /etc/rc.d/rc.firewall

# Start from a clean table. -A appends, so running this script twice without
# flushing leaves two copies of every rule, and the order you see below is
# the order the kernel evaluates them in.

iptables -F INPUT
iptables -F OUTPUT

# Immediately log and drop any known abusive IPs. No -p tcp here: with it,
# UDP and ICMP from the banned host would fall through to the rules further
# down. The trailing space in the prefix keeps it from running into the IN=
# field in the kernel log.

iptables -A INPUT -s 87.118.104.44 -m limit --limit 1/minute --limit-burst 10 -j LOG --log-prefix "[DROPPED_NODE] " --log-level 4
iptables -A INPUT -s 87.118.104.44 -j DROP

# Allow all loopback traffic. Match the interface (-i lo / -o lo) rather than
# the 127.0.0.1 source address: the kernel normally discards a packet that
# arrives on a real NIC with a spoofed SRC=127.0.0.1 as a martian, but the
# interface match does not depend on that.

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Track connection state: accept packets belonging to TCP connections the
# host already knows about. --state ESTABLISHED,RELATED would also admit
# ICMP errors for tracked flows; -m conntrack --ctstate is the modern
# spelling of the same match.

iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow all foreign IPs to access ports 443 and 80

iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow access from a specified foreign IP
# to this server's port 8080

iptables -A INPUT -p tcp -s 172.16.88.2/32 --dport 8080 -j ACCEPT

# Allow access from a specified foreign IP
# to any TCP port listening on this server

iptables -A INPUT -p tcp -s 172.13.88.3/32 -j ACCEPT

# Drop incoming UDP packets on ports 137 and 138 (NetBIOS name and datagram
# services, constant background noise on most networks) without logging

iptables -A INPUT -p udp --dport 137 -j DROP
iptables -A INPUT -p udp --dport 138 -j DROP

# Accept all other incoming UDP packets. Note this exposes every listening
# UDP service to the world; on a host that only needs UDP replies (DNS, NTP),
# an ESTABLISHED state match plus explicit --dport rules is the tighter choice.

iptables -A INPUT -p udp -j ACCEPT

# Log and drop everything else. The limit match caps the logging at one line
# per minute (after an initial burst of 10) so a flood cannot fill the disk;
# packets beyond the limit skip the LOG rule and are dropped silently.

iptables -A INPUT -m limit --limit 1/minute --limit-burst 10 -j LOG --log-prefix "[DROPPED_NODE] " --log-level 4
iptables -A INPUT -j DROP
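The same policy expressed as an iptables-restore ruleset, as an added example that is not part of the original post. Appending rules one at a time with -A means a half-run script leaves the host in a mixed state and a second run duplicates every rule; iptables-restore replaces the whole filter table in one transaction, and --test checks the syntax first without touching the kernel. The addresses are the post's own placeholders; the changes from the post (loopback matched by interface, RELATED and INVALID handled, chain policy DROP so the catch-all is belt and braces, FORWARD closed) are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): the cheatsheet's policy as an
# iptables-restore ruleset. iptables-restore swaps the whole filter table in
# one transaction, so loading it twice never duplicates rules and the order
# below is exactly the evaluation order. Addresses are the post's placeholders.

BLOCKED_IP="87.118.104.44"     # known abusive host
TRUSTED_8080="172.16.88.2/32"  # may reach port 8080 only
TRUSTED_ANY="172.13.88.3/32"   # may reach any TCP port

gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback by interface, not by 127.0.0.1 source address
-A INPUT -i lo -j ACCEPT
# banned host: rate-limited log, then drop, placed before state tracking so
# it cannot ride an already established connection
-A INPUT -s ${BLOCKED_IP} -m limit --limit 1/minute --limit-burst 10 -j LOG --log-prefix "[DROPPED_NODE] " --log-level 4
-A INPUT -s ${BLOCKED_IP} -j DROP
# replies to flows this host started; RELATED admits ICMP errors for them
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -s ${TRUSTED_8080} --dport 8080 -j ACCEPT
-A INPUT -p tcp -s ${TRUSTED_ANY} -j ACCEPT
# NetBIOS noise dropped silently, other UDP kept open as in the post
-A INPUT -p udp --dport 137 -j DROP
-A INPUT -p udp --dport 138 -j DROP
-A INPUT -p udp -j ACCEPT
# catch-all: rate-limited log, then drop (the chain policy is DROP as well)
-A INPUT -m limit --limit 1/minute --limit-burst 10 -j LOG --log-prefix "[DROPPED_NODE] " --log-level 4
-A INPUT -j DROP
COMMIT
EOF
}

# Validate the ruleset without touching the kernel, then load it atomically.
load_ruleset() {
    gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
}

case "${1:-}" in
    load) load_ruleset ;;   # needs root
    *)    gen_ruleset ;;    # default: print what would be loaded
esac
```

Run it with no arguments to inspect the generated table, and with `load` as root to apply it; `iptables-save` afterwards should print the same rules back, which is a quick way to confirm nothing was silently rejected.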

# View all rules (-v adds packet and byte counters; -n skips the reverse DNS
# lookups that otherwise make the listing slow and send a query for every
# address in the table)

iptables -L -nv

# View INPUT rules, numbered so one can be deleted with iptables -D INPUT <n>

iptables -L INPUT -nv --line-numbers
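The counters from `-L -nv` say how much the LOG and DROP rules are matching; the kernel log says who. Below, as an added example that is not from the original post, is a small summariser for the lines the `--log-prefix "[DROPPED_NODE] "` rules produce: it counts dropped packets per source address and lists the destination ports each source touched, which is the fastest way to tell a port scan from a single misconfigured client. The sample log lines are constructed here in the format the kernel LOG target emits, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): summarise kernel LOG output.
# Real input comes from dmesg, journalctl -k or /var/log/messages; the lines
# below are constructed to match the LOG target's format.
sample_log() {
    cat <<'EOF'
Mar 18 10:00:01 web1 kernel: [DROPPED_NODE] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 18 10:00:02 web1 kernel: [DROPPED_NODE] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 18 10:00:03 web1 kernel: [DROPPED_NODE] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.7 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=6000 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 18 10:00:04 web1 kernel: [DROPPED_NODE] IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=41236 DPT=3306 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 18 10:00:05 web1 kernel: eth0: link becomes ready
EOF
}

# Read log text on stdin; print "<count> <src> <dport,dport,...>" per source,
# busiest source first. The prefix to look for defaults to the one used above.
top_dropped() {
    prefix="${1:-[DROPPED_NODE]}"
    grep -F "$prefix" | awk '
    {
        src = ""; dpt = ""
        # LOG fields are KEY=VALUE tokens; pick out the two we need
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        count[src]++
        # record each (source, port) pair once, in first-seen order
        if (!((src, dpt) in seen)) {
            seen[src, dpt] = 1
            sep = (ports[src] == "") ? "" : ","
            ports[src] = ports[src] sep dpt
        }
    }
    END { for (s in count) printf "%d %s %s\n", count[s], s, ports[s] }' | sort -rn
}

# Demo on the constructed lines; on a live host use: journalctl -k | top_dropped
sample_log | top_dropped
```

A source that appears once per port across many ports is scanning; one that hits the same port repeatedly is usually a legitimate client blocked by a missing ACCEPT rule, which the counters alone would not distinguish.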


# View max tracked connections. This is the legacy ip_conntrack path; kernels
# using nf_conntrack (2.6.20 and later) expose the same knob as
# /proc/sys/net/netfilter/nf_conntrack_max, and the legacy path may be missing
# or present only as a compatibility alias.

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

# Set max tracked connections. Writing to /proc takes effect immediately but is
# lost at reboot; the durable way is a sysctl entry
# (net.ipv4.netfilter.ip_conntrack_max = 128000 in /etc/sysctl.conf). Only if
# sysctl.conf is not available, add the echo line below to rc.local instead.
# When the table is full, new connections are dropped and the kernel logs
# "ip_conntrack: table full, dropping packet".

echo 128000 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

# View current HASHSIZE (number of hash buckets). Each bucket is a linked list,
# so conntrack_max divided by this is the average chain length the lookup has
# to walk; raising conntrack_max alone makes the chains longer. The /proc entry
# is read-only: the bucket count is the conntrack module's hashsize parameter.

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets
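Because the sysctl path differs between the legacy ip_conntrack module and nf_conntrack, a firewall script that hard-codes one of them silently does nothing on the other. The helpers below, an added example that is not from the original post, pick whichever path the running kernel exposes, read the current limit, and persist a new one as a sysctl.d drop-in rather than an echo in rc.local. The optional root-directory argument is an assumption introduced here so the functions can be exercised against a fake /proc tree; on a real host call them without it.

```shell
#!/bin/sh
# Added example (not from the original post): conntrack sizing helpers that
# work with both the legacy ip_conntrack sysctl path and the nf_conntrack one.
# The optional ROOT argument prefixes every path so the functions can be tested
# against a fake tree; leave it empty on a live system.

# Print the sysctl key for the conntrack table size, preferring nf_conntrack.
# Returns 1 if neither exists (connection tracking module not loaded).
conntrack_key() {
    root="${1:-}"
    if [ -e "$root/proc/sys/net/netfilter/nf_conntrack_max" ]; then
        echo "net.netfilter.nf_conntrack_max"
    elif [ -e "$root/proc/sys/net/ipv4/netfilter/ip_conntrack_max" ]; then
        echo "net.ipv4.netfilter.ip_conntrack_max"
    else
        return 1
    fi
}

# Current table size, read from whichever /proc path the key maps to.
conntrack_max() {
    root="${1:-}"
    key=$(conntrack_key "$root") || return 1
    cat "$root/proc/sys/$(echo "$key" | tr . /)"
}

# Persist a new limit. A file in /etc/sysctl.d is reapplied at boot by
# sysctl --system, so the setting survives reboots without touching rc.local.
# Prints the line written so the caller can verify it.
persist_conntrack_max() {
    max="$1"
    root="${2:-}"
    key=$(conntrack_key "$root") || return 1
    mkdir -p "$root/etc/sysctl.d"
    printf '%s = %s\n' "$key" "$max" > "$root/etc/sysctl.d/90-conntrack.conf"
    cat "$root/etc/sysctl.d/90-conntrack.conf"
}

# The bucket count is not writable through /proc; on nf_conntrack kernels it is
# the module's hashsize parameter, which can be changed at runtime:
#   echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
# Keep conntrack_max a small multiple of hashsize to keep the hash chains short.

# Live usage (no fake root):
#   conntrack_max
#   persist_conntrack_max 128000 && sysctl --system
```

After persisting, `sysctl --system` applies the drop-in immediately and `conntrack_max` should return the new value; if `conntrack_key` fails, the module is not loaded and the table cannot fill in the first place.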
