Common iptables firewall rules for Network Administrators
Managing network traffic is one of the toughest tasks a system administrator faces. The firewall must be configured so that incoming and outgoing traffic from connected systems meets the policy that protects the host from attack. Many Linux users rely on iptables as their firewall, but strictly speaking iptables is only a command-line tool that lets administrators define rules and communicate with the Linux kernel. It helps administrators configure the list of rules for incoming and outgoing traffic; the actual filtering is implemented in the kernel.
iptables organizes rules into chains, both built-in and user-defined, and administrators attach packet-processing rules to these chains.
Below are some iptables firewall rules that network administrators commonly use.
- Allow traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
- Configure port forwarding
Sometimes we need to forward the traffic of a service on a Linux server to another port; the following command does this:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
The above command redirects all traffic arriving on eth0 for port 80 to port 8080.
- Disable PING
To stop the host from answering PING, block incoming ICMP with the following rule (note that it drops all incoming ICMP on eth0, not only echo requests):
iptables -A INPUT -p icmp -i eth0 -j DROP
- Start, stop and restart iptables
systemctl start
- View the iptables firewall policy
iptables -L -n -v
- Use iptables to close a specific port
Block a specific outgoing connection:
iptables -A OUTPUT -p tcp --dport zzz -j DROP
Block a specific incoming connection:
iptables -A INPUT -p tcp --dport zzz -j DROP
- Allow established and related connections
When filtering traffic by connection state, allow packets that belong to connections already established (and connections related to them) with the following rule:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
- Block a host from connecting on a network interface
iptables -A INPUT -i eth0 -s zzz.zzz.zzz.zzz -j DROP
- Block mail delivery
If the system is not used for mail delivery, block the outgoing SMTP ports with the following rule:
iptables -A OUTPUT -p tcp -m multiport --dports 25,465,587 -j REJECT
- Drop invalid packets
Many network attacks use crafted, malformed packets; the following rule discards packets that connection tracking classifies as invalid:
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
- Block a specific MAC address
iptables -A INPUT -m mac --mac-source 00:00:00:00:00:00 -j DROP
- Limit the number of concurrent connections
iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
- Block HTTP service flood attacks
iptables -A INPUT -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
This rule only accepts traffic within the limit; packets above it must be dropped by a later rule or by the chain's default policy.
- Use IP address ranges in rules
iptables accepts CIDR notation for address ranges directly, for example:
iptables -A OUTPUT -p tcp -d 192.168.1.1/24 --dport 22 -j ACCEPT
- Use multiport to control multiple ports
iptables -A INPUT -p tcp -m multiport --dports 22,80,443 -j ACCEPT
iptables -A OUTPUT -p tcp -m multiport --sports 22,80,443 -j ACCEPT
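As an added example (not from the original article), the following script assembles the article's INPUT rules into a single iptables-restore file in an order that actually works: loopback and established traffic first, the rate-limit ACCEPT for port 80 followed by the DROP it depends on, and a default DROP policy. The interface name eth0, the blocked source address and the open ports are assumptions.

```shell
#!/bin/sh
# Added example: generate a minimal stateful INPUT ruleset in iptables-restore
# format from the rules discussed above. Rule order matters because -A appends
# and the first matching rule wins.
WAN_IF="${WAN_IF:-eth0}"                   # assumption: external interface
BLOCKED_SRC="${BLOCKED_SRC:-203.0.113.7}"  # constructed TEST-NET-3 address

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $WAN_IF -s $BLOCKED_SRC -j DROP
-A INPUT -i $WAN_IF -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
-A INPUT -i $WAN_IF -p tcp --dport 80 -m limit --limit 100/minute --limit-burst 200 -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 80 -j DROP
-A INPUT -i $WAN_IF -p tcp -m multiport --dports 22,443 -j ACCEPT
COMMIT
EOF
}
# The default INPUT policy DROP already covers ICMP, so no separate ping rule is needed.

# Number of -A rule lines produced; useful as a sanity check before loading.
count_rules() { gen_rules | grep -c '^-A '; }

# Dry run first (syntax only), then load atomically:
#   gen_rules | iptables-restore --test
#   gen_rules | iptables-restore
```

Unlike issuing `iptables -A` commands one by one, `iptables-restore` replaces the whole table atomically, so the host is never left half-configured mid-load.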