hack3rcon
Posts: 460
Joined: 2014/11/24 11:04:37

iptables rules for a Linux web server.

Post by hack3rcon » 2016/03/08 17:28:40

Hello.
I have a CentOS 7 web server and my current iptables rules are:

# Generated by iptables-save v1.4.21 on Tue Mar 8 20:05:59 2016
*mangle
:PREROUTING ACCEPT [2538096:463067792]
:INPUT ACCEPT [980691:361144018]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [826330:625421246]
:POSTROUTING ACCEPT [825642:624894621]
COMMIT
# Completed on Tue Mar 8 20:05:59 2016
# Generated by iptables-save v1.4.21 on Tue Mar 8 20:05:59 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ALLOWIN - [0:0]
:ALLOWOUT - [0:0]
:DENYIN - [0:0]
:DENYOUT - [0:0]
:INVALID - [0:0]
:INVDROP - [0:0]
:LOCALINPUT - [0:0]
:LOCALOUTPUT - [0:0]
:LOGDROPIN - [0:0]
:LOGDROPOUT - [0:0]
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s X.X.X.X/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s X.X.X.X/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s X.X.X.X/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s X.X.X.X/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2233 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2222 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -d X.X.X.X/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d X.X.X.X/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d X.X.X.X/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d X.X.X.X/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -j LOCALOUTPUT
-A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -o lo -p tcp -j INVALID
-A OUTPUT ! -o lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2233 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2222 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT ! -o lo -j LOGDROPOUT
-A ALLOWIN -s 5.61.24.9/32 ! -i lo -j ACCEPT
-A ALLOWOUT -d 5.61.24.9/32 ! -o lo -j ACCEPT
-A DENYIN -s 46.36.108.66/32 ! -i lo -j DROP
-A DENYOUT -d 46.36.108.66/32 ! -o lo -j LOGDROPOUT
-A INVALID -m conntrack --ctstate INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
-A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j INVDROP
-A INVDROP -j DROP
-A LOCALINPUT ! -i lo -j ALLOWIN
-A LOCALINPUT ! -i lo -j DENYIN
-A LOCALOUTPUT ! -o lo -j ALLOWOUT
-A LOCALOUTPUT ! -o lo -j DENYOUT
-A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP
-A LOGDROPIN -p udp -m udp --dport 67 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP
-A LOGDROPIN -p udp -m udp --dport 68 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP
-A LOGDROPIN -p udp -m udp --dport 111 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP
-A LOGDROPIN -p udp -m udp --dport 113 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP
-A LOGDROPIN -p udp -m udp --dport 500 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP
-A LOGDROPIN -p udp -m udp --dport 513 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP
-A LOGDROPIN -p udp -m udp --dport 520 -j DROP
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
-A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_IN Blocked* "
-A LOGDROPIN -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_IN Blocked* "
-A LOGDROPIN -j DROP
-A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_OUT Blocked* " --log-uid
-A LOGDROPOUT -j DROP
COMMIT
# Completed on Tue Mar 8 20:05:59 2016
# Generated by iptables-save v1.4.21 on Tue Mar 8 20:05:59 2016
*nat
:PREROUTING ACCEPT [1163194:79910085]
:INPUT ACCEPT [101074:6696262]
:OUTPUT ACCEPT [4878:671435]
:POSTROUTING ACCEPT [4637:285468]
COMMIT
# Completed on Tue Mar 8 20:05:59 2016
I have some questions. If I flush these rules and replace them with the ones below, can my web server fail:

#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allows SSH connections (only 4 attempts by an IP every 3 minutes, drop the rest)
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
My current iptables rules were written by my provider and I don't know them. My current open ports are:

PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
143/tcp open imap
443/tcp open https
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s


If I apply the new iptables rules, can they cause any problem for my web console? Please advise me.

Tnx.
Last edited by hack3rcon on 2016/03/08 17:42:23, edited 2 times in total.

hack3rcon
Posts: 460
Joined: 2014/11/24 11:04:37

Re: iptables rules for a Linux web server.

Post by hack3rcon » 2016/03/08 17:37:26

On the server I use a mail service too; can the new iptables rules cause any problem?

TrevorH
Forum Moderator
Posts: 27384
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables rules for a Linux web server.

Post by TrevorH » 2016/03/08 18:00:14

Could you please paste the output of iptables-save into a post here and wrap the output in [code][/code] tags so that we can read it. I do not know what happened to your first attempt but it is unreadable and there is too much of it to correct.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
CentOS 5 has been EOL for nearly 3 years and should no longer be used for anything!
Full time Geek, part time moderator. Use the FAQ Luke

hack3rcon
Posts: 460
Joined: 2014/11/24 11:04:37

Re: iptables rules for a Linux web server.

Post by hack3rcon » 2016/03/08 18:09:32

The output is:

# Generated by iptables-save v1.4.21 on Tue Mar 8 20:05:59 2016
*mangle
:PREROUTING ACCEPT [2538096:463067792]
:INPUT ACCEPT [980691:361144018]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [826330:625421246]
:POSTROUTING ACCEPT [825642:624894621]
COMMIT
# Completed on Tue Mar 8 20:05:59 2016
# Generated by iptables-save v1.4.21 on Tue Mar 8 20:05:59 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:ALLOWIN - [0:0]
:ALLOWOUT - [0:0]
:DENYIN - [0:0]
:DENYOUT - [0:0]
:INVALID - [0:0]
:INVDROP - [0:0]
:LOCALINPUT - [0:0]
:LOCALOUTPUT - [0:0]
:LOGDROPIN - [0:0]
:LOGDROPOUT - [0:0]
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s 8.8.8.8/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -s X.X.X.X/32 ! -i lo -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s X.X.X.X/32 ! -i lo -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s X.X.X.X/32 ! -i lo -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -s X.X.X.X/32 ! -i lo -p udp -m udp --sport 53 -j ACCEPT
-A INPUT ! -i lo -j LOCALINPUT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2233 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2222 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 0 -m limit --limit 1/sec -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT ! -i lo -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d 8.8.8.8/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -d X.X.X.X/32 ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -d X.X.X.X/32 ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d X.X.X.X/32 ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d X.X.X.X/32 ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -j LOCALOUTPUT
-A OUTPUT ! -o lo -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT ! -o lo -p tcp -j INVALID
-A OUTPUT ! -o lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2233 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2222 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 20 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 21 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 53 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 113 -j ACCEPT
-A OUTPUT ! -o lo -p udp -m conntrack --ctstate NEW -m udp --dport 123 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT ! -o lo -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT ! -o lo -j LOGDROPOUT
-A ALLOWIN -s 5.61.24.9/32 ! -i lo -j ACCEPT
-A ALLOWOUT -d 5.61.24.9/32 ! -o lo -j ACCEPT
-A DENYIN -s 46.36.108.66/32 ! -i lo -j DROP
-A DENYOUT -d 46.36.108.66/32 ! -o lo -j LOGDROPOUT
-A INVALID -m conntrack --ctstate INVALID -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,RST FIN,RST -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags FIN,ACK FIN -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags PSH,ACK PSH -j INVDROP
-A INVALID -p tcp -m tcp --tcp-flags ACK,URG URG -j INVDROP
-A INVALID -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j INVDROP
-A INVDROP -j DROP
-A LOCALINPUT ! -i lo -j ALLOWIN
-A LOCALINPUT ! -i lo -j DENYIN
-A LOCALOUTPUT ! -o lo -j ALLOWOUT
-A LOCALOUTPUT ! -o lo -j DENYOUT
-A LOGDROPIN -p tcp -m tcp --dport 67 -j DROP
-A LOGDROPIN -p udp -m udp --dport 67 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 68 -j DROP
-A LOGDROPIN -p udp -m udp --dport 68 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 111 -j DROP
-A LOGDROPIN -p udp -m udp --dport 111 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 113 -j DROP
-A LOGDROPIN -p udp -m udp --dport 113 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 135:139 -j DROP
-A LOGDROPIN -p udp -m udp --dport 135:139 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 445 -j DROP
-A LOGDROPIN -p udp -m udp --dport 445 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 500 -j DROP
-A LOGDROPIN -p udp -m udp --dport 500 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 513 -j DROP
-A LOGDROPIN -p udp -m udp --dport 513 -j DROP
-A LOGDROPIN -p tcp -m tcp --dport 520 -j DROP
-A LOGDROPIN -p udp -m udp --dport 520 -j DROP
-A LOGDROPIN -p tcp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_IN Blocked* "
-A LOGDROPIN -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_IN Blocked* "
-A LOGDROPIN -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_IN Blocked* "
-A LOGDROPIN -j DROP
-A LOGDROPOUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 30/min -j LOG --log-prefix "Firewall: *TCP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p udp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *UDP_OUT Blocked* " --log-uid
-A LOGDROPOUT -p icmp -m limit --limit 30/min -j LOG --log-prefix "Firewall: *ICMP_OUT Blocked* " --log-uid
-A LOGDROPOUT -j DROP
COMMIT
# Completed on Tue Mar 8 20:05:59 2016
# Generated by iptables-save v1.4.21 on Tue Mar 8 20:05:59 2016
*nat
:PREROUTING ACCEPT [1163194:79910085]
:INPUT ACCEPT [101074:6696262]
:OUTPUT ACCEPT [4878:671435]
:POSTROUTING ACCEPT [4637:285468]
COMMIT
# Completed on Tue Mar 8 20:05:59 2016
What is your idea about the new iptables rules?

TrevorH
Forum Moderator
Posts: 27384
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables rules for a Linux web server.

Post by TrevorH » 2016/03/08 18:39:43

Whatever you are using to paste that output is corrupting all the lines and flowing them all together into one amorphous mass. Please don't do that. Just cut and paste the output of iptables-save into the forum between tags. Make sure not to use <code></code> as those are different.

It's still unreadable. Please use preview next time to make sure you don't do it a third time.

hack3rcon
Posts: 460
Joined: 2014/11/24 11:04:37

Re: iptables rules for a Linux web server.

Post by hack3rcon » 2016/03/08 19:06:41

TrevorH wrote:Whatever you are using to paste that output is corrupting all the lines and flowing them all together into one amorphous mass. Please don't do that. Just cut and paste the output of iptables-save into the forum between tags. Make sure not to use <code></code> as those are different.

It's still unreadable. Please use preview next time to make sure you don't do it a third time.
Thank you, but I do not have access to the server right now. In your opinion, can the new iptables rules make any problem for my server? For example, web pages not loading and the mail server not working.

TrevorH
Forum Moderator
Posts: 27384
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables rules for a Linux web server.

Post by TrevorH » 2016/03/08 19:14:11

No, my idea is that no-one can read your existing rules so no-one can tell if they are the problem or not.

hack3rcon
Posts: 460
Joined: 2014/11/24 11:04:37

Re: iptables rules for a Linux web server.

Post by hack3rcon » 2016/03/08 19:21:26

TrevorH wrote:No, my idea is that no-one can read your existing rules so no-one can tell if they are the problem or not.
Thank you, but what I mean by the new iptables rules is:

#  Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allows SSH connections (only 4 attempts by an IP every 3 minutes, drop the rest)
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
Can these rules fail my web server?

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: GMT

Re: iptables rules for a Linux web server.

Post by giulix63 » 2016/03/09 08:45:40

Those rules allow HTTP, HTTPS and SSH. SSH with restrictions. So, no email incoming or outgoing unless it's on the loopback (local) interface.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.
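Added example, not code from the thread or from any of its posters: a script that does the comparison giulix63 describes mechanically. It takes the INPUT chains of both rulesets as plain text, lists the TCP ports each one accepts for new connections, and reports which of the currently open ports would stop being accepted once the rules are swapped. The rule excerpts and the open-port list are constructed from the two rulesets and the port scan in the first post; only sh, awk, grep, sort and tr are needed, not iptables, so it can be run on any machine before the live rules are flushed.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run comparison of two iptables-save
# style rulesets. Everything is text processing, so no root and no iptables.

# Constructed excerpt: the INPUT chain of the provider ruleset in the thread,
# trimmed to the lines that decide which inbound TCP ports are accepted.
OLD_RULES='
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -p tcp -j INVALID
-A INPUT ! -i lo -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 20 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 21 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2233 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 53 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 110 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 143 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 587 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 993 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 995 -j ACCEPT
-A INPUT ! -i lo -p tcp -m conntrack --ctstate NEW -m tcp --dport 2222 -j ACCEPT
-A INPUT ! -i lo -j LOGDROPIN
'

# The INPUT chain of the replacement ruleset proposed in the thread.
NEW_RULES='
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 180 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -j REJECT
'

# Constructed from the port scan in the first post: TCP ports open right now.
OPEN_PORTS='21 25 53 80 110 143 443 465 587 993 995'

# TCP destination ports that INPUT rules accept, numerically sorted, one per line.
# Only lines that end in "-j ACCEPT" count; the "-m recent" bookkeeping line
# (no target) and the rate-limit DROP line are correctly ignored.
accepted_tcp_ports() {
    printf '%s\n' "$1" |
        awk '/^-A INPUT / && / -p tcp / && / -j ACCEPT$/ {
                 for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
             }' | sort -n | uniq
}

# Ports from the space-separated list $2 that ruleset $1 does not accept.
ports_not_accepted() {
    accepted=$(accepted_tcp_ports "$1")
    for port in $2; do
        printf '%s\n' "$accepted" | grep -qx "$port" || printf '%s\n' "$port"
    done
}

# Ports accepted by ruleset $1 but not by ruleset $2: the regression list.
ports_lost_on_switch() {
    ports_not_accepted "$2" "$(accepted_tcp_ports "$1" | tr '\n' ' ')"
}

echo "Open ports the replacement rules would stop accepting:"
ports_not_accepted "$NEW_RULES" "$OPEN_PORTS" | tr '\n' ' '; echo
echo "Every port the provider rules accept that the replacement does not:"
ports_lost_on_switch "$OLD_RULES" "$NEW_RULES" | tr '\n' ' '; echo
```

The second list is the one to read before flushing anything: besides the mail, FTP and DNS ports, the provider rules accept 2222 and 2233 and never 22, while the replacement accepts only 22. Run `ss -tlnp` on the server to see which port sshd actually listens on; if it is 2222 or 2233, the replacement as written cuts off remote administration together with mail. Keep an out-of-band console available while testing a new ruleset.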

TrevorH
Forum Moderator
Posts: 27384
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: iptables rules for a Linux web server.

Post by TrevorH » 2016/03/09 09:36:56

And since your existing rules are completely incomprehensible we have no way to tell if the new ones will do the same as the old ones.
