Basic iptables configuration

Published 2006-05-03 14:17:59

This is the most basic iptables configuration for a CentOS/RHEL gateway (eth0 = WAN, eth1 = LAN).

/etc/sysconfig/iptables

01. *filter
02. :INPUT DROP [0:0]
03. :FORWARD DROP [0:0]
04. :OUTPUT ACCEPT [0:0]
05. -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
06. -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
07. -A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
08. -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
09. -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
10. -A INPUT -i lo -j ACCEPT
11. -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
12. -A INPUT -p tcp -m tcp --syn -j REJECT
13. -A INPUT -p udp -m udp -j REJECT
14. COMMIT

Explanations

Anything in INPUT will be dropped, except for:

  • line 06 : we accept incoming traffic that belongs to, or is related to, a connection the gateway itself opened towards the internet (useful for passive FTP)
  • line 09 : we accept new connections on port 22 (SSH) at any time
  • line 10 : anything arriving on the loopback interface is allowed; the localhost should be considered safe by definition
  • line 11 : pings (ICMP echo-request) to the gateway are allowed at a rate of 1 per second (default burst of 5)

FORWARD traffic will be dropped, except for:

  • line 05 : new TCP connections (SYN packets) crossing the gateway are accepted at a rate of 1 per second (burst of 5); this rule has no interface match and is evaluated before lines 07 and 08, so it applies to SYNs arriving from eth0 as well as from eth1
  • line 07 : anything flowing from the LAN to the internet is allowed
  • line 08 : anything belonging or related to connections opened from the internal network is considered safe and allowed

OUTPUT traffic from the gateway itself is considered safe and accepted by policy (not always a good thing, think about it).

Any other TCP connection attempt (SYN) or UDP packet addressed to the gateway is rejected with an icmp-port-unreachable response (lines 12 and 13); whatever matches none of the rules is silently dropped by the chain policy.
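As an added example (not part of the original post), here is a small Python evaluator for the rule set above: it reads the lines in iptables-save format, walks a chain for a described packet and returns the verdict, modelling -m limit as a token bucket with the default burst of 5 shown in the counters below. The packet fields (proto, in, out, state, dport, syn, icmp_type, t in seconds) and the function names are this example's own assumptions, not iptables APIs.

```python
RULESET = """\
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT
"""
BURST = 5  # iptables default for --limit-burst

def parse(text):
    # Returns (policy per chain, rules per chain); a rule is a dict of its options.
    policy, chains = {}, {}
    for tok in map(str.split, text.splitlines()):
        if tok[0].startswith(':'):                 # ":CHAIN POLICY [pkts:bytes]"
            policy[tok[0][1:]], chains[tok[0][1:]] = tok[1], []
            continue
        rule, i = {}, 2                            # tok[0:2] == ['-A', chain]
        while i < len(tok):
            if tok[i] != '-m':                     # "-m module" itself matches nothing
                rule[tok[i]] = True if tok[i] == '--syn' else tok[i + 1]
            i += 1 if tok[i] == '--syn' else 2
        chains[tok[1]].append(rule)
    return policy, chains

def matches(rule, pkt):
    """pkt keys (this example's own): proto, in, out, state, dport, syn, icmp_type, t."""
    for opt, key in (('-p', 'proto'), ('-i', 'in'), ('-o', 'out'),
                     ('--dport', 'dport'), ('--icmp-type', 'icmp_type')):
        if opt in rule and rule[opt] != str(pkt.get(key)):
            return False
    if ('--state' in rule and pkt.get('state') not in rule['--state'].split(',')) \
            or (rule.get('--syn') and not pkt.get('syn')):
        return False
    if '--limit' not in rule:
        return True
    now, rate = pkt.get('t', 0.0), float(rule['--limit'].split('/')[0])  # 'N/s' only
    tokens, last = rule.setdefault('bucket', [float(BURST), 0.0])  # token bucket state
    tokens = min(BURST, tokens + (now - last) * rate)               # refill since last
    rule['bucket'] = [tokens - 1.0 if tokens >= 1.0 else tokens, now]  # spend one token
    return tokens >= 1.0

def verdict(fw, chain, pkt):
    """Target of the first matching rule in the chain, else the chain policy."""
    return next((r['-j'] for r in fw[1][chain] if matches(r, pkt)), fw[0][chain])
```

Feeding six WAN-side SYNs (in eth0, out eth1, state NEW) to FORWARD at the same instant returns ACCEPT five times and then DROP, which makes the effect of line 05 sitting ahead of the interface checks of lines 07 and 08 visible without touching a real gateway.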

iptables -L -n -v output

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7412  656K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  132  7908 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED icmp type 8 limit: avg 1/sec burst 5 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 reject-with icmp-port-unreachable 
 3093  391K REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp reject-with icmp-port-unreachable 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 1/sec burst 5 
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED 
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT 11347 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination