Basic iptables configuration

Published 2006-05-03 14:17:59

This is the most basic iptables configuration for a CentOS/RHEL gateway (eth0 = WAN, eth1 = LAN).

/etc/sysconfig/iptables

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT
COMMIT

Explanations

Anything in INPUT (traffic addressed to the gateway itself) will be dropped, except for:

- packets belonging to connections the gateway already knows about (state ESTABLISHED,RELATED)
- new SSH connections (TCP port 22)
- anything arriving on the loopback interface
- ICMP echo-requests, rate-limited to 1 per second (burst 5)

FORWARD traffic (routed between the two interfaces) will be dropped, except for:

- TCP SYN packets on any interface, at up to 1 per second (burst 5); note that this rule comes first and is not restricted to a direction
- new and already established connections from the LAN (eth1) to the WAN (eth0)
- established and related traffic coming back from the WAN (eth0) to the LAN (eth1)

OUTPUT traffic (generated by the gateway itself) is considered safe and accepted by default (not always a good thing, think about it).

Any other TCP SYN or UDP packet addressed to the gateway is rejected with an icmp-port-unreachable response rather than silently dropped by the policy.
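To see what the ruleset above does for a given packet, here is an added Python evaluator (not the author's tooling, and not iptables itself): it parses the rules in their iptables-save form and walks one chain, returning the first matching target with its rule number, or the chain policy. It assumes packet fields are given as strings and treats -m limit as still within its burst, so it reports the verdict for the first packets of a burst.

```python
# The gateway ruleset from the page, embedded so the example runs stand-alone.
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j REJECT
-A INPUT -p udp -m udp -j REJECT
COMMIT
"""

def parse(text):
    """Return ({chain: policy}, {chain: [rule dict, ...]}) from iptables-save text."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                   # ':CHAIN POLICY [pkts:bytes]'
            name, policy = line[1:].split()[:2]
            policies[name], chains[name] = policy, []
        elif line.startswith("-A"):                # '-A CHAIN <options> -j TARGET'
            tok, spec, i = line.split(), {}, 2
            while i < len(tok):
                opt = tok[i].lstrip("-")
                if opt == "syn":                   # flag option, takes no argument
                    spec["syn"], i = True, i + 1
                elif opt == "m":                   # module name: not a packet criterion
                    i += 2
                else:                              # every other option takes one argument
                    spec[opt], i = tok[i + 1], i + 2
            chains.setdefault(tok[1], []).append(spec)
    return policies, chains

FIELDS = {"i": "in", "o": "out", "p": "proto", "dport": "dport", "icmp-type": "icmp_type"}  # option -> pkt key

def matches(spec, pkt):
    # '-m limit' is assumed to still hold tokens, i.e. the packet is within the burst.
    return (all(pkt.get(f) == spec[o] for o, f in FIELDS.items() if o in spec)
            and ("state" not in spec or pkt.get("state") in spec["state"].split(","))
            and (not spec.get("syn") or pkt.get("syn", False)))

def verdict(chain, pkt, ruleset=RULES):
    """First matching rule's target and 1-based index, else (chain policy, None)."""
    policies, chains = parse(ruleset)
    hits = [(s["j"], n) for n, s in enumerate(chains[chain], 1) if matches(s, pkt)]
    return hits[0] if hits else (policies[chain], None)
```

Walking FORWARD for a new TCP connection arriving on eth0 and leaving on eth1 returns ACCEPT from rule 1, because the rate-limited --syn rule sits before the interface-specific rules; checking rule order this way before deploying is cheaper than finding out from the counters.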

iptables -L -n -v output

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 7412  656K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  132  7908 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22 
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED icmp type 8 limit: avg 1/sec burst 5 
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 reject-with icmp-port-unreachable 
 3093  391K REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp reject-with icmp-port-unreachable 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02 limit: avg 1/sec burst 5
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT 11347 packets, 12M bytes)
 pkts bytes target     prot opt in     out     source               destination