Increase Linux Server Security with iptables

The iptables rules below are meant as a template for building your own tailored rules to increase the security of your Linux dedicated server. Used as a starting point, they can make your firewall considerably stronger.

Note: Do not treat this list as a complete guide. Familiarise yourself with iptables before using any of the rules below, and understand what each rule does before applying it.

Rule for refusing all incoming traffic

The second command below permits traffic belonging to already established incoming connections. This matters when you apply the rules over a Telnet or SSH session to your server: your current session keeps working while all new incoming connections are rejected.

# iptables -F INPUT
# iptables -A INPUT -m state \
--state ESTABLISHED -j ACCEPT
# iptables -A INPUT -j REJECT

Rule for refusing all outgoing traffic

The second command below permits traffic belonging to already established outgoing connections. Again, this keeps your current Telnet or SSH session to the server working while all new outgoing connections are rejected.

# iptables -F OUTPUT
# iptables -A OUTPUT -m state \
--state ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -j REJECT

Rule for refusing incoming and outgoing traffic

This rule set blocks (refuses) all network traffic, incoming and outgoing, including your existing established connections, so the session you are running it from will be cut off as well.

# iptables -F
# iptables -A INPUT -j REJECT
# iptables -A OUTPUT -j REJECT
# iptables -A FORWARD -j REJECT

Rule for dropping incoming ping requests

In this rule you can use REJECT instead of DROP; the only difference is that REJECT sends an ICMP error back to the sender, while DROP silently discards the incoming packet.

# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

Rule for dropping outgoing Telnet traffic

The following rule refuses all outgoing connections to port 23 (Telnet) on any host.

# iptables -A OUTPUT -p tcp --dport telnet -j REJECT

Rule for rejecting incoming telnet Traffic

The following rule rejects all incoming connection requests to local port 23 (Telnet).

# iptables -A INPUT -p tcp --dport telnet -j REJECT

Rule for refusing outgoing ssh connections

The following rule refuses all outgoing connections to port 22 (SSH) on any host.

# iptables -A OUTPUT -p tcp --dport ssh -j REJECT

Rule for refusing incoming ssh connections

The following rule refuses all incoming connections to local port 22 (i.e. SSH).

# iptables -A INPUT -p tcp --dport ssh -j REJECT

Rule for refusing all incoming connections except SSH and local (loopback) connections

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# iptables -A INPUT -j REJECT

Rule for allowing incoming ssh traffic from particular IP address

The following rules refuse all incoming traffic to port 22 (i.e. SSH) except from one specific source IP address, so only the host with that address is allowed to connect via SSH. The ACCEPT rule must be appended before the REJECT rule, because iptables evaluates rules in order and the first match decides.

# iptables -A INPUT -p tcp -s 72.65.53.48 --dport ssh -j ACCEPT
# iptables -A INPUT -p tcp --dport ssh -j REJECT
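Rule order is what makes the last two rule sets work: iptables walks a chain top to bottom and the first matching rule decides, so the ACCEPT rules for loopback, established sessions and the admin address have to be appended before the catch-all REJECT. The following Python model is an added example, not part of the original post and not iptables itself; it implements first-match evaluation for the handful of match types used on this page and shows that appending the catch-all REJECT first silently shadows the SSH ACCEPT (72.65.53.48 is the page's sample admin address; 203.0.113.5 is a constructed documentation address).

```python
# Toy model of iptables first-match evaluation (added example, not iptables).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    target: str                       # -j ACCEPT, REJECT or DROP
    iface: Optional[str] = None       # -i
    proto: Optional[str] = None       # -p
    src: Optional[str] = None         # -s (address or CIDR)
    dport: Optional[int] = None       # --dport
    states: frozenset = frozenset()   # -m state --state

@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dport: Optional[int]
    state: str = "NEW"                # conntrack state of the packet

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every match given on the rule fits the packet."""
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.states and pkt.state not in rule.states:
        return False
    return True

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.target
    return policy

# The page's template in the order it must be appended: loopback, established
# sessions, SSH from the admin address, then the catch-all REJECT.
GOOD = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=frozenset({"ESTABLISHED"})),
    Rule("ACCEPT", proto="tcp", src="72.65.53.48", dport=22),
    Rule("REJECT"),
]
# Same rules with the catch-all appended first: it shadows every later ACCEPT.
BAD = [GOOD[3]] + GOOD[:3]
```

Run `verdict(GOOD, Packet("eth0", "tcp", "72.65.53.48", 22))` and the same packet against `BAD` to see the lock-out that a wrongly ordered `-A` produces.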

Rule for refusing incoming connections on a particular TCP port

The rule below refuses all incoming connections on TCP port 3333.

# iptables -A INPUT -p tcp --dport 3333 -j REJECT

Rule for refusing incoming connections arriving on a particular network interface

The rule below drops incoming packets that arrive on interface eth0 from the 192.168.0.0/16 subnet.

# iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP

Rule for creating a plain IP Masquerading

The commands below set up plain IP masquerading (source NAT), allowing all hosts on the same subnet to reach the Internet through this server. $EXT_IFACE stands for the name of the server's external, Internet-facing interface.

# echo "1" > /proc/sys/net/ipv4/ip_forward
# iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE

Rule for refusing all incoming telnet connections except from a specific IP address

The rule below refuses all incoming Telnet connections except those coming from the specified IP address.

# iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT

Rule for refusing all incoming ssh connections excluding specific IP address range

The rule below refuses all incoming SSH connections except those coming from a specific IP address range.
Be careful: removing the negator (!) from the rule inverts its meaning, so it would then refuse the SSH connections coming from the specified IP address range instead.

# iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100 -p tcp --dport 22 -j REJECT

Rule for refusing all outgoing connections to a specific remote host

The rule below refuses all outgoing connections to a remote host with a specific IP address.

# iptables -A OUTPUT -d 222.111.111.222 -j REJECT

Rule for blocking an access to a specific website

The rule below blocks all incoming packets from a specific website whose source port is 80 (www).

# iptables -A INPUT -s twitter.com -p tcp --sport www -j DROP

The rule above blocks access to twitter.com and www.twitter.com as well. Note that iptables resolves the hostname when the rule is added and installs one rule per returned address, so only the addresses returned at that moment are covered.
