Setari/Settings firewall - iptables


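# Host firewall for a small game/web/mail server: flush the filter table,
# default INPUT and FORWARD to DROP, then open the listed services.
# Must be run as root. Rules are matched top to bottom and the first match
# wins, so the order of the sections below matters and is commented where
# it does. The original was pasted from a word processor and used en-dashes
# (U+2013) instead of "-" on the first rules, which iptables rejects; every
# option below is plain ASCII.

# Flush all current rules from the filter table, then delete the (now empty)
# user-defined chains so the "-N" calls below do not fail with
# "Chain already exists" when the script is re-run
iptables -F
iptables -X

# Allow SSH connections on tcp port 22. Kept first, ahead of the DROP
# policy and of the SYN limiter, so an interactive session is not cut off
# while the rest of the rules are loading
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT

# Drop all invalid packets. Placed ahead of the service ACCEPTs; in the
# original these rules came last, after every ACCEPT had already matched,
# so they never saw the traffic they were meant to filter
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP

# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# SYN-FLOOD: new TCP connections are capped at 1 per second (plus the
# module's default burst); anything above that is dropped. The limiter must
# sit above the per-port ACCEPTs: the original placed
# "-p tcp --syn -m limit --limit 1/s -j ACCEPT" after them, so opened ports
# were never limited and every other TCP port was accepted at 1 SYN/s.
# The rate can be edited as needed.
iptables -N SYN-FLOOD
iptables -A INPUT -p tcp --syn -j SYN-FLOOD
iptables -A SYN-FLOOD -m limit --limit 1/s -j RETURN
iptables -A SYN-FLOOD -j DROP

# FTP (control port only)
iptables -A INPUT -p tcp --dport 21 -j ACCEPT

# HTTP/s
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# SMTP (25) and SMTPS (465)
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -j ACCEPT

# IMAP (143) and IMAPS (993). The original labelled these "POP3";
# POP3 itself (110/995) is not opened by this script
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -j ACCEPT

# DNS. iptables takes one protocol per rule; the original "-p tcp,udp" is
# rejected, so tcp and udp get a rule each
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT

# MySQL, open to every source. If the clients are known, restrict the rule
# with "-s <trusted-network>" instead of exposing the port to the internet
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

# COUNTER STRIKE/STEAM
#   Steam Friends Service
iptables -A INPUT -p udp --dport 1200 -j ACCEPT
iptables -A INPUT -p udp --dport 4380 -j ACCEPT

#   Steam main ranges (the two udp ranges overlap on 27015; harmless)
iptables -A INPUT -p udp --dport 27000:27015 -j ACCEPT
iptables -A INPUT -p udp --dport 27015:27030 -j ACCEPT
iptables -A INPUT -p tcp --dport 27014:27050 -j ACCEPT

# TEAMSPEAK. The original appended the voice and weblist rules with -A but
# inserted the other three with -I, which puts them at the head of INPUT
# ahead of every rule above (including the INVALID drop and the SYN
# limiter); all five are appended here so they are evaluated in place
iptables -A INPUT -p udp --dport 9987 -j ACCEPT        # Voice
iptables -A INPUT -p tcp --dport 30033 -j ACCEPT       # Data
iptables -A INPUT -p tcp --dport 41144 -j ACCEPT       # TSDNS
iptables -A INPUT -p udp --dport 10011 -j ACCEPT       # Query
iptables -A INPUT -p udp --dport 2011:2110 -j ACCEPT   # Weblist, Accounting Server / licences

# SA:MP (+Protection). udp/7777 packets arriving with IP TTL 128 go to the
# SAMP-DDOS chain, where packets of 17 to 604 bytes are dropped; everything
# else returns to INPUT and continues below
iptables -N SAMP-DDOS
iptables -A INPUT -p udp --dport 7777 -m ttl --ttl-eq=128 -j SAMP-DDOS
iptables -A SAMP-DDOS -p udp --dport 7777 -m length --length 17:604 -j DROP
# Drops every remaining UDP packet with TTL 128, whatever its port. The UDP
# services accepted above are unaffected because they matched earlier; any
# UDP port opened below this line is subject to it
iptables -A INPUT -p udp -m ttl --ttl-eq=128 -j DROP
# Rate limit for udp/7777: up to 6 packets/s (burst 12) are accepted and the
# rest dropped. The original used "-m limit ... -j DROP", which does the
# opposite: the limit match fires for packets *within* the rate, so the first
# 6/s were dropped and a flood fell through to the unconditional ACCEPT below
iptables -A INPUT -p udp --dport 7777 -m limit --limit 6/s --limit-burst 12 -j ACCEPT
iptables -A INPUT -p udp --dport 7777 -j DROP

# SA:MP (without Protection). Alternative to the block above: while the
# DROP above is present this rule is never reached; delete the protected
# block to run the server unprotected
iptables -A INPUT -p udp --dport 7777 -j ACCEPT

# METIN
iptables -A INPUT -p tcp -m tcp --dport 1022 -j ACCEPT

# Minecraft default port
iptables -A INPUT -p tcp --dport 25565 -j ACCEPT

# Depending on the program or game, more ports will need to be opened here

# PROTECTION

# Furtive port scanner: bare RST packets are accepted at 2/s (burst 2);
# any beyond that fall through to the DROP policy
iptables -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 2/s --limit-burst 2 -j ACCEPT

# ACCEPT INCOMING PING (first 2 rules for protection against smurf attacks /
# ping of death); the third accepts remaining ICMP at 1 packet/s, the rest
# falls through to the DROP policy
iptables -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
iptables -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

# Protecting against portscans
# An attacking IP will be locked out for 24 hours (3600 x 24 = 86400 seconds).
# NOTE(review): nothing in this script adds addresses to the "portscan" list
# with "--set", so this rule only takes effect if some other ruleset (or
# tool) populates that list; on its own it matches nothing
iptables -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP

# Remove the attacking IP after 24 hours: once --rcheck stops matching, the
# next packet from that address hits this match-only rule and is deleted from
# the list (no target, so the packet itself continues down the chain)
iptables -A INPUT -m recent --name portscan --remove

# SAVE iptables (requires the distribution's iptables service script)
service iptables save

# RESTART iptables (reloads the ruleset just saved)
service iptables restart

# List iptables
iptables -L --line-numbers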

