Sunday, August 21, 2011

Common iptables command, cheatsheet


#!/bin/sh

#File: /etc/rc.d/rc.firewall

# Immediately log and drop any known abusive IPs

iptables -A INPUT -p tcp -s 87.118.104.44 -m limit –limit 1/minute  –limit-burst 10  -j LOG –log-prefix “[DROPPED_NODE]“   –log-level 4

iptables -A INPUT -p tcp -s 87.118.104.44 -j DROP

# Allow from any to any on 127.0.0.1/32

iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT

iptables -A OUTPUT -s 127.0.0.1/32 -j ACCEPT

# Track connection state

iptables -A INPUT -p tcp -m state –state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -m state –state NEW,ESTABLISHED -j ACCEPT

# Allow all foreign IPs to access ports 443 and 80

iptables -A INPUT -p TCP –dport 443 -j ACCEPT

iptables -A INPUT -p TCP –dport 80 -j ACCEPT

# Allow access from a specified foreign IP

# to this server’s port 8080

iptables -A INPUT -p TCP -s 172.16.88.2/32 –dport 8080 -j ACCEPT

# Allow access from a specified foreign IP

# to any port listening on this server

iptables -A INPUT -p TCP -s 172.13.88.3/32  -j ACCEPT

# Drop incoming UDP packets on port 137 and 138 without logging

iptables -A INPUT -p UDP –dport 137 -j DROP

iptables -A INPUT -p UDP –dport 138 -j DROP

# Accept all other incoming UDP packets

iptables -A INPUT -p UDP -j ACCEPT

# Log and Drop everything else

iptables -A INPUT -j LOG  -m limit –limit 1/minute   –limit-burst 10 –log-prefix “[DROPPED_NODE]” –log-level 4

iptables -A INPUT -j DROP

# View all rules

iptables -L -v

# View INPUT rules

iptables -L INPUT -nv



# View max tracked connections

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_max

# Set max tracked connections

# add the following line to rc.local if sysctl.conf doesn’t exist

echo 128000 >  /proc/sys/net/ipv4/netfilter/ip_conntrack_max

# View Current HASHSIZE

cat /proc/sys/net/ipv4/netfilter/ip_conntrack_buckets