CentOS iptables configuration

By: velizarn
October 29, 2015

Tags: Security, Firewall, Networking, System Tools, CentOS

Hello,

I followed this tutorial and now my iptables configuration has the following rules:

sudo iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
sudo iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
sudo iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p tcp -s [some_IP_address] -m tcp --dport 22 -j ACCEPT
sudo iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P INPUT DROP

My question is: does it mean that all ports on my server are closed for inbound connections except 80, 443, and port 22 opened for a given IP address?

Regards,
Velizar

1 Answer

You are correct, the above rules will block all incoming connections except for ports 80 and 443. And port 22 is open for your IP address. :)

  • Thank you for the information!

    Now I'm trying to set up the following architecture:

    droplet1 - webserver, public access
    droplet2 - db server, no apache, no php, no public access

    I wrote the following iptables settings on my db server droplet:

    sudo iptables -F
    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A INPUT -p tcp -s [home_ip_address] -m tcp --dport 22 -j ACCEPT
    sudo iptables -A INPUT -p tcp -s [droplet_1_private_IP] --dport 3306 -j ACCEPT
    sudo iptables -A OUTPUT -p tcp -d [droplet_1_private_IP] --sport 3306 -j ACCEPT
    sudo iptables -P OUTPUT ACCEPT
    sudo iptables -P INPUT DROP
    sudo iptables -P FORWARD DROP
    

    Does it mean that all ports on my server are closed for inbound connections except 3306, i.e. no public access on droplet2, and port 22 is opened for a given IP address?

    These are the nmap regular scan results:

    Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
    Nmap done: 1 IP address (0 hosts up) scanned in 5.01 seconds
    

    My host is not down, I can login via SSH.

    Thank you in advance!

    • Nmap is trying to ping the droplet but it's not getting a response back. Your iptables rules do not allow ping packets to go through, so, to Nmap, the droplet seems to be down.

      You can add the following rules to fix that, but it's not necessary:

      sudo iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
      sudo iptables -A OUTPUT -p icmp --icmp-type 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
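A small evaluator, added here as an example (not code from the thread or from DigitalOcean), that parses the INPUT-chain commands in this thread, walks a packet through them first-match-first, and answers the two questions asked: which TCP ports accept a new connection from a given source, and whether an ICMP echo request (nmap's ping probe) gets through until the echo-request rule from the reply is added. It supports only the options used in the thread, matches -s against an exact address rather than a CIDR, and uses 198.51.100.7, 10.132.0.5 and 203.0.113.9 as constructed stand-ins for the bracketed placeholders.

```python
import shlex

OPTS = {"-p": "proto", "-s": "src", "-i": "iface", "--dport": "dport", "--sport": "sport",
        "--icmp-type": "icmp_type", "--state": "state", "--ctstate": "state", "-j": "target",
        "-m": "ext"}                    # "-m tcp/state/conntrack" by itself adds no condition
EXACT = ("proto", "src", "iface", "dport", "sport", "icmp_type")   # exact-match keys (no CIDR)
ALL_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}

def parse_chain(rule_lines, chain="INPUT"):
    """(rules, policy) for one chain: -I prepends, -A appends, -P sets policy; -F and other chains skipped."""
    rules, policy = [], "ACCEPT"
    for line in rule_lines:
        tok = shlex.split(line.replace("sudo ", "", 1))[1:]          # drop 'sudo iptables'
        if tok[:2] == ["-P", chain]:
            policy = tok[2]
        elif tok[1:2] == [chain]:                                    # -A / -I on this chain
            rule, negate, i = {}, False, 2
            while i < len(tok):
                if tok[i] == "!":                                    # negates the next match ("! --syn")
                    negate, i = True, i + 1
                elif tok[i] == "--syn":                              # pure-SYN test, possibly negated
                    rule["syn"], negate, i = not negate, False, i + 1
                elif tok[i] == "--tcp-flags":                        # --tcp-flags MASK COMP (ALL NONE / ALL ALL)
                    rule["flags"], i = tok[i + 2], i + 3
                else:                                                # KeyError on an option not handled here
                    rule[OPTS[tok[i]]], i = tok[i + 1], i + 2
            rules.insert(0 if tok[0] == "-I" else len(rules), rule)
    return rules, policy

def matches(rule, pkt):
    flags = pkt.get("flags", set())   # pkt: proto, src, iface, state, dport/sport/icmp_type, flags
    return (all(str(pkt.get(k)) == rule[k] for k in EXACT if k in rule)
            and pkt["state"] in rule.get("state", pkt["state"]).split(",")
            and not (rule.get("flags") == "NONE" and flags)                # --tcp-flags ALL NONE
            and not (rule.get("flags") == "ALL" and flags != ALL_FLAGS)    # --tcp-flags ALL ALL
            and rule.get("syn", flags == {"SYN"}) == (flags == {"SYN"}))   # --syn / ! --syn

def verdict(rules, policy, pkt):
    return next((r["target"] for r in rules if matches(r, pkt)), policy)  # first match wins

def open_tcp_ports(rule_lines, src, iface="eth0", ports=range(1, 65536)):  # NEW inbound SYNs that get ACCEPT
    rules, policy = parse_chain(rule_lines)
    syn = {"proto": "tcp", "src": src, "iface": iface, "state": "NEW", "flags": {"SYN"}}
    return {p for p in ports if verdict(rules, policy, dict(syn, dport=p)) == "ACCEPT"}

# Constructed sample (the follow-up's db rules): 198.51.100.7 = [home_ip_address], 10.132.0.5 = [droplet_1_private_IP]
DB_RULES = ["sudo iptables -A INPUT -i lo -j ACCEPT", "sudo iptables -P INPUT DROP",
            "sudo iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
            "sudo iptables -A INPUT -p tcp -s 198.51.100.7 -m tcp --dport 22 -j ACCEPT",
            "sudo iptables -A INPUT -p tcp -s 10.132.0.5 --dport 3306 -j ACCEPT"]
```

With --sport 3306 in place of --dport 3306 on the droplet1 rule, open_tcp_ports reports no open port from droplet1: --sport matches packets that come from port 3306, not connections made to it.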