Description
Below are some basic, common-sense defaults for a secure IPTables / IP6Tables setup. Every situation is different, so assess your own requirements before applying rulesets you do not understand.
IPv4 – IPTables, with comments
Configuration file: /etc/sysconfig/iptables
```
# mharris-iptables-example-config.txt version 1.3
# Copyright 2009-2013 by Mike A. Harris <mharris@mharris.ca>
# License: GNU General Public License version 2

# Example iptables stateful firewall configuration for a router with
# a single Internet interface (eth0) and a single LAN interface (eth1), using
# IP masquerading (NAT), with optional port forwarding.

# Features:
# - All incoming connection attempts from the Internet to the router are
#   dropped by default.
#
# - All outbound Internet connections from the router itself, or from the
#   private LAN are allowed by default. This can be disabled for fine
#   grained outgoing traffic management if desired.
#
# - All incoming connection attempts from the LAN to the router are allowed
#   by default. Configurable.
#
# - All outgoing connections from the router to machines on the LAN are
#   allowed by default. Configurable.
#
# - Port forwarding: You can allow incoming connection attempts from the
#   Internet to be forwarded to machines on your LAN by adding entries
#   to the FORWARD_IN_ALLOW chain, and configure port forwarding in the
#   PREROUTING chain of the 'nat' table.

# Bug reports and other feedback:
# If you discover a bug, flaw, weakness in this configuration, have any
# suggestions for improvements or alternative ways of tweaking it, need
# some help customizing it, or just want to let me know you're using my
# iptables configuration, please feel free to contact me via email at
# mharris at mharris.ca

*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:FORWARD DROP [0:0]
:INPUT_ALLOW - [0:0]
:OUTPUT_ALLOW - [0:0]
:FORWARD_IN - [0:0]
:FORWARD_IN_ALLOW - [0:0]
:FORWARD_OUT - [0:0]
:FORWARD_OUT_ALLOW - [0:0]

# INPUT:
# Accept return packets from connections established by the router to
# machines on the LAN.
-A INPUT -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept return packets from connections initiated and established by the
# router to systems on the Internet.
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept incoming connections on loopback from the router itself.
-A INPUT -i lo -j ACCEPT

# ALLOW incoming connections and all traffic from machines on the LAN by
# default. This rule can be disabled and rules added to allow access to
# services running on the router on a port by port basis if desired.
-A INPUT -i eth1 -j ACCEPT

# Drop incoming 'ping' ICMP echo requests to the router.
-A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP

# Accept all other incoming ICMP requests for proper network operation. There
# are some other ICMP types that can be dropped as well, but I've left them out
# for now for simplicity.
-A INPUT -i eth0 -p icmp -j ACCEPT

# Jump to a custom chain where additional rules can be inserted to ACCEPT
# other incoming traffic from the Internet to the router itself.
-A INPUT -i eth0 -j INPUT_ALLOW

# Log and drop all packets to syslog that were not explicitly accepted with a
# previous rule. (The trailing space in the prefix keeps it separate from the
# "IN=" field that follows it in the log line.)
-A INPUT -j LOG --log-prefix "INPUT:DROP "
-A INPUT -j DROP

# INPUT_ALLOW:
# NOTE: Add rules here to allow incoming TCP/UDP etc. connections to the
# router itself from the Internet. Use the FORWARD_IN_ALLOW chain instead
# for incoming connection requests to machines on the LAN behind the router,
# along with DNAT rules in PREROUTING in the 'nat' table.
#
# Example to accept incoming ssh connections to the router.
-A INPUT_ALLOW -i eth0 -p tcp --dport ssh -m conntrack --ctstate NEW --syn -j ACCEPT
-A INPUT_ALLOW -i eth1 -p tcp --dport ssh -m conntrack --ctstate NEW --syn -j ACCEPT

# Example to accept incoming traffic to a bnetd server running on UDP port 6112 on the router.
#-A INPUT_ALLOW -i eth0 -p udp --dport 6112 -m conntrack --ctstate NEW -j ACCEPT

# OUTPUT:
# Accept return packets from established connections to the LAN
-A OUTPUT -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept outgoing packets to connections established on the router initiated
# by remote computers.
-A OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept outgoing packets through loopback
-A OUTPUT -o lo -j ACCEPT

# ALLOW all outgoing packets to the LAN by default when using default DROP/REJECT
# policy on the OUTPUT chain. This rule is unnecessary if using a default ACCEPT
# policy on the output chain, or if you prefer to set up individual explicit
# rules, however that creates a lot of extra iptables administration.
-A OUTPUT -o eth1 -j ACCEPT

# NOTE: If the following "ACCEPT" rule in the OUTPUT chain is disabled,
# you need to add rules to the OUTPUT_ALLOW chain to permit outgoing
# connections from the router to the Internet, or else all outgoing traffic will
# be REJECT'd by the catch-all below.
-A OUTPUT -o eth0 -j ACCEPT

# Jump to a custom chain where additional rules can be inserted to ACCEPT
# other outgoing traffic to the Internet from the router itself.
-A OUTPUT -o eth0 -j OUTPUT_ALLOW

# Log and reject all packets that were not explicitly accepted or dropped
# above. Using REJECT instead of DROP makes it easier to diagnose problems
# on the client side.
-A OUTPUT -j LOG --log-prefix "OUTPUT:REJECT "
-A OUTPUT -j REJECT

# OUTPUT_ALLOW:
# NOTE: Insert rules here to allow outgoing connections from the router to
# the Internet to work when using default REJECT or DROP catch-all in the
# OUTPUT chain. Use the firewall logs to figure out what rules are needed
# when outgoing traffic fails.
#
# Allow outbound DNS
#-A OUTPUT_ALLOW -o eth0 -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT
#-A OUTPUT_ALLOW -o eth0 -p tcp --dport domain -m conntrack --ctstate NEW --syn -j ACCEPT

# FORWARD:
# Both incoming and outgoing traffic to be forwarded goes through the FORWARD
# chain. Here we use 2 custom sub-chains created above to split incoming
# (from the Internet - FORWARD_IN) and outgoing (from the LAN - FORWARD_OUT)
# traffic to make it easier to visualize/manage.
-A FORWARD -j FORWARD_IN
-A FORWARD -j FORWARD_OUT

# Log and drop all incoming or outgoing traffic that wasn't explicitly accepted
# in FORWARD_IN or FORWARD_OUT, to aid in diagnosing iptables rule problems.
-A FORWARD -j LOG --log-prefix "FORWARD:DROP "
-A FORWARD -j DROP

# FORWARD_IN:
# Accept return packets from the Internet for connections initiated and
# established by computers on the LAN.
-A FORWARD_IN -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Jump to a custom chain to permit incoming connections from the Internet
# to computers on the LAN behind the router. In order for this to work when
# using IP masquerading, you must also configure port forwarding in the
# PREROUTING chain in the 'nat' table below.
-A FORWARD_IN -i eth0 -o eth1 -j FORWARD_IN_ALLOW

# Drop and log all incoming packets from the Internet destined to computers
# on the LAN as a catch-all safety net. This helps with troubleshooting port
# forwarding issues as well.
-A FORWARD_IN -i eth0 -o eth1 -j LOG --log-prefix "FORWARD_IN:DROP "
-A FORWARD_IN -i eth0 -o eth1 -j DROP

# FORWARD_IN_ALLOW:
# You can add additional rules here to allow incoming connection attempts
# from the Internet to be forwarded to hosts on your LAN. If using NAT,
# you will need to set up port forwarding with DNAT rules in the PREROUTING
# chain in the 'nat' table below also in order for this to work.
# Example: Allow incoming connections to the http port on the router to be
# forwarded to the LAN. Requires a port forwarding rule in the PREROUTING
# chain in the 'nat' table.
#-A FORWARD_IN_ALLOW -i eth0 -o eth1 -p tcp --dport http --syn -m conntrack --ctstate NEW -j ACCEPT

# FORWARD_OUT:
# Accept outgoing packets to the Internet from connections established by
# computers on the LAN.
-A FORWARD_OUT -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept all other outgoing traffic from the LAN by default also.
# NOTE: If the following "ACCEPT" rule in the FORWARD_OUT chain is disabled,
# you need to add rules to the FORWARD_OUT_ALLOW chain to permit outgoing
# connections from the LAN to the Internet, or else all outgoing traffic will
# be REJECT'd by the catch-all below.
-A FORWARD_OUT -i eth1 -o eth0 -j ACCEPT

# If you want to deny outgoing traffic from the LAN by default and micro-manage
# what Internet traffic is allowed through the router from computers on your LAN,
# comment out the rule above that ACCEPTs all traffic, and micro-manage
# individual connections in the FORWARD_OUT_ALLOW chain instead.
-A FORWARD_OUT -i eth1 -o eth0 -j FORWARD_OUT_ALLOW

# Reject and log all outgoing packets that were not accepted or dropped by
# previous rules in the FORWARD_OUT chain. This is helpful when diagnosing
# custom outgoing connection rules.
-A FORWARD_OUT -i eth1 -o eth0 -j LOG --log-prefix "FORWARD_OUT:REJECT "
-A FORWARD_OUT -i eth1 -o eth0 -j REJECT

# FORWARD_OUT_ALLOW:
# NOTE: Insert rules here to allow outgoing connections to work when using
# default REJECT or DROP catch-all in the FORWARD_OUT chain. Use the firewall
# logs to figure out what rules are needed when outgoing traffic fails.
# Example - allow outgoing http connections from computers on your LAN destined
# for webservers on the Internet. You only need rules like this if you drop or
# reject outgoing traffic in the FORWARD_OUT chain by default. This requires
# a lot of iptables micro-management so you probably want to use the default
# settings instead.
# The rule must be appended to FORWARD_OUT_ALLOW: appended to FORWARD_OUT it
# would land after the REJECT catch-all above and never match.
#-A FORWARD_OUT_ALLOW -i eth1 -o eth0 -p tcp --dport http --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# PREROUTING:
# Here is where we do port forwarding.
# Forward the http port on the router, to a computer on the LAN. In order for
# this to work properly, you must also have a rule in the FORWARD_IN_ALLOW chain
# to allow the packets to pass through the router to the LAN.
#-A PREROUTING -i eth0 -p tcp --dport http -j DNAT --to-dest <LAN-COMPUTER-IP-ADDRESS>

# POSTROUTING:
# Enable IP masquerading for Internet bound connections on eth0
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
```
IPv6 – IP6Tables, with comments
Configuration file: /etc/sysconfig/ip6tables
```
# mharris-ip6tables-example-config.txt version 0.2
# Copyright 2009-2013 by Mike A. Harris <mharris@mharris.ca>
# License: GNU General Public License version 2

# Example ip6tables stateful firewall configuration for a router with
# a single Internet interface (eth0) and a single LAN interface (eth1)

# Features:
# - All incoming connection attempts from the Internet to the router are
#   dropped by default.
#
# - All outbound Internet connections from the router itself, or from the
#   private LAN are allowed by default. This can be disabled for fine
#   grained outgoing traffic management if desired.
#
# - All incoming connection attempts from the LAN to the router are allowed
#   by default. Configurable.
#
# - All outgoing connections from the router to machines on the LAN are
#   allowed by default. Configurable.
#
# Bug reports and other feedback:
# If you discover a bug, flaw, weakness in this configuration, have any
# suggestions for improvements or alternative ways of tweaking it, need
# some help customizing it, or just want to let me know you're using my
# iptables configuration, please feel free to contact me via email at
# mharris at mharris.ca

*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:FORWARD DROP [0:0]
:INPUT_ALLOW - [0:0]
:OUTPUT_ALLOW - [0:0]
:FORWARD_IN - [0:0]
:FORWARD_IN_ALLOW - [0:0]
:FORWARD_OUT - [0:0]
:FORWARD_OUT_ALLOW - [0:0]

# INPUT:
# Accept return packets from connections established by the router to
# machines on the LAN.
-A INPUT -i eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept return packets from connections initiated and established by the
# router to systems on the Internet.
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept incoming connections on loopback from the router itself.
-A INPUT -i lo -j ACCEPT

# ALLOW incoming connections and all traffic from machines on the LAN by
# default. This rule can be disabled and rules added to allow access to
# services running on the router on a port by port basis if desired.
-A INPUT -i eth1 -j ACCEPT

# Permit required ICMPv6 types - don't break the Internet! These could be
# tweaked a bit more to follow RFC 4890 more closely.
-A INPUT -i eth0 -p icmpv6 --icmpv6-type destination-unreachable -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type time-exceeded -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type packet-too-big -j ACCEPT
-A INPUT -i eth0 -p icmpv6 --icmpv6-type parameter-problem -j ACCEPT
#-A INPUT -i eth0 -p icmpv6 --icmpv6-type echo-reply -j ACCEPT

# Drop incoming 'ping' ICMPv6 echo requests to the router if we do not wish to be pinged.
-A INPUT -i eth0 -p icmpv6 --icmpv6-type echo-request -j DROP

# Accept all incoming ICMPv6 requests not denied above.
# NOTE: this blanket rule is also what admits Neighbor Discovery (router and
# neighbor solicitation/advertisement, ICMPv6 types 133-136) on eth0. If you
# tighten it, allow those types explicitly or the link stops working.
-A INPUT -i eth0 -p icmpv6 -j ACCEPT

# Jump to a custom chain where additional rules can be inserted to ACCEPT
# other incoming traffic from the Internet to the router itself.
-A INPUT -i eth0 -j INPUT_ALLOW

# Log and drop all packets to syslog that were not explicitly accepted with a
# previous rule.
-A INPUT -j LOG --log-prefix "INPUT:DROP "
-A INPUT -j DROP

# INPUT_ALLOW:
# NOTE: Add rules here to allow incoming TCP/UDP etc. connections to the
# router itself from the Internet. Use the FORWARD_IN_ALLOW chain instead
# for incoming connection requests to machines on the LAN behind the router
# (no DNAT is involved here; this IPv6 configuration has no 'nat' table).
#
# Example to accept incoming ssh connections to the router.
-A INPUT_ALLOW -i eth0 -p tcp --dport ssh -m conntrack --ctstate NEW --syn -j ACCEPT
-A INPUT_ALLOW -i eth1 -p tcp --dport ssh -m conntrack --ctstate NEW --syn -j ACCEPT

# Example to accept incoming traffic to a bnetd server running on UDP port 6112 on the router.
#-A INPUT_ALLOW -i eth0 -p udp --dport 6112 -m conntrack --ctstate NEW -j ACCEPT

# OUTPUT:
# Accept return packets from established connections to the LAN
-A OUTPUT -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept outgoing packets to connections established on the router initiated
# by remote computers.
-A OUTPUT -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept outgoing packets through loopback
-A OUTPUT -o lo -j ACCEPT

# ALLOW all outgoing packets to the LAN by default when using default DROP/REJECT
# policy on the OUTPUT chain. This rule is unnecessary if using a default ACCEPT
# policy on the output chain, or if you prefer to set up individual explicit
# rules, however that creates a lot of extra iptables administration.
-A OUTPUT -o eth1 -j ACCEPT

# NOTE: If the following "ACCEPT" rule in the OUTPUT chain is disabled,
# you need to add rules to the OUTPUT_ALLOW chain to permit outgoing
# connections from the router to the Internet, or else all outgoing traffic will
# be REJECT'd by the catch-all below.
-A OUTPUT -o eth0 -j ACCEPT

# Jump to a custom chain where additional rules can be inserted to ACCEPT
# other outgoing traffic to the Internet from the router itself.
-A OUTPUT -o eth0 -j OUTPUT_ALLOW

# Log and reject all packets that were not explicitly accepted or dropped
# above. Using REJECT instead of DROP makes it easier to diagnose problems
# on the client side.
-A OUTPUT -j LOG --log-prefix "OUTPUT:REJECT "
-A OUTPUT -j REJECT

# OUTPUT_ALLOW:
# NOTE: Insert rules here to allow outgoing connections from the router to
# the Internet to work when using default REJECT or DROP catch-all in the
# OUTPUT chain. Use the firewall logs to figure out what rules are needed
# when outgoing traffic fails.
#
# Allow outbound DNS
#-A OUTPUT_ALLOW -o eth0 -p udp --dport domain -m conntrack --ctstate NEW -j ACCEPT
#-A OUTPUT_ALLOW -o eth0 -p tcp --dport domain -m conntrack --ctstate NEW --syn -j ACCEPT

# FORWARD:
# Both incoming and outgoing traffic to be forwarded goes through the FORWARD
# chain. Here we use 2 custom sub-chains created above to split incoming
# (from the Internet - FORWARD_IN) and outgoing (from the LAN - FORWARD_OUT)
# traffic to make it easier to visualize/manage.
-A FORWARD -j FORWARD_IN
-A FORWARD -j FORWARD_OUT

# Log and drop all incoming or outgoing traffic that wasn't explicitly accepted
# in FORWARD_IN or FORWARD_OUT, to aid in diagnosing ip6tables rule problems.
-A FORWARD -j LOG --log-prefix "FORWARD:DROP "
-A FORWARD -j DROP

# FORWARD_IN:
# Accept return packets from the Internet for connections initiated and
# established by computers on the LAN.
-A FORWARD_IN -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Jump to a custom chain to permit incoming connections from the Internet
# to computers on the LAN behind the router. Unlike the IPv4 configuration,
# no masquerading or port forwarding is involved: LAN hosts are routed
# directly, so an ACCEPT rule in FORWARD_IN_ALLOW is all that is needed.
-A FORWARD_IN -i eth0 -o eth1 -j FORWARD_IN_ALLOW

# Drop and log all incoming packets from the Internet destined to computers
# on the LAN as a catch-all safety net. This helps with troubleshooting
# forwarding issues as well.
-A FORWARD_IN -i eth0 -o eth1 -j LOG --log-prefix "FORWARD_IN:DROP "
-A FORWARD_IN -i eth0 -o eth1 -j DROP

# FORWARD_IN_ALLOW:
# You can add additional rules here to allow incoming connection attempts
# from the Internet to be forwarded to hosts on your LAN. (This IPv6
# configuration does not use NAT, so no 'nat' table rule is needed.)
# Example: Allow incoming http connections from the Internet to be
# forwarded to a web server on the LAN.
#-A FORWARD_IN_ALLOW -i eth0 -o eth1 -p tcp --dport http --syn -m conntrack --ctstate NEW -j ACCEPT

# FORWARD_OUT:
# Accept outgoing packets to the Internet from connections established by
# computers on the LAN.
-A FORWARD_OUT -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Accept all other outgoing traffic from the LAN by default also.
# NOTE: If the following "ACCEPT" rule in the FORWARD_OUT chain is disabled,
# you need to add rules to the FORWARD_OUT_ALLOW chain to permit outgoing
# connections from the LAN to the Internet, or else all outgoing traffic will
# be REJECT'd by the catch-all below.
-A FORWARD_OUT -i eth1 -o eth0 -j ACCEPT

# If you want to deny outgoing traffic from the LAN by default and micro-manage
# what Internet traffic is allowed through the router from computers on your LAN,
# comment out the rule above that ACCEPTs all traffic, and micro-manage
# individual connections in the FORWARD_OUT_ALLOW chain instead.
-A FORWARD_OUT -i eth1 -o eth0 -j FORWARD_OUT_ALLOW

# Reject and log all outgoing packets that were not accepted or dropped by
# previous rules in the FORWARD_OUT chain. This is helpful when diagnosing
# custom outgoing connection rules.
-A FORWARD_OUT -i eth1 -o eth0 -j LOG --log-prefix "FORWARD_OUT:REJECT "
-A FORWARD_OUT -i eth1 -o eth0 -j REJECT

# FORWARD_OUT_ALLOW:
# NOTE: Insert rules here to allow outgoing connections to work when using
# default REJECT or DROP catch-all in the FORWARD_OUT chain. Use the firewall
# logs to figure out what rules are needed when outgoing traffic fails.
# Example - allow outgoing http connections from computers on your LAN destined
# for webservers on the Internet. You only need rules like this if you drop or
# reject outgoing traffic in the FORWARD_OUT chain by default. This requires
# a lot of ip6tables micro-management so you probably want to use the default
# settings instead.
# The rule must be appended to FORWARD_OUT_ALLOW: appended to FORWARD_OUT it
# would land after the REJECT catch-all above and never match.
#-A FORWARD_OUT_ALLOW -i eth1 -o eth0 -p tcp --dport http --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```
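Both files above rely on the same discipline: built-in chains default to DROP, and every custom chain ends in a LOG plus DROP/REJECT catch-all, so any rule appended to the chain after that catch-all is dead. As an added example (not part of the original configuration files or the author's code), the following Python script parses rulesets in the iptables-restore syntax used above and flags both mistakes; the embedded ruleset is constructed for the demonstration, and the subset-of-matches test is a heuristic that ignores negated matches.

```python
import shlex

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal of a chain
# Constructed ruleset with two mistakes: FORWARD policy left at ACCEPT, and the http
# rule appended to FORWARD_OUT after its REJECT catch-all instead of FORWARD_OUT_ALLOW.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:FORWARD_OUT - [0:0]
:FORWARD_OUT_ALLOW - [0:0]
-A FORWARD_OUT -i eth1 -o eth0 -j FORWARD_OUT_ALLOW
-A FORWARD_OUT -i eth1 -o eth0 -j LOG --log-prefix "FORWARD_OUT:REJECT "
-A FORWARD_OUT -i eth1 -o eth0 -j REJECT
-A FORWARD_OUT -i eth1 -o eth0 -p tcp --dport http --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

def parse_ruleset(text):
    """Return {table: (policies, rules)}; a rule is (chain, matches, target) with
    matches a frozenset of (option, value) pairs, value '' for flags like --syn."""
    tables, table = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] == "#":
            continue  # blank or comment; COMMIT matches none of the branches below
        if line[0] == "*":
            tables[(table := line[1:])] = ({}, [])
        elif line[0] == ":":
            name, policy = line[1:].split()[:2]
            tables[table][0][name] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)  # keeps a quoted --log-prefix value whole
            chain, opts, target, matches, i = tokens[1], tokens[2:], None, [], 0
            while i < len(opts):
                # heuristic: the next token is this option's value unless it starts with '-'
                has_val = i + 1 < len(opts) and not opts[i + 1].startswith("-")
                val = opts[i + 1] if has_val else ""
                if opts[i] == "-j":
                    target = val
                else:
                    matches.append((opts[i], val))
                i += 2 if has_val else 1
            tables[table][1].append((chain, frozenset(matches), target))
    return tables

def find_problems(text):
    """Report filter built-ins without a DROP policy and rules that can never match."""
    findings = []
    for table, (policies, rules) in parse_ruleset(text).items():
        for chain in ("INPUT", "OUTPUT", "FORWARD") if table == "filter" else ():
            if policies.get(chain) != "DROP":
                findings.append(f"filter: {chain} policy is {policies.get(chain)}, not DROP")
        seen = {}  # chain -> (matches, target) of the rules appended so far
        for chain, matches, target in rules:
            # Dead rule: an earlier terminating rule whose matches are a subset of ours already decides every packet.
            for prev_matches, prev_target in seen.get(chain, []):
                if prev_target in TERMINATING and prev_matches <= matches:
                    findings.append(f"{table}: dead rule in {chain}, shadowed by earlier {prev_target}: {dict(matches)}")
                    break
            seen.setdefault(chain, []).append((matches, target))
    return findings

if __name__ == "__main__":
    print("\n".join(find_problems(SAMPLE)) or "no findings")
```

Run it against the output of `iptables-save` or `ip6tables-save` before loading a changed file; a rule that the script reports as dead is one the firewall logs will never show hitting.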
Last Modified: 19 Apr, 2023 at 10:26:35