25 Useful IPtable Firewall Rules Every Linux Administrator Should Know


Marin Todorov

I am a bachelor in computer science and a Linux Foundation Certified System Administrator. Currently working as a Senior Technical support in the hosting industry. In my free time I like testing new software and inline skating.


11 Responses

  1. Marc says:

    I am wondering why everyone configures iptables but forgets ip6tables?

  2. Riyad says:

    Awesome! I am a beginner in Linux. Can you suggest some tips about Linux security please?

  3. Shany says:

    Great article!
    Is it possible to route a packet to one of several proxy servers randomly then have it return back to the sender?

    • cybernard says:

      Connections are IP based. TCP uses a 3-way handshake; if all 3 packets don’t come from the same IP, no connection will ever be established. All websites and servers (except DNS, which sometimes uses UDP) use TCP. UDP packets will go through, but since each proxy has a different IP the other side would assume they were new connections and the initial request would have to be re-issued.

      Each connection from start to finish could be routed to a different proxy, but setting it up would not be trivial.

      Pretend you did establish a connection to a web server: the first packet is expected to contain a command, like GET index.html. Then normally you would start receiving the results; however, with a new IP from a different proxy the web server would be expecting a command all over again, and the results would not arrive because no established connection exists with proxy 2. The data would attempt to come back to the originating proxy.

      The remote web server would somehow have to know which proxy to send the data to, and alternate on a per packet basis.

      You would have to write and deploy your own custom web server. Given that Apache, Microsoft and the other big names spend millions continuously testing and updating their products against attack, no one would trust your server as secure without equal testing. The project would consume your life, as you would have to either write it all yourself or manage a community of users contributing code to it.

      • Shany says:

        As far as I know, proxy servers can cooperate (Squid for example), but continuing your line of thought, how would you randomly route a session through one of several proxies?

  4. chanuka says:

    Really needful

  5. cybernard says:

    Step 21: Instead of having 2 potentially long blocks
    iptables -I INPUT -d SITE -p tcp -m multiport --dports 21,25,110,143,465,587,993,995 -j DROP
    use this instead
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -I INPUT -d SITE -p tcp -m multiport ! --dports 80,443 -j DROP

    This teaches the "allow only what is required" principle instead of a long blacklist.

  6. Wodin says:

    You don’t want to block ALL incoming ICMP. If you just want to block PING requests, then you need to block ICMP echo requests like this:
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

  7. me says:

    For black/white lists and banning IPs, you should teach people IPSET, as it is way more efficient. Blocking with iptables doesn’t scale well, and at approximately 2000 blocks (depending on your CPU) your CPU utilization will go through the roof.
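The three points raised in comments 5, 6 and 7 (allow only what is required rather than maintaining a long blacklist, drop only ICMP echo-request rather than all ICMP, and keep banned addresses in an ipset so one rule covers the whole list) fit together in a single default-deny ruleset. The script below is an added example written for this discussion, not code from the article or from any of the commenters. It emits an iptables-restore file for IPv4 rather than calling iptables directly, so the result can be reviewed before it is applied; the ipset name `blocklist` and the 203.0.113.0/24 sample network are assumptions. An ip6tables ruleset is still needed separately (ICMPv6 must not be dropped wholesale, since neighbour discovery depends on it).

```shell
#!/bin/sh
# gen_ruleset: emit a default-deny IPv4 ruleset in iptables-restore format.
#   gen_ruleset "80 443" > /tmp/rules.v4   # review, then: iptables-restore < /tmp/rules.v4
# The banned-address list lives in an ipset (assumed name "blocklist"), created once with:
#   ipset create blocklist hash:net
#   ipset add blocklist 203.0.113.0/24      # constructed sample network (RFC 5737)
# so a single iptables rule matches the whole set, however large it grows.

gen_ruleset() {
    allowed_tcp_ports="$1"           # space-separated allowlist, e.g. "80 443"
    echo "*filter"
    echo ":INPUT DROP [0:0]"         # default-deny: nothing not listed below gets in
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Loopback is always permitted.
    echo "-A INPUT -i lo -j ACCEPT"
    # Banned sources are dropped first, via one ipset match instead of one rule per address.
    echo "-A INPUT -m set --match-set blocklist src -j DROP"
    # Replies to connections this host opened, and related traffic (e.g. FTP data).
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Packets that belong to no known connection are dropped.
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    # Block ping requests only; other ICMP (path-MTU, unreachable) keeps working.
    echo "-A INPUT -p icmp --icmp-type echo-request -j DROP"
    echo "-A INPUT -p icmp -j ACCEPT"
    # Explicit allowlist of services: new TCP connections to these ports only.
    for port in $allowed_tcp_ports; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Number of service-allow rules in the generated ruleset (one per allowed port).
count_allow_rules() {
    gen_ruleset "$1" | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Example run: a web server that also offers SSH.
gen_ruleset "22 80 443"
```

The rule order matters: the ipset drop sits before the ESTABLISHED,RELATED accept so a banned host cannot keep an existing session alive, and the allowlist rules only admit NEW connections, so everything else falls through to the chain's DROP policy without any per-port blacklist to maintain.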
