{"id":77,"date":"2018-06-13T15:40:06","date_gmt":"2018-06-13T15:40:06","guid":{"rendered":"https:\/\/techplushost.com\/blog\/?p=77"},"modified":"2019-04-29T14:54:58","modified_gmt":"2019-04-29T14:54:58","slug":"basic-and-most-common-iptables-rules","status":"publish","type":"post","link":"https:\/\/techplushost.com\/blog\/basic-and-most-common-iptables-rules\/","title":{"rendered":"Basic and most common iptables rules"},"content":{"rendered":"<p>Iptables is a powerful Linux firewall that lets you set specific rules to control incoming and outgoing traffic. You can use it to block specific ports, IP addresses and much more. In this article we present the most common uses of iptables.<\/p>\n<p>The iptables rules are grouped into three blocks, each used for a specific purpose (called <b>Chains<\/b>):<\/p>\n<p><b>INPUT<\/b> &#8211; All packets destined for the host computer.<br \/>\n<b>OUTPUT<\/b> &#8211; All packets originating from the host computer.<br \/>\n<b>FORWARD<\/b> &#8211; All packets neither destined for nor originating from the host computer, but passing through (routed by) it. This chain is used when your computer acts as a router.<\/p>\n<p>The first command we present flushes the existing iptables rules. This is useful if you want to start with a fresh rule set or if you have accidentally locked yourself out (our Clients Area has a button for this case specifically &#8211; &#8220;<b>Flush iptables<\/b>&#8221;):<\/p>\n<pre class=\"CodeBlock\">iptables -F<\/pre>\n<p><b>Note<\/b>. Flushing removes the rules but does not change the default policy of the chains, so if a chain&#8217;s policy is DROP you also have to set it back to ACCEPT to restore access. If you want to flush only a single chain, you can use this:<\/p>\n<pre class=\"CodeBlock\">sudo iptables -F INPUT<\/pre>\n<p>The next commands show the rules currently active on your server (-S prints them in the same syntax you would use to add them):<\/p>\n<pre class=\"CodeBlock\">iptables -L<\/pre>\n<pre class=\"CodeBlock\">iptables -S<\/pre>\n<p><b>Note<\/b>. You can add a chain name, such as INPUT, FORWARD or OUTPUT. 
For example:<\/p>\n<pre class=\"CodeBlock\">iptables -L INPUT<\/pre>\n<p>This lists only the rules of the chosen chain.<\/p>\n<p><b>Note.<\/b> You can also add &#8220;-v&#8221; to the command (<i>iptables -L -v<\/i>) to see the packet and byte counters for each rule, which shows you which rules are actually being matched.<\/p>\n<p>Now we can move on to more specific rules. A firewall is usually configured to block first and only then to allow what is needed, so here are some rules that block connections.<\/p>\n<p>To block connections from a specific IP address (the OUTPUT rule blocks traffic going to that address) you can use this:<\/p>\n<pre class=\"CodeBlock\">iptables -A INPUT -s 1.1.1.1 -j DROP<\/pre>\n<pre class=\"CodeBlock\">iptables -A OUTPUT -d 1.1.1.1 -j DROP<\/pre>\n<pre class=\"CodeBlock\">iptables -A INPUT -s 1.1.1.1 -j REJECT<\/pre>\n<p><b>Note.<\/b> Unlike DROP, which silently discards the packet, REJECT sends an error back to the sender, so the client sees &#8220;connection refused&#8221; instead of waiting for a timeout.<\/p>\n<p>If you want to block a specific port, for example SMTP port 25, you can use this:<\/p>\n<pre class=\"CodeBlock\">iptables -A INPUT -p tcp --dport 25 -j DROP\niptables -I OUTPUT -p tcp --dport 25 -j DROP<\/pre>\n<p>Allow incoming SSH connections only from a specific IP:<\/p>\n<pre class=\"CodeBlock\">iptables -A INPUT -i <code>venet0<\/code> -p tcp -s 1.1.1.1 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A OUTPUT -o <code>venet0<\/code> -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT<\/pre>\n<p>The first rule accepts new SSH connections to port 22 only from the given IP, and connection tracking remembers each accepted connection. The second rule uses that state to let the server&#8217;s replies on port 22 back out, so no per-client OUTPUT rule is needed. Keep in mind that this restricts access only if SSH traffic from other addresses is dropped by a later rule or by the chain&#8217;s default policy.<\/p>\n<p>The following sets of rules are for HTTP and HTTPS connections:<\/p>\n<pre class=\"CodeBlock\">iptables -A INPUT -i <code>venet0<\/code> -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A OUTPUT -o <code>venet0<\/code> -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A INPUT -i <code>venet0<\/code> -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A OUTPUT -o <code>venet0<\/code> -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT<\/pre>\n<p>The first pair of rules allows HTTP and the second pair allows HTTPS, using the default ports 80 and 443.<\/p>\n<p>The next rules allow outside users to ping your server:<\/p>\n<pre class=\"CodeBlock\">iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT<\/pre>\n<p>The same pattern blocks it:<\/p>\n<pre class=\"CodeBlock\">iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<\/pre>\n<pre class=\"CodeBlock\">iptables -A OUTPUT -p icmp --icmp-type echo-reply -j DROP<\/pre>\n<p>To allow loopback traffic on your server (connections to localhost), which many local services depend on:<\/p>\n<pre class=\"CodeBlock\">iptables -A INPUT -i lo -j ACCEPT\niptables -A OUTPUT -o lo -j ACCEPT<\/pre>\n<p>Allowing MySQL connections from a specific IP address:<\/p>\n<pre class=\"CodeBlock\">iptables -A INPUT -i <code>venet0<\/code> -p tcp -s 1.1.1.1 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A OUTPUT -o <code>venet0<\/code> -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT<\/pre>\n<p>Allowing IMAP (port 143) or POP3 (port 110) traffic:<\/p>\n<pre class=\"CodeBlock\">iptables -A INPUT -i 
<code>venet0<\/code> -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A OUTPUT -o <code>venet0<\/code> -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A INPUT -i <code>venet0<\/code> -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A OUTPUT -o <code>venet0<\/code> -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT<\/pre>\n<p>The same applies to IMAP and POP3 over secure (TLS) connections, on ports 993 and 995:<\/p>\n<pre class=\"CodeBlock\">iptables -A INPUT -i <code>venet0<\/code> -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A OUTPUT -o <code>venet0<\/code> -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A INPUT -i <code>venet0<\/code> -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT<\/pre>\n<pre class=\"CodeBlock\">iptables -A OUTPUT -o <code>venet0<\/code> -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT<\/pre>\n<p><b>Note.<\/b> When a rule names a network interface, for example <i>venet0<\/i>, do not forget to change it if your server uses a different interface, such as <i>eth0<\/i>.<\/p>\n<p>One last use of iptables is rate limiting, which can help mitigate simple denial-of-service floods by limiting the rate at which packets to a port are accepted:<\/p>\n<pre class=\"CodeBlock\">iptables -A INPUT -p tcp --dport 80 -m limit --limit 10\/minute --limit-burst 100 -j ACCEPT<\/pre>\n<p>More details about this one:<\/p>\n<p>-m limit: This uses the limit match extension.<br \/>\n--limit 10\/minute: Once the burst is used up, at most 10 matching packets per minute are accepted (the match counts every TCP packet to port 80, not only new connections).<br \/>\n--limit-burst 100: The number of packets accepted up front before the per-minute limit starts to apply; the burst allowance refills at the limit rate.<\/p>\n<p><b>Note.<\/b> This rule only accepts traffic within the limit. Packets above it are not dropped by this rule but fall through to the rules that follow it or to the chain&#8217;s default policy, so a DROP rule for port 80 placed after it (or a DROP default policy) is required for the limit to have any effect.<\/p>\n<p>You can 
change the details based on your requirements, to prevent some attacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Iptables is basically a powerful firewall, which can allow a user to set specific rules to control incoming and outgoing traffic. You can use it to block specific port, IP addresses and much more. In this article we present most common uses of iptables. The iptables rules can be specified &hellip; <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[4,5],"tags":[60,59,61,62],"jetpack_featured_media_url":"","jetpack_publicize_connections":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v15.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Basic and most common iptables rules | TechPlusHost | Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/techplushost.com\/blog\/basic-and-most-common-iptables-rules\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Basic and most common iptables rules | TechPlusHost | Blog\" \/>\n<meta property=\"og:description\" content=\"Iptables is basically a powerful firewall, which can allow a user to set specific rules to control incoming and outgoing traffic. You can use it to block specific port, IP addresses and much more. In this article we present most common uses of iptables. 
The iptables rules can be specified &hellip;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/techplushost.com\/blog\/basic-and-most-common-iptables-rules\/\" \/>\n<meta property=\"og:site_name\" content=\"TechPlusHost | Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/web.facebook.com\/techplushost\" \/>\n<meta property=\"article:published_time\" content=\"2018-06-13T15:40:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2019-04-29T14:54:58+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@techplushost\" \/>\n<meta name=\"twitter:site\" content=\"@techplushost\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\">\n\t<meta name=\"twitter:data1\" content=\"Tolulope Oyeniyi\">\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\">\n\t<meta name=\"twitter:data2\" content=\"4 minutes\">\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Organization\",\"@id\":\"https:\/\/techplushost.com\/blog\/#organization\",\"name\":\"TechPlusHost\",\"url\":\"https:\/\/techplushost.com\/blog\/\",\"sameAs\":[\"https:\/\/web.facebook.com\/techplushost\",\"https:\/\/www.instagram.com\/techplushost\/\",\"https:\/\/twitter.com\/techplushost\"],\"logo\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/techplushost.com\/blog\/#logo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/i1.wp.com\/techplushost.com\/blog\/wp-content\/uploads\/2018\/04\/logo.png?fit=314%2C108&ssl=1\",\"width\":314,\"height\":108,\"caption\":\"TechPlusHost\"},\"image\":{\"@id\":\"https:\/\/techplushost.com\/blog\/#logo\"}},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/techplushost.com\/blog\/#website\",\"url\":\"https:\/\/techplushost.com\/blog\/\",\"name\":\"TechPlusHost\",\"description\":\"Our 
Blog\",\"publisher\":{\"@id\":\"https:\/\/techplushost.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/techplushost.com\/blog\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/techplushost.com\/blog\/basic-and-most-common-iptables-rules\/#webpage\",\"url\":\"https:\/\/techplushost.com\/blog\/basic-and-most-common-iptables-rules\/\",\"name\":\"Basic and most common iptables rules | TechPlusHost | Blog\",\"isPartOf\":{\"@id\":\"https:\/\/techplushost.com\/blog\/#website\"},\"datePublished\":\"2018-06-13T15:40:06+00:00\",\"dateModified\":\"2019-04-29T14:54:58+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/techplushost.com\/blog\/basic-and-most-common-iptables-rules\/\"]}]},{\"@type\":\"Article\",\"@id\":\"https:\/\/techplushost.com\/blog\/basic-and-most-common-iptables-rules\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/techplushost.com\/blog\/basic-and-most-common-iptables-rules\/#webpage\"},\"author\":{\"@id\":\"https:\/\/techplushost.com\/blog\/#\/schema\/person\/05c8d030ad69f48b481298cd68c7df43\"},\"headline\":\"Basic and most common iptables rules\",\"datePublished\":\"2018-06-13T15:40:06+00:00\",\"dateModified\":\"2019-04-29T14:54:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/techplushost.com\/blog\/basic-and-most-common-iptables-rules\/#webpage\"},\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/techplushost.com\/blog\/#organization\"},\"keywords\":\"firewall,iptable,port blocked,unblock 
port\",\"articleSection\":\"General,Tutorials\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/techplushost.com\/blog\/basic-and-most-common-iptables-rules\/#respond\"]}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/techplushost.com\/blog\/#\/schema\/person\/05c8d030ad69f48b481298cd68c7df43\",\"name\":\"Tolulope Oyeniyi\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/techplushost.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/862d4163a73f8f6f83733690bfb1b535?s=96&d=wavatar&r=g\",\"caption\":\"Tolulope Oyeniyi\"},\"sameAs\":[\"https:\/\/techplushost.com\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9RiNW-1f","jetpack-related-posts":[{"id":57,"url":"https:\/\/techplushost.com\/blog\/make-minimal-os\/","url_meta":{"origin":77,"position":0},"title":"Make minimal OS","date":"April 25, 2018","format":false,"excerpt":"In order to make standard OpenVZ OS image minimal you need to follow this instruction: 1. Install standard OS from the\u00a0client area 2. Login to the VPS SSH and execute one of the following commands (depending on your OS): CentOS 6 64-bit yum remove acl apr apr-util apr-util-ldap aspell attr\u2026","rel":"","context":"In &quot;General Discussions&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":90,"url":"https:\/\/techplushost.com\/blog\/windows-connecting-to-windows-vps-server-using-rdp\/","url_meta":{"origin":77,"position":1},"title":"[Windows] Connecting to Windows VPS server using RDP","date":"May 3, 2019","format":false,"excerpt":"Remote Desktop Protocol (RDP)\u00a0- is protocol created by Microsoft, which provides a graphical interface for a user. RDP client is available in most operating systems. 
By default RDP uses 3389 TCP port.\u00a0Remote Desktop Connection\u00a0is the official program meant for login via RDP.\u00a0 Requirements: Windows VPS server with Windows 2012 or\u2026","rel":"","context":"In \"RDP\"","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":92,"url":"https:\/\/techplushost.com\/blog\/windows-plesk-installation-guide\/","url_meta":{"origin":77,"position":2},"title":"[Windows] Plesk installation guide","date":"July 22, 2019","format":false,"excerpt":"Plesk\u00a0- commercial web hosting control panel. As most of such control panels, it allows a server administrator to set up new websites, reseller accounts, e-mail accounts, and DNS entries through a web-based interface. Requirements: Windows VPS server 0. Log-in to the server via\u00a0RDP. 1. Visit Plesk\u00a0webpage\u00a0on your browser. At the\u2026","rel":"","context":"Similar post","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":56,"url":"https:\/\/techplushost.com\/blog\/sentora-installation-of-sentora-control-panel\/","url_meta":{"origin":77,"position":3},"title":"[Sentora] Installation of Sentora Control Panel","date":"April 25, 2018","format":false,"excerpt":"Sentora server control panel by default comes with PHP 5.3.20, MySQL 5.5.29, Apache 2.4.3, yet these packets can be upgraded to another versions in the future from the Sentora creators side. This guide is compatible with our Standard VPS or KVM Linux services while using our\u00a0Ubuntu 14.04\u00a0OS template. Disclaimer Sentora\u2026","rel":"","context":"In &quot;Web hosting control panels&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":86,"url":"https:\/\/techplushost.com\/blog\/how-to-manually-import-emails\/","url_meta":{"origin":77,"position":4},"title":"How to manually import emails","date":"May 1, 2019","format":false,"excerpt":"Instructions for manual import of the emails to your CWP server. 1. Create all required mailboxes via CWP2. 
Login in each created mailbox (this will create required file and folder structure)3. Copy the emails (like any other files) in \/var\/vmail\/DOMAIN.COM\/USERNAME4. Fix Permissions (chown uploaded files vmail:mail) Example path for email\u2026","rel":"","context":"In &quot;Web hosting control panels&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":45,"url":"https:\/\/techplushost.com\/blog\/centmin-mod-installation-of-centmin-mod-control-panel\/","url_meta":{"origin":77,"position":5},"title":"[Centmin Mod] Installation of Centmin Mod control panel","date":"April 25, 2018","format":false,"excerpt":"CentMin Mod\u00a0is a shell based control panel for CentOS operating system with LEMP Stack install. It was intended for a single root user\/administrator to manage multiple or single website on a VPS. It is highly recommended for those who wish a simple control panel for their websites with no fancy\u2026","rel":"","context":"In &quot;KVM Based Servers&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/techplushost.com\/blog\/wp-json\/wp\/v2\/posts\/77"}],"collection":[{"href":"https:\/\/techplushost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techplushost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techplushost.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techplushost.com\/blog\/wp-json\/wp\/v2\/comments?post=77"}],"version-history":[{"count":1,"href":"https:\/\/techplushost.com\/blog\/wp-json\/wp\/v2\/posts\/77\/revisions"}],"predecessor-version":[{"id":78,"href":"https:\/\/techplushost.com\/blog\/wp-json\/wp\/v2\/posts\/77\/revisions\/78"}],"wp:attachment":[{"href":"https:\/\/techplushost.com\/blog\/wp-json\/wp\/v2\/media?parent=77"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techplushost.com\/blog\/wp-json\/wp\/v2\/categories?post=77"},{"taxono
my":"post_tag","embeddable":true,"href":"https:\/\/techplushost.com\/blog\/wp-json\/wp\/v2\/tags?post=77"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}