iptables rules in Linux

###commonly used iptables rules###

##Present in SuSE Linux Enterprise Server 11##

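#Stop the distribution firewall so its rule set does not compete with this one
rcSuSEfirewall2 stop

#Define variables
# Interfaces (adjust to the local setup)
server_if=eth1        # server LAN (DHCP, DNS and FTP servers live here)
lan1_if=eth2          # client LAN 1
lan2_if=eth3          # client LAN 2
internet_if=eth4      # uplink; all outbound traffic is masqueraded behind it
# Addresses and ports
client_ftp=20.20.74.20-20.20.74.40   # LAN2 source range allowed to reach its FTP server
server_ip=192.168.64.2               # DHCP/DNS server on the server LAN
ftp1_ip=192.168.74.10                # FTP server reachable from LAN1
ftp2_ip=192.168.74.11                # FTP server reachable from LAN2
dns_upstream=192.168.2.2             # only forwarder the local DNS may query
ftp_ports=20,21,30000:30100          # control, active data and passive data range

#Drop and Clear all existing rules and policies
# Policies are set to DROP before the flush, so from this point on only the
# traffic explicitly accepted below passes. No rule for SSH or any other
# management service to the router itself is added, so an administrative
# session over one of these interfaces is cut off: run this from the console.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -F
iptables -X

iptables -t nat -F
iptables -t nat -X

#Allow loopback traffic
# With INPUT/OUTPUT defaulting to DROP, local services (resolver, logging,
# anything talking to 127.0.0.1) would otherwise break.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#Enable default route from all router interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

#Allow established,related (auto reply requested)
# Reply packets of every accepted connection are let through by these three
# rules, so each rule below only has to cover the connection's first packet.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow clients get IP from DHCP server
# This is an OUTPUT rule, i.e. it covers DHCP traffic the router itself sends
# to the server (e.g. as a relay); client DHCP traffic that has to be
# forwarded is not covered by it — confirm this matches the intended topology.
iptables -A OUTPUT -o "$server_if" -p udp --dport 67 -d "$server_ip" -j ACCEPT

#Allow servers ping to client both LAN
# echo-request only; the echo-reply comes back via the ESTABLISHED rule
iptables -A FORWARD -i "$server_if" -o "$lan1_if" -p icmp --icmp-type 8 -j ACCEPT
iptables -A FORWARD -i "$server_if" -o "$lan2_if" -p icmp --icmp-type 8 -j ACCEPT

#Allow LAN1 can access FTP server
iptables -A FORWARD -i "$lan1_if" -o "$server_if" -p tcp -m multiport --dports "$ftp_ports" -d "$ftp1_ip" -j ACCEPT

#Allow LAN2 can access FTP server, limited from 20.20.74.20 - 40
iptables -A FORWARD -i "$lan2_if" -o "$server_if" -p tcp -m multiport --dports "$ftp_ports" -m iprange --src-range "$client_ftp" -d "$ftp2_ip" -j ACCEPT

#Allow Masquerading
# Every forwarded packet leaving the uplink is source-NATed to the uplink address
iptables -t nat -A POSTROUTING -o "$internet_if" -j MASQUERADE

#Forward DNS local to internet
# The local DNS server may only query its configured upstream forwarder over UDP 53
iptables -A FORWARD -i "$server_if" -o "$internet_if" -p udp --dport 53 -s "$server_ip" -d "$dns_upstream" -j ACCEPT

#LAN1 and LAN2 access internet using DNS local
# Clients must resolve through the local server; no direct DNS to the internet is opened
iptables -A FORWARD -i "$lan1_if" -o "$server_if" -p udp --dport 53 -d "$server_ip" -j ACCEPT
iptables -A FORWARD -i "$lan2_if" -o "$server_if" -p udp --dport 53 -d "$server_ip" -j ACCEPT

#Allow client can access Internet on ports 80 and 443 only
#clients LAN1
iptables -A FORWARD -i "$lan1_if" -o "$internet_if" -p tcp -m multiport --dports 80,443 -j ACCEPT

#client LAN2
iptables -A FORWARD -i "$lan2_if" -o "$internet_if" -p tcp -m multiport --dports 80,443 -j ACCEPT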

By vichhaiy Posted in Linux
