Simple IPTables, a real-life example…

In an earlier post, we talked a bit about iptables in Linux…

Here’s a real example from real life, used on a real Linux-based gateway…

As usual, I’ve altered the IPs from the real IPs, for obvious reasons…

Creating a custom IPTables chain helps keep IPTables rules organized, without sacrificing performance or security…

iptables --new-chain site.com

iptables -A FORWARD -p icmp -j ACCEPT
iptables -A FORWARD -m state -d 6.16.12.13 --state NEW -j site.com
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A site.com -s 16.18.3.2 -j ACCEPT
iptables -A site.com -p tcp -m multiport --dports 25,26,80,443,110,143 -j ACCEPT
iptables -A site.com -p udp --dport 53 -j ACCEPT
iptables -A site.com -j DROP

[root@FMT1 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
site.com   all  --  0.0.0.0/0            6.16.12.13          state NEW
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain site.com (1 references)
target     prot opt source               destination
ACCEPT     all  --  16.18.3.2            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp multiport dports 25,26,80,443,110,143
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:53
DROP       all  --  0.0.0.0/0            0.0.0.0/0

The advantage of such separation is simpler management later on, especially if you have many rules per IP, or if you want to apply the same set of rules to several IPs: you simply add another jump like this one

iptables -A FORWARD -m state -d 6.16.12.13 --state NEW -j site.com

without entering the whole set of rules all over again, and it makes troubleshooting much easier… neat, isn’t it?
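The same pattern, written as a re-runnable script, is given below as an added example; it is not part of the original post. It wraps the chain creation and the per-IP jump rule in two shell functions so that one chain can be attached to any number of destination addresses. The chain name, the trusted source, the port list and the destination IPs are the placeholder values from the post; the IPT variable is an assumption so the script can be dry-run with IPT=echo before touching a live gateway.

```shell
#!/bin/sh
# Added example (not the original post's script): one reusable per-site chain
# attached to several destination IPs. IPT defaults to the real iptables
# binary; set IPT=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"

# make_site_chain CHAIN TRUSTED_SRC TCP_DPORTS
# Creates CHAIN (or flushes it if it already exists, so re-running the script
# does not append duplicate rules) with the post's policy: trusted source
# allowed, listed TCP ports allowed, DNS over UDP allowed, everything else
# dropped.
make_site_chain() {
    chain="$1"; trusted="$2"; dports="$3"
    $IPT -N "$chain" 2>/dev/null || $IPT -F "$chain"
    $IPT -A "$chain" -s "$trusted" -j ACCEPT
    $IPT -A "$chain" -p tcp -m multiport --dports "$dports" -j ACCEPT
    $IPT -A "$chain" -p udp --dport 53 -j ACCEPT
    $IPT -A "$chain" -j DROP
}

# attach_site_chain CHAIN IP...
# Sends NEW connections to each destination IP through CHAIN. Only NEW
# packets are diverted; replies are handled by the ESTABLISHED,RELATED rule.
attach_site_chain() {
    chain="$1"; shift
    for ip in "$@"; do
        $IPT -A FORWARD -m state --state NEW -d "$ip" -j "$chain"
    done
}

# base_forward_rules: the ICMP and stateful-accept rules from the post.
base_forward_rules() {
    $IPT -A FORWARD -p icmp -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Apply only when invoked as "sh site-chain.sh apply"; addresses are the
# placeholder values from the post (second IP is an assumed extra host).
if [ "${1:-}" = "apply" ]; then
    make_site_chain site.com 16.18.3.2 25,26,80,443,110,143
    base_forward_rules
    attach_site_chain site.com 6.16.12.13 6.16.12.14
fi
```

Run it as IPT=echo sh site-chain.sh apply to review the generated rules, then without IPT as root to load them. Note that the FORWARD chain keeps its ACCEPT policy, so only destinations that have a jump rule are filtered by site.com; any other forwarded host passes unfiltered unless it gets a jump of its own.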
