Some Tricky Rules with Iptables!

Welcome friends! Today I'll present some iptables rules that might be beneficial to you. I'll write about

  • blocking an IP address
  • allowing incoming SSH
  • allowing incoming HTTP
  • allowing ping from inside to outside
  • logging of packets
  • and some ICMP queries

How to block a specific IP address?

Suppose you have an IP address you want to block; it might belong to a website or to a computer. As an example, if I don't want to allow someone to watch YouTube on my PC, I just ping youtube and copy the IP address (or take it from the DNS queries). Then I run the following commands:

ip_address="x.x.x.x" # storing the IP address in a variable for further use

sudo iptables --append INPUT --source "$ip_address" --jump DROP

The above command tells iptables to add an INPUT rule that drops packets coming from that particular IP address. (It's not a complete solution, but a starting point.)
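The rule above takes whatever is in $ip_address and hands it to iptables. As an added example (not from the original post), here is a small wrapper that validates the address first and uses iptables --check so that running the script twice does not append the same DROP rule twice. The IPTABLES variable is an assumption of this example, there so the functions can be exercised without root.

```shell
#!/bin/sh
# Added example: a guarded version of the "block a specific IP address" rule.
# IPTABLES can be overridden (e.g. IPTABLES=true) to exercise the logic without root.
IPTABLES="${IPTABLES:-sudo iptables}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # bad characters, leading/trailing/empty octet
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')  # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Append "DROP everything from $1" to INPUT unless an identical rule already exists.
# Exit status: 0 on success or if already present, 2 on invalid input, iptables' status otherwise.
block_ip() {
    ip_address="$1"
    if ! valid_ipv4 "$ip_address"; then
        echo "block_ip: '$ip_address' is not a valid IPv4 address" >&2
        return 2
    fi
    # --check exits 0 when a rule with exactly this specification is present
    if $IPTABLES --check INPUT --source "$ip_address" --jump DROP 2>/dev/null; then
        echo "block_ip: rule for $ip_address already present" >&2
        return 0
    fi
    $IPTABLES --append INPUT --source "$ip_address" --jump DROP
}

# Constructed example address (TEST-NET-3, reserved for documentation).
block_ip 203.0.113.7
```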

How to allow Incoming SSH?

Run this command:

sudo iptables --append INPUT --source 192.168.0.0/16 --match state --state NEW --protocol tcp --dport 223 --jump ACCEPT

The above command adds another INPUT rule, saying: if anything arrives for port 223 (normally the port is 22; I've configured SSH to listen on 223) from the network 192.168.0.0/16 (you can change it; currently it covers the LAN), and the packet's state is NEW, meaning someone on the LAN is initiating a connection to our host, let the packet in.

If you have read my previous post, you will know that for established connections I already have a rule that lets packets in and out in the ESTABLISHED state. So I just have to make sure the connection can be established, by allowing the incoming NEW packet.

How to allow Incoming HTTP?

Run this command:

sudo iptables --append INPUT --source 192.168.0.0/16 --match state --state NEW --protocol tcp --dport 80 --jump ACCEPT

Just like the SSH rule, this command works for HTTP, as we have specified port number 80 here. So if you have a web server, anyone on the local network can access it. In the same way you can allow any kind of service by just changing the port number and running the above command.

Allow ping from inside to outside!

Why not from outside to inside? Well, if you are not offering any service to the outside world, it's not good to let the outside world ping you. It lets script kiddies know that you are there, and they will try to gather information, maybe even launch their attacks on you, and may be able to hack into you. (Terrible!)

Okay, the command is:

sudo iptables --append OUTPUT --protocol icmp --icmp-type echo-request --jump ACCEPT

sudo iptables --append INPUT --protocol icmp --icmp-type echo-request --jump DROP

The first rule appends to the OUTPUT chain for the ICMP protocol, saying: let the ping request go out to the outside world. The second rule says: drop the packet if any echo (ping) request is received, so that my computer will not reply to the outside world (and people will think I'm sleeping). NOTE: it's not enough!

Logging of Packets!

Well, as you know, logging means just keeping a record of something; here we keep a record of packets, so that I may find out who was doing what.

For just a simple rule:

sudo iptables --append INPUT --jump LOG --log-prefix "INPUT: "

Here we append a logging rule to the INPUT chain, logging everything that comes in and attaching the string "INPUT: " to each entry, so that when we have to look for the input entries in the log file, it will be easy.

sudo iptables --append OUTPUT --jump LOG --log-prefix "OUTPUT: "

The same command for outgoing packets, logging every output packet!

These are simple rules, just to make the idea understood; we can add state matches and many other things, but this tutorial is just for beginners. I'll describe those things later.
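The LOG target writes one kernel-log line per packet, with the --log-prefix followed by fields such as SRC=, PROTO= and DPT=. As an added example (not from the original post), the script below reads such lines and answers "who was doing what": how many packets each source sent to which port, and which sources touched many different ports. The log lines are constructed for the example, not real captures.

```shell
#!/bin/sh
# Added example: summarise lines written by the LOG rules above ("INPUT: " / "OUTPUT: ").
# SAMPLE_LOG is constructed in the LOG target's kernel-log format; it is not a real capture.
SAMPLE_LOG='Mar  3 10:01:02 host kernel: INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:02 host kernel: INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=43211 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 10:01:03 host kernel: INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=55555 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:03 host kernel: INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=4 PROTO=TCP SPT=55556 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:04 host kernel: INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.10 LEN=44 TOS=0x00 PREC=0x00 TTL=48 ID=5 PROTO=TCP SPT=55557 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:01:04 host kernel: INPUT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=6 PROTO=ICMP TYPE=8 CODE=0 ID=777 SEQ=1
Mar  3 10:01:05 host kernel: OUTPUT: IN= OUT=eth0 SRC=192.168.1.10 DST=192.168.1.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=22 DPT=43210 WINDOW=28960 RES=0x00 ACK SYN URGP=0'

# Print "count SRC PROTO DPT" for every logged packet carrying prefix $1
# (INPUT or OUTPUT), most frequent first. Reads log lines on stdin.
summarize_by_source() {
    awk -v pfx="kernel: $1: " '
    index($0, pfx) {
        src = ""; proto = "?"; dpt = "-"          # dpt stays "-" for ICMP
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Print "SRC n" for sources whose logged INPUT packets touched at least $1
# distinct destination ports: a cheap indicator of port scanning.
scan_suspects() {
    awk -v pfx="kernel: INPUT: " -v min="$1" '
    index($0, pfx) {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)      src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) if (ports[s] >= min + 0) print s, ports[s] }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | summarize_by_source INPUT
printf '%s\n' "$SAMPLE_LOG" | scan_suspects 3
```

On a real system, feed the functions from the kernel log instead of SAMPLE_LOG, for example with journalctl -k or by reading /var/log/kern.log.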

ICMP queries rule!

Now what is this? Well, in short, it means Internet Control Message Protocol. It communicates error messages and other conditions that require attention, just like when we make a ping request and get a ping reply. There are many types of queries and error messages in ICMP; we most often use ping, which is just one of them.

I'm stating two more ICMP queries here:

sudo iptables --append OUTPUT --protocol icmp --icmp-type timestamp-request --jump ACCEPT

sudo iptables --append INPUT --protocol icmp --icmp-type timestamp-request --jump DROP

The above two are for the timestamp request, which is also a good way to find out whether a host is available when it is dropping ping requests. So be careful about this too. Another one is:

sudo iptables --append OUTPUT --protocol icmp --icmp-type address-mask-request --jump ACCEPT

sudo iptables --append INPUT --protocol icmp --icmp-type address-mask-request --jump DROP

Now, overall, your firewall.sh will look like this (if you have made one from my previous post):


#!/bin/bash

sudo iptables --flush

sudo iptables --policy INPUT DROP
sudo iptables --policy OUTPUT DROP
sudo iptables --policy FORWARD DROP

sudo iptables --append INPUT --in-interface lo --jump ACCEPT
sudo iptables --append OUTPUT --out-interface lo --jump ACCEPT

# logging rule before any input rule but after the localhost rule: we don't want to collect local packets, they are of no use.
sudo iptables --append INPUT --jump LOG --log-prefix "INPUT: "

# actually you don't need the echo-request rule, because we have configured our system to drop new incoming packets by default.
sudo iptables --append INPUT --protocol icmp --icmp-type echo-request --jump DROP

sudo iptables --append INPUT --source 192.168.0.0/16 --match state --state NEW --protocol tcp --dport 22 --jump ACCEPT
sudo iptables --append INPUT --source 192.168.0.0/16 --match state --state NEW --protocol tcp --dport 80 --jump ACCEPT

# the state list takes no spaces: "ESTABLISHED, RELATED" would be rejected by iptables
sudo iptables --append INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT

# logging outgoing packets, but not localhost, because we have placed it after the localhost rule and before the outgoing rules.
sudo iptables --append OUTPUT --jump LOG --log-prefix "OUTPUT: "

# actually you don't need the echo-request rule, because we have configured our system to allow outgoing.
sudo iptables --append OUTPUT --protocol icmp --icmp-type echo-request --jump ACCEPT

sudo iptables --append OUTPUT --match state --state NEW,ESTABLISHED --jump ACCEPT

sudo iptables-save | sudo tee /etc/iptables/iptables.rules


Now set the executable permission so the script can run, run it, and see the result with:

sudo iptables --list --verbose
