Managing Firewall for your system

Category: Template Information

The system firewall is based on iptables. Please read about iptables on the Netfilter page.

Make sure you are root while running the commands below.

In general, your system firewall is configured like this (output of the status command described at the end of this page):

/etc/init.d/iptables status
Table: filter
Chain INPUT (policy DROP)
num  target       prot opt source      destination
1    ACCEPT       all  --  0.0.0.0/0   0.0.0.0/0
2    syn_flood    tcp  --  0.0.0.0/0   0.0.0.0/0   tcp flags:0x17/0x02
3    allow_icmp   all  --  0.0.0.0/0   0.0.0.0/0
4    syn_protect  all  --  0.0.0.0/0   0.0.0.0/0
5    ACCEPT       all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
6    ACCEPT       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:20 state NEW
7    ACCEPT       tcp  --  0.0.0.0/0   0.0.0.0/0   tcp dpt:22 state NEW

Chain FORWARD (policy DROP)
num  target       prot opt source      destination
1    ACCEPT       all  --  0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED

Chain OUTPUT (policy DROP)
num  target       prot opt source      destination
1    ACCEPT       all  --  0.0.0.0/0   0.0.0.0/0
2    ACCEPT       all  --  0.0.0.0/0   0.0.0.0/0   state NEW,RELATED,ESTABLISHED

Chain allow_icmp (1 references)
num  target       prot opt source      destination
1    ACCEPT       icmp --  0.0.0.0/0   0.0.0.0/0   icmp type 8

Chain syn_flood (1 references)
num  target       prot opt source      destination
1    RETURN       all  --  0.0.0.0/0   0.0.0.0/0   limit: avg 16/sec burst 32
2    DROP         all  --  0.0.0.0/0   0.0.0.0/0

Chain syn_protect (1 references)
num  target       prot opt source      destination
1    DROP         tcp  --  0.0.0.0/0   0.0.0.0/0   tcp flags:!0x17/0x02 state NEW

To allow access to HTTP (port 80/tcp) from any source, run the following. Note that -A appends the rule at the end of the INPUT chain, after the syn_flood and syn_protect checks, so those keep applying to the new port:

iptables -A INPUT -p tcp --dport 80 -j ACCEPT -m state --state NEW

The same for HTTPS (port 443/tcp):

iptables -A INPUT -p tcp --dport 443 -j ACCEPT -m state --state NEW

To allow your service(s) outgoing access to HTTP (port 80/tcp) at 1.1.1.1, run:

iptables -A OUTPUT -p tcp --dport 80 -d 1.1.1.1 -j ACCEPT -m state --state NEW

To allow all outgoing traffic that belongs to ESTABLISHED,RELATED connections, run:

iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED

To store the rules so that they are restored when the iptables service starts again (rules added with the commands above live only in the kernel until saved), run:

service iptables save

To check or show the current status, run:

/etc/init.d/iptables status
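The commands above use -A, so running them twice leaves two identical rules in the chain, and "service iptables save" then persists both. The helper below (an added example, not part of the original page) checks with "iptables -C" before appending; the IPTABLES variable is an assumption introduced here so the logic can be exercised against a stub without root.

```sh
#!/bin/sh
# Idempotent port opening in the same rule shape as the page's commands.
# IPTABLES is an assumed override hook: point it at a stub for dry runs.
IPTABLES="${IPTABLES:-iptables}"

# rule_spec CHAIN PORT [DEST]
# Prints the rule specification: tcp, destination port, optional
# destination host, NEW connections only.
rule_spec() {
    chain=$1
    port=$2
    dest=$3
    case "$port" in
        ''|*[!0-9]*) echo "rule_spec: bad port '$port'" >&2; return 1 ;;
    esac
    if [ -n "$dest" ]; then
        printf '%s -p tcp --dport %s -d %s -m state --state NEW -j ACCEPT\n' \
            "$chain" "$port" "$dest"
    else
        printf '%s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
            "$chain" "$port"
    fi
}

# allow_port CHAIN PORT [DEST]
# Appends the rule only if "iptables -C" reports it is not already present,
# so re-running a provisioning script never duplicates rules.
allow_port() {
    spec=$(rule_spec "$@") || return 1
    # $spec is deliberately unquoted: it must split into separate arguments.
    if $IPTABLES -C $spec 2>/dev/null; then
        echo "present: $spec"
        return 0
    fi
    $IPTABLES -A $spec && echo "added: $spec"
}

# Typical use on the host described above (as root):
#   allow_port INPUT 80
#   allow_port INPUT 443
#   allow_port OUTPUT 80 1.1.1.1
#   service iptables save
```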


Tags: syn flood