Set up CentOS iptables for IPv4

There are several ways to configure iptables on CentOS. This tutorial shows a few basic but essential examples of how to use iptables on CentOS.

Adapt the rules to your needs. All of the following commands are entered from your SSH terminal as root. The rules are appended (-A) in the order given and iptables evaluates them in that order, so the stateful rules near the top must stay ahead of the per-service rules.

Check the existing rules (add -v to see packet and byte counters per rule):

iptables -L -n

Flush all existing rules (this erases all of them, including any stateful ESTABLISHED rule). If the INPUT policy is already DROP, set it back to ACCEPT with -P (see the last step) before flushing, otherwise your own SSH session will be cut off as soon as the rules are gone:

iptables -F; iptables -X; iptables -Z

Use a stateful rule to allow all established connections (packets that belong to a connection conntrack has already seen in both directions):

iptables -A INPUT -p all -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p all -m state --state ESTABLISHED -j ACCEPT

Some services require you to also allow related connections (for example the data connection of FTP or the transfer connection of TFTP). RELATED also covers ICMP error messages that refer to an existing connection. Note that conntrack can only classify a new FTP or TFTP connection as RELATED when the matching helper module (nf_conntrack_ftp, nf_conntrack_tftp) is loaded:

iptables -A INPUT -p all -m state --state RELATED -j ACCEPT
iptables -A OUTPUT -p all -m state --state RELATED -j ACCEPT

Allow localhost (the loopback interface) to communicate; many local services depend on this:

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

Allow Web Browsing

iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow Outgoing SSH

iptables -A OUTPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH

Use one of the following two rules. Restricting SSH to a management subnet or a single address is strongly preferred over opening it to the whole Internet:

Allow Incoming SSH from a specified subnet/IP address

iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming SSH from all

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

Allow Incoming Web Server

iptables -A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

Allow DNS requests out (DNS falls back to TCP for large or truncated responses; add the same rule with -p tcp if your resolver needs that):

iptables -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT

Allow Incoming ping

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow Outgoing ping

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Allow SMTP Server

iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow SMTP Client

iptables -A OUTPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

Allow IMAP Server

iptables -A INPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow IMAP Client

iptables -A OUTPUT -p tcp --dport 143 -m state --state NEW -j ACCEPT

Allow MySQL Server (a database port should normally not be reachable from everywhere; add -s with the address or subnet of your application servers, as in the SSH example above):

iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow MySQL Client

iptables -A OUTPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT

Allow NTP Server

iptables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow NTP Client

iptables -A OUTPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

Allow rsyslogd in

iptables -A INPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
iptables -A INPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

Allow rsyslogd out

iptables -A OUTPUT -p tcp --dport 514 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp --dport 514 -m state --state NEW -j ACCEPT

Specify a port range. Port matches (--sport/--dport) only work together with a protocol (-p tcp or -p udp); e.g. allow all TCP traffic from source ports 50-150 to destination ports 300-400:

iptables -A OUTPUT -p tcp --sport 50:150 --dport 300:400 -j ACCEPT

Specify an IP address range; this requires the 'iprange' match module. For example, allow all communication to and from 192.168.1.1-192.168.1.31:

iptables -A OUTPUT -m iprange --dst-range 192.168.1.1-192.168.1.31 -j ACCEPT
iptables -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.31 -j ACCEPT

At last, set the default policies. Do this as the final step: once INPUT is DROP, anything not matched by the rules above is silently discarded, which is why the ESTABLISHED and SSH rules must already be in place. With OUTPUT set to ACCEPT, the OUTPUT rules above are redundant; they only take effect if you change the OUTPUT policy to DROP as well:

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

Save the iptables configuration (it is written to /etc/sysconfig/iptables and reloaded from there at boot) with the following command:

service iptables save

or

/sbin/service iptables save

On CentOS 7 and later the default firewall manager is firewalld; the command above is only available after installing the iptables-services package.
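The whole procedure above, put together as an added example that is not part of the original tutorial: a script that renders the same ruleset in iptables-restore format, audits it for the two mistakes that cause lockouts or exposure, and loads it in one atomic commit with a timed rollback. ADMIN_NET, TCP_IN and UDP_IN are assumed placeholders for the subnet allowed to reach SSH and the services to expose; the file name fw.sh in the usage comment is likewise an assumption.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: render the ruleset
# built above as an iptables-restore file, audit it, and load it
# atomically with a timed rollback so a mistake cannot lock you out.
# ADMIN_NET, TCP_IN and UDP_IN are assumed placeholders; set them for
# your host, e.g.: ADMIN_NET=10.0.0.0/8 TCP_IN="80 443" sh fw.sh apply

ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"   # subnet allowed to reach SSH
TCP_IN="${TCP_IN:-80 443}"                 # inbound TCP ports to expose
UDP_IN="${UDP_IN:-}"                       # inbound UDP ports to expose

# Print a complete filter-table ruleset in iptables-restore format.
# Order matches the tutorial: loopback and conntrack first, then one
# NEW rule per service. The DROP policy is set in the chain header, so
# it lands in the same atomic COMMIT as the accept rules.
render_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
        "-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m state --state NEW -j ACCEPT"
    for p in $TCP_IN; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $UDP_IN; do
        printf '%s\n' "-A INPUT -p udp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Read a ruleset on stdin and reject the two mistakes that cause the most
# grief: a DROP policy with no ESTABLISHED rule (every session, including
# yours, dies) and SSH accepted from any source address.
# Returns 0 if the ruleset passes, 1 otherwise.
audit_ruleset() {
    rs=$(cat)
    rc=0
    if printf '%s\n' "$rs" | grep -q '^:INPUT DROP' &&
       ! printf '%s\n' "$rs" | grep -q -- '--state ESTABLISHED'; then
        echo 'audit: INPUT policy is DROP but there is no ESTABLISHED rule' >&2
        rc=1
    fi
    if printf '%s\n' "$rs" | grep -- '--dport 22 ' | grep -qv -- ' -s '; then
        echo 'audit: SSH (22/tcp) is accepted from all sources' >&2
        rc=1
    fi
    return $rc
}

# Replace the live rules in one commit and schedule a rollback. If the new
# rules cut your session off, the old ones come back after $1 seconds; if
# you can still log in, kill the rollback and then persist the rules.
apply_with_rollback() {
    secs="${1:-60}"
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    render_ruleset | iptables-restore || { rm -f "$backup"; return 1; }
    ( sleep "$secs"; iptables-restore < "$backup"; rm -f "$backup" ) &
    echo "rules loaded; within ${secs}s run: kill $! && service iptables save"
}

# Without "apply" the script only renders and audits, which needs no root.
case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo 'apply requires root' >&2; exit 1; }
        render_ruleset | audit_ruleset && apply_with_rollback "${2:-60}" ;;
    *)
        render_ruleset | audit_ruleset && render_ruleset ;;
esac
```

Because iptables-restore swaps the whole table in a single commit, there is never a moment where the chain is flushed while the policy is DROP, so the lockout risk of the separate flush step does not arise. Run the script without arguments first to inspect the rendered ruleset, then with apply; if you are still connected afterwards, kill the background rollback and run service iptables save as in the last step.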
