Archive for the ‘iptables’ category

Iptables – Add FTP passive support

October 17th, 2010

Adding passive FTP support to iptables is very easy. Type the following:

First, to add support on the currently running system:

sudo modprobe ip_nat_ftp
sudo modprobe ip_conntrack_ftp

This adds support to the running iptables (the modules are loaded immediately, but not persistently).

Next modify the file

sudo vi /etc/modules  (/etc/modprobe.conf for redhat/centos)

and add the following 2 lines to the bottom

ip_nat_ftp
ip_conntrack_ftp

This will load it on the next reboot. Passive FTP should now work.
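An added example that is not part of the original post: a small POSIX sh script that performs the steps above idempotently (load the helpers now, persist them for the next boot, and add the matching rules). It uses the current module names nf_conntrack_ftp and nf_nat_ftp (the ip_* names above are their older aliases) and assumes a kernel where conntrack helper auto-assignment is disabled (the default since 4.7), so the helper is bound explicitly to the FTP control port with a CT rule; DRY_RUN and MODULES_FILE are variables of this script only, not system settings.

```shell
#!/bin/sh
# Added example, not code from the original post. It does what the post
# describes (load the FTP helpers now, persist them for the next boot) but
# uses the current module names nf_conntrack_ftp / nf_nat_ftp; ip_nat_ftp
# and ip_conntrack_ftp are the older names for the same helpers.
# Assumption: helper auto-assignment is off (the kernel default since 4.7),
# so the helper is bound to the control port with an explicit CT rule.
# Set DRY_RUN=1 to print the privileged commands instead of running them;
# MODULES_FILE overrides the default /etc/modules (Debian layout).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Add a rule only if it is not already in the chain (-C checks exact match),
# so running the script twice does not stack duplicate rules.
ensure_rule() {
    table="$1"; shift
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'iptables -t %s -A %s\n' "$table" "$*"; return 0
    fi
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

# Append a module name to the modules file only if it is not already listed.
persist_module() {
    file="$1"; mod="$2"
    [ -f "$file" ] || : > "$file"
    grep -qx "$mod" "$file" || printf '%s\n' "$mod" >> "$file"
}

# Enable passive FTP tracking for the given control port (default 21).
enable_passive_ftp() {
    port="${1:-21}"
    modfile="${MODULES_FILE:-/etc/modules}"
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    # Bind the ftp helper to the control port only, never to every port.
    ensure_rule raw PREROUTING -p tcp --dport "$port" -j CT --helper ftp
    # Accept the data connections the helper marks as RELATED.
    ensure_rule filter INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    persist_module "$modfile" nf_conntrack_ftp
    persist_module "$modfile" nf_nat_ftp
}
```

Run it once with DRY_RUN=1 to review the exact commands, then as root without it; a second run changes nothing because both the rules and the modules file are checked before anything is added.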

if you found this helpful feel free to donate to:
ZEC: t1NQp1UuqQbmnXzazbLTSreS2AbaZpRBuTM
LTC: LZyNF1qkBUA7XFz83m5xwzGgmmj1owQn9d
BTC: 1PY95KFPTEJTR7f2NnSgaB6xB9pwDJkcJz

IP tables – File and script locations

August 5th, 2010

Debian

  • /etc/init.d/iptables INIT script to start|stop|restart the service (and save rulesets). This file is no longer default as of Sarge but you can still get it (I’ll show you).
  • /var/lib/iptables Debian’s home for the ‘active’ and ‘inactive’ iptables-save counter files (i.e. The saved rulesets). On RedHat you would find the saved rules in ‘/etc/sysconfig/iptables’.
  • /var/lib/iptables/active Active Counters (more on that later)
  • /var/lib/iptables/inactive Inactive Counters
  • /sbin/iptables The administration utility/binary.

RedHat

  • /etc/init.d/iptables INIT script to start|stop|restart the service (and save rulesets).
  • /etc/sysconfig/iptables RedHat’s file for the iptables-save counter files (i.e. The saved rulesets).
  • /sbin/iptables The administration utility/binary.

IP tables – Block outgoing connections to IP and Port

August 5th, 2010

The following rule blocks any outgoing connection to the IP address IPADDRESS:

iptables -A OUTPUT -d IPADDRESS -j DROP

This way you can block a chat server's IP address or a site hosting dangerous content such as viruses. It is also possible to block a specific port. For example, you can block TCP port 5050 as follows:

iptables -A OUTPUT -p tcp --dport 5050 -j DROP

Or block port 5050 for the IP address IPADDRESS only:

iptables -A OUTPUT -p tcp -d IPADDRESS --dport 5050 -j DROP

Iptables – Basic command line configuration commands

February 26th, 2010

This is a list of basic commands to use/manage iptables.

View running:      iptables -L -n
Save running:      iptables-save > filename
Load file:         iptables-restore < filename
Stop iptables:     /etc/init.d/iptables stop
Start iptables:    /etc/init.d/iptables start
Save rules:        /etc/init.d/iptables save

Deleting a rule:   iptables -D INPUT -s "207.58.140.12" -j DROP
Blocking IP:       iptables -I INPUT -s "207.58.140.12" -j DROP
Blocking IP range: iptables -I INPUT -s "207.58.140.0/24" -j DROP

Blocking all connections to a port:
iptables -A INPUT -p tcp --dport port# -j REJECT
Allow an IP range on a blocked port:
iptables -I INPUT -p tcp -s 192.168.0.0/16 --dport port# -j ACCEPT
note: port# = 21,22,3389 etc... Rules are matched in order, so the ACCEPT must sit above the REJECT; -I inserts it at the top of the chain, whereas -A would append it after the REJECT and it would never match.

These basic rules should allow you to manage iptables from the command line.