Iptables

Iptables are used in the Debian install script.

Basic Rules

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 5060:5069 -j ACCEPT
iptables -A INPUT -p udp --dport 5060:5069 -j ACCEPT
iptables -A INPUT -p tcp --dport 5080 -j ACCEPT
iptables -A INPUT -p udp --dport 5080 -j ACCEPT
iptables -A INPUT -p udp --dport 16384:32768 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

Optional Rules

OPENVPN: iptables -A INPUT -p udp --dport 1194 -j ACCEPT
ICMP: iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Friendly Scanner

Rules to block not so friendly scanner

iptables -I INPUT -j DROP -p tcp --dport 5060 -m string --string "friendly-scanner" --algo bm
iptables -I INPUT -j DROP -p tcp --dport 5080 -m string --string "friendly-scanner" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "friendly-scanner" --algo bm
Optional
iptables -I INPUT -j DROP -p tcp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxIPUserAgent" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent" --algo bm
iptables -I INPUT -j DROP -p tcp --dport 5080 -m string --string "VaxIPUserAgent" --algo bm
iptables -I INPUT -j DROP -p tcp --dport 5060 -m string --string "VaxSIPUserAgent/3.1" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent/3.1" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5080 -m string --string "VaxSIPUserAgent/3.1" --algo bm
iptables -I INPUT -j DROP -p tcp --dport 5080 -m string --string "VaxSIPUserAgent/3.1" --algo bm

Add DSCP rules

iptables -t mangle -A OUTPUT -p udp -m udp –sport 16384:32768 -j DSCP –set-dscp 46 iptables -t mangle -A OUTPUT -p udp -m udp –sport 5060:5091 -j DSCP –set-dscp 26 iptables -t mangle -A OUTPUT -p tcp -m tcp –sport 5060:5091 -j DSCP –set-dscp 26

Show iptable rules

sudo iptables -L -v

Show line numbers

iptables -L -v -n --line-numbers

Show DSCP rules

iptables -vL -t mangle

Delete a line

Delete line 2

iptables -D INPUT 2

Flush Out Iptables

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F

Open a Port for a Specific IP Address

iptables -A INPUT -j ACCEPT -p tcp --dport 5432 -s x.x.x.x/32

Block IP address

iptables -I INPUT -s 62.210.245.132 -j DROP

Restore Rules from rules.v4

This reads the file rules.v4 and saved iptables rules back into active memory. | iptables-restore < /etc/iptables/rules.v4

Flush iptables

How to flush iptables without loosing access to ssh.

iptables -P INPUT ACCEPT
iptables -F

Save Changes

Debian / Ubuntu

apt-get install iptables-persistent
service iptables-persistent save
dpkg-reconfigure iptables-persistent
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6