newbie with ruleset needs help

My rule set, generated by formatting link, is below. I have ssh access to my CentOS 5.2 server. How do I apply the rule set to my server? Do I save it as a file somewhere? Do I have to apply them one by one using iptables?

As you can see, I am an absolute newbie and it shut my server down the last week so I don't want to do it again.

Many thanks for your help!!

#!/bin/sh

# iptables script generated 2009-05-08 #
# formatting link

IPT="/sbin/iptables"

# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain

# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

# Enable free use of loopback interfaces
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# All TCP sessions should begin with SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s 0.0.0.0/0 -j DROP

# Accept inbound TCP packets
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 21 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 25 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 110 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT
$IPT -A INPUT -p tcp --dport 443 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT

# Accept inbound UDP packets
$IPT -A INPUT -p udp -m udp --dport 53 -s 0.0.0.0/0 -j ACCEPT

Reply to
webdevguy

[snip rules]

Hello,

You can save it as a normal file. In order to get it to run you would need to make the file executable. Assuming you saved the file as just 'iptables' (minus the quotes):

(all as root, in the same directory you saved the file 'iptables' to)

chmod 750 iptables

You can then run the file like so:

./iptables

Assuming no errors, you can then have your script saved and run automatically the next time the machine is rebooted by using :

service iptables save

You can then view the rules by using:

iptables -v -nL

or

service iptables status

*Before* performing the above, wait for more replies to your original post. Have you run this script already somehow? Your server shut down after you ran this script?

Regards,

Nrth.

Reply to
Nrth
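An added example, not code from Nrth's reply or from the poster's generator: a small wrapper that does the "save it, run it, then service iptables save" sequence above with a safety net. It snapshots the live rules, runs the generated script, and restores the snapshot after a grace period unless you confirm from a fresh SSH login, so a rule set that drops your own traffic undoes itself instead of taking the server off the network. It assumes the CentOS 5 tool set (/sbin/iptables, iptables-save, iptables-restore, service iptables save, nohup), root, and the file names /root/iptables.before and /root/iptables.confirmed, all chosen here for the example.

```sh
#!/bin/sh
# Added example, not code from the thread: apply a generated iptables script with
# a safety net, so a rule set that drops your own SSH traffic reverts by itself
# instead of locking you out until someone reaches the console.
# Assumes the CentOS 5 tool set (/sbin/iptables, iptables-save, iptables-restore,
# "service iptables save", nohup); "apply" and "confirm" must run as root.

SNAPSHOT=/root/iptables.before      # live rules as they were before the change (assumed path)
FLAG=/root/iptables.confirmed       # created by "confirm" to cancel the rollback (assumed path)

# Rough static check of the rule script before it touches the kernel:
# without a stateful ACCEPT the session you are typing in dies the moment the
# INPUT policy becomes DROP, and without an accept for TCP/22 no new login works.
# Returns 0 when both are present, 1 (with a reason on stderr) otherwise.
preflight() {
    f="$1"
    [ -r "$f" ] || { echo "preflight: cannot read $f" >&2; return 1; }
    grep -q 'ESTABLISHED,RELATED' "$f" \
        || { echo "preflight: no ESTABLISHED,RELATED accept; current SSH session would be cut" >&2; return 1; }
    grep -q -- '--dport 22' "$f" \
        || { echo "preflight: no accept for TCP/22; new SSH logins would be dropped" >&2; return 1; }
    return 0
}

# Snapshot the live rules, arm a timer that restores them after GRACE seconds
# unless the flag file exists, then run the new script. nohup keeps the timer
# alive even if this SSH session is exactly what the new rules kill.
apply_with_rollback() {
    rules="$1"; grace="${2:-120}"
    rm -f "$FLAG"
    iptables-save > "$SNAPSHOT" || return 1
    nohup sh -c "sleep $grace; [ -e $FLAG ] || iptables-restore < $SNAPSHOT" >/dev/null 2>&1 &
    sh "$rules"
    echo "Rules applied. Open a NEW ssh session within ${grace}s; if it works, run: $0 confirm"
}

# Cancel the pending rollback and make the rule set survive a reboot.
confirm() {
    touch "$FLAG"
    service iptables save
}

case "${1:-}" in
    apply)   preflight "$2" && apply_with_rollback "$2" "$3" ;;
    confirm) confirm ;;
    *)       echo "usage: $0 apply RULES_SCRIPT [GRACE_SECONDS] | $0 confirm" ;;
esac
```

Typical use is "./safe-apply.sh apply ./iptables 120" from your current session, then a second ssh login; if the second login works, "./safe-apply.sh confirm" cancels the timer and saves the rules for the next boot, and if it does not, the old rules come back two minutes later on their own. The preflight is only a grep, so it catches the two most common self-inflicted lock-outs, not every possible mistake.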

Chosen because of...

Hopefully on a home or private network until you gain more skills.

Normally, the rule set would be configured in one of the system boot files. Red Hat supplies a complete firewall setup tool, including the needed boot scripts. Centos should do the same.

No, you would run a script similar to this. You appear not to know that the "$IPT" at the beginning of the lines in the script below is translated by the shell into the command '/sbin/iptables' and the rest of each line is supplied as an argument to that command. This script looks to be designed to run out of /etc/rc.d/rc.local which should normally be the last boot script run. Not a great idea, but better than nothing at all.

Does the firewall script include a 'LOG' target? (If not, why not?) What data showed up in the log files? What errors showed up on your client when you attempted to connect?

You should have a directory called /usr/share/HOWTO/ and in there, you should find over 450 documents. If you can't find them on your system, go to

formatting link
or the LDP site at
formatting link
 43309 Nov  5  2000 From-PowerUp-To-Bash-Prompt-HOWTO
 85507 Aug 20  2001 Firewall-HOWTO
708351 Nov 14  2005 IP-Masquerade-HOWTO
155096 Jan 23  2004 Security-HOWTO
287057 Jul 23  2002 Security-Quickstart-Redhat-HOWTO
 45604 Apr 18  2006 Networking-Overview-HOWTO
 71776 Nov 28 21:45 Unix-and-Internet-Fundamentals-HOWTO

The 'From-PowerUp-To-Bash-Prompt-HOWTO' explains how your system boots and tells where to look for specific files. The next four documents describe how firewalls are set up. The last two give some clues about how IP networking works.

formatting link
the website run by the author of the firewall code in the kernel, and it has seven more HOWTOs you really should be looking at:

[TXT] NAT-HOWTO.txt                   24-Dec-2006 16:06   25K
[TXT] netfilter-double-nat-HOWTO.txt  24-Dec-2006 16:06  9.4K
[TXT] netfilter-extensions-HOWTO.txt  24-Dec-2006 16:06   79K
[TXT] netfilter-hacking-HOWTO.txt     24-Dec-2006 16:06   84K
[TXT] netfilter-mirror-HOWTO.txt      24-Dec-2006 16:06  8.1K
[TXT] networking-concepts-HOWTO.txt   24-Dec-2006 16:06   28K
[TXT] packet-filtering-HOWTO.txt      24-Dec-2006 16:06   52K

Most of the scripts you will use are pretty simple, but if you are not comfortable with the command prompt and shell scripting, reading the Bash-Prog-Intro-HOWTO would be a good idea.

OK

Probably not the best idea ever - this would accept SSH connections from all 2.8 billion IP addresses in use around the world, including the 2.799 billion zombies and 'bots used by crackers. You should limit this access to those addresses or address ranges that you know YOU will be using to connect to this system. (The firewall at my house allows _inbound_ access from a /22 and two /24s "outside" or a total of 1530 addresses, because I can't see any reason to allow connections from you or anyone else that I haven't approved in advance, and I really don't expect authorized users to be connecting from Kazakhstan, Kenya, Kiribati, Korea, or Kuwait or a lot of other places either. Lest someone from those countries object, I also don't allow access from nearly all ISPs in North America.)

Likewise probably not the best idea ever - even assuming your ISP doesn't block these connections. You would need this rule only if this system is listed in your DNS as the MX or 'Mail eXchange' server for your registered domain.

Again - do you really need to offer POP-3 to the entire world?

Actually, that's DNS inbound - are you running a DNS server that is listed by an Internet registry service (meaning you are running your own real domain) and therefore need to provide DNS to the entire world?

Old guy

Reply to
Moe Trin
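An added example, not the poster's generated script and not Moe Trin's own firewall: the same policy rewritten with the two changes asked for above. SSH is accepted only from an admin network rather than from 0.0.0.0/0, and whatever is about to fall through to the DROP policy is logged first, rate-limited so a scan cannot fill /var/log/messages. The admin range 203.0.113.0/24 is a documentation address block standing in for your own, and only 80 and 443 are kept world-open; 21, 25, 110 and 53 are deliberately left out until the questions above about MX, POP-3 and DNS are answered. Setting IPT=echo prints the commands instead of applying them, which is a cheap way to review a script before running it as root.

```sh
#!/bin/sh
# Added example (not the thread's generated script): the same firewall with SSH
# limited to an admin network and a rate-limited LOG rule ahead of the DROP policy.
# Assumes CentOS 5-era iptables with the state, limit and LOG extensions.
# Dry-run: IPT=echo ./firewall.sh apply 203.0.113.0/24

IPT="${IPT:-/sbin/iptables}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # assumption: documentation range, replace with yours

apply_rules() {
    admin="$1"

    $IPT --flush
    $IPT --delete-chain
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    # Stateful accept comes first: this is what keeps the SSH session you are
    # typing in alive once the INPUT policy is DROP.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New TCP connections must start with SYN
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # SSH only from the admin range, never from the whole Internet
    $IPT -A INPUT -p tcp -s "$admin" --dport 22 -m state --state NEW -j ACCEPT

    # Services that genuinely have to be reachable from anywhere
    for port in 80 443; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Log what the DROP policy is about to discard, at most 5 lines a minute
    # (burst 10), so the next lock-out can be diagnosed from /var/log/messages
    $IPT -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "IPT-DROP: " --log-level 4
}

case "${1:-}" in
    apply) apply_rules "${2:-$ADMIN_NET}" ;;
    *)     echo "usage: [IPT=echo] $0 apply [ADMIN_CIDR]" ;;
esac
```

The LOG rule is last on purpose: anything that reached it has already missed every ACCEPT, so the log shows exactly what the DROP policy eats, with "IPT-DROP: " as the prefix to grep for. If more than one admin range is needed, repeat the port 22 line once per range rather than widening it back to 0.0.0.0/0.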

thanks to you both!

I'll read the how-tos and figure it out.

Reply to
webdevguy
