Web Server iptables Script

Here is an iptables script to set up a solid firewall on a CentOS web server. Before running it, replace the placeholder in the SSH rule with your own IP address (or a CIDR range), or you will lock yourself out of your own server: the script ends by setting the INPUT policy to DROP, so once your current session closes, nothing but HTTP and HTTPS will be reachable. Run it as root, ideally from a console or a session you can afford to lose. Note also that the script opens no ICMP, so the server will not answer ping; ICMP errors tied to existing connections still get through via the ESTABLISHED,RELATED rule.


```bash
# Back up the current rules so they can be restored if the new set misbehaves
iptables-save > /etc/sysconfig/iptables-previous

# Flush the filter table (user-defined chains and chain policies are left as they are)
iptables -F

# Drop "null" packets: TCP segments with no flags set, a port-scanner signature
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Drop new connections that do not begin with a SYN
# (this rejects malformed connection attempts; it is not a defence against SYN floods)
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Drop XMAS packets: TCP segments with every flag set, another scanner signature
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

# Allow all traffic on the loopback interface
iptables -A INPUT -i lo -j ACCEPT

# HTTP and HTTPS from anywhere
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

# SSH only from the admin address: replace the placeholder with your IP address or CIDR range
iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT

# Allow replies to connections the server opened, plus related traffic such as ICMP errors;
# inserted at the top of the chain so it is evaluated first
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections (the default OUTPUT policy, made explicit)
iptables -P OUTPUT ACCEPT

# Drop everything not matched above
iptables -P INPUT DROP

# Save the rules so the iptables service reloads them at boot
iptables-save > /etc/sysconfig/iptables
```
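As an added example, not part of the original post, here is the same policy expressed as an iptables-restore ruleset. A shell function builds the ruleset and refuses to emit one unless the SSH source address is a well-formed IPv4 address or CIDR, which is the check that would have caught an empty `-s` argument; a second helper applies a ruleset with a timed rollback so a mistake cannot lock you out. The function names `valid_ipv4_cidr`, `web_ruleset` and `apply_with_rollback` are my own, the `-m conntrack --ctstate` matches replace the older `-m state` module with the same semantics, and the INVALID-state and echo-request rules go beyond the post's script. The point of iptables-restore is that the whole table is loaded atomically: the DROP policy and the accept rules land together, whereas running `-A` commands one at a time with a broken SSH rule leaves the policy set and the SSH rule missing.

```bash
#!/bin/sh
# Added example: generate and safely apply an iptables-restore ruleset for
# the web-server policy. Helper names are hypothetical, not from the post.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_ipv4_cidr() {
    addr="$1"
    ip="${addr%%/*}"
    prefix="${addr#*/}"
    [ "$prefix" = "$addr" ] && prefix=32        # no slash: host address
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in .*|*.|*..*) return 1 ;; esac  # empty octets are not allowed
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print an iptables-restore ruleset: loopback, established/related, HTTP/S
# from anywhere, SSH only from $1, everything else dropped. Fails (exit 1)
# without printing anything if the SSH source address is malformed.
web_ruleset() {
    admin="$1"
    valid_ipv4_cidr "$admin" || {
        echo "refusing to build ruleset: bad SSH source address '$admin'" >&2
        return 1
    }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --tcp-flags ALL ALL -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -s $admin --dport 22 -j ACCEPT
COMMIT
EOF
}

# Apply ruleset file $1 with a rollback watchdog: unless the watchdog is
# killed within $2 seconds (default 60), the previous rules are restored.
# Needs root and a working iptables; not exercised by the self-test below.
apply_with_rollback() {
    ruleset="$1"; grace="${2:-60}"
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    ( sleep "$grace"; iptables-restore < "$backup" ) &
    watchdog=$!
    iptables-restore < "$ruleset" || { kill "$watchdog"; return 1; }
    echo "rules applied; run 'kill $watchdog' within ${grace}s to keep them"
}

# Typical use (as root):
#   web_ruleset 203.0.113.10/32 > /etc/sysconfig/iptables.new
#   apply_with_rollback /etc/sysconfig/iptables.new 90
#   # reconnect over SSH from 203.0.113.10, then kill the watchdog
```

Once the new rules are confirmed, copy the ruleset file over /etc/sysconfig/iptables (the same file the post saves with iptables-save) so the iptables service loads it at boot.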
