IPTABLES in CentOS/RHEL:


The following are used to allow and restrict access on a CentOS/RHEL host:

  1. IPTABLES (packet filter in the kernel)
  2. TCP Wrappers (per-service access control for daemons linked against libwrap)
    a) Allow (/etc/hosts.allow)
    b) Deny (/etc/hosts.deny)
  3. SELINUX


IPTABLES:


Switches used in IPTABLES:

-A

Append a rule to the end of a chain (INPUT, OUTPUT or FORWARD). Rules are checked from top to bottom and the first match wins, so an appended rule only sees traffic that nothing above it matched.

-I

Insert a rule into a chain. Without a rule number it goes to the top (position 1); '-I INPUT 3' puts it at position 3.

-D

Delete a rule from a chain, either by repeating its exact match and target, or by its number as shown by 'iptables -L --line-numbers'.

-F

Flush: delete every rule from a chain, or from all chains if no chain is named. The chain policy is left unchanged.

-s

Source Address (traffic coming from this IP or network, e.g. 10.0.0.100 or 10.0.0.0/24). Substitute the IP address of the client computer.

-d

Destination Address (traffic going to this IP). Substitute the IP of this server.

-p

Protocol: tcp, udp or icmp. Port matches such as --dport are only valid together with -p tcp or -p udp.

--dport

Destination port number, or a range written low:high (for example 20:21).

-j

Jump. If everything in this rule matches, then 'jump' to the target: ACCEPT, DROP, REJECT or a user-defined chain. ACCEPT, DROP and REJECT are terminating, so no further rules in the chain are consulted for that packet.


Action:

ACCEPT

 Traffic is accepted for delivery.

REJECT

 Traffic is refused and an error is sent back to the sending host (by default an ICMP port-unreachable; '--reject-with tcp-reset' sends a TCP RST instead), so the sender learns immediately that it was blocked.

DROP

 The traffic is silently discarded. Nothing is sent back to the sending host, which has to wait for a timeout.


Note:
Be careful about the order of the rules in a chain. Packets are checked against the rules from top to bottom and the first matching rule decides, so if your first rule is to deny everything, then no matter what you specifically allow below it, it will be denied. -A always appends at the bottom; use -I to place a rule above existing ones.

 

Example:


1. To allow a PC (10.0.0.100) to access a Telnet server (10.0.0.111), run the following command on the server:

[root@wtuto ~]# iptables -A INPUT -s 10.0.0.100 -d 10.0.0.111 -p tcp --dport 23 -j ACCEPT

Note: The port number of telnet is 23. Telnet carries passwords in clear text, so prefer SSH (port 22) wherever you can.


Now that we have our basics set in place, let's see what iptables lists for our rule sets. The sample listing below comes from a server that already has an SSH rule and the state rules described later on this page. Without -n, iptables resolves addresses and ports to names (hence 'dpt:ssh'); for an unambiguous view with rule numbers and hit counters use 'iptables -L -n -v --line-numbers':


[root@wtuto ~]# iptables --list


Chain INPUT (policy ACCEPT)

target prot opt source destination


ACCEPT tcp -- 192.168.1.10 10.1.15.1 tcp dpt:ssh

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED


Chain FORWARD (policy ACCEPT)

target prot opt source destination

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED


Chain OUTPUT (policy ACCEPT)

target prot opt source destination

ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED


From here you can add whatever rules you like. If you're running a basic web server, you'll probably need something similar to the following. Because the first matching rule wins, the order is: specific blocks first, then the services you allow, and the catch-all reject last.


INDIVIDUAL REJECTS FIRST:


BAD GUYS (Block Source IP Address):

[root@wtuto ~]# iptables -A INPUT -s 172.34.5.8 -j DROP

NO SPAMMERS (notice the use of an FQDN):

[root@wtuto ~]# iptables -A INPUT -s mail.spamsite.com -d 10.1.15.1 -p tcp --dport 25 -j REJECT

Note: iptables resolves the name once, when the rule is added, and stores only the resulting IP address(es) (one rule per address if the name resolves to several). The rule does not follow later DNS changes, and 'iptables-save' writes the address, not the name. Prefer plain IP addresses in rules; resolving at rule-load time also makes the rule depend on DNS being available and trustworthy at that moment.



THEN OPEN IT UP:

MYSQL (Allow Remote Access To Particular IP):

[root@wtuto ~]# iptables -A INPUT -s 172.50.3.45 -d 10.1.15.1 -p tcp --dport 3306 -j ACCEPT

SSH:

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 22 -j ACCEPT

Sendmail/Postfix:

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 25 -j ACCEPT


FTP: (Notice how you can specify a range of ports, 20:21)

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 20:21 -j ACCEPT

Passive FTP data ports, if your FTP server is configured to use them (again, ports 50000 through 50050 in one rule):

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 50000:50050 -j ACCEPT

HTTP/Apache

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 80 -j ACCEPT

SSL/Apache

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 443 -j ACCEPT

IMAP

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 143 -j ACCEPT

IMAPS

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 993 -j ACCEPT

POP3

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 110 -j ACCEPT

POP3S

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -p tcp --dport 995 -j ACCEPT

Any Traffic From Localhost:

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -s 127.0.0.1 -j ACCEPT

Note: Matching on the source address 127.0.0.1 misses local traffic that the server sends to its own address 10.1.15.1 (the source of those packets is 10.1.15.1, not 127.0.0.1). The usual rule matches the loopback interface instead: 'iptables -A INPUT -i lo -j ACCEPT'.

ICMP/Ping:

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -p icmp -j ACCEPT



GLOBAL REJECTS LAST:

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Reject everything else to that IP:

[root@wtuto ~]# iptables -A INPUT -d 10.1.15.1 -j REJECT

Or, reject everything else coming through to any IP:

[root@wtuto ~]# iptables -A INPUT -j REJECT
[root@wtuto ~]# iptables -A FORWARD -j REJECT

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

Notice that we do the global REJECT lines last! These must be last: anything appended after them can never match. Before adding them, check with 'iptables -L -n --line-numbers' that the RELATED,ESTABLISHED rule and an SSH rule covering the address you administer from are already in the chain, otherwise you lock yourself out of the server.
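As an added example (not a script from the original page), here is a small shell script that loads the INPUT chain in exactly the order just described: loopback and the RELATED,ESTABLISHED rule first, then the individual rejects, then the services, and the global REJECT last. The addresses, the admin network and the nf_conntrack_ftp module name are assumptions for the example; DRY_RUN=1 prints the commands instead of running them, so you can review the order before applying it as root.

```shell
#!/bin/sh
# Added example, not the original page's script: load the INPUT chain in the
# order the page recommends (stateful accept, individual rejects, service
# accepts, global reject last) so that re-running it always yields the same chain.
# SERVER_IP, ADMIN_NET, MYSQL_CLIENT and BAD_HOST are placeholder addresses;
# replace them with your own. DRY_RUN=1 prints the commands instead of running them.

SERVER_IP="${SERVER_IP:-10.1.15.1}"
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}"    # where you run SSH from; must be allowed above the global REJECT
MYSQL_CLIENT="${MYSQL_CLIENT:-172.50.3.45}"
BAD_HOST="${BAD_HOST:-172.34.5.8}"

run() {   # every privileged command goes through here so DRY_RUN=1 can print it instead
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
ipt() { run iptables "$@"; }

load_helpers() {
    # Connection-tracking helper for FTP: the data connection then matches RELATED
    # instead of needing an open port range (module name assumed for CentOS 6).
    run modprobe nf_conntrack_ftp
}

build_input_chain() {
    ipt -F INPUT                  # start from a known state; flushing makes the script idempotent
    # 1. Loopback and packets of connections we already accepted (the replies).
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # 2. Individual rejects first, so a blocked host never reaches the service rules below.
    ipt -A INPUT -s "$BAD_HOST" -j DROP
    # 3. Then open it up: only NEW connections need rules, the state rule handles the rest.
    ipt -A INPUT -s "$ADMIN_NET"    -d "$SERVER_IP" -p tcp --dport 22   -m state --state NEW -j ACCEPT
    ipt -A INPUT -s "$MYSQL_CLIENT" -d "$SERVER_IP" -p tcp --dport 3306 -m state --state NEW -j ACCEPT
    ipt -A INPUT -d "$SERVER_IP" -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    ipt -A INPUT -d "$SERVER_IP" -p tcp --dport 21 -m state --state NEW -j ACCEPT   # FTP control only
    ipt -A INPUT -d "$SERVER_IP" -p icmp --icmp-type echo-request -j ACCEPT
    # 4. Global reject last: everything not matched above is refused.
    ipt -A INPUT -j REJECT
}

apply_firewall() {
    load_helpers
    build_input_chain
    run /etc/init.d/iptables save   # persist to /etc/sysconfig/iptables (CentOS/RHEL 5 and 6 init script)
}

# Run as: sh firewall.sh preview   (prints the commands in order)
#         sh firewall.sh apply     (loads the chain and saves it, as root)
case "${1:-}" in
    preview) DRY_RUN=1; apply_firewall ;;
    apply)   apply_firewall ;;
esac
```

Because the chain is flushed and rebuilt in one go, running the script twice gives the same chain, unlike typing -A commands by hand, where each run appends another copy. The state rules use '-m state', which is what CentOS 5 and 6 document; newer iptables versions prefer the equivalent '-m conntrack --ctstate'.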


If you modify (append, delete, insert etc.) rules by running iptables commands at the prompt, the change is active immediately but lives only in the kernel; you must save the iptables rules or they are lost at the next restart or reboot.

To save your active rules execute the following:

[root@wtuto ~]# /etc/init.d/iptables save

The above command will save your rules to '/etc/sysconfig/iptables'.


When you start iptables, the rules are read from '/etc/sysconfig/iptables':

[root@wtuto ~]# /etc/init.d/iptables start

Starting iptables [OK]

And when you stop iptables, all active rules (that are not saved) are flushed:

[root@wtuto ~]# /etc/init.d/iptables stop

Stopping iptables [OK]

Note: The two directions are easy to mix up. Commands run at the prompt are lost when the service is stopped or restarted unless you ran 'save' first. Edits made directly to '/etc/sysconfig/iptables' do nothing until the service is restarted (or 'iptables-restore' is run), and a 'save' issued before that restart overwrites your edits with the old in-kernel rules.

Example 1: Allow port 25 from every computer on the network, then make the change permanent:

iptables -A INPUT -p tcp --dport 25 -j ACCEPT
/etc/init.d/iptables save
/etc/init.d/iptables restart

The rule is active as soon as the first command runs; the restart only proves that the saved file loads cleanly. If a global REJECT already sits at the end of INPUT, use -I (or -I INPUT with a rule number) instead of -A, otherwise the new rule lands below the reject and never matches.


Manual Save and Restore:

You can also manually use the iptables-save and iptables-restore utilities like so:


Save the rules to a file:

[root@wtuto ~]# iptables-save > /root/iptables-save.out

Restore the rules:

[root@wtuto ~]# iptables-restore < /root/iptables-save.out

iptables-restore reads the ruleset from standard input and, by default, flushes the existing rules before loading it; add -n (--noflush) to keep them. The -c (--counters) option does not mark the file as coming from iptables-save: it restores the packet and byte counters, which are only present in the file if it was written with 'iptables-save -c'.
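The save file is also the easiest place to audit a ruleset. The following script, added here and not part of the original page, has two checks: 'shadowed_rules' lists rules that sit below an unconditional REJECT or DROP in the same chain (the mistake the "global rejects last" note warns about; such rules can never match), and 'unsaved_changes' compares a live 'iptables-save -c' dump with '/etc/sysconfig/iptables' while ignoring the timestamp comments and the [packets:bytes] counters, so it only reports real unsaved changes. The two sample rulesets embedded in it are constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not the original page's code: two checks for a saved ruleset.
#   shadowed_rules FILE         prints rules placed after an unconditional REJECT/DROP
#                               in the same chain; they can never match.
#   unsaved_changes LIVE SAVED  diffs an `iptables-save -c` dump against the saved
#                               file, ignoring timestamps and counters; returns 1 if they differ.
# sample_saved and sample_live are constructed inputs, not output from a real host.

sample_saved() {   # what /etc/sysconfig/iptables might hold after `/etc/init.d/iptables save`
cat <<'EOF'
# Generated by iptables-save v1.4.7 on Mon Jan  2 10:00:00 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -d 10.1.15.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -d 10.1.15.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Mon Jan  2 10:00:00 2012
EOF
}

sample_live() {    # `iptables-save -c` after a DROP was added at the prompt but never saved
cat <<'EOF'
# Generated by iptables-save v1.4.7 on Mon Jan  2 11:30:00 2012
*filter
:INPUT ACCEPT [812:61904]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [640:58120]
[812:61904] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[3:180] -A INPUT -s 172.34.5.8/32 -j DROP
[14:840] -A INPUT -d 10.1.15.1/32 -p tcp -m tcp --dport 22 -j ACCEPT
[27:1620] -A INPUT -j REJECT --reject-with icmp-port-unreachable
[0:0] -A INPUT -d 10.1.15.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Mon Jan  2 11:30:00 2012
EOF
}

normalize() {   # drop comment lines (timestamps) and [packets:bytes] counters so only rules remain
    sed -e '/^#/d' -e 's/ *\[[0-9]*:[0-9]*] *//' "$1"
}

shadowed_rules() {
    normalize "$1" | awk '
        /^\*/ { table = $0 }                       # table header, e.g. *filter
        $1 == "-A" {
            key = table "/" $2                     # chains are per table
            if (hit[key]) print                    # below a catch-all: unreachable
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) hit[key] = 1
        }'
}

unsaved_changes() {
    t1=$(mktemp) && t2=$(mktemp) || return 2
    normalize "$2" > "$t1"        # saved file: "-" lines in the diff exist only here
    normalize "$1" > "$t2"        # live dump:  "+" lines exist only in the kernel
    rc=0
    diff -u "$t1" "$t2" || rc=$?
    rm -f "$t1" "$t2"
    return "$rc"
}

demo() {   # run both checks against the constructed samples
    d=$(mktemp -d); sample_saved > "$d/saved"; sample_live > "$d/live"
    echo "unreachable rules in the saved file:"; shadowed_rules "$d/saved"
    echo "live vs saved:"
    unsaved_changes "$d/live" "$d/saved" || echo "live rules differ from the saved file: run '/etc/init.d/iptables save'"
    rm -rf "$d"
}

# On a real server (as root):
#   shadowed_rules /etc/sysconfig/iptables
#   iptables-save -c > /tmp/live.rules && unsaved_changes /tmp/live.rules /etc/sysconfig/iptables
if [ "${1:-}" = demo ]; then demo; fi
```

The counters are stripped before comparing because 'iptables-save -c' writes them on every rule and on the chain policy lines, so a raw diff against the saved file would always show differences even when the rules are identical.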


State of packets:

The connection tracking module assigns every packet a state, which '-m state --state ...' matches on:

  1. NEW: the packet starts a connection the kernel has not seen before, for example the SYN (Synchronize) packet with which Server 1 opens a TCP connection to Server 2.
  2. ESTABLISHED: the packet belongs to a connection that already has traffic in both directions. The SYN-ACK (Synchronize Acknowledgment) with which Server 2 answers is already ESTABLISHED from the tracker's point of view, as are the final ACK (Acknowledgment) from Server 1 and every packet of that connection afterwards, in either direction.
  3. RELATED: the packet opens a new connection that belongs to an existing one, such as the FTP data connection that follows an FTP control session (with the FTP helper module loaded), or an ICMP error message about an existing connection.

The states are decided by the connection tracker, not by TCP flags alone: a SYN-ACK is not RELATED, and UDP and ICMP, which have no handshake, get the same states (the first packet is NEW, the reply is ESTABLISHED).

In order for this type of TCP communication to work with a restrictive INPUT chain, something similar to these three rules is necessary:

[root@wtuto ~]# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@wtuto ~]# iptables -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
[root@wtuto ~]# iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

The last rule obviously allows any traffic to leave the server. The first one is what lets the replies to outgoing connections (DNS answers, yum downloads) back in without a separate rule for each, and it must sit above any global REJECT in INPUT.
