1 – TUM KURALLARI SILME :::

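# Start from a clean slate. A bare `iptables -F` only empties the built-in
# chains of the filter table: the NAT rules of sections 10 and 22 and the
# custom LOGGING chain of section 23 survive it, and a second run of
# `iptables -N LOGGING` then fails with "Chain already exists". A flush
# also leaves the default policies untouched, so re-running this with the
# policies already at DROP (section 2) removes the ACCEPT rules that keep a
# remote SSH session alive. Resetting the policies to ACCEPT first avoids
# that lock-out; the host is fail-open only until section 2 runs again, so
# apply the sections back to back. (`-F` and `--flush` are the same
# command; the original ran it twice.)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F            # filter: rules
iptables -X            # filter: user-defined chains (e.g. LOGGING)
iptables -Z            # filter: packet/byte counters
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X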

2 – VARSAYILAN KURALLAR :::

 

# Default-deny on every built-in filter chain: a packet that no later rule
# ACCEPTs is silently discarded (no RST or ICMP unreachable is sent).
# When working over a remote session, add the loopback and SSH rules
# (sections 4 and 13) before flipping the policies, otherwise the
# session's own packets are dropped the instant the policy changes.
for chain in INPUT FORWARD OUTPUT; do
    iptables --policy "$chain" DROP
done

 

3 – IP ADRESI FILTRELEME :::

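# Block a single address. `yasak_ip` must be set in the calling shell; an
# unset or empty variable expands to `-s ""` and iptables aborts with
# "Bad IP address", so fail early with a readable message instead. Use -I
# (insert at the top) rather than -A so the block wins even when ACCEPT
# rules for the same port were added to INPUT earlier. The tcp/eth0 rule
# is a strict subset of the address-wide rule and only matters if the
# broader one is removed later.
: "${yasak_ip:?set yasak_ip to the address to block (example: yasak_ip=203.0.113.5)}"
iptables -I INPUT -i eth0 -p tcp -s "$yasak_ip" -j DROP
iptables -I INPUT -s "$yasak_ip" -j DROP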

4 – IKI YONLU SSH'A IZIN VERME :::

INCOMING:

# Inbound SSH: clients reach local port 22 on eth0. The reply direction
# only needs ESTABLISHED because the server never initiates the flow.
iptables --append INPUT  --in-interface eth0  --protocol tcp --dport 22 --match state --state NEW,ESTABLISHED --jump ACCEPT
iptables --append OUTPUT --out-interface eth0 --protocol tcp --sport 22 --match state --state ESTABLISHED     --jump ACCEPT

OUTGOING:

# Outbound SSH: this host opens connections to port 22 anywhere; only the
# replies of those connections are let back in.
iptables --append OUTPUT --out-interface eth0 --protocol tcp --dport 22 --match state --state NEW,ESTABLISHED --jump ACCEPT
iptables --append INPUT  --in-interface eth0  --protocol tcp --sport 22 --match state --state ESTABLISHED     --jump ACCEPT

 

5 – OZEL NETWORKDEN GELEN SSH A IZIN VERME :::

# SSH only from the 192.168.100.0/24 management network; any other source
# does not match and falls through to the default DROP policy.
iptables --append INPUT  --in-interface eth0  --protocol tcp --source 192.168.100.0/24 --dport 22 --match state --state NEW,ESTABLISHED --jump ACCEPT
iptables --append OUTPUT --out-interface eth0 --protocol tcp --sport 22 --match state --state ESTABLISHED --jump ACCEPT

6 – GELEN VE GIDEN HTTP-HTTPS 80,443 TRAFIGINE IZIN VERME :::

# Serve HTTP and HTTPS: one inbound/outbound pair per port, in the same
# order the original listed them (80 in, 80 out, 443 in, 443 out).
for port in 80 443; do
    iptables -A INPUT  -i eth0 -p tcp --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport "$port" -m state --state ESTABLISHED -j ACCEPT
done

7 – BIRDEN FAZLA FARKLI PORTLARIN GELEN GIDEN TRAFIK KURALLARI :::

# Same as opening 22, 80 and 443 one by one, but with a single rule per
# direction via the multiport match (up to 15 ports per rule).
iptables --append INPUT  --in-interface eth0  --protocol tcp --match multiport --destination-ports 22,80,443 --match state --state NEW,ESTABLISHED --jump ACCEPT
iptables --append OUTPUT --out-interface eth0 --protocol tcp --match multiport --source-ports      22,80,443 --match state --state ESTABLISHED     --jump ACCEPT

8 – OZEL NETWORKE ÇIKAN SSH A IZIN VERME :::

# Outbound SSH restricted to hosts in 192.168.100.0/24. The reply rule is
# not narrowed by address; the ESTABLISHED state already ties it to a
# connection this host opened.
iptables --append OUTPUT --out-interface eth0 --protocol tcp --destination 192.168.100.0/24 --dport 22 --match state --state NEW,ESTABLISHED --jump ACCEPT
iptables --append INPUT  --in-interface eth0  --protocol tcp --sport 22 --match state --state ESTABLISHED --jump ACCEPT

9 – SUNUCUDAN ÇIKAN HTTPS KURALI :::

# Let this host act as an HTTPS client (package mirrors, APIs, webhooks);
# only replies to connections it opened are accepted back.
iptables --append OUTPUT --out-interface eth0 --protocol tcp --dport 443 --match state --state NEW,ESTABLISHED --jump ACCEPT
iptables --append INPUT  --in-interface eth0  --protocol tcp --sport 443 --match state --state ESTABLISHED     --jump ACCEPT

10 – GELEN LOADBALANCER WEB TRAFIK KURALLARI :::

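# Round-robin DNAT of new HTTPS connections across three back-ends.
# PREROUTING exists only in the nat (and raw/mangle) tables, so the
# original lines, which omitted `-t nat`, fail with "No chain/target/match
# by that name". The `nth` match used originally comes from
# xtables-addons / patch-o-matic and is not part of mainline iptables; the
# equivalent mainline form is `-m statistic --mode nth --every 3 --packet N`.
# Distribution is per new connection, not per packet, thanks to
# `--state NEW`. Packets that were DNATed to another host go through
# FORWARD, whose policy is DROP (section 2); the FORWARD rules below admit
# the request to each back-end and the replies back out of eth0.
n=0
for backend in 192.168.1.101 192.168.1.102 192.168.1.103; do
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW \
        -m statistic --mode nth --every 3 --packet "$n" -j DNAT --to-destination "$backend:443"
    iptables -A FORWARD -i eth0 -p tcp -d "$backend" --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
    n=$((n + 1))
done
iptables -A FORWARD -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT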

11 – DIŞARIDAN İÇERİYE PING TRAFİĞİ :::

# Answer pings from outside: echo requests in, echo replies out. Not tied
# to an interface, so it also covers eth1 and lo. Consider adding
# `-m limit` on the request rule if ping floods are a concern.
iptables --append INPUT  --protocol icmp --icmp-type echo-request --jump ACCEPT
iptables --append OUTPUT --protocol icmp --icmp-type echo-reply   --jump ACCEPT

12 – İÇERİDEN DIŞARIYA PING TRAFIGI :::

# Let this host ping others: echo requests out, echo replies in. Other
# ICMP types (e.g. destination-unreachable, fragmentation-needed) remain
# blocked by the default policy.
iptables --append OUTPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
iptables --append INPUT  --protocol icmp --icmp-type echo-reply   --jump ACCEPT

13 – LOOPBACK ADRESINE IZIN VERME :::

# Unrestricted loopback. Many local services (resolvers, databases, mail
# queues) talk over 127.0.0.1 and break without this, so it should be one
# of the first rules in each chain.
iptables --append INPUT  --in-interface  lo --jump ACCEPT
iptables --append OUTPUT --out-interface lo --jump ACCEPT

14 – INTERNAL NETWORKDEN EXTERNAL NETWORKE IZIN VERME :::

iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

15 – GİDEN DNS E IZIN VERME :::

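# Outbound DNS. The original INPUT rule accepted *any* UDP packet whose
# source port is 53, i.e. unsolicited traffic gets in simply by being sent
# from port 53; restricting it to ESTABLISHED ties the reply to a query
# this host actually sent (conntrack tracks UDP flows too). TCP 53 is
# added because resolvers fall back to TCP for truncated answers and
# large records; without it those lookups time out.
iptables -A OUTPUT -o eth0 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i eth0 -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT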

16 – BELLI BIR AGDAN RSYNC E IZIN VERME :::

# rsync daemon (port 873) reachable only from 192.168.101.0/24. rsync over
# the daemon protocol is unencrypted and unauthenticated beyond its own
# module config, hence the network restriction.
iptables --append INPUT  --in-interface eth0  --protocol tcp --source 192.168.101.0/24 --dport 873 --match state --state NEW,ESTABLISHED --jump ACCEPT
iptables --append OUTPUT --out-interface eth0 --protocol tcp --sport 873 --match state --state ESTABLISHED --jump ACCEPT

17 – BELLI BIR AGDAN MYSQL BAGLANTIYA IZIN VERME :::

# MySQL (3306) reachable only from the 192.168.100.0/24 application
# network; everything else hits the default DROP.
iptables --append INPUT  --in-interface eth0  --protocol tcp --source 192.168.100.0/24 --dport 3306 --match state --state NEW,ESTABLISHED --jump ACCEPT
iptables --append OUTPUT --out-interface eth0 --protocol tcp --sport 3306 --match state --state ESTABLISHED --jump ACCEPT

18 – MAIL GONDERME VE POSTFIX TRAFIGINE IZIN VERME :::

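# SMTP. The original pair only admits *inbound* mail (remote MTAs and
# clients connecting to local port 25); the heading also promises sending,
# which requires this host to open port 25 on remote MTAs, so the outbound
# pair is added. Submission (587) and SMTPS (465) are not covered here.
iptables -A INPUT  -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -i eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT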

19 – IMAP VE IMAPS E IZIN VERME :::

# IMAP (143, plaintext/STARTTLS) and IMAPS (993). One inbound/outbound
# pair per port, same order as listed originally.
for port in 143 993; do
    iptables -A INPUT  -i eth0 -p tcp --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport "$port" -m state --state ESTABLISHED -j ACCEPT
done

20 – POP3 VE POP3S E IZIN VERME :::

# POP3 (110, plaintext/STARTTLS) and POP3S (995). One inbound/outbound
# pair per port, same order as listed originally.
for port in 110 995; do
    iptables -A INPUT  -i eth0 -p tcp --dport "$port" -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -o eth0 -p tcp --sport "$port" -m state --state ESTABLISHED -j ACCEPT
done

21 – DoS ATAKLARINI ENGELLEME :::

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

22 – PORT FORWARDING :::

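# Expose SSH on port 422 by rewriting the destination port in nat/PREROUTING.
# The filter INPUT chain sees the packet *after* DNAT, i.e. with dport 22,
# so the original `--dport 422` INPUT rule never matched and access was in
# fact decided by the generic port-22 rule of section 4; the OUTPUT
# `--sport 422` rule was dead for the same reason (replies are un-NATed
# after filtering). Matching on the connection's original destination port
# keeps these rules tied to the forwarded port only.
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to-destination 192.168.102.37:22
iptables -A INPUT  -i eth0 -p tcp --dport 22 -m conntrack --ctorigdstport 422 --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m conntrack --ctorigdstport 422 --ctstate ESTABLISHED -j ACCEPT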

23 – DROPLANAN PAKETLERI LOGLAMA :::

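# Log, then drop, whatever reaches the end of INPUT. `-N` fails when the
# chain already exists (e.g. on a second run without section 1's -X), so
# create-or-empty it instead. The jump into LOGGING must stay the LAST rule
# of INPUT: anything appended after it is unreachable. The limit on the
# LOG target keeps a flood from filling the log. Level 7 is "debug", which
# many syslog configurations do not store; use 4 (warning) if no entries
# show up.
iptables -N LOGGING 2>/dev/null || iptables -F LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP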

————————————————————
:::DİĞER YARARLI KURALLAR:::

Kayıt:

iptables-save

Yedekleme için Paket Kurulumu:

apt-get install iptables-persistent

Yedekleme:

iptables-save > /home/ovural/iptables_manuel.rule

Restore:

iptables-restore < /home/ovural/iptables_manuel.rule

Kural Numaralarını Görme:

iptables -L --line-numbers

Kural No’dan Kural Silme:

iptables -D OUTPUT 1

Bir Bloktan Gelen Tüm Portları Kapama:

iptables -I OUTPUT -p tcp -d 10.10.10.0/24 --dport 0:65535 -j REJECT

Sıralamaya Koyarak IP ye SSH İzni Verme ve Diğerleri:

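# Replace rule 7 of INPUT with an SSH allowance for one host, then stack
# per-network web allowances above a catch-all reject. As originally
# written every `-I` went to position 1, so the LAST line - the reject of
# all TCP from anywhere - ended up on top and shadowed the ACCEPTs inserted
# before it, as well as every rule appended later (section 4's SSH rule,
# the ESTABLISHED reply rules, ...). Inserting the reject first and the
# ACCEPTs after it yields the intended order: allows, then reject. An
# ESTABLISHED,RELATED rule sits above the reject so replies to this
# host's own outbound connections are not rejected. `-R INPUT 7` still
# depends on what rule 7 currently is; check with
# `iptables -L --line-numbers` first. `-s 0.0.0.0/0` is the default and
# is omitted.
iptables -R INPUT 7 -p tcp -s 10.10.20.180 --dport 22 -j ACCEPT
iptables -I INPUT -p tcp --dport 0:65535 -j REJECT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -s 10.10.10.250 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -s 10.10.10.0/24 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -s 10.10.10.0/24 -p tcp --dport 80 -j ACCEPT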
