Example IPTables rules for a webserver

Just a quick and basic example IPTables ruleset to secure a web/mail server:

# Default policies: drop unsolicited inbound traffic, allow all outgoing traffic, and never forward (no passthroughs)

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Allow traffic already established to continue

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow inbound service ports on eth0 (ssh, DNS over TCP, FTP, HTTP/HTTPS, SMTP/SMTPS, POP3/IMAP and their TLS ports)

iptables -A INPUT -p tcp --dport ssh -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport domain -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ftp -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ftp -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport ftp-data -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport ftp-data -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 25 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 465 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 143 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 585 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 993 -i eth0 -j ACCEPT
iptables -A INPUT -p tcp --dport 995 -i eth0 -j ACCEPT

# Allow local loopback services

iptables -A INPUT -i lo -j ACCEPT

# Allow ICMP control/error messages (-I inserts these at the head of the chain).
# Note: only these three types are accepted; echo-request is not, so inbound ping still hits the DROP policy.

iptables -I INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -I INPUT -p icmp --icmp-type source-quench -j ACCEPT
iptables -I INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
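The same ruleset rendered as an iptables-restore file, so it loads atomically instead of one command at a time. This is an added example, not part of the original post; it assumes interface eth0, the post's TCP service list, that the host really serves DNS (so UDP 53 is opened too, which the post does not do), and uses the conntrack match in place of `-m state`.

```shell
#!/bin/sh
# Added example: generate an iptables-restore ruleset for the post's web/mail server.
# Assumptions: interface eth0 (override with IFACE=...), the post's TCP ports,
# and UDP 53 because the post opens TCP 53 (i.e. the host answers DNS queries).
IFACE="${IFACE:-eth0}"
TCP_PORTS="22 53 21 20 80 443 25 465 110 143 585 993 995"
UDP_PORTS="53"

gen_rules() {
    # Policies first; loopback and conntrack rules before any service rule.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
EOF
    # source-quench from the post is omitted: it is deprecated (RFC 6633).
    for p in $TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $IFACE -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $UDP_PORTS; do
        printf '%s\n' "-A INPUT -i $IFACE -p udp --dport $p -j ACCEPT"
    done
    # Rate-limited log of whatever falls through to the DROP policy.
    cat <<EOF
-A INPUT -m limit --limit 1/s -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# Number of INPUT rules the file would load; handy as a sanity check.
count_input_rules() { gen_rules | grep -c '^-A INPUT'; }

# As root with iptables-restore available, syntax-check without applying;
# otherwise just print the file so it can be reviewed.
if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    gen_rules | iptables-restore --test && echo "ruleset parses"
else
    gen_rules
fi
```

Apply it for real with `gen_rules | iptables-restore` once the test pass succeeds; the whole table is replaced in one step, so there is no window where only half the rules are loaded.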


2 Responses to “Example IPTables rules for a webserver”

  1. fern17 says:

    Hey, thanks for the data.
    I’m trying to write a few rules for a mail server on iptables. I’ve read a lot of examples. In yours, you don’t write any rules for OUTPUT. Why?

    In my case, this is what I have:
    IP_SERVER_MAIL=192.168.1.2 #just a descriptive
    #flushing
    iptables -F
    iptables -X
    #defaults
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP

    #localhost
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    #previous connections
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

    #mail server
    iptables -A INPUT -p tcp --dport 25 -d $IP_SERVER_MAIL -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp -s $IP_SERVER_MAIL --sport 25 -m state --state ESTABLISHED -j ACCEPT

    #COMMIT (only valid inside an iptables-restore file, not as a shell command)
    thank you!

  2. Tom Vernon says:

    Hi there – sorry for the late reply! On your average server I don’t bother with outbound rules, I just allow all outgoing traffic. From a security point of view – if it doesn’t affect functionality then it is best to lock down outbound traffic as much as possible as well. I guess for a mail server you would just need outbound SMTP/DNS/maybe HTTP for updating blocklists?
