Sorry, bit late reply. Unless you have a need for those: router-solicitation, router-advertisement, echo-request, TOS-host-redirect, TOS-network-redirect, host-redirect, network-redirect, redirect, source-quench or by type(/code): 4, 5, 5/0, 5/1, 5/2, 5/3, 8, 9, 10. Also see 'sysctl -a|grep icmp'.


Personally I'd first set up proper access restrictions and anti-spam protection and then expose the service but it's your call.


Instead run a 'dig +trace' on your domain name and you know what the authoritative Name Server is. BTW it's good to check your domain name contract. (In my best Jedi voice: you really do want a backup MX and Name server.) Package deals may often not sound like a really good deal but in the case of domain names it is because they have the infrastructure and money to configure a backup Name Server in another network.


I would put it above the TCP rule and make the TCP/53 a separate rule below the current TCP rule. Watch how many requests you get on average then put a cap on it ("-m limit"). Also tune your name servers configuration (auth for changing things, lame resolvers, what to log) and watch those logs (Logwatch?) for common errors to correct or anomalies to inspect.


One of the basics of computing is that you can measure about any aspect: memory, CPU usage, network throughput, etc, etc. Logging SAR data leads to bottleneck / resource utilization reports which leads (or should lead) to you prioritizing changes and making informed decisions based on facts. Since it all boils down to spending more money it's only logical to be able to justify expenses based on cold, hard facts and not on what others think you need.

Hi all

this is my first post , going through this topic , i find it really amusing & helps alot in troubleshooting issues

I have pasted below rules which i use in my client's system , hope this may help.

#!/bin/bash

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Block a specific ip-address
#BLOCK_THIS_IP="x.x.x.x"
#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

# 4. Allow ALL incoming SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 5. Allow incoming SSH only from a sepcific network
#iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 6. Allow incoming HTTP
#iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# Allow incoming HTTPS
#iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 7. MultiPorts (Allow incoming SSH, HTTP, and HTTPS)
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT

# 8. Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 9. Allow outgoing SSH only to a specific network
#iptables -A OUTPUT -o eth0 -p tcp -d 192.168.101.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

# 10. Allow outgoing HTTPS
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# 11. Load balance incoming HTTPS traffic
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
#iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

# 12. Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 13. Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# 14. Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# 15. Allow packets from internal network to reach external network.
# if eth1 is connected to external network (internet)
# if eth0 is connected to internal network (192.168.1.x)
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# 16. Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

# 17. Allow NIS Connections
# rpcinfo -p | grep ypbind ; This port is 853 and 850
#iptables -A INPUT -p tcp --dport 111 -j ACCEPT
#iptables -A INPUT -p udp --dport 111 -j ACCEPT
#iptables -A INPUT -p tcp --dport 853 -j ACCEPT
#iptables -A INPUT -p udp --dport 853 -j ACCEPT
#iptables -A INPUT -p tcp --dport 850 -j ACCEPT
#iptables -A INPUT -p udp --dport 850 -j ACCEPT

# 18. Allow rsync from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT

# 19. Allow MySQL connection only from a specific network
iptables -A INPUT -i eth0 -p tcp -s 192.168.200.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT

# 20. Allow Sendmail or Postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# 21. Allow IMAP and IMAPS
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

# 22. Allow POP3 and POP3S
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

# 23. Prevent DoS attack
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

# 24. Port forwarding 422 to 22
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

# 25. Log dropped packets
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP

## Load Balance incoming https traffic## (Can be applied to http traffic also)

iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

##Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them.
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
##Packets with incoming fragments drop them. This attack result into Linux server panic such data loss.
iptables -A INPUT -f -j DROP
##Incoming malformed XMAS packets drop them:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
##Incoming malformed NULL packets:
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

1 members found this post helpful.

Hi Fengg,
Nice one!!
it would be a quick reference :-)
I really appreciate the effort.

Is it now? I see an inefficient rule order and rule duplication...

Hi UnSpawn,

I consider that post is a reference for Newbies and wanted to encourage and appreciate the efforts, which has taken by fengg as a newbie (That is his first post). The post might not be good or might have duplicate entries...So in future we can expect good threads from him.....

That's a good thing, yes...


Sure you can have an opinion but can you make assess if it is usable as "a reference for Newbies" without modification?

This is what solely the filter table could look like with all the commented and duplicate rules removed, some errors corrected and re-ordered:
*the "LOGGING" chain shouldn't really log anything because of the default INPUT chain DROP policy and explicit port rules.

1 members found this post helpful.

Ah... Well in light of that response, perhaps what I should have asked is what icmp types should I allow? If I am following correctly, I should allow types 0,3,and 11. Do I need 8/0?

Also, what is the difference between icmp type "8" and "8/0"? I did a lot of reading and did not find much info on that. What does the forward slash mean?

Also, can I string together several types on one line, or do they all need to be on separate lines? e.g:
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -p icmp --icmp-type 11 -j ACCEPT



So far, what I have is:

That is exactly what CYMRU suggests as the minimum set see "Allowed Types and Codes": http://www.cymru.com/Documents/icmp-messages.html


If you want 8/0 then you also want 0/0. While 'man 7 icmp' contains valuable info it doesn't say things like https://tools.ietf.org/html/rfc792 does and maybe http://en.wikipedia.org/wiki/Interne...ssage_Protocol may be easier to read. ICMP messages are classified as types and types must have a code attached. Ergo "/0" code can mean two meanings: 0.) a specific message like 3/0 "Net Unreachable" or in absence of any type-related codes, like "8" doesn't have any, it just means "No Code".


You can test that yourself ;-p

So deciphering what you said above, I take it that the number to the left of the forward slash is the type, and the number to the right of the forward slash is the code. And that "8" and "8/0" mean the same thing, as type "8" has no codes except "0"?


Well, I did try searching for several hours before asking, and did not see any example on the entire Internet (that I could find) that had them on one line. Before I asked you, I did try:
-A INPUT -p icmp -m icmp --icmp-type 0,3,11 -j ACCEPT
but that didn't seem to work, so I'm assuming that it can't be done?

Type and code, yes. And "--icmp-type 8" is OK as it doesn't have any codes, yes. *BTW it seems RFC 6633 deprecated Source Quench (type 4) last year.


You found empirically it can't be done. +1. *BTW if you try something it's always appreciated if you let us know you've tried.

Well, thanks. I guess I found it can't be done, if my empirical techniques were correct--which may not be completely the case, considering that I'm not necessarily aware of all ways that one might try to put ICMP types/codes on one line. E.g. if there was some corollary to "multiport" for ICMP that I was not aware of.


Sort of on that note, I did find that you can't close port 25 (if you're running an email server), even if all email clients (e.g. Outlook, Thunderbird, etc.) use 465 and 995, as port 25 is used by all external servers that are trying to send email to your email server--and that can't be changed (since you have no control over other servers on the Internet, and the port they look at). So that port must remain open for that reason (or at least it must remain open between your email server and the servers sending to you).