Iptables port reference

From Gentoo Linux Wiki

Jump to: navigation, search
This article is part of the Security series.

Contents

[edit] This Page is not a HOWTO IPTABLES

If you're looking for a HOWTO to get started, go here: HOWTO Iptables for newbies

This is a reference for what has to be opened in iptables so you are able to use your favorite applications. I intend that this should have minimalist but secure rules. Feel free to add applications, modify rules if they aren't secure or accurate, or add suggested rules.

This page is focused entirely on the filter table, and does not currently include any nat rules.


Tip: DROP is the opposite of ACCEPT so if you want to block a service just change my ACCEPT to a DROP
Tip: If you would like all blocked services to be notified about being blocked and not wait until their connection attempts time out, replace DROP by REJECT

[edit] Policies & Default rules

any packet that reaches the end of the chain will do as the policy says.

Code: format
iptables -P chain action
for action you can have ACCEPT which will allow the packet to be used or DROP which makes it go away.

[edit] Desktops (clients)

When I say desktop I am referring to an end user system (meaning this has nothing to do with hardware you could be running a Laptop, or a SPARC, etc). This means that it offers no services to the outside world and performs no routing or nat-ing.

[edit] Policies

Code: Policy 
OUTPUT  ACCEPT
INPUT   DROP
FORWARD DROP

it tends to be a huge hassle to have desktops have the OUTPUT chain policy of DROP, the additional security is not worth the hassle.

Do not set the INPUT policy to DROP without having other rules here first or you will lose your network connection. however this is the best policy to have.

It really doesn't matter what you have in FORWARD for a policy because you shouldn't have forwarding turned on in the kernel anyway. I just say better safe than sorry.

[edit] rules

Code: Desktop Rules 
iptables -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -i lo -j ACCEPT
that's all you should need on a desktop, that it... you don't have to read on at all. Note: having lo set to accept is important as several local applications may use it for communication. If you want to be able to have other machines "ping" your desktop, please see the icmp section.
Note: if for some reason you decided to have you OUTPUT policy as DROP review the client sections to get everything on your system working and don't forget to have a -A OUTPUT -o lo -j ACCEPT RULE

[edit] Servers

A server is a system which provides services hosted on it's hardware to external machines. these can range from an print server, to web server, to terminal server; even just allowing remote access via ssh turns you machine into a server as this will allow remote machines to connect to you.

[edit] Policies

Code: Server Policies 
INPUT   DROP
OUTPUT  DROP
FORWARD DROP

I would like to note that if you aren't running a pure server you may want to set the OUTPUT policy to accept. example woult be if say the only server service you're running is ssh. However if this is a production server VERY FEW outbound requests IF ANY should be made from the machine.

[edit] Rules

Code: Server Default Rules 
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

The INVALID state checks for packets that have become corrupted we don't need to process these further. With a dedicated server the lo option may or may not be important as you may not be communicating on localhost, this really depends on the server you're running and how you are running it.

With this set of rules you should be set for the OUTPUT and FORWARD chains (unless your server can broadcast as opposed to requiring a request, example: some cupsd setups.), however you will need to refer to the INPUT rules of the reference for you server. You will probably want to put these rules between the ESTABLISHED,RELATED and lo rules.

[edit] Routers

For full definitions of what a router is and can be used for please view http://www.answers.com/topic/router it has very good examples definitions and articles.

but for the policies and rules I'm assuming you want a simplistic router that has a firewall and opens certain ports.

[edit] Policies

Code: Router Policies 
INPUT   DROP
OUTPUT  DROP
FORWARD DROP

with these policies and no more rules your router very effectively will refuse to route.

[edit] Rules

Code: Router Policies 
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j DROP

I can't suggest any more default rules for a router because I don't know what you are trying to filter and route. however I do know you will need to admin this router. so I suggest setting up an INPUT rule for ssh or some other administrative interface like webmin and only allowing this on your internal subnet possibly even just one ip and mac address.

for the home network you will probably need http, https, and dns traffic allowed.

for a router with no firewall set FORWARD to ACCEPT.

Warning: for your router to actually work you will have to turn forwarding on in the kernel and set up some nat table rules. nat rules are especially important if you are trying to access a server that is on a subnet behind the router

[edit] WWW Services

The base of what most people believe is the "internet".

[edit] Clients

Here I will list services that are critical for everyday "web surfing".

[edit] dns

to allow you to resolve domain names. e.g. www.google.com vs 64.233.167.99. tcp is used for queries larger than 512 bytes although this is rare it does happen.

Code: domain

iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT


Warning: emerge --sync seems to need DNS over TCP to work properly

[edit] http

To view most web pages

Code: http
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT

[edit] https

for secure / encrypted web pages

Code: https
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT

[edit] servers

If you wish to add to the "internet"

[edit] dns

run a domain server for clients to query. tcp is used for queries larger than 512 bytes although this is rare it does happen for servers you really should have this enabled to meet the IANA standards.

Code: domain
iptables -A INPUT -p udp --dport 53 -j ACCEPT iptables -A INPUT -p tcp --dport 53 -j ACCEPT

[edit] http

to host a standard content only web page. this web page would not allow logins.

Code: http
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

[edit] https

for secure / encrypted web pages, any web page that someone can login on.

Code: https
iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT


[edit] routers

routers make the internet work, lets keep it working.

[edit] dns

tcp is used for queries larger than 512 bytes although this is rare it does happen for routers you really should have this enabled to meet the IANA standards.

Code: dns
iptables -A FORWARD -p udp --dport 53 -j ACCEPT iptables -A FORWARD -p tcp --dport 53 -j ACCEPT

[edit] http

to allow web browsing

Code: http
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT

[edit] https

for secure / encrypted web pages.

Code: https
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT

[edit] File Transfer Protocols

Note: ftp is not the only protocol listed here because it's not the only way to do file transfers, and some methods like scp and http require ports listed elsewhere.

[edit] clients

[edit] rsync

allow you to rsync or emerge --sync

Code: rsync
iptables -A OUTPUT -p tcp --dport 873 -j ACCEPT

[edit] git

Code: git
iptables -A OUTPUT -p tcp --dport 9418 -j ACCEPT

[edit] servers

[edit] rsync

allows you to host an rsync mirror

Code: rsync
iptables -A INPUT -p tcp --dport 873 -j ACCEPT

[edit] routers

[edit] rsync

allows rsync traffic to pass through the firewall

Code: rsync
iptables -A INPUT -p tcp --dport 873 -j ACCEPT

[edit] Databases

[edit] clients

[edit] MySQL

for Client

Code: mysql
iptables -A OUTPUT -p tcp --dport 3306 -j ACCEPT

[edit] server

[edit] MySQL

For Server. is only required if people or another server is going to be connecting remotely to this service. If you are, for example, running a single LAMP server which has Apache and MySQL on the same machine you don't need this becaus all communications will be on lo.

Code: mysql
iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

[edit] router

[edit] MySQL

Code: mysql
iptables -A FORWARD -p tcp --dport 3306 -j ACCEPT

[edit] Instant Messengers and Chat

[edit] clients

[edit] MSN Messenger

allow access to MSN's messenger service

Code:
iptables -A OUTPUT -p tcp --dport 1863 -j ACCEPT

[edit] Yahoo Messenger

allow access to Yahoo's messenger service

Code:
iptables -A OUTPUT -p tcp --dport 5050 -j ACCEPT

[edit] AIM

allow access to AOL's messenger service

Code: aol
iptables -A OUTPUT -p tcp --dport 5190 -j ACCEPT

[edit] Jabber Client

allow access to a jabber server

Code: xmpp-client
iptables -A OUTPUT -p tcp --dport 5222 -j ACCEPT

or using encrypted connection

Code: xmpps-client
iptables -A OUTPUT -p tcp --dport 5223 -j ACCEPT

[edit] IRC client

to allow you to connect to an IRC server

Code: ircd
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT

[edit] routers

[edit] AIM

allow access to AOL's messenger service

Code: aol
iptables -A FORWARD -p tcp --dport 5190 -j ACCEPT

[edit] IRC

allow IRC traffic

Code: ircd
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT

[edit] Remote Administration Services

[edit] clients

[edit] ssh

to allow access to connect to another machine.

Code: ssh
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

[edit] webmin

Code:
iptables -A OUTPUT -p tcp --dport 10000 -j ACCEPT

[edit] servers

Warning: please remember that you may want to secure these using additional security, like only allowing certain domains, ip addresses, subnets, or to allow a broader access please investigate knock daemons. I do not recommend using any of these rules "as is" because doing so may allow someone to pwn your machine. damages could range from rebooting your machine on you, erasing the hard drive, or turning your machine into a bot
for more information on port knocking HOWTO Port Knocking& Port Knocking.

[edit] ssh

to allow remote access to your machine

Code: ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

a web interface for remotely administering you machine.

[edit] webmin

Code:
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT

[edit] routers

[edit] ssh

to allow access through the router.

Code: ssh
iptables -A FORWARD -p tcp --dport 22 -j ACCEPT

[edit] webmin

Code:
iptables -A FORWARD -p tcp --dport 10000 -j ACCEPT

[edit] Games

[edit] GameSpy

A popular gaming network.

UDP 6500 TCP 6667 UDP 27900 UDP 27901 TCP 28910 TCP 29900 TCP 29901 UDP 29910 TCP 29920

[edit] WarHammer 40K, Dawn of War

UDP 6112

Retrieved from "http://www.gentoo-wiki.com/Iptables_port_reference"
Personal tools