omar-yassin/gist:7776278

## gistfile1.txt
ADD RULE with PORT and IPADDRESS
	sudo iptables -A INPUT -p tcp -m tcp --dport port_number -s ip_address -j ACCEPT

ADD RULE for PORT on all addresses
	sudo iptables -A INPUT -p tcp -m tcp --dport port_number --sport 1024:65535 -j ACCEPT

DROP IPADRESS
	sudo iptables -I INPUT -s x.x.x.x -j DROP

VIEW IPTABLES with rule numbers
	sudo iptables -L INPUT -n --line-numbers

REMOVE A RULE
	#Use above command and note rule_number
	sudo iptables -D INPUT rule_number


#DEFAULT POLICY

	-P INPUT   DROP
	-P OUTPUT  DROP
	-P FORWARD DROP
	-A INPUT  -i lo -j ACCEPT #allow lo input
	-A OUTPUT -o lo -j ACCEPT #allow lo output
	-A INPUT  -m limit --limit 5/min -j LOG --log-prefix "iptables-INPUT denied: "  --log-level 7 #log INPUT  Denied
	-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-OUTPUT denied: " --log-level 7 #log OUTPUT Denied

	#ALLOW OUTPUT PING/MTR (or traceroute -I, traceroute by default uses UDP - force with ICMP)
	-A OUTPUT -p icmp --icmp-type 8  -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	-A INPUT  -p icmp --icmp-type 0  -m state --state ESTABLISHED,RELATED     -j ACCEPT
	-A INPUT  -p icmp --icmp-type 11 -m state --state ESTABLISHED,RELATED     -j ACCEPT

	#ALLOW INPUT PING/MTR
 	-A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	-A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

	#ALLOW OUTPUT
	-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
	-A INPUT  -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED     -j ACCEPT

	-A OUTPUT -p udp -m multiport --dports 53,123 -m state --state NEW,ESTABLISHED -j ACCEPT
	-A INPUT  -p udp -m multiport --sports 53,123 -m state --state ESTABLISHED     -j ACCEPT
	ADD RULE with PORT and IPADDRESS
	sudo iptables -A INPUT -p tcp -m tcp --dport port_number -s ip_address -j ACCEPT

	ADD RULE for PORT on all addresses
	sudo iptables -A INPUT -p tcp -m tcp --dport port_number --sport 1024:65535 -j ACCEPT

	DROP IPADRESS
	sudo iptables -I INPUT -s x.x.x.x -j DROP

	VIEW IPTABLES with rule numbers
	sudo iptables -L INPUT -n --line-numbers

	REMOVE A RULE
	#Use above command and note rule_number
	sudo iptables -D INPUT rule_number


	#DEFAULT POLICY

	-P INPUT DROP
	-P OUTPUT DROP
	-P FORWARD DROP
	-A INPUT -i lo -j ACCEPT #allow lo input
	-A OUTPUT -o lo -j ACCEPT #allow lo output
	-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-INPUT denied: " --log-level 7 #log INPUT Denied
	-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-OUTPUT denied: " --log-level 7 #log OUTPUT Denied

	#ALLOW OUTPUT PING/MTR (or traceroute -I, traceroute by default uses UDP - force with ICMP)
	-A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	-A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
	-A INPUT -p icmp --icmp-type 11 -m state --state ESTABLISHED,RELATED -j ACCEPT

	#ALLOW INPUT PING/MTR
	-A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
	-A OUTPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

	#ALLOW OUTPUT
	-A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
	-A INPUT -p tcp -m multiport --sports 80,443 -m state --state ESTABLISHED -j ACCEPT

	-A OUTPUT -p udp -m multiport --dports 53,123 -m state --state NEW,ESTABLISHED -j ACCEPT
	-A INPUT -p udp -m multiport --sports 53,123 -m state --state ESTABLISHED -j ACCEPT