IPTables Rules for BGP

I will give an example of IPTables rules for BGP.

Assume the default policies are as follows (with the ports for SSH and anything else you need already opened):

iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Since BGP uses port 179/tcp, it must be opened for the neighbors with whom the connection is established, for example:

iptables -A INPUT -p tcp -s 192.168.5.5 --dport 179 -i eth1 -j ACCEPT

The zebra vty (telnet) usually listens on port 2601 and the bgpd vty of Quagga on port 2605, so let's open them for localhost:

iptables -A INPUT -s 127.0.0.1 -p tcp --dport 2601 -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p tcp --dport 2605 -j ACCEPT

Or open all the ports for localhost:

iptables -A INPUT -i lo -j ACCEPT

If the rule below is added to iptables, port 179 does not have to be opened for a session that this router initiates itself, because the neighbor's replies match ESTABLISHED (a session the neighbor initiates still needs the port 179 rule above). The price is that conntrack is enabled, which is usually not wanted on a border router:

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
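The following script is an added example, not part of the original post: it renders the whole INPUT ruleset discussed above for a list of peers, in either the stateless form (per-peer rules for port 179) or the conntrack form, and refuses to emit rules for a malformed peer address. Peer addresses and interface names are constructed placeholders; the extra `--sport 179` rule in the stateless variant is my own addition, based on the assumption that this router may open the TCP session itself and therefore has to accept the neighbor's replies without conntrack.

```shell
#!/bin/sh
# Added example, not the original post's code. Renders iptables commands for a
# BGP border router; run with APPLY=1 to execute them, otherwise they are printed.
# WITH_CONNTRACK=0 (default) keeps the border router stateless.
WITH_CONNTRACK="${WITH_CONNTRACK:-0}"

# Reject anything that is not a dotted quad with octets 0-255, so a typo in a
# peer address cannot turn into a rule that matches nothing (or the wrong host).
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Default policies plus loopback (covers the zebra/bgpd vty ports) and SSH.
base_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD ACCEPT"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
}

# Rules for one peer: PEER_IP IFACE.
# Inbound connections from the peer to our port 179 are always accepted.
# Without conntrack, the peer's replies (from its port 179) to a session this
# router opened itself must be accepted explicitly (assumption, see lead-in).
bgp_peer_rules() {
    peer="$1"; iface="$2"
    echo "iptables -A INPUT -i $iface -p tcp -s $peer --dport 179 -j ACCEPT"
    if [ "$WITH_CONNTRACK" = "0" ]; then
        echo "iptables -A INPUT -i $iface -p tcp -s $peer --sport 179 -j ACCEPT"
    fi
}

# Render the complete ruleset: render_ruleset PEER IFACE [PEER IFACE ...]
# Fails (exit 1, nothing applied) if any peer address is malformed.
render_ruleset() {
    base_rules
    if [ "$WITH_CONNTRACK" = "1" ]; then
        echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    fi
    while [ $# -ge 2 ]; do
        valid_ipv4 "$1" || { echo "invalid peer address: $1" >&2; return 1; }
        bgp_peer_rules "$1" "$2"
        shift 2
    done
}

# Usage: WITH_CONNTRACK=0 APPLY=1 ./bgp-rules.sh 192.168.5.5 eth1 192.168.6.6 eth2
if [ "${APPLY:-0}" = "1" ]; then
    render_ruleset "$@" | sh -e
else
    render_ruleset "$@"
fi
```

Because the rules are rendered before anything is executed, a malformed peer address aborts the whole run instead of leaving the chain half-built with INPUT already set to DROP.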

See also my articles:
How to configure IPTables
Setting up BGP in Quagga
BIRD BGP: Unexpected connect from unknown address
BGP. Channel Balancing on Quagga
