Iptables: Difference between revisions
Jump to navigation
Jump to search
Created page with "==quick 'n dirty guide to iptables as a firewall== list rules: iptables --list save rules: (they will not stay when your interface goes down) iptables-save > /etc/iptalbes.conf ..." |
No edit summary |
||
| (3 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
==TL;DR base desktop rules== | |||
<pre>iptables -P INPUT DROP | |||
iptables -P FORWARD DROP | |||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |||
iptables -A INPUT -i lo -j ACCEPT | |||
iptables -A OUTPUT -o lo -j ACCEPT</pre> | |||
==quick 'n dirty guide to iptables as a firewall== | ==quick 'n dirty guide to iptables as a firewall== | ||
list rules: | list rules: | ||
iptables --list | <pre>iptables --list</pre> | ||
save rules: (they will not stay when your interface goes down) | save rules: (they will not stay when your interface goes down) | ||
iptables-save > /etc/iptalbes.conf | <pre>iptables-save > /etc/iptalbes.conf</pre> | ||
restore rules: | restore rules: | ||
iptables-restore < /etc/iptables.conf | <pre>iptables-restore < /etc/iptables.conf</pre> | ||
auto appy rules: | auto appy rules: | ||
echo "iptables-restore < /etc/iptables" > /etc/network/if-up.d/iptables | <pre>echo "iptables-restore < /etc/iptables" > /etc/network/if-up.d/iptables | ||
chmod +x /etc/network/if-up.d/iptables | chmod +x /etc/network/if-up.d/iptables</pre> | ||
after you make changes do not forget to save them with | after you make changes do not forget to save them with | ||
iptables-save > /etc/iptalbes.conf | <pre>iptables-save > /etc/iptalbes.conf</pre> | ||
set default policy: | set default policy: | ||
iptables -P INPUT DROP | <pre>iptables -P INPUT DROP | ||
iptables -P OUTPUT ACCEPT | iptables -P OUTPUT ACCEPT</pre> | ||
accept established connections: (let what goes out come back in) | accept established connections: (let what goes out come back in) | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | <pre>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</pre> | ||
-A adds a rule to the end of a chain | * -A adds a rule to the end of a chain | ||
replace with a -I to add a rule at the begenning of a chain | * replace with a -I to add a rule at the begenning of a chain | ||
allow communication through loopback or localhost: | allow communication through loopback or localhost: | ||
iptables -A INPUT -i lo -j ACCEPT | <pre>iptables -A INPUT -i lo -j ACCEPT | ||
iptables -A OUTPUT -o lo -j ACCEPT | iptables -A OUTPUT -o lo -j ACCEPT</pre> | ||
the interface will not show in iptables --list so this will look broken. | * the interface will not show in iptables --list so this will look broken. | ||
iptables -S will tell the true story | * iptables -S will tell the true story | ||
allow ssh in: | allow ssh in: | ||
iptables -A INPUT -p tcp --dport 22 -j ACCEPT | <pre>iptables -A INPUT -p tcp --dport 22 -j ACCEPT</pre> | ||
allow ssh from a specific network: | allow ssh from a specific network: | ||
iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 22 -j ACCEPT | <pre>iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 22 -j ACCEPT</pre> | ||
allow ping from outside to inside: | allow ping from outside to inside: | ||
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | <pre>iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | ||
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT | iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT</pre> | ||
allow ping from inside to outside: | allow ping from inside to outside: | ||
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT | <pre>iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT | ||
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT | iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT</pre> | ||
find more filters: | find more filters: | ||
man iptables | <pre>man iptables</pre> | ||
many options starting with a -- require a module to be called ahead of it | many options starting with a -- require a module to be called ahead of it. Ex: | ||
<pre>iptables -I OUTPUT --uid-owner 1000 -j ACCEPT</pre> | |||
iptables -I OUTPUT --uid-owner 1000 -j ACCEPT | will fail with an "unknown option --uid-owner". If you load the correct moudle first, | ||
will fail with an unknown option | <pre>iptables -I OUTPUT -m owner --uid-owner 1000 -j ACCEPT</pre> | ||
it will work. | |||
iptables -I OUTPUT -m owner --uid-owner 1000 -j ACCEPT | |||
it will work. | |||
log dropped packets: | log dropped packets: | ||
iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUTPUT_DROP: " --log-level 7 --log-ip-options | <pre>iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUTPUT_DROP: " --log-level 7 --log-ip-options</pre> | ||
* the order of rules matters | |||
* rules are processed from top down | |||
* when an ACCEPT or DROP is hit processing of a packet will stop | |||
watch logs: | |||
<pre>tail -f /var/log/debug | grep DROP</pre> | |||
misc blocks for common attacks: | misc blocks for common attacks: | ||
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP | <pre>iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP | ||
iptables -I INPUT -f -j DROP | iptables -I INPUT -f -j DROP | ||
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP | iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP | ||
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP | iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP</pre> | ||
block DoS attacks: | block DoS attacks: | ||
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT | <pre>iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT</pre> | ||
other cool stuff: | other cool stuff: | ||
load balance web traffic: | load balance web traffic: | ||
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443 | <pre>iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443 | ||
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443 | iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443 | ||
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443 | iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443</pre> | ||
allow a specific user access through a port: | allow a specific user access through a port: | ||
iptables -I OUTPUT -p tcp --dport 80 -m owner --uid-owner 1000 -j ACCEPT | <pre>iptables -I OUTPUT -p tcp --dport 80 -m owner --uid-owner 1000 -j ACCEPT</pre> | ||
allow a specific process access through a port: | allow a specific process access through a port: | ||
iptables -I OUTPUT -p tcp --dport 23 -m owner --pid-owner 23945 -j ACCEPT | <pre>iptables -I OUTPUT -p tcp --dport 23 -m owner --pid-owner 23945 -j ACCEPT</pre> | ||
allow a specific command access through a port: | allow a specific command access through a port: | ||
iptables -I OUTPUT -p tcp --dport 110 -m owner --cmd-owner claws-mail -j ACCEPT | <pre>iptables -I OUTPUT -p tcp --dport 110 -m owner --cmd-owner claws-mail -j ACCEPT</pre> | ||
sources: | sources: | ||
http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html | * http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html | ||
http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html | * http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html | ||
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/ | * http://www.thegeekstuff.com/2011/06/iptables-rules-examples/ | ||
Linux iptables Pocke Reference - O'Reilly | * Linux iptables Pocke Reference - O'Reilly | ||
Latest revision as of 11:18, 13 June 2012
TL;DR base desktop rules
iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT
quick 'n dirty guide to iptables as a firewall
list rules:
iptables --list
save rules: (they will not stay when your interface goes down)
iptables-save > /etc/iptalbes.conf
restore rules:
iptables-restore < /etc/iptables.conf
auto appy rules:
echo "iptables-restore < /etc/iptables" > /etc/network/if-up.d/iptables chmod +x /etc/network/if-up.d/iptables
after you make changes do not forget to save them with
iptables-save > /etc/iptalbes.conf
set default policy:
iptables -P INPUT DROP iptables -P OUTPUT ACCEPT
accept established connections: (let what goes out come back in)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- -A adds a rule to the end of a chain
- replace with a -I to add a rule at the begenning of a chain
allow communication through loopback or localhost:
iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT
- the interface will not show in iptables --list so this will look broken.
- iptables -S will tell the true story
allow ssh in:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
allow ssh from a specific network:
iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 22 -j ACCEPT
allow ping from outside to inside:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
allow ping from inside to outside:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
find more filters:
man iptables
many options starting with a -- require a module to be called ahead of it. Ex:
iptables -I OUTPUT --uid-owner 1000 -j ACCEPT
will fail with an "unknown option --uid-owner". If you load the correct moudle first,
iptables -I OUTPUT -m owner --uid-owner 1000 -j ACCEPT
it will work.
log dropped packets:
iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUTPUT_DROP: " --log-level 7 --log-ip-options
- the order of rules matters
- rules are processed from top down
- when an ACCEPT or DROP is hit processing of a packet will stop
watch logs:
tail -f /var/log/debug | grep DROP
misc blocks for common attacks:
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP iptables -I INPUT -f -j DROP iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
block DoS attacks:
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
other cool stuff:
load balance web traffic:
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443 iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443 iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
allow a specific user access through a port:
iptables -I OUTPUT -p tcp --dport 80 -m owner --uid-owner 1000 -j ACCEPT
allow a specific process access through a port:
iptables -I OUTPUT -p tcp --dport 23 -m owner --pid-owner 23945 -j ACCEPT
allow a specific command access through a port:
iptables -I OUTPUT -p tcp --dport 110 -m owner --cmd-owner claws-mail -j ACCEPT
sources: