Iptables: Difference between revisions

From LVL1
Jump to navigation Jump to search
← Older edit
RedWagon (talk | contribs)
289 edits
No edit summary
RedWagon (talk | contribs)
289 edits
No edit summary
 
(2 intermediate revisions by the same user not shown)
Line 1: Line 1:
==TL;DR base desktop rules==
<pre>iptables -P INPUT  DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT</pre>
==quick 'n dirty guide to iptables as a firewall==
==quick 'n dirty guide to iptables as a firewall==
list rules:
list rules:
Line 23: Line 31:
<pre>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</pre>
<pre>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</pre>


-A adds a rule to the end of a chain
* -A adds a rule to the end of a chain
replace with a -I to add a rule at the begenning of a chain
* replace with a -I to add a rule at the begenning of a chain


allow communication through loopback or localhost:
allow communication through loopback or localhost:
Line 30: Line 38:
iptables -A OUTPUT -o lo -j ACCEPT</pre>
iptables -A OUTPUT -o lo -j ACCEPT</pre>


the interface will not show in iptables --list so this will look broken.
* the interface will not show in iptables --list so this will look broken.
iptables -S will tell the true story
* iptables -S will tell the true story


allow ssh in:
allow ssh in:
Line 49: Line 57:
find more filters:
find more filters:
<pre>man iptables</pre>
<pre>man iptables</pre>
many options starting with a -- require a module to be called ahead of it
many options starting with a -- require a module to be called ahead of it. Ex:
ex:
<pre>iptables -I OUTPUT --uid-owner 1000 -j ACCEPT</pre>
<pre>iptables -I OUTPUT --uid-owner 1000 -j ACCEPT</pre>
will fail with an unknown option "--uid-owner"
will fail with an "unknown option --uid-owner".  If you load the correct moudle first,
if you load the correct moudle first,
<pre>iptables -I OUTPUT -m owner --uid-owner 1000 -j ACCEPT</pre>
<pre>iptables -I OUTPUT -m owner --uid-owner 1000 -j ACCEPT</pre>
it will work.  
it will work.  
Line 60: Line 66:
<pre>iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUTPUT_DROP: " --log-level 7 --log-ip-options</pre>
<pre>iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUTPUT_DROP: " --log-level 7 --log-ip-options</pre>


the order of rules matters
* the order of rules matters
rules are processed from top down
* rules are processed from top down
when an ACCEPT or DROP is hit processing of a packet will stop
* when an ACCEPT or DROP is hit processing of a packet will stop
 
watch logs:
<pre>tail -f /var/log/debug | grep DROP</pre>


misc blocks for common attacks:
misc blocks for common attacks:
Line 90: Line 99:


sources:
sources:
http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html
* http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html
http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html
* http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
* http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
Linux iptables Pocke Reference - O'Reilly
* Linux iptables Pocke Reference - O'Reilly
 
sources:
http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html
http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
Linux iptables Pocke Reference - O'Reilly

Latest revision as of 11:18, 13 June 2012

TL;DR base desktop rules

iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


quick 'n dirty guide to iptables as a firewall

list rules: 

iptables --list

save rules: (they will not stay when your interface goes down) 

iptables-save > /etc/iptalbes.conf

restore rules: 

iptables-restore < /etc/iptables.conf

auto appy rules: 

echo "iptables-restore < /etc/iptables" > /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables

after you make changes do not forget to save them with 

iptables-save > /etc/iptalbes.conf

set default policy: 

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

accept established connections: (let what goes out come back in) 

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  • -A adds a rule to the end of a chain
  • replace with a -I to add a rule at the begenning of a chain

allow communication through loopback or localhost: 

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
  • the interface will not show in iptables --list so this will look broken.
  • iptables -S will tell the true story

allow ssh in: 

iptables -A INPUT -p tcp --dport 22 -j ACCEPT

allow ssh from a specific network: 

iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 22 -j ACCEPT

allow ping from outside to inside: 

iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

allow ping from inside to outside: 

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

find more filters: 

man iptables

many options starting with a -- require a module to be called ahead of it. Ex: 

iptables -I OUTPUT --uid-owner 1000 -j ACCEPT

will fail with an "unknown option --uid-owner". If you load the correct moudle first, 

iptables -I OUTPUT -m owner --uid-owner 1000 -j ACCEPT

it will work.

log dropped packets: 

iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUTPUT_DROP: " --log-level 7 --log-ip-options
  • the order of rules matters
  • rules are processed from top down
  • when an ACCEPT or DROP is hit processing of a packet will stop

watch logs: 

tail -f /var/log/debug | grep DROP

misc blocks for common attacks: 

iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP

block DoS attacks: 

iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT

other cool stuff:

load balance web traffic: 

iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443

allow a specific user access through a port: 

iptables -I OUTPUT -p tcp --dport 80 -m owner --uid-owner 1000 -j ACCEPT

allow a specific process access through a port: 

iptables -I OUTPUT -p tcp --dport 23 -m owner --pid-owner 23945 -j ACCEPT

allow a specific command access through a port: 

iptables -I OUTPUT -p tcp --dport 110 -m owner --cmd-owner claws-mail -j ACCEPT

sources:

Retrieved from "http://wiki.lvl1.org/index.php?title=Iptables&oldid=4233"