Iptables: Difference between revisions
Created page with "==quick 'n dirty guide to iptables as a firewall== list rules: iptables --list save rules: (they will not stay when your interface goes down) iptables-save > /etc/iptalbes.conf ..." |
No edit summary |
||
| Line 1: | Line 1: | ||
==quick 'n dirty guide to iptables as a firewall== | ==quick 'n dirty guide to iptables as a firewall== | ||
list rules: | list rules: | ||
iptables --list | <pre>iptables --list</pre> | ||
save rules: (they will not stay when your interface goes down) | save rules: (they will not stay when your interface goes down) | ||
iptables-save > /etc/iptalbes.conf | <pre>iptables-save > /etc/iptalbes.conf</pre> | ||
restore rules: | restore rules: | ||
iptables-restore < /etc/iptables.conf | <pre>iptables-restore < /etc/iptables.conf</pre> | ||
auto appy rules: | auto appy rules: | ||
echo "iptables-restore < /etc/iptables" > /etc/network/if-up.d/iptables | <pre>echo "iptables-restore < /etc/iptables" > /etc/network/if-up.d/iptables | ||
chmod +x /etc/network/if-up.d/iptables | chmod +x /etc/network/if-up.d/iptables</pre> | ||
after you make changes do not forget to save them with | after you make changes do not forget to save them with | ||
iptables-save > /etc/iptalbes.conf | <pre>iptables-save > /etc/iptalbes.conf</pre> | ||
set default policy: | set default policy: | ||
iptables -P INPUT DROP | <pre>iptables -P INPUT DROP | ||
iptables -P OUTPUT ACCEPT | iptables -P OUTPUT ACCEPT</pre> | ||
accept established connections: (let what goes out come back in) | accept established connections: (let what goes out come back in) | ||
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | <pre>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT</pre> | ||
-A adds a rule to the end of a chain | -A adds a rule to the end of a chain | ||
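Review bot: the persistence commands in this hunk disagree on the file name: the save line writes /etc/iptalbes.conf (typo), the restore line reads /etc/iptables.conf, and the if-up.d hook restores from /etc/iptables, so the hook will never find the saved rules. Use one path throughout, e.g. `iptables-save > /etc/iptables.conf` and `echo "iptables-restore < /etc/iptables.conf" > /etc/network/if-up.d/iptables`, and give the hook a `#!/bin/sh` first line so run-parts can exec it. Minor: "auto appy" should read "auto apply".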
| Line 27: | Line 27: | ||
allow communication through loopback or localhost: | allow communication through loopback or localhost: | ||
iptables -A INPUT -i lo -j ACCEPT | <pre>iptables -A INPUT -i lo -j ACCEPT | ||
iptables -A OUTPUT -o lo -j ACCEPT | iptables -A OUTPUT -o lo -j ACCEPT</pre> | ||
the interface will not show in iptables --list so this will look broken. | the interface will not show in iptables --list so this will look broken. | ||
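Review bot: "the interface will not show in iptables --list so this will look broken" leaves the reader with a rule that looks like a blanket ACCEPT and no way to check it; plain `iptables -L` omits the in/out interface columns, so suggest naming the command that shows them (`iptables -L -v` or `iptables -S`) right here instead of only saying it looks broken.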
| Line 34: | Line 34: | ||
allow ssh in: | allow ssh in: | ||
iptables -A INPUT -p tcp --dport 22 -j ACCEPT | <pre>iptables -A INPUT -p tcp --dport 22 -j ACCEPT</pre> | ||
allow ssh from a specific network: | allow ssh from a specific network: | ||
iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 22 -j ACCEPT | <pre>iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 22 -j ACCEPT</pre> | ||
allow ping from outside to inside: | allow ping from outside to inside: | ||
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | <pre>iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT | ||
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT | iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT</pre> | ||
allow ping from inside to outside: | allow ping from inside to outside: | ||
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT | <pre>iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT | ||
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT | iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT</pre> | ||
find more filters: | find more filters: | ||
man iptables | <pre>man iptables</pre> | ||
many options starting with a -- require a module to be called ahead of it | many options starting with a -- require a module to be called ahead of it | ||
ex: | ex: | ||
iptables -I OUTPUT --uid-owner 1000 -j ACCEPT | <pre>iptables -I OUTPUT --uid-owner 1000 -j ACCEPT</pre> | ||
will fail with an unknown option "--uid-owner" | will fail with an unknown option "--uid-owner" | ||
if you load the correct moudle first, | if you load the correct moudle first, | ||
iptables -I OUTPUT -m owner --uid-owner 1000 -j ACCEPT | <pre>iptables -I OUTPUT -m owner --uid-owner 1000 -j ACCEPT</pre> | ||
it will work. | it will work. | ||
log dropped packets: | log dropped packets: | ||
iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUTPUT_DROP: " --log-level 7 --log-ip-options | <pre>iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUTPUT_DROP: " --log-level 7 --log-ip-options</pre> | ||
the order of rules matters | the order of rules matters | ||
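Review bot: the "log dropped packets" rule does not log dropped packets: it matches every NEW connection in OUTPUT, whose policy in this guide is ACCEPT, so nothing it logs is dropped and the "OUTPUT_DROP: " prefix is misleading. LOG is non-terminating, so a logging rule has to sit directly before the DROP rule (or be the last rule of a chain whose policy is DROP) to record only what is about to be discarded; adding `-m limit` to it keeps the log from being flooded. Minor: "moudle" should read "module".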
| Line 66: | Line 65: | ||
misc blocks for common attacks: | misc blocks for common attacks: | ||
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP | <pre>iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP | ||
iptables -I INPUT -f -j DROP | iptables -I INPUT -f -j DROP | ||
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP | iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP | ||
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP | iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP</pre> | ||
block DoS attacks: | block DoS attacks: | ||
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT | <pre>iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT</pre> | ||
other cool stuff: | other cool stuff: | ||
load balance web traffic: | load balance web traffic: | ||
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443 | <pre>iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443 | ||
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443 | iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443 | ||
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443 | iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443</pre> | ||
allow a specific user access through a port: | allow a specific user access through a port: | ||
iptables -I OUTPUT -p tcp --dport 80 -m owner --uid-owner 1000 -j ACCEPT | <pre>iptables -I OUTPUT -p tcp --dport 80 -m owner --uid-owner 1000 -j ACCEPT</pre> | ||
allow a specific process access through a port: | allow a specific process access through a port: | ||
iptables -I OUTPUT -p tcp --dport 23 -m owner --pid-owner 23945 -j ACCEPT | <pre>iptables -I OUTPUT -p tcp --dport 23 -m owner --pid-owner 23945 -j ACCEPT</pre> | ||
allow a specific command access through a port: | allow a specific command access through a port: | ||
iptables -I OUTPUT -p tcp --dport 110 -m owner --cmd-owner claws-mail -j ACCEPT | <pre>iptables -I OUTPUT -p tcp --dport 110 -m owner --cmd-owner claws-mail -j ACCEPT</pre> | ||
sources: | sources: | ||
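Review bot: the three load-balancing rules omit `-t nat`; PREROUTING and the DNAT target live in the nat table, and the filter table has no PREROUTING chain, so as written each command is rejected. Insert `-t nat` after `iptables` in all three, and note that `-m nth` is an xtables-addons match rather than part of a stock iptables build. Two further caveats in this hunk: the "block DoS" rule only ACCEPTs up to the rate, so what exceeds it falls through to the INPUT policy (which works here only because that policy is DROP and breaks silently if a later rule accepts port 80), and `--pid-owner`/`--cmd-owner` were removed from the kernel's owner match in 2.6.14, so those two rules fail on current kernels.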
Revision as of 11:06, 13 June 2012
quick 'n dirty guide to iptables as a firewall
list rules:
iptables --list
save rules (the live rules are not kept when your interface goes down or the machine reboots):
iptables-save > /etc/iptables.conf
restore rules:
iptables-restore < /etc/iptables.conf
auto apply rules (the hook needs a shebang line so run-parts can execute it, and must restore from the same file you save to):
printf '#!/bin/sh\niptables-restore < /etc/iptables.conf\n' > /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables
after you make changes do not forget to save them with
iptables-save > /etc/iptables.conf
set default policy:
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
accept established connections: (let what goes out come back in)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A appends a rule to the end of a chain; replace it with -I to insert the rule at the beginning of a chain
allow communication through loopback or localhost:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
the interface does not show in plain iptables --list output, so these rules look like they accept everything; iptables -S (or iptables -L -v) shows the full rule with its interface
allow ssh in:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
allow ssh from a specific network:
iptables -A INPUT -p tcp -s 192.168.100.0/24 --dport 22 -j ACCEPT
allow ping from outside to inside:
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
allow ping from inside to outside:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
find more filters:
man iptables
many options starting with -- belong to a match extension that has to be loaded with -m before the option is used, e.g.:
iptables -I OUTPUT --uid-owner 1000 -j ACCEPT
fails with unknown option "--uid-owner"; if you load the owner match first,
iptables -I OUTPUT -m owner --uid-owner 1000 -j ACCEPT
it works.
log dropped packets (LOG is not a terminating target: a LOG rule must sit directly before the DROP rule, or last in a chain whose policy is DROP, to record only what is about to be dropped; as written this rule logs every new outgoing connection, and in this guide's OUTPUT chain those are all accepted):
iptables -A OUTPUT -m conntrack --ctstate NEW -j LOG --log-prefix "OUTPUT_DROP: " --log-level 7 --log-ip-options
the order of rules matters: rules are processed from the top down, and as soon as a packet hits an ACCEPT or DROP, processing of that packet stops
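The save/restore, default-policy, logging and ordering points above fit together as one ruleset. The script below is an added example, not code from the wiki page: it emits the guide's rules in the iptables-restore format that iptables-save writes to /etc/iptables.conf, with the LOG rule last so only what the DROP policy is about to discard gets logged, checks the file offline, and installs the if-up.d hook. The admin network 192.168.100.0/24 and the file paths are the guide's values; the ADMIN_NET, RULES_FILE and HOOK_FILE variable names and the gen_ruleset/check_ruleset/install_ruleset functions are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: build the guide's rules as one
# iptables-restore file in the order the guide says matters, save it and hook
# it into if-up.d. Paths and the admin network are the guide's values; the
# variable and function names are this example's own.
ADMIN_NET="${ADMIN_NET:-192.168.100.0/24}"
RULES_FILE="${RULES_FILE:-/etc/iptables.conf}"
HOOK_FILE="${HOOK_FILE:-/etc/network/if-up.d/iptables}"

# gen_ruleset prints the ruleset. Order: loopback, established/related replies,
# invalid and non-SYN "new" TCP dropped, the few NEW flows we allow, then a
# rate-limited LOG as the very last rule so only what the DROP policy is about
# to discard gets logged (LOG does not stop processing).
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
-A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "INPUT_DROP: " --log-level 7
COMMIT
EOF
}

# check_ruleset verifies the structural properties offline (iptables-restore
# --test needs root): DROP policy on INPUT, a COMMIT, and LOG as the last rule.
check_ruleset() {
    rules=$(gen_ruleset)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^COMMIT$' || return 1
    printf '%s\n' "$rules" | grep -v '^COMMIT$' | tail -n 1 | grep -q -e '-j LOG' || return 1
    return 0
}

# install_ruleset writes the file, the if-up.d hook (with a shebang so
# run-parts can exec it) and loads the whole set atomically. Root only.
install_ruleset() {
    check_ruleset || { echo "ruleset failed self-check" >&2; return 1; }
    gen_ruleset > "$RULES_FILE"
    printf '#!/bin/sh\niptables-restore < %s\n' "$RULES_FILE" > "$HOOK_FILE"
    chmod 755 "$HOOK_FILE"
    iptables-restore < "$RULES_FILE"
}

# usage: sh firewall.sh          print the ruleset (dry run)
#        sh firewall.sh check    run the self-check
#        sh firewall.sh install  write, hook and load (as root)
case "${1:-}" in
    install) install_ruleset ;;
    check)   check_ruleset && echo "ruleset OK" ;;
    *)       gen_ruleset ;;
esac
```

Loading with iptables-restore replaces the whole table in one step, so the host is never left half-configured between individual iptables commands, and the file it reads is exactly what iptables-save produces, so manual edits and scripted ones stay in one place.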
misc blocks for common attacks:
iptables -I INPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -I INPUT -f -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -I INPUT -p tcp --tcp-flags ALL NONE -j DROP
block DoS attacks (this only rate-limits packets to port 80: what exceeds the limit falls through to the rules below and finally to the INPUT policy, so it throttles only because that policy is DROP):
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
other cool stuff:
load balance web traffic (PREROUTING and DNAT live in the nat table, so -t nat is required; -m nth is an xtables-addons match, not part of a stock iptables build):
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
allow a specific user access through a port:
iptables -I OUTPUT -p tcp --dport 80 -m owner --uid-owner 1000 -j ACCEPT
allow a specific process access through a port (--pid-owner and --cmd-owner were removed from the kernel's owner match in 2.6.14; on current kernels only --uid-owner and --gid-owner remain, so run the program under a dedicated uid instead):
iptables -I OUTPUT -p tcp --dport 23 -m owner --pid-owner 23945 -j ACCEPT
allow a specific command access through a port (same caveat):
iptables -I OUTPUT -p tcp --dport 110 -m owner --cmd-owner claws-mail -j ACCEPT
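The guide's checklist (INPUT policy DROP, an ESTABLISHED,RELATED rule, ssh restricted with -s, and no rules placed after a DROP that already matches everything) can be checked against the output of iptables -S, which the guide recommends over --list. The linter below is an added example, not code from the wiki page; the sample ruleset in it is constructed for the example and deliberately contains each mistake, and the lint_rules and count_findings functions are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: lint a saved ruleset (iptables -S
# output) for the mistakes the guide warns about. SAMPLE_RULES is constructed
# for this example; on a real host run:  iptables -S | lint_rules
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'

# lint_rules reads iptables -S output on stdin, prints one finding per line
# and returns the number of findings (0 = clean).
lint_rules() {
    rules=$(cat)
    n=0
    # default policy: with ACCEPT, anything no rule matches gets in
    if ! printf '%s\n' "$rules" | grep -q '^-P INPUT DROP'; then
        echo "INPUT policy is not DROP: traffic no rule matches is accepted"
        n=$((n + 1))
    fi
    # without this rule a DROP policy also kills replies to our own connections
    if ! printf '%s\n' "$rules" | grep -qE -e '--(ct)?state [A-Z,]*ESTABLISHED'; then
        echo "no ESTABLISHED,RELATED rule: replies to outbound connections are dropped"
        n=$((n + 1))
    fi
    # ssh rule without a source restriction
    if printf '%s\n' "$rules" | grep -e '--dport 22 ' | grep -qv -e ' -s '; then
        echo "ssh (port 22) accepted from any source: add -s <admin network>"
        n=$((n + 1))
    fi
    # order matters: INPUT rules after an unconditional DROP are never reached
    drop_at=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -j DROP$' | head -n 1 | cut -d: -f1)
    if [ -n "$drop_at" ]; then
        after=$(printf '%s\n' "$rules" | tail -n +$((drop_at + 1)) | grep -c '^-A INPUT ' || true)
        if [ "$after" -gt 0 ]; then
            echo "$after INPUT rule(s) after the catch-all DROP (line $drop_at) are unreachable"
            n=$((n + 1))
        fi
    fi
    return $n
}

# count_findings lints a ruleset string and prints the number of findings,
# so callers need not juggle exit codes.
count_findings() {
    printf '%s\n' "$1" | lint_rules | wc -l | tr -d ' '
}

# When run directly: lint the constructed sample and report the count.
printf '%s\n' "$SAMPLE_RULES" | lint_rules || echo "findings: $?"
```

The constructed sample trips three of the four checks (ACCEPT policy, unrestricted ssh, an unreachable rule after the catch-all DROP) and passes the ESTABLISHED check; a ruleset that follows the guide returns 0.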
sources:
http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html
http://www.cyberciti.biz/tips/linux-iptables-10-how-to-block-common-attack.html
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
Linux iptables Pocket Reference - O'Reilly