linux_wiki:firewall_iptables [2015/12/18 15:53] billdozor [IPTables]
linux_wiki:firewall_iptables [2019/05/25 23:50]
====== Firewall: IPTables ======
**General Information**

Build a basic IPTables firewall config with no defined rules.

**Checklist**
  * Distros: All

----

===== Quick Firewall; Copy and Paste =====
<code bash>
iptables -F INPUT
iptables -A INPUT -i lo -m comment --comment "
iptables -A INPUT -m conntrack --ctstate RELATED,
iptables -A INPUT -p icmp -m comment --comment "ICMP Requests"
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access"
iptables -A INPUT -m comment --comment "Drop All Else" -j DROP
iptables -P INPUT DROP
</code>

At any point: list all rules, with line numbers, verbose, numeric output:
<code bash>
iptables -L --line-numbers -vn
</code>

----

===== The Rules, Explained =====

1) Allow loopback operations
<code bash>
iptables -A INPUT -i lo -m comment --comment "
</code>

2) Accept any related/
<code bash>
iptables -A INPUT -m conntrack --ctstate RELATED,
</code>

> if the above doesn'
<code bash>
iptables -A INPUT -m state --state RELATED,
</code>

3) Accept icmp (ping) requests
<code bash>
iptables -A INPUT -p icmp -m comment --comment "ICMP Requests"
</code>

4) Allow ssh to the server
<code bash>
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access"
</code>

5) Drop all other traffic
<code bash>
iptables -A INPUT -m comment --comment "Drop All Else" -j DROP
</code>

6) Policy set to drop (in case the last drop rule is deleted)
<code bash>
iptables -P INPUT DROP
</code>

7) Save the rules
  * Ubuntu: Install iptables-persistent
<code bash>
apt-get install iptables-persistent
</code>

  * CentOS: Run the iptables save service command
<code bash>
/
</code>

----

===== Other Examples =====

==== Insert ====
Insert at rule #5, with a comment (192.168.1.200 = Monitoring Server)
<code bash>
iptables --insert INPUT 5 --source 192.168.1.200/
</code>

==== Redirect ====
Redirect outside traffic to a different port (the server is 192.168.1.101)
<code bash>
iptables -t nat -A PREROUTING -d 192.168.1.101 -p udp -m udp --dport 514 -m comment --comment "
</code>

==== Connection Tracking ====
Guard against brute-force SSH attempts

1) Add sources connecting to destination port 22 to the list "
<code bash>
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshlist --rsource -m comment --comment "Track SSH Connections"
</code>

2) If the remote source has not attempted to connect 3+ times within 60 seconds, accept
<code bash>
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent ! --rcheck --seconds 60 --hitcount 3 --name sshlist --rsource -m comment --comment "
</code>
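The two-rule SSH guard above relies on the order of the `recent` match operations: `--set` records the attempt first, then `! --rcheck` decides. The following Python model (an added example, not part of the wiki page and not the kernel's xt_recent module) walks constructed connection attempts through both rules to show when the third attempt is dropped, why dropped attempts extend the lockout, and when the window ages out; the source addresses are constructed documentation-range values.

```python
"""Model of the two-rule SSH brute-force guard built on the xt_recent match.

Rule 1: -m recent --set --name sshlist --rsource
        (record the arrival time of every NEW SSH connection; no -j, so the
        packet continues down the chain)
Rule 2: -m recent ! --rcheck --seconds 60 --hitcount 3 --name sshlist --rsource
        (accept unless the source already has 3 or more recorded hits inside
        the last 60 s)
Anything rule 2 does not accept falls through to the chain's final DROP.
This is a simplified model of the kernel bookkeeping, not the module itself.
"""
from collections import defaultdict

SECONDS = 60
HITCOUNT = 3


class RecentList:
    """Per-source timestamps, as one --name list keeps them."""

    def __init__(self):
        self.hits = defaultdict(list)

    def set(self, src, now):
        # --set: append this packet's arrival time for the --rsource address
        self.hits[src].append(now)

    def rcheck(self, src, now, seconds, hitcount):
        # --rcheck: true when the source has >= hitcount entries within the
        # last `seconds`. Unlike --update it does not refresh the timestamps.
        recent = [t for t in self.hits[src] if now - t <= seconds]
        return len(recent) >= hitcount


def new_ssh_connection(lst, src, now):
    """Walk the INPUT chain for one NEW packet to tcp/22; return the verdict."""
    lst.set(src, now)                                # rule 1 always records
    if not lst.rcheck(src, now, SECONDS, HITCOUNT):  # rule 2: ! --rcheck
        return "ACCEPT"
    return "DROP"                                    # falls to "Drop All Else"


def simulate(attempts):
    """attempts: (time_in_seconds, source_ip) pairs -> (time, src, verdict)."""
    lst = RecentList()
    return [(t, src, new_ssh_connection(lst, src, t)) for t, src in attempts]


if __name__ == "__main__":
    # Constructed sample: one source hammering port 22, another connecting once.
    for row in simulate([(0, "203.0.113.9"), (10, "203.0.113.9"), (20, "203.0.113.9"),
                         (65, "203.0.113.9"), (70, "198.51.100.7"), (125, "203.0.113.9")]):
        print(row)
```

Note that the attempt at t=65 is still dropped: the third attempt at t=20 was itself recorded by rule 1 before being refused, so refused attempts keep the source locked out until they fall outside the 60-second window.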