linux_wiki:firewall_iptables

linux_wiki:firewall_iptables [2015/12/18 15:53]
billdozor [IPTables]
linux_wiki:firewall_iptables [2019/05/25 23:50]
Line 1: Line 1:
-====== Firewall: IPTables ====== 
  
-**General Information** 
- 
-Build a basic IPTables firewall config with no defined rules. 
- 
-**Checklist** 
-  * Distros: All 
- 
----- 
- 
-===== Quick Firewall; Copy and Paste ===== 
-<code bash> 
-iptables -F INPUT 
-iptables -A INPUT -i lo -m comment --comment "Loopback Operations" -j ACCEPT 
-iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Related,Established Conn" -j ACCEPT 
-iptables -A INPUT -p icmp -m comment --comment "ICMP Requests" -j ACCEPT 
-iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access" -j ACCEPT 
-iptables -A INPUT -m comment --comment "Drop All Else" -j DROP 
-iptables -P INPUT DROP 
-</code> 
- 
-At any point: List all rules, with line numbers, verbose, numeric output: 
-<code bash> 
-iptables -L --line-numbers -vn 
-</code> 
- 
----- 
- 
-===== The Rules, Explained ===== 
- 
-1) Allow loopback operations 
-<code bash> 
-iptables -A INPUT -i lo -m comment --comment "Loopback Operations" -j ACCEPT 
-</code> 
- 
-2) Accept any related/established connections (ctstate is the successor to the state module) 
-<code bash> 
-iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Related,Established Conn" -j ACCEPT 
-</code> 
- 
->if the above doesn't work, that module is not available, do this: 
-<code bash> 
-iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Related,Established Conn" -j ACCEPT 
-</code> 
- 
-3) Accept icmp (ping) requests 
-<code bash> 
-iptables -A INPUT -p icmp -m comment --comment "ICMP Requests" -j ACCEPT 
-</code> 
- 
-4) Allow ssh to server 
-<code bash> 
-iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access" -j ACCEPT 
-</code> 
- 
-5) Drop all other traffic 
-<code bash> 
-iptables -A INPUT -m comment --comment "Drop All Else" -j DROP 
-</code> 
- 
-6) Policy set to drop (in case the last drop rule is deleted) 
-<code bash> 
-iptables -P INPUT DROP 
-</code> 
- 
-7) Save the rules 
-  * Ubuntu: Install iptables-persistant 
-<code bash> 
-apt-get install iptables-persistant 
-</code> 
- 
-  * CentOS: Run the iptables save service command 
-<code bash> 
-/sbin/service iptables save 
-</code> 
- 
----- 
- 
-===== Other Examples ===== 
- 
-==== Insert ==== 
-Insert at rule# 5, with Comment (192.168.1.200 = Monitoring Server) 
-<code bash> 
-iptables --insert INPUT 5 --source 192.168.1.200/32 --protocol tcp --dport 161 --in-interface eth0 -m comment --comment "Nagios SNMP" --jump ACCEPT 
-</code> 
- 
-==== Redirect ==== 
-Redirect Outside Traffic to a Different Port (Server is 192.168.1.101) 
-<code bash> 
-iptables -t nat -A PREROUTING -d 192.168.1.101 -p udp -m udp --dport 514 -m comment --comment "Redirect Syslogs(514) to Splunk Syslog port 1028" -j DNAT --to-destination 192.168.1.101:1028 
-</code> 
- 
-==== Connection Tracking ==== 
-Guard against brute force SSH attempts 
- 
-1) Add sources connecting to destination port 22 to the list "sshlist" 
-<code bash> 
-iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshlist --rsource -m comment --comment "Track SSH Connections" 
-</code> 
- 
-2) If the remote source has not attempted to connect 3+ times within 60 seconds, accept 
-<code bash> 
-iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent ! --rcheck --seconds 60 --hitcount 3 --name sshlist --rsource -m comment --comment "Accept < 3 ssh attempts in 60 secs" -j ACCEPT 
-</code> 