====== Firewall: IPTables ======

**General Information**

Build a basic IPTables firewall config with no defined rules.

**Checklist**

  * Distro(s): Any

----

===== Quick Firewall; Copy and Paste =====

<code bash>
iptables -F INPUT
iptables -A INPUT -i lo -m comment --comment "Loopback Operations" -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Related,Established Conn" -j ACCEPT
iptables -A INPUT -p icmp -m comment --comment "ICMP Requests" -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access" -j ACCEPT
iptables -A INPUT -m comment --comment "Drop All Else" -j DROP
iptables -P INPUT DROP
</code>

At any point: list all rules, with line numbers, verbose, numeric output:

<code bash>
iptables -L --line-numbers -vn
</code>

----

===== The Rules, Explained =====

1) Allow loopback operations

<code bash>
iptables -A INPUT -i lo -m comment --comment "Loopback Operations" -j ACCEPT
</code>

2) Accept any related/established connections (the conntrack match with ''--ctstate'' supersedes the older state module)

<code bash>
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Related,Established Conn" -j ACCEPT
</code>

> If the above fails, the conntrack match is not available on that kernel; use the older state module instead:

<code bash>
iptables -A INPUT -m state --state RELATED,ESTABLISHED -m comment --comment "Related,Established Conn" -j ACCEPT
</code>

3) Accept ICMP (ping) requests

<code bash>
iptables -A INPUT -p icmp -m comment --comment "ICMP Requests" -j ACCEPT
</code>

4) Allow SSH to the server

<code bash>
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m comment --comment "SSH Access" -j ACCEPT
</code>

5) Drop all other traffic

<code bash>
iptables -A INPUT -m comment --comment "Drop All Else" -j DROP
</code>

6) Set the chain policy to DROP (so traffic is still dropped if the last drop rule is deleted). Note that once the policy is DROP, flushing the chain (''iptables -F INPUT'') over a remote session locks you out until the accept rules are re-added, so set the policy back to ACCEPT first or work from a console.

<code bash>
iptables -P INPUT DROP
</code>

7) Save the rules

  * Ubuntu: install iptables-persistent

<code bash>
apt-get install iptables-persistent
</code>

  * CentOS: run the iptables save service command

<code bash>
/sbin/service iptables save
</code>

----

===== Other Examples =====

==== Insert ====

Insert at rule #5, with a comment (192.168.1.200 = monitoring server):

<code bash>
iptables --insert INPUT 5 --source 192.168.1.200/32 --protocol tcp --dport 161 --in-interface eth0 -m comment --comment "Nagios SNMP" --jump ACCEPT
</code>

==== Redirect ====

Redirect outside traffic to a different port (server is 192.168.1.101):

<code bash>
iptables -t nat -A PREROUTING -d 192.168.1.101 -p udp -m udp --dport 514 -m comment --comment "Redirect Syslogs(514) to Splunk Syslog port 1028" -j DNAT --to-destination 192.168.1.101:1028
</code>

==== Connection Tracking ====

Guard against brute-force SSH attempts. Place these two rules ahead of any unconditional SSH accept rule (such as rule 4 above); otherwise that rule matches first and the check never runs.

1) Add sources connecting to destination port 22 to the list "sshlist" (this rule has no ''-j'' target, so it only records the source and evaluation continues with the next rule)

<code bash>
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name sshlist --rsource -m comment --comment "Track SSH Connections"
</code>

2) If the remote source has not attempted to connect 3+ times within 60 seconds, accept (the hit count includes the attempt just recorded by rule 1); anything else falls through to the "Drop All Else" rule

<code bash>
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent ! --rcheck --seconds 60 --hitcount 3 --name sshlist --rsource -m comment --comment "Accept < 3 ssh attempts in 60 secs" -j ACCEPT
</code>

The current entries in the list, with their hit timestamps, can be inspected in ''/proc/net/xt_recent/sshlist''.

linux_wiki/firewall_iptables.txt · Last modified: 2019/05/25 23:50 (external edit)
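Added example, not from the wiki: the same INPUT ruleset in iptables-restore format, with the two "recent" rules from the Connection Tracking section standing in for the plain SSH accept, plus a sanity check to run before loading. The default SSH port (22) and any source CIDRs passed in are assumed values; the output can be loaded atomically with ''iptables-restore'' or saved as ''/etc/iptables/rules.v4'' for iptables-persistent.

```shell
#!/bin/sh
# Added example (not from the wiki): the page's INPUT ruleset in
# iptables-restore format, with the two "recent" rules from the
# Connection Tracking section standing in for the plain SSH accept.
# Load it atomically with: iptables-restore < rules.v4
# Assumptions: SSH port defaults to 22; any source CIDRs given are
# illustrative management networks, not values from the page.
# gen_rules [SSH_PORT] [SOURCE_CIDR...]  -> ruleset on stdout
gen_rules() {
    ssh_port="${1:-22}"
    [ $# -gt 0 ] && shift
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -m comment --comment "Loopback Operations" -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Related,Established Conn" -j ACCEPT' \
        '-A INPUT -p icmp -m comment --comment "ICMP Requests" -j ACCEPT'
    # No sources given: track and rate-limit SSH from any source
    [ $# -eq 0 ] && set -- ''
    for src in "$@"; do
        new="${src:+-s $src }-p tcp --dport $ssh_port -m conntrack --ctstate NEW"
        printf '%s\n' \
            "-A INPUT $new -m recent --set --name sshlist --rsource -m comment --comment \"Track SSH Connections\"" \
            "-A INPUT $new -m recent ! --rcheck --seconds 60 --hitcount 3 --name sshlist --rsource -m comment --comment \"Accept < 3 ssh attempts in 60 secs\" -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -m comment --comment "Drop All Else" -j DROP' 'COMMIT'
}

# check_rules FILE: refuse a ruleset that would lock you out or leave the
# chain open; returns 0 only when every invariant holds.
check_rules() {
    f="$1"
    grep -q -e '^:INPUT DROP' "$f" \
        || { echo "INPUT policy is not DROP" >&2; return 1; }
    grep -q -e '^-A INPUT -i lo .* -j ACCEPT' "$f" \
        || { echo "loopback accept missing" >&2; return 1; }
    grep -q -e 'ctstate RELATED,ESTABLISHED .* -j ACCEPT' "$f" \
        || { echo "established accept missing" >&2; return 1; }
    grep -q -e '--dport [0-9][0-9]* .* -j ACCEPT' "$f" \
        || { echo "no SSH accept rule: remote access would be lost" >&2; return 1; }
    [ "$(tail -n 1 "$f")" = 'COMMIT' ] \
        || { echo "COMMIT line missing" >&2; return 1; }
}

# Typical use: gen_rules 22 10.0.0.0/24 > rules.v4 && check_rules rules.v4 \
#   && iptables-restore --test rules.v4
```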