Difference between revisions of "Iptables"

[[category:networking]]
[[category:Linux/Unix]]
Latest revision as of 20:49, 8 June 2019

Manage firewall rules.

On Debian, the rules are kept in:

/etc/iptables/rules.v4
/etc/iptables/rules.v6

Pretty strict rules for an IPv4 web server are configured like this:

cat /etc/iptables/rules.v4
*filter
:INPUT DROP -4 [0:0]
:FORWARD DROP -4 [0:0]
:OUTPUT ACCEPT -4 [0:0]
-A INPUT -4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -4 -i lo -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
COMMIT
 
cat /etc/iptables/rules.v6
*filter
:INPUT DROP -6 [0:0]
:FORWARD DROP -6 [0:0]
:OUTPUT DROP -6 [0:0]
-A INPUT -6 -i lo -j ACCEPT
-A OUTPUT -6 -o lo -j ACCEPT
COMMIT

Once loaded, they result in:

iptables -nvL
Chain INPUT (policy DROP 100 packets, 27924 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19748 1436K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   25  1800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   84  5040 ACCEPT     tcp  --  *      *       192.168.2.0/24       0.0.0.0/0            ctstate NEW tcp dpt:22
    2    92 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:80
    9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:443
 
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain OUTPUT (policy ACCEPT 35665 packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination        
 
ip6tables -nvL
Chain INPUT (policy DROP 14 packets, 2902 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13  2476 ACCEPT     all      lo     *       ::/0                 ::/0                
 
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 
Chain OUTPUT (policy DROP 16 packets, 2134 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13  2476 ACCEPT     all      *      lo      ::/0                 ::/0
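As an added example (this script is not part of the wiki page), the following Python audit parses the iptables-save format used by rules.v4 and rules.v6 above and reports what a reviewer wants to know before loading such a file: whether INPUT and FORWARD default to DROP, and which TCP/UDP ports ACCEPT new connections from which sources. The two rulesets embedded in it are constructed copies of the page's files; the parser tolerates the extra -4/-6 token on the policy lines the same way iptables-restore without -c does.

```python
"""Offline audit of an iptables-save style ruleset (Debian rules.v4 / rules.v6).

Added example, not part of the wiki page: parses the *filter table, checks that
INPUT and FORWARD default to DROP, and lists every INPUT rule that ACCEPTs new
TCP/UDP connections together with its source restriction.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the page's IPv4 web-server ruleset.
RULES_V4 = """\
*filter
:INPUT DROP -4 [0:0]
:FORWARD DROP -4 [0:0]
:OUTPUT ACCEPT -4 [0:0]
-A INPUT -4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -4 -i lo -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample: the page's loopback-only IPv6 ruleset.
RULES_V6 = """\
*filter
:INPUT DROP -6 [0:0]
:FORWARD DROP -6 [0:0]
:OUTPUT DROP -6 [0:0]
-A INPUT -6 -i lo -j ACCEPT
-A OUTPUT -6 -o lo -j ACCEPT
COMMIT
"""


@dataclass
class Rule:
    chain: str
    target: str
    proto: Optional[str]
    dport: Optional[str]
    source: str            # "any" when the rule carries no -s
    in_iface: Optional[str]


def _opt(tokens, *names):
    """Return the argument that follows the first of `names` found in `tokens`."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None


def parse_filter_table(text):
    """Return (policies, rules) for the *filter table of an iptables-save dump."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table != "filter":
            continue
        elif line.startswith(":"):
            # ":CHAIN POLICY [pkts:bytes]"; the page's files carry an extra -4/-6
            # token here, so take only the first two fields (chain and policy).
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        else:
            tokens = shlex.split(line)
            if tokens[:1] != ["-A"]:
                continue           # only -A rules occur in these files
            rules.append(Rule(
                chain=tokens[1],
                target=_opt(tokens, "-j") or "",
                proto=_opt(tokens, "-p"),
                dport=_opt(tokens, "--dport"),
                source=_opt(tokens, "-s") or "any",
                in_iface=_opt(tokens, "-i"),
            ))
    return policies, rules


def audit(text):
    """Summarise default policies and the inbound ports a ruleset opens."""
    policies, rules = parse_filter_table(text)
    issues = [f"{c} policy is {policies.get(c, 'unset')}, expected DROP"
              for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    exposed = [(r.proto, r.dport, r.source) for r in rules
               if r.chain == "INPUT" and r.target == "ACCEPT"
               and r.in_iface != "lo" and r.proto in ("tcp", "udp") and r.dport]
    return {"policies": policies, "exposed": exposed, "issues": issues}


if __name__ == "__main__":
    for name, text in (("rules.v4", RULES_V4), ("rules.v6", RULES_V6)):
        report = audit(name and text)
        print(name, report["policies"])
        for proto, port, src in report["exposed"]:
            print(f"  {proto}/{port} open to {src}")
        for issue in report["issues"]:
            print("  !", issue)
```

Run against the page's rules.v4 the audit lists tcp/22 open only to 192.168.2.0/24 and tcp/80 and tcp/443 open to any source, with no policy issues; rules.v6 shows DROP everywhere and nothing exposed. The script inspects the file only; syntax checking before loading is still the job of iptables-restore --test, and a stray token on a policy line such as the -4 above will make iptables-restore -c (counter restore) reject the file.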