Difference between revisions of "Iptables"
Revision as of 20:36, 5 April 2020
Manage firewall rules.
On Debian the rules are stored in:
/etc/iptables/rules.v4
/etc/iptables/rules.v6
Fairly strict rules for an IPv4 web server can be configured like this:
cat /etc/iptables/rules.v4
*filter
:INPUT DROP -4 [0:0]
:FORWARD DROP -4 [0:0]
:OUTPUT ACCEPT -4 [0:0]
-A INPUT -4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -4 -i lo -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
COMMIT
cat /etc/iptables/rules.v6
*filter
:INPUT DROP -6 [0:0]
:FORWARD DROP -6 [0:0]
:OUTPUT DROP -6 [0:0]
-A INPUT -6 -i lo -j ACCEPT
-A OUTPUT -6 -o lo -j ACCEPT
COMMIT
Activated with iptables-restore < /etc/iptables/rules.v4, this results in:
iptables -nvL
Chain INPUT (policy DROP 100 packets, 27924 bytes)
pkts bytes target prot opt in out source destination
19748 1436K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
25 1800 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
84 5040 ACCEPT tcp -- * * 192.168.2.0/24 0.0.0.0/0 ctstate NEW tcp dpt:22
2 92 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:80
9 540 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp dpt:443
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 35665 packets, 49M bytes)
pkts bytes target prot opt in out source destination
For IPv6:
ip6tables-restore < /etc/iptables/rules.v6
ip6tables -nvL
Chain INPUT (policy DROP 14 packets, 2902 bytes)
pkts bytes target prot opt in out source destination
13 2476 ACCEPT all lo * ::/0 ::/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 16 packets, 2134 bytes)
pkts bytes target prot opt in out source destination
13 2476 ACCEPT all * lo ::/0 ::/0
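The rules files above can be checked before they are loaded. The following script is an added example, not part of the wiki page: it parses an iptables-restore file with awk, lists the chain policies and the INPUT rules that open a destination port, and flags any port other than 80 and 443 that is reachable from every source, or an INPUT/FORWARD chain whose policy is not DROP. The embedded rules text is a constructed copy of the rules.v4 shown above; the loosened variant and the policy the audit compares against are assumptions of the example.

```shell
#!/bin/sh
# Offline audit of an iptables-restore file (added example, not from the wiki page).
# It lists chain policies and the INPUT rules that accept new TCP connections,
# and flags anything that deviates from the intent of the ruleset above:
# INPUT/FORWARD policy DROP, and only ports 80 and 443 open to every source.

# Constructed copy of the page's rules.v4, embedded so the script runs offline.
RULES_V4='*filter
:INPUT DROP -4 [0:0]
:FORWARD DROP -4 [0:0]
:OUTPUT ACCEPT -4 [0:0]
-A INPUT -4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -4 -i lo -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
COMMIT'

# Assumed loosened variant for demonstration: the same file with the source
# restriction on the SSH rule removed, so port 22 would be open to the world.
RULES_V4_LOOSE=$(printf '%s\n' "$RULES_V4" | sed 's| -s 192\.168\.2\.0/24||')

# Print "CHAIN POLICY" for every chain definition (lines starting with ':').
chain_policies() {
    printf '%s\n' "$1" | awk '/^:/ { sub(/^:/, "", $1); print $1, $2 }'
}

# Print "DPORT SOURCE" for every INPUT rule that accepts traffic to a
# destination port. A rule without -s is reported with source 0.0.0.0/0,
# which is what the kernel assumes for it.
input_open_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && / -j ACCEPT/ && / --dport / {
            src = "0.0.0.0/0"; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s")      src = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
            }
            print dport, src
        }'
}

# Compare a ruleset against the intended policy. Prints one finding per line
# and returns 1 if there is any; prints a confirmation and returns 0 otherwise.
audit_rules() {
    findings=$(
        chain_policies "$1" | awk '
            ($1 == "INPUT" || $1 == "FORWARD") && $2 != "DROP" {
                print "chain " $1 " policy is " $2 ", expected DROP"
            }'
        input_open_ports "$1" | awk '
            $2 == "0.0.0.0/0" && $1 != "80" && $1 != "443" {
                print "port " $1 " open to any source"
            }'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "ruleset matches policy"
}

# Usage: the page's ruleset passes, the loosened copy is rejected.
audit_rules "$RULES_V4"
audit_rules "$RULES_V4_LOOSE" || echo "loosened ruleset rejected (exit $?)"
```

This checks intent, not syntax: for the latter, iptables-restore --test < /etc/iptables/rules.v4 parses and builds the ruleset without committing it, which is the safer first step before the real iptables-restore on a remote machine where a typo would lock you out.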
ufw
ufw (Uncomplicated FireWall) is a frontend to iptables that generates a rather complicated set of firewall rules.
Configuration files are stored in /etc/ufw/.
By default the INPUT and FORWARD chains drop everything and the OUTPUT chain allows everything.
- ufw enable / ufw disable
  Enable or disable the firewall rules.
- ufw allow proto tcp from 192.168.1.0/24 to any port 22
  Add a rule allowing TCP port 22 (ssh) from a local subnet, both to the active rule set and to the ufw configuration files.
- ufw delete allow proto tcp from 192.168.1.0/24 to any port 22
  Remove that rule again, both from the active rule set and from the ufw configuration files.