Iptables

[[category:networking]]
[[category:Linux/Unix]]
Latest revision as of 22:03, 5 March 2023

Manage netfilter firewall rules with iptables. On Debian the rules loaded at boot by the iptables-persistent (netfilter-persistent) package are kept in:

/etc/iptables/rules.v4
/etc/iptables/rules.v6

Both files are in iptables-save format, one per address family. A fairly strict rule set for an IPv4 web server that is administered over SSH from one local subnet looks like this:

cat /etc/iptables/rules.v4
*filter
# Default policies: nothing in, nothing routed, everything out.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host opened, plus related traffic such as ICMP errors.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
# New connections: SSH only from the management subnet, HTTP and HTTPS from anywhere.
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
COMMIT

The chain lines use the form iptables-save itself writes, :CHAIN POLICY [packets:bytes]. The -4 / -6 rule option is only useful in a single file that is fed to both iptables-restore and ip6tables-restore (the other family silently skips such a rule); with separate rules.v4 and rules.v6 files it is not needed. Lines starting with # are comments and are accepted by iptables-restore.

cat /etc/iptables/rules.v6
*filter
# IPv6 is closed in both directions; only loopback traffic is allowed.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT

Note that this is a "no IPv6 at all" policy rather than a strict IPv6 policy: with OUTPUT dropped the host cannot send Neighbour Discovery or Router Solicitation messages (ICMPv6), so it never obtains a usable global address and cannot reach anything over IPv6. If the server is meant to serve over IPv6, mirror the IPv4 rules instead and additionally accept ICMPv6 (-p ipv6-icmp) in both INPUT and OUTPUT, because IPv6 does not function without it.

The IPv4 file is loaded with iptables-restore < /etc/iptables/rules.v4. When the only way in is the port 22 rule, check the file first with iptables-restore --test < /etc/iptables/rules.v4, which parses it without changing the running rules. Loading it results in:

iptables -nvL
Chain INPUT (policy DROP 100 packets, 27924 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19748 1436K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   25  1800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   84  5040 ACCEPT     tcp  --  *      *       192.168.2.0/24       0.0.0.0/0            ctstate NEW tcp dpt:22
    2    92 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:80
    9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 35665 packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination

For IPv6 the same is done with ip6tables-restore (and ip6tables-restore --test):

ip6tables-restore < /etc/iptables/rules.v6

ip6tables -nvL
Chain INPUT (policy DROP 14 packets, 2902 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13  2476 ACCEPT     all      lo     *       ::/0                 ::/0                

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 16 packets, 2134 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13  2476 ACCEPT     all      *      lo      ::/0                 ::/0
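A way to load one of these files on a remote host without locking yourself out, as an added example that is not part of the page: the file is linted, parsed with the real iptables-restore --test, the running rule set is saved, the new one is loaded, and a watchdog restores the saved rules unless a confirmation file is created from a fresh SSH session in time. The function names, the IPT_RESTORE / IPT_SAVE variables and the confirm-file path are this example's own; set IPT_RESTORE=ip6tables-restore and IPT_SAVE=ip6tables-save to use it for rules.v6.

```shell
#!/bin/sh
# Added example, not from the wiki page: load an iptables-save style rules
# file with a confirm-or-rollback timer. All names below are this example's own.
#
#   1. lint_rules            - simple static checks of the file format
#   2. iptables-restore --test - let the real parser reject it before touching the kernel
#   3. save the live rule set, load the new one
#   4. watchdog: restore the saved rule set unless $CONFIRM appears within
#      $ROLLBACK_SECS seconds (touch it from a *new* SSH session)

IPT_RESTORE=${IPT_RESTORE:-iptables-restore}   # ip6tables-restore for rules.v6
IPT_SAVE=${IPT_SAVE:-iptables-save}            # ip6tables-save for rules.v6
ROLLBACK_SECS=${ROLLBACK_SECS:-60}
CONFIRM=${CONFIRM:-/run/iptables-confirm}      # assumed path; any writable location works

# lint_rules FILE: return 1 (message on stderr) if FILE is not a plausible
# filter-table rule set. These are text checks only; the parser check follows.
lint_rules() {
    f=$1
    grep -q '^\*filter$' "$f" || { echo "lint: no *filter table" >&2; return 1; }
    grep -q '^COMMIT$' "$f"   || { echo "lint: no COMMIT" >&2; return 1; }
    # chain lines in the form iptables-save writes: ":CHAIN POLICY [pkts:bytes]"
    if grep '^:' "$f" | grep -Evq '^:[A-Za-z0-9_.-]+ (ACCEPT|DROP|-) \[[0-9]+:[0-9]+\]$'; then
        echo "lint: chain line not in ':CHAIN POLICY [0:0]' form" >&2; return 1
    fi
    grep -q '^:INPUT DROP ' "$f" || { echo "lint: INPUT policy is not DROP" >&2; return 1; }
    # without this rule, replies to the host's own connections are dropped too
    grep -q -- '--ctstate RELATED,ESTABLISHED' "$f" \
        || echo "lint: warning: no RELATED,ESTABLISHED accept in $f" >&2
    return 0
}

# schedule_rollback BACKUP CONFIRM SECS: background watchdog, returns at once.
schedule_rollback() {
    (
        sleep "$3"
        if [ -e "$2" ]; then
            rm -f "$2" "$1"                  # confirmed: keep new rules, drop backup
        else
            "$IPT_RESTORE" < "$1"            # not confirmed: put the old rules back
            rm -f "$1"
            echo "no confirmation within $3s, previous rule set restored" >&2
        fi
    ) &
}

# apply_with_rollback FILE: validate, save the live rules, load FILE, arm the watchdog.
apply_with_rollback() {
    f=$1
    lint_rules "$f" || return 1
    "$IPT_RESTORE" --test < "$f" || { echo "parser rejected $f" >&2; return 1; }
    backup=$(mktemp) || return 1
    "$IPT_SAVE" > "$backup" || return 1
    rm -f "$CONFIRM"
    "$IPT_RESTORE" < "$f" || { "$IPT_RESTORE" < "$backup"; return 1; }
    schedule_rollback "$backup" "$CONFIRM" "$ROLLBACK_SECS"
    echo "loaded $f; run 'touch $CONFIRM' from a fresh session within ${ROLLBACK_SECS}s or it is rolled back"
}

if [ $# -gt 0 ]; then
    apply_with_rollback "$1"
fi
```

Usage: apply_with_rollback /etc/iptables/rules.v4 as root, then open a second SSH session and touch the confirm file; if the new rules cut you off, the watchdog puts the previous rule set back by itself.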

ufw

ufw (Uncomplicated FireWall) is a frontend to iptables that generates a rather complicated set of iptables rules of its own. Use either ufw or the rules.v4/rules.v6 files above, not both: ufw enable loads ufw's rule set and iptables-restore replaces it again, so whichever runs last wins.

Configuration files are stored in /etc/ufw/; the defaults, including the IPV6=yes switch that the IPv6 variants of the rules below depend on, are in /etc/default/ufw.

By default ufw denies incoming (INPUT) and routed (FORWARD) traffic and allows outgoing (OUTPUT) traffic.

ufw enable / ufw disable
Enable/Disable the firewall rules. On a remote host, add an allow rule for SSH before enabling.
ufw allow proto tcp from 192.168.1.0/24 to any port 22
ufw allow proto tcp from fd8e:xxx:xxx:xxx::/64 to any port 22
Add a rule allowing port 22 (ssh) from a local subnet, both to the running rule set and to the ufw configuration files. IPv6 subnets work the same way, provided IPV6=yes is set in /etc/default/ufw.
ufw delete allow proto tcp from 192.168.1.0/24 to any port 22
Remove the rule allowing port 22 (ssh) from the local subnet, both from the running rule set and from the ufw configuration files.
ufw delete <rulenumber>
Delete the rule with number <rulenumber> (see below). Rules are renumbered after every deletion, so when removing several rules by number delete the highest number first, or re-run ufw status numbered between deletions.
ufw status numbered
Show the rule summary with rule numbers.
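Because the numbers shift after each deletion, removing several rules by number is safest highest-first. The following added example (not from the page) parses constructed ufw status numbered output for a pattern and prints the delete commands in that order; the function names and the sample addresses are the example's own, and --force is ufw's real option for skipping the confirmation prompt.

```shell
#!/bin/sh
# Added example, not from the wiki page: pick rule numbers out of
# 'ufw status numbered' and emit delete commands highest-first, so that
# earlier deletions do not renumber the rules still to be removed.

# Constructed sample in the layout 'ufw status numbered' prints; the
# addresses are documentation ranges, not the page's.
sample_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    192.168.1.0/24
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    2001:db8:1::/64
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# rule_numbers PATTERN: read status output on stdin and print the numbers of
# the rules whose line matches the extended regex PATTERN, highest first.
rule_numbers() {
    awk -v pat="$1" '
        /^\[ *[0-9]+\]/ && $0 ~ pat {
            n = $0
            sub(/^\[ */, "", n)     # strip "[ " (or "[")
            sub(/\].*/, "", n)      # strip "] ..." leaving the number
            print n
        }' | sort -rn
}

# delete_commands PATTERN: print the ufw commands to run (pipe into sh to
# execute them); --force skips the per-rule confirmation prompt.
delete_commands() {
    rule_numbers "$1" | while read -r n; do
        echo "ufw --force delete $n"
    done
}

if [ $# -gt 0 ]; then
    ufw status numbered | delete_commands "$1"
fi
```

Run as ./ufw-delete.sh '22/tcp' to see what would be deleted, and append | sh once the list looks right.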