Difference between revisions of "Iptables"


Revision as of 17:05, 9 February 2020

Manage firewall rules.

In Debian, the rules are stored in:


Fairly strict rules for an IPv4 webserver can be configured like this:

cat /etc/iptables/rules.v4
# iptables-save format: the table header and the closing COMMIT are required by iptables-restore
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -4 -i lo -j ACCEPT
# fill in the allowed management subnet after -s
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp -s --dport 22 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
COMMIT

cat /etc/iptables/rules.v6
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -6 -i lo -j ACCEPT
-A OUTPUT -6 -o lo -j ACCEPT
COMMIT

Loaded with iptables-restore < /etc/iptables/rules.v4 (and ip6tables-restore < /etc/iptables/rules.v6 for the IPv6 part), this results in:

iptables -nvL
Chain INPUT (policy DROP 100 packets, 27924 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19748 1436K ACCEPT     all  --  *      *              ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *             
   25  1800 ACCEPT     all  --  lo     *             
   84  5040 ACCEPT     tcp  --  *      *            ctstate NEW tcp dpt:22
    2    92 ACCEPT     tcp  --  *      *              ctstate NEW tcp dpt:80
    9   540 ACCEPT     tcp  --  *      *              ctstate NEW tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 35665 packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination        

ip6tables -nvL
Chain INPUT (policy DROP 14 packets, 2902 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13  2476 ACCEPT     all      lo     *       ::/0                 ::/0                

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 16 packets, 2134 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13  2476 ACCEPT     all      *      lo      ::/0                 ::/0
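As an added example (not part of this wiki page), a small Python checker that parses a rules.v4 file in the iptables-save format shown above and reports which INPUT ports are accepted without a source restriction and whether INPUT and FORWARD default to DROP. The sample file is constructed here; its SSH source subnet 192.0.2.0/24 is a placeholder, not the page's value.

```python
import shlex

# Option flags worth extracting from each -A line (last occurrence wins).
OPTS = {"-p": "proto", "-s": "src", "-i": "in", "--dport": "dport",
        "-j": "target", "--ctstate": "ctstate"}

# Constructed sample modelled on the page's rules.v4; 192.0.2.0/24 is a placeholder.
RULES_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp -s 192.0.2.0/24 --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
COMMIT
"""

def parse_filter(text):
    """Return ({chain: policy}, [rule dicts]) for the *filter table only."""
    policies, rules, table = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                       # iptables-restore ignores comments
        if line.startswith("*"):
            table = line[1:]               # table header, e.g. *filter
        elif line == "COMMIT":
            table = None                   # end of the current table
        elif table != "filter":
            continue                       # skip nat/mangle/raw tables
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy       # ":INPUT DROP [0:0]" -> DROP
        elif line.startswith("-A"):
            toks = shlex.split(line)
            rule = {OPTS[t]: toks[i + 1] for i, t in enumerate(toks) if t in OPTS}
            rule["chain"] = toks[1]
            rules.append(rule)
    return policies, rules

def audit(text):
    # Ports accepted on INPUT with no -s restriction, plus non-DROP default policies.
    policies, rules = parse_filter(text)
    findings = [f"{c} policy is {policies.get(c)}, expected DROP"
                for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    open_to_world = sorted(int(r["dport"]) for r in rules
                           if r["chain"] == "INPUT" and r.get("target") == "ACCEPT"
                           and "dport" in r and "src" not in r)
    return {"open_to_world": open_to_world, "findings": findings}
```

Run audit() over the real /etc/iptables/rules.v4 before iptables-restore to confirm only the web ports are reachable from everywhere.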


ufw (Uncomplicated Firewall) is a frontend to iptables that creates a pretty complicated set of firewall rules.

Configuration files are stored in /etc/ufw/.

By default the INPUT and FORWARD chains drop everything and the OUTPUT chain allows everything.

;ufw enable / ufw disable
:Enable or disable the firewall rules.
;ufw allow proto tcp from to any port 22
:Add a rule allowing port 22 (ssh) from a local subnet, both to the active rule set and to the ufw configuration files.
;ufw delete allow proto tcp from to any port 22
:Remove that rule from the active rule set and from the ufw configuration files.