Difference between revisions of "Iptables"

Revision as of 20:36, 5 April 2020

Manage firewall rules.

On Debian the rules are stored in:

/etc/iptables/rules.v4
/etc/iptables/rules.v6

A fairly strict rule set for an IPv4 web server can be configured like this:

cat /etc/iptables/rules.v4
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -4 -i lo -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
COMMIT

cat /etc/iptables/rules.v6
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -6 -i lo -j ACCEPT
-A OUTPUT -6 -o lo -j ACCEPT
COMMIT

After loading them with iptables-restore < /etc/iptables/rules.v4, the resulting chains look like this:

iptables -nvL
Chain INPUT (policy DROP 100 packets, 27924 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19748 1436K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   25  1800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   84  5040 ACCEPT     tcp  --  *      *       192.168.2.0/24       0.0.0.0/0            ctstate NEW tcp dpt:22
    2    92 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:80
    9   540 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:443

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 35665 packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination

The same for IPv6:

ip6tables-restore < /etc/iptables/rules.v6

ip6tables -nvL
Chain INPUT (policy DROP 14 packets, 2902 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13  2476 ACCEPT     all      lo     *       ::/0                 ::/0                

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 16 packets, 2134 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   13  2476 ACCEPT     all      *      lo      ::/0                 ::/0
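Both rules files above are plain iptables-restore input, so they can be checked offline before anything is loaded into the kernel. The following Python script is an added example and not part of the wiki page: it parses that format (the *table header, :CHAIN POLICY [pkts:bytes] lines, -A rule lines and COMMIT) and reports the checks a reviewer of a public web server's firewall looks for: INPUT and FORWARD default to DROP, loopback is accepted, conntrack RELATED,ESTABLISHED traffic is accepted, and SSH is not accepted from any source. The sample inputs are constructed (the strict IPv4 set from above and a deliberately weaker variant); the Rule and Table classes and the finding texts are the example's own.

```python
"""Offline audit of an iptables-restore rules file (rules.v4 / rules.v6 format).

Added example, not part of the wiki page. Parses *table, :CHAIN POLICY [c:c],
-A CHAIN ... and COMMIT lines, then checks the filter table for the properties
the strict web-server rule set above is meant to have. No iptables binary needed.
"""
import shlex
from dataclasses import dataclass, field


@dataclass
class Rule:
    chain: str
    args: list            # tokens following "-A CHAIN"

    def opt(self, *flags):
        """Value following any of the given flags (e.g. '-j'), or None."""
        for i, tok in enumerate(self.args):
            if tok in flags and i + 1 < len(self.args):
                return self.args[i + 1]
        return None


@dataclass
class Table:
    name: str
    policies: dict = field(default_factory=dict)   # chain -> default policy
    rules: list = field(default_factory=list)


def parse_rules(text):
    """Parse iptables-save/restore text into {table_name: Table}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("*"):
            current = tables.setdefault(line[1:], Table(line[1:]))
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]   # ":INPUT DROP [0:0]"
            current.policies[chain] = policy
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            current.rules.append(Rule(tokens[1], tokens[2:]))
        elif line == "COMMIT":
            current = None
    return tables


# Source values that mean "anywhere" (no -s given, or an all-zero IPv4/IPv6 prefix).
ANY_SOURCE = {None, "0.0.0.0/0", "0.0.0.0/0.0.0.0", "::/0"}


def audit_filter(tables):
    """Return a list of findings (strings); an empty list means all checks passed."""
    f = tables.get("filter")
    if f is None:
        return ["no *filter table"]
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if f.policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {f.policies.get(chain)}, expected DROP")
    inp = [r for r in f.rules if r.chain == "INPUT"]
    if not any(r.opt("-i", "--in-interface") == "lo" and r.opt("-j") == "ACCEPT" for r in inp):
        findings.append("no INPUT rule accepting loopback (-i lo)")
    if not any("ESTABLISHED" in (r.opt("--ctstate") or "") and r.opt("-j") == "ACCEPT" for r in inp):
        findings.append("no conntrack RELATED,ESTABLISHED accept in INPUT")
    for r in inp:
        if (r.opt("-j") == "ACCEPT" and r.opt("--dport", "--destination-port") == "22"
                and r.opt("-s", "--source") in ANY_SOURCE):
            findings.append("SSH (tcp/22) accepted from any source; restrict with -s")
    return findings


# Constructed sample: the strict IPv4 web-server rules shown on this page.
STRICT_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -4 -i lo -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed weaker variant: ACCEPT policy, no loopback/conntrack rules, SSH open to all.
WEAK_V4 = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for name, text in (("strict", STRICT_V4), ("weak", WEAK_V4)):
        print(name, audit_filter(parse_rules(text)) or ["OK"])
```

The same parser handles rules.v6, since the format is identical; only the "anywhere" source for IPv6 is ::/0, which ANY_SOURCE already covers. Running the script on the strict set reports OK, and on the weak variant lists the four weaknesses.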

ufw

ufw (Uncomplicated Firewall) is a frontend to iptables that generates a rather complicated set of firewall rules.

Configuration files are stored in /etc/ufw/

By default the INPUT and FORWARD chains drop everything and the OUTPUT chain allows everything.

ufw enable / ufw disable
    Enable or disable the firewall rules.

ufw allow proto tcp from 192.168.1.0/24 to any port 22
    Add a rule allowing TCP port 22 (SSH) from a local subnet, both to the active rule set and to the ufw configuration files.

ufw delete allow proto tcp from 192.168.1.0/24 to any port 22
    Remove that rule again, both from the active rule set and from the ufw configuration files.