Iptables
Revision as of 17:42, 22 September 2018
Manage firewall rules.
In Debian the rules are loaded from:
 /etc/iptables/rules.v4
 /etc/iptables/rules.v6
Pretty strict rules for an IPv4 webserver are configured like this:
 cat /etc/iptables/rules.v4
 *filter
 :INPUT DROP -4 [0:0]
 :FORWARD DROP -4 [0:0]
 :OUTPUT ACCEPT -4 [0:0]
 -A INPUT -4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -4 -p icmp -j ACCEPT
 -A INPUT -4 -i lo -j ACCEPT
 -A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
 -A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
 -A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
 COMMIT

 cat /etc/iptables/rules.v6
 *filter
 :INPUT DROP -6 [0:0]
 :FORWARD DROP -6 [0:0]
 :OUTPUT DROP -6 [0:0]
 -A INPUT -6 -i lo -j ACCEPT
 -A OUTPUT -6 -o lo -j ACCEPT
 COMMIT
They result in:
 iptables -nvL
 Chain INPUT (policy DROP 100 packets, 27924 bytes)
  pkts bytes target prot opt in  out source          destination
 19748 1436K ACCEPT all  --  *   *   0.0.0.0/0       0.0.0.0/0   ctstate RELATED,ESTABLISHED
     0     0 ACCEPT icmp --  *   *   0.0.0.0/0       0.0.0.0/0
    25  1800 ACCEPT all  --  lo  *   0.0.0.0/0       0.0.0.0/0
    84  5040 ACCEPT tcp  --  *   *   192.168.2.0/24  0.0.0.0/0   ctstate NEW tcp dpt:22
     2    92 ACCEPT tcp  --  *   *   0.0.0.0/0       0.0.0.0/0   ctstate NEW tcp dpt:80
     9   540 ACCEPT tcp  --  *   *   0.0.0.0/0       0.0.0.0/0   ctstate NEW tcp dpt:443

 Chain FORWARD (policy DROP 0 packets, 0 bytes)
  pkts bytes target prot opt in  out source          destination

 Chain OUTPUT (policy ACCEPT 35665 packets, 49M bytes)
  pkts bytes target prot opt in  out source          destination

 ip6tables -nvL
 Chain INPUT (policy DROP 14 packets, 2902 bytes)
  pkts bytes target prot opt in  out source  destination
    13  2476 ACCEPT all      lo  *   ::/0    ::/0

 Chain FORWARD (policy DROP 0 packets, 0 bytes)
  pkts bytes target prot opt in  out source  destination

 Chain OUTPUT (policy DROP 16 packets, 2134 bytes)
  pkts bytes target prot opt in  out source  destination
    13  2476 ACCEPT all      *   lo  ::/0    ::/0
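As an added example (not part of the original page), the following Python script parses the iptables-save format used by rules.v4 and rules.v6 and audits a ruleset against an expected set of default policies and inbound services. This is a useful check before deploying a file with iptables-restore or committing it to configuration management. The function names (parse_ruleset, open_services, audit) are my own; the embedded rulesets are copied from the page as constructed sample input, and negated matches (`!`) are not handled.

```python
"""Audit an iptables-save style ruleset (the format of Debian's
/etc/iptables/rules.v4 and rules.v6). Example code, not part of iptables."""
import shlex

# Constructed sample input: the IPv4 web-server ruleset shown above.
RULES_V4 = """\
*filter
:INPUT DROP -4 [0:0]
:FORWARD DROP -4 [0:0]
:OUTPUT ACCEPT -4 [0:0]
-A INPUT -4 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -4 -p icmp -j ACCEPT
-A INPUT -4 -i lo -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp -s 192.168.2.0/24 --dport 22 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -4 -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Constructed sample input: the IPv6 ruleset shown above (loopback only).
RULES_V6 = """\
*filter
:INPUT DROP -6 [0:0]
:FORWARD DROP -6 [0:0]
:OUTPUT DROP -6 [0:0]
-A INPUT -6 -i lo -j ACCEPT
-A OUTPUT -6 -o lo -j ACCEPT
COMMIT
"""

# Short iptables flags mapped to readable keys.
SHORT_FLAGS = {"p": "proto", "s": "source", "d": "dest", "i": "in", "o": "out"}


def parse_rule(tokens):
    """Turn the tokens of an '-A CHAIN ...' line into a dict of matches."""
    rule = {"chain": tokens[1], "family": None, "target": None, "matches": {}}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-4", "-6"):          # address family marker
            rule["family"] = tok
            i += 1
        elif tok == "-m":                # match extension name; its options follow
            i += 2
        elif tok == "-j":                # jump target
            rule["target"] = tokens[i + 1]
            i += 2
        elif tok.startswith("-"):        # generic "--opt value" / "-x value"
            key = tok.lstrip("-")
            rule["matches"][SHORT_FLAGS.get(key, key)] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return rule


def parse_ruleset(text):
    """Return {table: {"policies": {chain: policy}, "rules": [rule, ...]}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # table header, e.g. *filter
            table = line[1:]
            tables[table] = {"policies": {}, "rules": []}
        elif line.startswith(":"):                     # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A"):
            tables[table]["rules"].append(parse_rule(shlex.split(line)))
    return tables


def open_services(tables, table="filter"):
    """Inbound ACCEPT rules keyed on a destination port: (proto, port, source)."""
    services = []
    for r in tables[table]["rules"]:
        m = r["matches"]
        if r["chain"] == "INPUT" and r["target"] == "ACCEPT" and "dport" in m:
            any_src = "::/0" if r["family"] == "-6" else "0.0.0.0/0"
            services.append((m.get("proto"), int(m["dport"]), m.get("source", any_src)))
    return services


def audit(tables, expected_policies, allowed_services, table="filter"):
    """Return a list of findings; an empty list means the ruleset matches expectations."""
    findings = []
    policies = tables[table]["policies"]
    for chain, want in expected_policies.items():
        if policies.get(chain) != want:
            findings.append(f"{chain} policy is {policies.get(chain)}, expected {want}")
    for svc in open_services(tables, table):
        if svc not in allowed_services:
            findings.append(f"unexpected inbound service {svc}")
    return findings


if __name__ == "__main__":
    v4 = parse_ruleset(RULES_V4)
    print(open_services(v4))
    print(audit(v4, {"INPUT": "DROP", "FORWARD": "DROP"},
                [("tcp", 22, "192.168.2.0/24"), ("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0")]))
```

Running the audit over the IPv6 file reports no inbound services at all, which matches the ruleset's intent: with INPUT and OUTPUT both defaulting to DROP and only loopback accepted, the host does not talk IPv6 to anyone. For a real deployment the same parse-and-audit step can run in CI against the rules files before iptables-restore is invoked on the host.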