Iptables

Yet another post

[[Wiki]]

h1. Iptables

  • https://help.ubuntu.com/community/IptablesHowTo

h2. Configuration

  • http://www.microhowto.info/howto/make_the_configuration_of_iptables_persistent_on_debian.html
# Make it easy to perist iptables, answer no on saving current iptables
sudo apt-get install iptables-persistent

# Save current rules, just to see the result
iptables-save > /etc/iptables/rules.current

cat /etc/iptables/rules.current

Some rules to start with:

sudo nano  /etc/iptables/rules.v4

# Generated by iptables-save v1.4.10 on Sat Apr 28 07:39:31 2012
*nat
:PREROUTING ACCEPT [87:11378]
:INPUT ACCEPT [85:11258]
:OUTPUT ACCEPT [89:6908]
:POSTROUTING ACCEPT [89:6908]
COMMIT
# Completed on Sat Apr 28 07:39:31 2012
# Generated by iptables-save v1.4.10 on Sat Apr 28 07:39:31 2012
*mangle
:PREROUTING ACCEPT [1471:616907]
:INPUT ACCEPT [1471:616907]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1070:217295]
:POSTROUTING ACCEPT [1070:217295]
COMMIT
# Completed on Sat Apr 28 07:39:31 2012
# Generated by iptables-save v1.4.10 on Sat Apr 28 07:39:31 2012
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [40:4725]
-A INPUT -i lo -j ACCEPT 
-A INPUT -p udp -m udp --dport 8014 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8013 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8012 -j ACCEPT 
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 
-A INPUT -p udp -m udp --dport 8014 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8013 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 8012 -j ACCEPT 
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT 
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT 
-A INPUT -j DROP 
COMMIT
# Completed on Sat Apr 28 07:39:31 2012


reboot

# Check that the rule have been loaded

iptables -L -v

h2. Create rules from scratch

# List current rules
iptables -L -v

# Allow established connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow SSH traffic
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT

# Allow web traffic
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Drop everything else
sudo iptables -A INPUT -j DROP

# Insert a rule first that allows connections to loopback
sudo iptables -I INPUT 1 -i lo -j ACCEPT

# Log traffic that has been dropped
sudo iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

Save the tables for boot:

iptables-save > /etc/iptables/rules.v4

cat /etc/iptables/rules.v4

# Check that is has been saved
reboot

h2. Example for CentOs

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 81 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 389 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 8000 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 10000 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Generated by webmin
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed
# Generated by webmin
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed