IPTables: Difference between revisions
Content added Content deleted
m (br-toc) |
|||
| (15 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
<br /> |
<br /> |
||
=Internet Connection Sharing using UFW= |
|||
sudo apt-get install ufw |
|||
sudo ufw enable |
|||
sudo ufw allow from 192.168.1.0/29 |
|||
= IPTables = |
|||
sudo nano /etc/default/ufw |
|||
DEFAULT_FORWARD_POLICY="ACCEPT" |
|||
== Adding Rules == |
|||
sudo nano /etc/ufw/sysctl.conf |
|||
net/ipv4/ip_forward=1 |
|||
net/ipv6/conf/default/forwarding=1 |
|||
Allow SSH |
|||
sudo nano /etc/ufw/before.rules |
|||
iptables -A INPUT -p tcp --dport ssh -j ACCEPT |
|||
Allow incoming web traffic |
|||
Add rules for nat table |
|||
iptables -A INPUT -p tcp --dport 80 -j ACCEPT |
|||
*nat |
|||
:POSTROUTING ACCEPT [0:0] |
|||
Forward traffic from eth0 through ppp0 |
|||
-A POSTROUTING -s 192.168.1.0/29 -o ppp0 -j MASQUERADE |
|||
Commit preceding nat table rules |
|||
COMMIT |
|||
Blocking Traffic |
|||
sudo service ufw restart |
|||
iptables -A INPUT -j DROP |
|||
iptables -A INPUT -i ens160 -s 10.140.198.7 -j DROP |
|||
Allow loopback |
|||
iptables -I INPUT 1 -i lo -j ACCEPT |
|||
== Reporting == |
|||
List rules |
|||
iptables -L |
|||
iptables -L --line-numbers |
|||
Logging |
|||
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 |
|||
Check Stats |
|||
iptables -nvL |
|||
Reset Packet Counts and Aggregate Size: |
|||
iptables -Z |
|||
== Deleting Rules == |
|||
Delete a Rule |
|||
iptables -D INPUT -p tcp --dport 80 -j ACCEPT |
|||
iptables -D INPUT -i ens160 -s 10.140.198.7 -j DROP |
|||
Delete by Rule Number |
|||
iptables -D INPUT 3 # Chain name = INPUT |
|||
Flush Chain |
|||
iptables --flush MYCHAIN |
|||
Flush Iptables |
|||
iptables -F |
|||
Delete Empty Chain |
|||
iptables -X MYCHAIN |
|||
== Saving Rules == |
|||
Export rules |
|||
iptables-save > /etc/iptables.conf |
|||
Restore them on every reboot |
|||
sudo nano /etc/rc.local |
|||
iptables-restore < /etc/iptables.conf |
|||
= UFW = |
|||
== Basic Usage == |
|||
=UFW/GUFW= |
|||
Installation |
Installation |
||
sudo apt-get install ufw |
|||
sudo apt-get install gufw |
sudo apt-get install gufw |
||
sudo ufw enable |
|||
gufw |
gufw |
||
| Line 40: | Line 79: | ||
To add firewall rules: |
To add firewall rules: |
||
sudo ufw deny 5353/udp |
|||
sudo ufw deny 5900/tcp |
|||
sudo ufw deny 22 |
sudo ufw deny 22 |
||
sudo ufw deny 25/tcp |
sudo ufw deny 25/tcp |
||
sudo ufw deny 5353/udp |
|||
sudo ufw deny 135,139,445/tcp |
sudo ufw deny 135,139,445/tcp |
||
sudo ufw deny 137,138/udp |
sudo ufw deny 137,138/udp |
||
sudo ufw deny from 192.168.1.5 to any # Block specific IP address |
|||
sudo ufw deny 110 |
|||
sudo ufw deny from 202.54.1.5 to any port 80 # Block specific IP and port number i.e Block Spammers |
|||
sudo ufw deny 2049 |
|||
sudo ufw deny proto tcp from 202.54.1.1 to any port 22 # Deny specific IP, port number, and protocol |
|||
sudo ufw deny 143 |
|||
sudo ufw deny |
sudo ufw deny proto tcp from 202.54.1.0/24 to any port 22 # Block Subnet |
||
Add a Rule to the Top of the List: |
|||
Re-check your changes: |
|||
sudo ufw insert 1 deny from 202.54.1.0/24 comment 'Block DoS attack subnet' |
|||
Delete Specific Rules: |
|||
sudo ufw status numbered |
|||
sudo ufw delete 4 |
|||
Confirm your changes: |
|||
sudo ufw status verbose |
sudo ufw status verbose |
||
sudo ufw status numbered |
|||
sudo ufw show added |
|||
sudo ufw show listening |
|||
sudo ufw show builtins |
|||
sudo ufw show before-rules |
|||
sudo ufw show user-rules |
|||
sudo ufw show after-rules |
|||
sudo ufw show logging-rules |
|||
Manage Application Traffic: |
|||
sudo ufw app list |
|||
sudo ufw app info Samba |
|||
sudo ufw allow from 192.168.1.0/24 to any app Samba |
|||
Rate Limiting: |
|||
sudo ufw limit 53/udp |
|||
sudo iptables -L | grep domain |
|||
Check Stats: |
|||
sudo ufw show raw |
|||
Re-check enable (required): |
Re-check enable (required): |
||
sudo ufw enable |
sudo ufw enable |
||
Reset UFW: |
|||
<br /> |
|||
sudo ufw reset |
|||
= Receive the UDP multicast traffic= |
|||
== Receive the UDP multicast traffic == |
|||
sudo ufw allow in proto udp to 224.0.0.0/4 |
sudo ufw allow in proto udp to 224.0.0.0/4 |
||
sudo ufw allow in proto udp from 224.0.0.0/4 |
sudo ufw allow in proto udp from 224.0.0.0/4 |
||
| Line 72: | Line 139: | ||
<br /> |
<br /> |
||
=One-Liners= |
|||
== Internet Connection Sharing using UFW == |
|||
{| class="wikitable" |
|||
sudo ufw allow from 192.168.1.0/29 |
|||
|- |
|||
! Task !! Command |
|||
sudo nano /etc/default/ufw |
|||
|- |
|||
DEFAULT_FORWARD_POLICY="ACCEPT" |
|||
| List rules || iptables -L |
|||
|- |
|||
sudo nano /etc/ufw/sysctl.conf |
|||
| Allow SSH || iptables -A INPUT -p tcp --dport ssh -j ACCEPT |
|||
net/ipv4/ip_forward=1 |
|||
|- |
|||
net/ipv6/conf/default/forwarding=1 |
|||
| Allow incoming web traffic || iptables -A INPUT -p tcp --dport 80 -j ACCEPT |
|||
|- |
|||
sudo nano /etc/ufw/before.rules |
|||
| Blocking Traffic || iptables -A INPUT -j DROP |
|||
|- |
|||
Add rules for nat table |
|||
| Allow loopback || iptables -I INPUT 1 -i lo -j ACCEPT |
|||
*nat |
|||
|- |
|||
:POSTROUTING ACCEPT [0:0] |
|||
| Logging || iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 |
|||
|- |
|||
Forward traffic from eth0 through ppp0 |
|||
| Saving rules || iptables-save<br />iptables-restore |
|||
-A POSTROUTING -s 192.168.1.0/29 -o ppp0 -j MASQUERADE |
|||
|- |
|||
| Stop iptables || iptables -F |
|||
Commit preceding nat table rules |
|||
|} |
|||
COMMIT |
|||
<br /> |
|||
sudo service ufw restart |
|||
Latest revision as of 16:48, 18 November 2020
IPTables
Adding Rules
Allow SSH
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Allow incoming web traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Blocking Traffic
iptables -A INPUT -j DROP iptables -A INPUT -i ens160 -s 10.140.198.7 -j DROP
Allow loopback
iptables -I INPUT 1 -i lo -j ACCEPT
Reporting
List rules
iptables -L iptables -L --line-numbers
Logging
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Check Stats
iptables -nvL
Reset Packet Counts and Aggregate Size:
iptables -Z
Deleting Rules
Delete a Rule
iptables -D INPUT -p tcp --dport 80 -j ACCEPT iptables -D INPUT -i ens160 -s 10.140.198.7 -j DROP
Delete by Rule Number
iptables -D INPUT 3 # Chain name = INPUT
Flush Chain
iptables --flush MYCHAIN
Flush Iptables
iptables -F
Delete Empty Chain
iptables -X MYCHAIN
Saving Rules
Export rules
iptables-save > /etc/iptables.conf
Restore them on every reboot
sudo nano /etc/rc.local iptables-restore < /etc/iptables.conf
UFW
Basic Usage
Installation
sudo apt-get install ufw sudo apt-get install gufw sudo ufw enable gufw
To check your current settings:
sudo ufw status verbose
To add firewall rules:
sudo ufw deny 22 sudo ufw deny 25/tcp sudo ufw deny 5353/udp sudo ufw deny 135,139,445/tcp sudo ufw deny 137,138/udp sudo ufw deny from 192.168.1.5 to any # Block specific IP address sudo ufw deny from 202.54.1.5 to any port 80 # Block specific IP and port number i.e Block Spammers sudo ufw deny proto tcp from 202.54.1.1 to any port 22 # Deny specific IP, port number, and protocol sudo ufw deny proto tcp from 202.54.1.0/24 to any port 22 # Block Subnet
Add a Rule to the Top of the List:
sudo ufw insert 1 deny from 202.54.1.0/24 comment 'Block DoS attack subnet'
Delete Specific Rules:
sudo ufw status numbered sudo ufw delete 4
Confirm your changes:
sudo ufw status verbose sudo ufw status numbered sudo ufw show added sudo ufw show listening sudo ufw show builtins sudo ufw show before-rules sudo ufw show user-rules sudo ufw show after-rules sudo ufw show logging-rules
Manage Application Traffic:
sudo ufw app list sudo ufw app info Samba sudo ufw allow from 192.168.1.0/24 to any app Samba
Rate Limiting:
sudo ufw limit 53/udp sudo iptables -L | grep domain
Check Stats:
sudo ufw show raw
Re-check enable (required):
sudo ufw enable
Reset UFW:
sudo ufw reset
Receive the UDP multicast traffic
sudo ufw allow in proto udp to 224.0.0.0/4 sudo ufw allow in proto udp from 224.0.0.0/4
This will take care of the coming and going UDP packets, but you also need to allow IGMP packets through:
sudo nano /etc/ufw/before.rules
and add the following lines somewhere before the COMMIT line:
# allow IGMP -A ufw-before-input -p igmp -d 224.0.0.0/4 -j ACCEPT -A ufw-before-output -p igmp -d 224.0.0.0/4 -j ACCEPT
Internet Connection Sharing using UFW
sudo ufw allow from 192.168.1.0/29
sudo nano /etc/default/ufw DEFAULT_FORWARD_POLICY="ACCEPT"
sudo nano /etc/ufw/sysctl.conf net/ipv4/ip_forward=1 net/ipv6/conf/default/forwarding=1
sudo nano /etc/ufw/before.rules
Add rules for nat table
*nat :POSTROUTING ACCEPT [0:0]
Forward traffic from eth0 through ppp0
-A POSTROUTING -s 192.168.1.0/29 -o ppp0 -j MASQUERADE
Commit preceding nat table rules
COMMIT
sudo service ufw restart
{{#widget:DISQUS |id=networkm |uniqid=IPTables |url=https://aman.awiki.org/wiki/IPTables }}