IPTables: Difference between revisions

← Older edit

IPTables (view source)

Revision as of 16:48, 18 November 2020

1,475 bytes added , 3 years ago

→‎Basic Usage

Amanjosan2008

Bureaucrats, Administrators

4,400

edits

Revision as of 19:16, 25 August 2016 (view source) Amanjosan2008 (talk \| contribs) m (Protected "IPTables" ([Edit=Allow only logged in users] (indefinite) [Move=Allow only logged in users] (indefinite) [Delete=Allow only logged in users] (indefinite))) ← Older edit		Latest revision as of 16:48, 18 November 2020 (view source) Amanjosan2008 (talk \| contribs) (→‎Basic Usage)
(13 intermediate revisions by the same user not shown)
Line 5: <br /> ~~=Internet Connection Sharing using UFW=~~ ~~sudo apt-get install ufw~~ ~~sudo ufw enable~~ ~~sudo ufw allow from 192.168.1.0/29~~ = IPTables = ~~sudo nano /etc/default/ufw~~ ~~DEFAULT_FORWARD_POLICY="ACCEPT"~~ == Adding Rules == ~~sudo nano /etc/ufw/sysctl.conf~~ ~~net/ipv4/ip_forward=1~~ ~~net/ipv6/conf/default/forwarding=1~~ Allow SSH ~~sudo nano /etc/ufw/before.rules~~ iptables -A INPUT -p tcp --dport ssh -j ACCEPT Allow incoming web traffic ~~Add rules for nat table~~ iptables -A INPUT -p tcp --dport 80 -j ACCEPT nat ~~:POSTROUTING ACCEPT [0:0]~~ ~~Forward traffic from eth0 through ppp0~~ ~~-A POSTROUTING -s 192.168.1.0/29 -o ppp0 -j MASQUERADE~~ ~~Commit preceding nat table rules~~ ~~COMMIT~~ Blocking Traffic ~~sudo service ufw restart~~ iptables -A INPUT -j DROP iptables -A INPUT -i ens160 -s 10.140.198.7 -j DROP Allow loopback iptables -I INPUT 1 -i lo -j ACCEPT == Reporting == List rules iptables -L iptables -L --line-numbers Logging iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 Check Stats iptables -nvL Reset Packet Counts and Aggregate Size: iptables -Z == Deleting Rules == Delete a Rule iptables -D INPUT -p tcp --dport 80 -j ACCEPT iptables -D INPUT -i ens160 -s 10.140.198.7 -j DROP Delete by Rule Number iptables -D INPUT 3 # Chain name = INPUT Flush Chain iptables --flush MYCHAIN Flush Iptables iptables -F Delete Empty Chain iptables -X MYCHAIN == Saving Rules == Export rules iptables-save > /etc/iptables.conf Restore them on every reboot sudo nano /etc/rc.local iptables-restore < /etc/iptables.conf = UFW = == Basic Usage == ~~=UFW/GUFW=~~ Installation sudo apt-get install ufw sudo apt-get install gufw sudo ufw enable gufw Line 40 ⟶ 79: To add firewall rules: ~~sudo ufw deny 5353/udp~~ ~~sudo ufw deny 5900/tcp~~ sudo ufw deny 22 sudo ufw deny 25/tcp sudo ufw deny 5353/udp sudo ufw deny 135,139,445/tcp sudo ufw deny 137,138/udp sudo ufw deny from 192.168.1.5 to any # Block specific IP address ~~sudo ufw deny 110~~ sudo ufw deny from 202.54.1.5 to any port 80 # Block specific IP and port number i.e Block Spammers ~~sudo ufw deny 2049~~ sudo ufw deny proto tcp from 202.54.1.1 to any port 22 # Deny specific IP, port number, and protocol ~~sudo ufw deny 143~~ sudo ufw deny ~~21/~~proto tcp from 202.54.1.0/24 to any port 22 # Block Subnet Add a Rule to the Top of the List: ~~Re-check your changes:~~ sudo ufw insert 1 deny from 202.54.1.0/24 comment 'Block DoS attack subnet' Delete Specific Rules: sudo ufw status numbered sudo ufw delete 4 Confirm your changes: sudo ufw status verbose sudo ufw status numbered sudo ufw show added sudo ufw show listening sudo ufw show builtins sudo ufw show before-rules sudo ufw show user-rules sudo ufw show after-rules sudo ufw show logging-rules Manage Application Traffic: sudo ufw app list sudo ufw app info Samba sudo ufw allow from 192.168.1.0/24 to any app Samba Rate Limiting: sudo ufw limit 53/udp sudo iptables -L \| grep domain Check Stats: sudo ufw show raw Re-check enable (required): sudo ufw enable Reset UFW: ~~<br />~~ sudo ufw reset ~~= Receive the UDP multicast traffic=~~ == Receive the UDP multicast traffic == sudo ufw allow in proto udp to 224.0.0.0/4 sudo ufw allow in proto udp from 224.0.0.0/4 Line 72 ⟶ 139: <br /> ~~=One-Liners=~~ == Internet Connection Sharing using UFW == ~~{\| class="wikitable"~~ sudo ufw allow from 192.168.1.0/29 \|- ~~! Task !! Command~~ sudo nano /etc/default/ufw \|- DEFAULT_FORWARD_POLICY="ACCEPT" ~~\| List rules \|\| iptables -L~~ \|- sudo nano /etc/ufw/sysctl.conf ~~\| Allow SSH \|\| iptables -A INPUT -p tcp --dport ssh -j ACCEPT~~ net/ipv4/ip_forward=1 \|- net/ipv6/conf/default/forwarding=1 ~~\| Allow incoming web traffic \|\| iptables -A INPUT -p tcp --dport 80 -j ACCEPT~~ \|- sudo nano /etc/ufw/before.rules ~~\| Blocking Traffic \|\| iptables -A INPUT -j DROP~~ \|- Add rules for nat table ~~\| Allow loopback \|\| iptables -I INPUT 1 -i lo -j ACCEPT~~ nat \|- :POSTROUTING ACCEPT [0:0] ~~\| Logging \|\| iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7~~ \|- Forward traffic from eth0 through ppp0 ~~\| Saving rules \|\| iptables-save<br />iptables-restore~~ -A POSTROUTING -s 192.168.1.0/29 -o ppp0 -j MASQUERADE \|- ~~\| Stop iptables \|\| iptables -F~~ Commit preceding nat table rules \|} COMMIT ~~<br />~~ sudo service ufw restart