IPTables: Difference between revisions
(→UFW) |
|||
(11 intermediate revisions by the same user not shown) | |||
Line 8: | Line 8: | ||
= IPTables = |
= IPTables = |
||
== Adding Rules == |
|||
⚫ | |||
⚫ | |||
Allow SSH |
Allow SSH |
||
Line 23: | Line 22: | ||
Allow loopback |
Allow loopback |
||
iptables -I INPUT 1 -i lo -j ACCEPT |
iptables -I INPUT 1 -i lo -j ACCEPT |
||
== Reporting == |
|||
⚫ | |||
⚫ | |||
iptables -L --line-numbers |
|||
Logging |
Logging |
||
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 |
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 |
||
Check Stats |
|||
⚫ | |||
iptables- |
iptables -nvL |
||
⚫ | |||
Reset Packet Counts and Aggregate Size: |
|||
Stop iptables |
|||
⚫ | |||
== Deleting Rules == |
|||
Delete a Rule |
|||
iptables -D INPUT -p tcp --dport 80 -j ACCEPT |
|||
iptables -D INPUT -i ens160 -s 10.140.198.7 -j DROP |
|||
Delete by Rule Number |
|||
iptables -D INPUT 3 # Chain name = INPUT |
|||
Flush Chain |
|||
iptables --flush MYCHAIN |
|||
Flush Iptables |
|||
iptables -F |
iptables -F |
||
Delete Empty Chain |
|||
iptables -X MYCHAIN |
|||
== Saving Rules == |
|||
⚫ | |||
iptables-save > /etc/iptables.conf |
|||
Restore them on every reboot |
|||
sudo nano /etc/rc.local |
|||
iptables-restore < /etc/iptables.conf |
|||
= UFW = |
= UFW = |
||
== Basic Usage == |
|||
Installation |
Installation |
||
Line 56: | Line 88: | ||
sudo ufw deny proto tcp from 202.54.1.1 to any port 22 # Deny specific IP, port number, and protocol |
sudo ufw deny proto tcp from 202.54.1.1 to any port 22 # Deny specific IP, port number, and protocol |
||
sudo ufw deny proto tcp from 202.54.1.0/24 to any port 22 # Block Subnet |
sudo ufw deny proto tcp from 202.54.1.0/24 to any port 22 # Block Subnet |
||
Add a Rule to the Top of the List: |
|||
sudo ufw insert 1 deny from 202.54.1.0/24 comment 'Block DoS attack subnet' |
|||
Delete Specific Rules: |
Delete Specific Rules: |
||
Line 64: | Line 99: | ||
sudo ufw status verbose |
sudo ufw status verbose |
||
sudo ufw status numbered |
sudo ufw status numbered |
||
sudo ufw show added |
|||
sudo ufw show listening |
|||
sudo ufw show builtins |
|||
sudo ufw show before-rules |
|||
sudo ufw show user-rules |
|||
sudo ufw show after-rules |
|||
sudo ufw show logging-rules |
|||
Manage Application Traffic: |
|||
sudo ufw app list |
|||
sudo ufw app info Samba |
|||
sudo ufw allow from 192.168.1.0/24 to any app Samba |
|||
Rate Limiting: |
|||
sudo ufw limit 53/udp |
|||
sudo iptables -L | grep domain |
|||
Check Stats: |
|||
sudo ufw show raw |
|||
Re-check enable (required): |
Re-check enable (required): |
||
sudo ufw enable |
sudo ufw enable |
||
Reset UFW: |
|||
sudo ufw reset |
|||
== Receive the UDP multicast traffic == |
== Receive the UDP multicast traffic == |
Latest revision as of 16:48, 18 November 2020
IPTables
Adding Rules
Allow SSH
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Allow incoming web traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Blocking Traffic
iptables -A INPUT -j DROP iptables -A INPUT -i ens160 -s 10.140.198.7 -j DROP
Allow loopback
iptables -I INPUT 1 -i lo -j ACCEPT
Reporting
List rules
iptables -L iptables -L --line-numbers
Logging
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Check Stats
iptables -nvL
Reset Packet Counts and Aggregate Size:
iptables -Z
Deleting Rules
Delete a Rule
iptables -D INPUT -p tcp --dport 80 -j ACCEPT iptables -D INPUT -i ens160 -s 10.140.198.7 -j DROP
Delete by Rule Number
iptables -D INPUT 3 # Chain name = INPUT
Flush Chain
iptables --flush MYCHAIN
Flush Iptables
iptables -F
Delete Empty Chain
iptables -X MYCHAIN
Saving Rules
Export rules
iptables-save > /etc/iptables.conf
Restore them on every reboot
sudo nano /etc/rc.local iptables-restore < /etc/iptables.conf
UFW
Basic Usage
Installation
sudo apt-get install ufw sudo apt-get install gufw sudo ufw enable gufw
To check your current settings:
sudo ufw status verbose
To add firewall rules:
sudo ufw deny 22 sudo ufw deny 25/tcp sudo ufw deny 5353/udp sudo ufw deny 135,139,445/tcp sudo ufw deny 137,138/udp sudo ufw deny from 192.168.1.5 to any # Block specific IP address sudo ufw deny from 202.54.1.5 to any port 80 # Block specific IP and port number i.e Block Spammers sudo ufw deny proto tcp from 202.54.1.1 to any port 22 # Deny specific IP, port number, and protocol sudo ufw deny proto tcp from 202.54.1.0/24 to any port 22 # Block Subnet
Add a Rule to the Top of the List:
sudo ufw insert 1 deny from 202.54.1.0/24 comment 'Block DoS attack subnet'
Delete Specific Rules:
sudo ufw status numbered sudo ufw delete 4
Confirm your changes:
sudo ufw status verbose sudo ufw status numbered sudo ufw show added sudo ufw show listening sudo ufw show builtins sudo ufw show before-rules sudo ufw show user-rules sudo ufw show after-rules sudo ufw show logging-rules
Manage Application Traffic:
sudo ufw app list sudo ufw app info Samba sudo ufw allow from 192.168.1.0/24 to any app Samba
Rate Limiting:
sudo ufw limit 53/udp sudo iptables -L | grep domain
Check Stats:
sudo ufw show raw
Re-check enable (required):
sudo ufw enable
Reset UFW:
sudo ufw reset
Receive the UDP multicast traffic
sudo ufw allow in proto udp to 224.0.0.0/4 sudo ufw allow in proto udp from 224.0.0.0/4
This will take care of the coming and going UDP packets, but you also need to allow IGMP packets through:
sudo nano /etc/ufw/before.rules
and add the following lines somewhere before the COMMIT line:
# allow IGMP -A ufw-before-input -p igmp -d 224.0.0.0/4 -j ACCEPT -A ufw-before-output -p igmp -d 224.0.0.0/4 -j ACCEPT
Internet Connection Sharing using UFW
sudo ufw allow from 192.168.1.0/29
sudo nano /etc/default/ufw DEFAULT_FORWARD_POLICY="ACCEPT"
sudo nano /etc/ufw/sysctl.conf net/ipv4/ip_forward=1 net/ipv6/conf/default/forwarding=1
sudo nano /etc/ufw/before.rules
Add rules for nat table
*nat :POSTROUTING ACCEPT [0:0]
Forward traffic from eth0 through ppp0
-A POSTROUTING -s 192.168.1.0/29 -o ppp0 -j MASQUERADE
Commit preceding nat table rules
COMMIT
sudo service ufw restart
{{#widget:DISQUS |id=networkm |uniqid=IPTables |url=https://aman.awiki.org/wiki/IPTables }}