IPTables: Difference between revisions
Revision as of 16:59, 26 July 2018
IPTables
List rules
iptables -L
Allow SSH
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Allow incoming web traffic
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Blocking Traffic
iptables -A INPUT -j DROP
iptables -A INPUT -i ens160 -s 10.140.198.7 -j DROP
Note that -A appends to the end of the chain and rules are evaluated top to bottom, so the catch-all DROP must be appended after the ACCEPT rules you want to keep, and a DROP for a specific source appended after the catch-all is never reached.
Allow loopback
iptables -I INPUT 1 -i lo -j ACCEPT
Logging
iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Saving rules
iptables-save
iptables-restore
iptables-save writes the current ruleset to stdout and iptables-restore reads one from stdin; rules are not persistent by themselves, so redirect the output of iptables-save to a file and feed that file to iptables-restore at boot.
Stop iptables
iptables -F
-F flushes every rule in the filter table but leaves each chain's default policy untouched; if the INPUT policy is DROP, flushing removes the ACCEPT rules and blocks everything rather than stopping the firewall.
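The commands in this section build up one INPUT chain, and the order they are added in decides what gets through. The script below is an added example, not part of the original wiki page: it assembles the same rules (loopback, SSH, HTTP, a blocked source, rate-limited logging, catch-all DROP) in a lock-out-safe order and adds an ESTABLISHED,RELATED rule that the page does not show. It runs as a dry run by default; the interface name and blocked address are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original wiki page): assemble the INPUT chain
# in an order that does not lock you out. IPT defaults to a dry run that only
# prints the commands; set IPT=iptables (as root) to apply them. IFACE and
# BLOCKED_IP are constructed sample values.
IPT="${IPT:-echo iptables}"
IFACE="${IFACE:-ens160}"
BLOCKED_IP="${BLOCKED_IP:-10.140.198.7}"

build_input_chain() {
    # 1. loopback first: local services (resolvers, databases) talk over lo
    $IPT -A INPUT -i lo -j ACCEPT
    # 2. keep replies to connections this host opened; without this rule the
    #    catch-all DROP at the end would also discard answers to outbound traffic
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 3. explicit drop for a known-bad source, before any broad ACCEPT
    $IPT -A INPUT -i "$IFACE" -s "$BLOCKED_IP" -j DROP
    # 4. the services this host exposes
    $IPT -A INPUT -p tcp --dport ssh -j ACCEPT
    $IPT -A INPUT -p tcp --dport 80 -j ACCEPT
    # 5. rate-limited log of what is about to be dropped, then the catch-all
    #    (in the dry run echo strips the quotes around the log prefix)
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
    $IPT -A INPUT -j DROP
}

# Sanity check on the dry-run transcript: loopback ACCEPT must be the first
# rule appended and the catch-all DROP the last. Returns 0 when both hold.
check_order() {
    transcript=$(build_input_chain)
    first=$(printf '%s\n' "$transcript" | head -n 1)
    last=$(printf '%s\n' "$transcript" | tail -n 1)
    case "$first" in *"-i lo -j ACCEPT") ;; *) return 1 ;; esac
    case "$last" in *"-A INPUT -j DROP") ;; *) return 1 ;; esac
    return 0
}

# Dry run: sh build_input.sh      Apply for real: IPT=iptables sh build_input.sh
build_input_chain
```

Because every rule is appended with -A in the order the function lists them, the script does not depend on the positional -I INPUT 1 and -I INPUT 5 inserts from the page, which only give the intended order when the chain already holds exactly the rules those positions assume.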
UFW
Installation
sudo apt-get install ufw
sudo apt-get install gufw
sudo ufw enable
gufw
To check your current settings:
sudo ufw status verbose
To add firewall rules:
sudo ufw deny 22
sudo ufw deny 25/tcp
sudo ufw deny 5353/udp
sudo ufw deny 135,139,445/tcp
sudo ufw deny 137,138/udp
sudo ufw deny from 192.168.1.5 to any # Block specific IP address
sudo ufw deny from 202.54.1.5 to any port 80 # Block specific IP and port number, i.e. block spammers
sudo ufw deny proto tcp from 202.54.1.1 to any port 22 # Deny specific IP, port number, and protocol
sudo ufw deny proto tcp from 202.54.1.0/24 to any port 22 # Block subnet
Delete Specific Rules:
sudo ufw status numbered
sudo ufw delete 4
Confirm your changes:
sudo ufw status verbose
sudo ufw status numbered
Re-check enable (required):
sudo ufw enable
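Deleting by number has a trap: after "ufw delete 4" every rule that was below 4 moves up one position, so a list of numbers collected from a single "ufw status numbered" run must be applied from the highest number down. The script below is an added example, not from the original wiki page; it works on a constructed copy of "ufw status numbered" output in the format ufw prints, selects the rules whose line contains a pattern, and emits the delete commands in safe order (dry run by default, via UFW="echo sudo ufw").

```shell
#!/bin/sh
# Added example (not from the original wiki page). SAMPLE_STATUS is a
# constructed imitation of "sudo ufw status numbered" output, not a capture
# from a real host; it mirrors the rules added on the page.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22                         DENY IN     Anywhere
[ 2] 25/tcp                     DENY IN     Anywhere
[ 3] Anywhere                   DENY IN     192.168.1.5
[ 4] 80                         DENY IN     202.54.1.5
[ 5] 22/tcp                     DENY IN     202.54.1.1
[ 6] 22/tcp                     DENY IN     202.54.1.0/24'

# Print the numbers of the rules whose status line contains PATTERN
# (matched literally), highest number first.
rule_numbers_matching() {
    pattern=$1
    printf '%s\n' "$SAMPLE_STATUS" \
      | grep -F -- "$pattern" \
      | sed -n 's/^\[ *\([0-9][0-9]*\)\].*/\1/p' \
      | sort -rn
}

# Emit one delete per matching rule, highest number first, so that earlier
# deletes do not shift the numbers of later ones. --force skips the
# interactive confirmation that "ufw delete" otherwise asks for.
UFW="${UFW:-echo sudo ufw}"
delete_rules_matching() {
    for n in $(rule_numbers_matching "$1"); do
        $UFW --force delete "$n"
    done
}

# Dry run for every rule that names the 202.54.1.x addresses:
delete_rules_matching 202.54.1
```

On a live system replace SAMPLE_STATUS with the real output (for example, capture "sudo ufw status numbered" into a variable) and set UFW="sudo ufw"; re-run "sudo ufw status numbered" afterwards, as the page says, to confirm the remaining rules are the ones you expect.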
Receive UDP multicast traffic
sudo ufw allow in proto udp to 224.0.0.0/4
sudo ufw allow in proto udp from 224.0.0.0/4
This covers the inbound and outbound UDP packets, but you also need to allow IGMP packets through:
sudo nano /etc/ufw/before.rules
and add the following lines somewhere before the COMMIT line:
# allow IGMP
-A ufw-before-input -p igmp -d 224.0.0.0/4 -j ACCEPT
-A ufw-before-output -p igmp -d 224.0.0.0/4 -j ACCEPT
Internet Connection Sharing using UFW
sudo ufw allow from 192.168.1.0/29
sudo nano /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
sudo nano /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
net/ipv6/conf/default/forwarding=1
sudo nano /etc/ufw/before.rules
# Add rules for nat table
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic from eth0 through ppp0
-A POSTROUTING -s 192.168.1.0/29 -o ppp0 -j MASQUERADE
# Commit preceding nat table rules
COMMIT
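Both the multicast section above and this one tell you to hand-edit /etc/ufw/before.rules: the IGMP rules go inside the *filter table before its COMMIT, and the *nat table is added as its own *nat ... COMMIT block. The script below is an added example, not from the original wiki page, that makes both edits with awk on a constructed skeleton of before.rules (the real file is longer but has the same table/COMMIT shape), so the result can be reviewed and checked before it replaces the real file. LAN_NET and WAN_IF default to the page's 192.168.1.0/29 and ppp0.

```shell
#!/bin/sh
# Added example (not from the original wiki page). SAMPLE_BEFORE_RULES is a
# constructed skeleton of /etc/ufw/before.rules; on a real host read the
# actual file instead.
SAMPLE_BEFORE_RULES='*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
COMMIT'

LAN_NET="${LAN_NET:-192.168.1.0/29}"
WAN_IF="${WAN_IF:-ppp0}"

# stdin -> stdout: insert the IGMP rules just before the COMMIT that closes
# the *filter table, and only if the file does not already contain them, so
# running the script twice does not duplicate rules.
add_igmp_rules() {
    awk '
      /^\*/                          { table = $0 }
      /-p igmp -d 224\.0\.0\.0\/4/   { have_igmp = 1 }
      /^COMMIT$/ && table == "*filter" && !have_igmp {
          print "# allow IGMP"
          print "-A ufw-before-input -p igmp -d 224.0.0.0/4 -j ACCEPT"
          print "-A ufw-before-output -p igmp -d 224.0.0.0/4 -j ACCEPT"
          have_igmp = 1
      }
      { print }
    '
}

# stdin -> stdout: put a *nat table that masquerades LAN_NET out through
# WAN_IF at the top of the file, unless a *nat table is already present.
# The input is buffered because the decision needs the whole file.
add_nat_table() {
    awk -v net="$LAN_NET" -v wan="$WAN_IF" '
      { lines[NR] = $0; if ($0 == "*nat") have_nat = 1 }
      END {
          if (!have_nat) {
              print "# NAT table: masquerade " net " out through " wan
              print "*nat"
              print ":POSTROUTING ACCEPT [0:0]"
              print "-A POSTROUTING -s " net " -o " wan " -j MASQUERADE"
              print "COMMIT"
              print ""
          }
          for (i = 1; i <= NR; i++) print lines[i]
      }
    '
}

render_before_rules() {
    printf '%s\n' "$SAMPLE_BEFORE_RULES" | add_igmp_rules | add_nat_table
}

# Checks worth running before the rendered file replaces the real one:
# exactly two tables (*nat and *filter), each closed by COMMIT, the two IGMP
# rules present once, and a second pass changing nothing (idempotence).
check_rendered() {
    out=$(render_before_rules)
    [ "$(printf '%s\n' "$out" | grep -c '^\*')" -eq 2 ] || return 1
    [ "$(printf '%s\n' "$out" | grep -c '^COMMIT$')" -eq 2 ] || return 1
    [ "$(printf '%s\n' "$out" | grep -c 'igmp')" -eq 2 ] || return 1
    again=$(printf '%s\n' "$out" | add_igmp_rules | add_nat_table)
    [ "$again" = "$out" ] || return 1
    return 0
}

# Print the rendered file for review:
render_before_rules
```

On a real host, write the rendered output to a temporary file, diff it against /etc/ufw/before.rules, and only then copy it into place and restart ufw as the page describes.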
sudo service ufw restart