Difference between revisions of "Firewall (iptables)"
From Alessandro's Wiki
Latest change: →UFW section, by Porcelinux (talk | contribs)
Revision as of 13:55, 11 June 2021
NAT
Network Address Translation (NAT)
iptables is the classic front end to the Linux kernel packet filter (netfilter)
- print the running configuration (filter table only, names resolved):
iptables -L
- or better (this prints every table and chain, in the form iptables-restore reads back):
iptables-save
- a typical INPUT chain listing; note the final REJECT rule, which catches everything the rules above it did not accept, so rule order matters:
target     prot       opt source    destination
ACCEPT     all        --  anywhere  anywhere
ACCEPT     icmp       --  anywhere  anywhere     icmp any
ACCEPT     ipv6-crypt --  anywhere  anywhere
ACCEPT     ipv6-auth  --  anywhere  anywhere
ACCEPT     udp        --  anywhere  224.0.0.251  udp dpt:mdns
ACCEPT     udp        --  anywhere  anywhere     udp dpt:ipp
ACCEPT     tcp        --  anywhere  anywhere     tcp dpt:ipp
ACCEPT     all        --  anywhere  anywhere     state RELATED,ESTABLISHED
ACCEPT     tcp        --  anywhere  anywhere     state NEW tcp dpt:ssh
ACCEPT     tcp        --  anywhere  anywhere     state NEW tcp dpt:http
ACCEPT     tcp        --  anywhere  anywhere     state NEW tcp dpt:46590
ACCEPT     udp        --  anywhere  anywhere     state NEW udp dpt:46720
REJECT     all        --  anywhere  anywhere     reject-with icmp-host-prohibited
- add a rule to accept new connections on port 5901 (vncserver). Insert it (-I) rather than append it (-A): with a ruleset like the one above, -A INPUT would place the new rule after the final REJECT, where it is never reached. -I INPUT puts it at position 1; -I INPUT <n> (n from iptables -L INPUT --line-numbers) puts it directly above the REJECT:
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
- save the running configuration to a file:
iptables-save > backup_iptables
- restore it from the file:
iptables-restore < backup_iptables
- both only touch the running kernel tables: whatever iptables-restore loaded is lost at reboot or when the iptables service restarts. To keep it, write it to the service's own file (/etc/sysconfig/iptables on RHEL/CentOS systems that still use the init script):
/etc/init.d/iptables save
- now we can restart/reboot
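An added check for the ordering mistake described above (this is not code from the original page): it reads an iptables-save dump, so it can be run against the backup_iptables file without root, flags every rule that was appended behind a chain's match-all REJECT/DROP, and prints the delete/insert pair that moves the rule in front of that catch-all. The dump embedded in IPTABLES_DUMP is a constructed sample in iptables-save format, and the variable and function names are this example's own.

```shell
#!/bin/sh
# Added example: find iptables rules that can never match because they were
# appended (-A) after a chain's match-all REJECT/DROP, and emit the commands
# that move them in front of it.  Works on iptables-save text, so it needs no
# root.  IPTABLES_DUMP below is a constructed sample, not a real capture;
# replace it with: IPTABLES_DUMP=$(cat backup_iptables)
IPTABLES_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print every rule that sits behind a match-all terminal rule in its chain as
# "TABLE CHAIN POS <rule line>", where POS is the position of the catch-all.
shadowed_rules() {
    printf '%s\n' "$IPTABLES_DUMP" | awk '
        /^\*/     { table = substr($0, 2) }          # *filter, *nat, ...
        /^COMMIT/ { split("", dead); split("", n) }  # positions restart per table
        /^-A / {
            chain = table ":" $2
            n[chain]++
            if (chain in dead) { print table, $2, dead[chain], $0; next }
            # "-A CHAIN -j DROP|REJECT ..." with nothing before -j matches everything
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) dead[chain] = n[chain]
        }'
}

# Turn each shadowed rule into a delete plus an insert in front of the catch-all.
# Deleting first keeps the catch-all at POS, so -I CHAIN POS lands right above it.
fix_commands() {
    shadowed_rules | while read -r table chain pos rest; do
        spec=${rest#"-A $chain "}        # strip "-A CHAIN ", keep matches and target
        printf 'iptables -t %s -D %s %s\n' "$table" "$chain" "$spec"
        printf 'iptables -t %s -I %s %s %s\n' "$table" "$chain" "$pos" "$spec"
    done
}
```

Run fix_commands, review the two lines it prints for each shadowed rule, and only then execute them and save the result again. The check deliberately treats only a bare "-j REJECT" or "-j DROP" (no match before the target) as a catch-all; a REJECT with a -p or -s match does not shadow everything behind it.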
redirecting connections
- forward connections arriving on HOSTONE port 80 to HOSTWO. Both rules belong to the nat table (-t nat is required: PREROUTING and POSTROUTING do not exist in the default filter table), HOSTONE must have net.ipv4.ip_forward set to 1, and its FORWARD chain must accept the forwarded traffic:
iptables -t nat -A PREROUTING -d HOSTONE -p tcp -m tcp --dport 80 -j DNAT --to-destination HOSTWO:80
iptables -t nat -A POSTROUTING -d HOSTWO -p tcp -m tcp --dport 80 -j SNAT --to-source HOSTONE
- the SNAT rule makes HOSTWO send its replies back through HOSTONE, which undoes the DNAT; it is needed when HOSTWO's route to the client does not already pass through HOSTONE. The cost is that HOSTWO then sees every client as HOSTONE, so its logs lose the real source address.
UFW
The Ubuntu Firewall
- status
ufw status
- ...with line numbers
ufw status numbered
- block a host, on any interface or only on eth0. ufw evaluates rules in order and the first match wins, so a deny added after an allow that also covers the host (for example the subnet rules below) is partly shadowed; put it at the top with ufw insert 1 ... instead of ufw deny ...:
ufw deny from 10.0.0.42
ufw deny in on eth0 from 10.0.0.42
- allow ssh: by service name (22/tcp from /etc/services), by bare port (opens both tcp and udp), from one subnet only, or from one host to one local address
ufw allow ssh
ufw allow 22
ufw allow from 10.0.0.0/24 to any port 22
ufw allow from 10.0.0.20 to 10.0.0.10 port 22
- web ports
ufw allow http
ufw allow 80
ufw allow https
ufw allow 443
ufw allow proto tcp from any to any port 80,443
- some dbs
Allow MySQL from a specific IP address or subnet
ufw allow from 10.0.0.0/24 to any port 3306
Allow MySQL only on a specific network interface
ufw allow in on eth1 to any port 3306
PostgreSQL from a specific IP address or subnet
ufw allow from 10.0.0.0/24 to any port 5432
- routing (forwarding) from eth1 to eth2; the route rule alone is not enough, forwarding also needs net/ipv4/ip_forward=1 in /etc/ufw/sysctl.conf
ufw route allow in on eth1 out on eth2
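An added audit (not code from the original page) for two mistakes the rules above make easy: opening a database port to Anywhere, and adding a deny after the allows, where ufw's first-match order leaves it partly shadowed. It parses ufw status numbered output; the listing embedded in UFW_STATUS is constructed sample text, and the variable and function names are this example's own.

```shell
#!/bin/sh
# Added example: audit a `ufw status numbered` listing for
#   1. database ports (3306 MySQL, 5432 PostgreSQL) allowed from Anywhere
#   2. DENY/REJECT rules numbered after the first ALLOW (ufw is first-match,
#      so an earlier ALLOW that covers the same source still lets it through)
# UFW_STATUS is a constructed sample, not output from a real host; replace it
# with: UFW_STATUS=$(ufw status numbered)
UFW_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    10.0.0.0/24
[ 2] 80,443/tcp                 ALLOW IN    Anywhere
[ 3] 3306                       ALLOW IN    Anywhere
[ 4] 5432                       ALLOW IN    10.0.0.0/24
[ 5] Anywhere                   DENY IN     10.0.0.42
[ 6] 80,443/tcp (v6)            ALLOW IN    Anywhere (v6)'

# Normalise each "[ N] To ACTION DIR From" line to "N|To|ACTION|DIR|From";
# the To and From columns may contain spaces ("80,443/tcp (v6)"), hence sed.
ufw_records() {
    printf '%s\n' "$UFW_STATUS" |
    sed -nE 's/^\[ *([0-9]+)\] +(.+[^ ]) +(ALLOW|DENY|REJECT|LIMIT) (IN|OUT|FWD) +(.+)$/\1|\2|\3|\4|\5/p'
}

# Rule numbers that open MySQL or PostgreSQL to Anywhere (v4 or v6).
exposed_db_rules() {
    ufw_records | awk -F'|' '
        $3 == "ALLOW" && $5 ~ /^Anywhere/ && $2 ~ /^(3306|5432)(\/tcp)?( \(v6\))?$/ { print $1 }'
}

# DENY/REJECT rules that come after the first ALLOW.  In the sample, rule 5
# blocks 10.0.0.42 but rule 1 already admitted 10.0.0.0/24 to ssh, so the host
# still reaches port 22; re-add such denies with `ufw insert 1 deny from ...`.
late_deny_rules() {
    ufw_records | awk -F'|' '
        $3 == "ALLOW" && !seen { seen = $1 }
        ($3 == "DENY" || $3 == "REJECT") && seen { print $1 }'
}
```

late_deny_rules reports every deny placed after an allow, whether or not an earlier allow actually overlaps it; checking subnet containment is left to the reviewer, since a deny that nothing above it covers is harmless where it is.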