Firewall (iptables)
From Alessandro's Wiki
NAT
Network Address Translation (NAT)
iptables, the powerful Linux firewall
- print the running configuration:
iptables -L
- or better, this prints every rule of every table (not only the INPUT chain) in a form that iptables-restore can read back:
iptables-save
- some rules, as listed by iptables -L:
target     prot        opt source    destination
ACCEPT     all         --  anywhere  anywhere
ACCEPT     icmp        --  anywhere  anywhere     icmp any
ACCEPT     ipv6-crypt  --  anywhere  anywhere
ACCEPT     ipv6-auth   --  anywhere  anywhere
ACCEPT     udp         --  anywhere  224.0.0.251  udp dpt:mdns
ACCEPT     udp         --  anywhere  anywhere     udp dpt:ipp
ACCEPT     tcp         --  anywhere  anywhere     tcp dpt:ipp
ACCEPT     all         --  anywhere  anywhere     state RELATED,ESTABLISHED
ACCEPT     tcp         --  anywhere  anywhere     state NEW tcp dpt:ssh
ACCEPT     tcp         --  anywhere  anywhere     state NEW tcp dpt:http
ACCEPT     tcp         --  anywhere  anywhere     state NEW tcp dpt:46590
ACCEPT     udp         --  anywhere  anywhere     state NEW udp dpt:46720
REJECT     all         --  anywhere  anywhere     reject-with icmp-host-prohibited
- append a rule (to the end of the INPUT chain) to accept new connections on TCP port 5901 (vncserver):
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
- show NAT table
iptables -t nat -L
iptables -t nat -L -n -v | grep 'IP or anything'
iptables -t nat -L -n -v
- netstat-nat, a tool that displays NAT connections
netstat-nat -n
- show SNAT connections, run:
netstat-nat -S
- show DNAT connections, type:
netstat-nat -D
- save the configuration to a file
iptables-save > backup_iptables
- restore the configuration from a file
iptables-restore < backup_iptables
- a restored configuration only lasts until the iptables service is restarted; to make it persistent, save it with:
/etc/init.d/iptables save
- now we can restart/reboot
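The rules above are added one at a time with `iptables -A`, which makes the result depend on what was already loaded. The following script, an added example that is not from this wiki, builds a minimal stateful INPUT policy (the same shape as the listing above: loopback, RELATED/ESTABLISHED, ICMP, SSH, web, then reject with icmp-host-prohibited) as one iptables-restore file and loads it atomically. It uses the conntrack match, the modern replacement for `-m state`. The interface, admin subnet and port values are assumptions; adjust them before use.

```shell
#!/bin/sh
# Added example, not from the wiki: generate a stateful INPUT policy in
# iptables-save format and load it with iptables-restore in one step.
# The values below are assumptions for illustration.
FW_SSH_PORT="${FW_SSH_PORT:-22}"
FW_ADMIN_NET="${FW_ADMIN_NET:-10.0.0.0/24}"   # only this subnet may open SSH
FW_WEB_PORTS="${FW_WEB_PORTS:-80 443}"

# Print the whole ruleset. Loading it with iptables-restore replaces the
# filter table in a single operation, so there is no window in which the
# chain is half built and no leftover rules from an earlier run.
gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # loopback and already-tracked traffic first: they match most packets
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # ICMP is needed for path MTU discovery and basic diagnostics
    echo '-A INPUT -p icmp -j ACCEPT'
    # SSH only from the admin network, rate limited to blunt brute forcing
    echo "-A INPUT -p tcp --dport $FW_SSH_PORT -s $FW_ADMIN_NET -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 10 -j ACCEPT"
    for p in $FW_WEB_PORTS; do
        echo "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # log (rate limited) and then reject, as the listing on the page does
    echo '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-drop: "'
    echo '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    echo 'COMMIT'
}

# Small self-check helper: how many ACCEPT rules does the policy contain?
count_accept_rules() { gen_ruleset | grep -c -- '-j ACCEPT'; }

case "${1:-}" in
    --apply)
        # --test parses the file without loading it; only load if it parses
        gen_ruleset > /tmp/ruleset.v4
        iptables-restore --test /tmp/ruleset.v4 && iptables-restore /tmp/ruleset.v4
        ;;
    *)
        # default is a dry run: print the ruleset for review
        gen_ruleset
        ;;
esac
```

Run it without arguments to review the generated file, then with `--apply` as root to load it; `iptables-save > backup_iptables` beforehand gives you something to `iptables-restore` if the new policy locks you out.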
redirecting connections
from a specified port to a host (both rules live in the nat table, so -t nat is required)
iptables -t nat -A PREROUTING -d HOSTONE -p tcp -m tcp --dport 80 -j DNAT --to-destination HOSTWO:80
iptables -t nat -A POSTROUTING -d HOSTWO -j SNAT --to-source HOSTONE
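The two nat rules above are only part of a working port forward: the kernel must also route (net.ipv4.ip_forward), and if the FORWARD chain has a DROP policy the translated packets never get through. Re-running `iptables -A` also appends a duplicate rule every time. The script below is an added example, not from this wiki, that covers both points: it emits the full set of rules and adds each one only if `iptables -C` reports it missing. The addresses and interface are assumed placeholders (TEST-NET-1 for HOSTONE, a private address for HOSTWO); by default it prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the wiki: idempotent port forward from HOSTONE
# (this box) to HOSTWO. All addresses below are assumed placeholders.
PF_PUBLIC_IP="${PF_PUBLIC_IP:-192.0.2.10}"   # HOSTONE, the address clients connect to
PF_BACKEND_IP="${PF_BACKEND_IP:-10.0.0.20}"  # HOSTWO, where the service really runs
PF_PORT="${PF_PORT:-80}"
PF_WAN_IF="${PF_WAN_IF:-eth0}"
PF_DRY_RUN="${PF_DRY_RUN:-1}"                # 1: print commands, 0: run them

# One rule per line: "<table> <chain> <rule spec>". The FORWARD rules are the
# part the page's two nat commands leave implicit.
port_forward_rules() {
    echo "nat PREROUTING -i $PF_WAN_IF -d $PF_PUBLIC_IP -p tcp --dport $PF_PORT -j DNAT --to-destination $PF_BACKEND_IP:$PF_PORT"
    echo "nat POSTROUTING -d $PF_BACKEND_IP -p tcp --dport $PF_PORT -j SNAT --to-source $PF_PUBLIC_IP"
    echo "filter FORWARD -d $PF_BACKEND_IP -p tcp --dport $PF_PORT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "filter FORWARD -s $PF_BACKEND_IP -p tcp --sport $PF_PORT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# ensure_rule <table> <chain> <rule spec...>: -C checks for an identical rule
# and exits non-zero if absent; only then is the rule appended with -A.
ensure_rule() {
    table="$1"; chain="$2"; shift 2
    if [ "$PF_DRY_RUN" = "1" ]; then
        echo "iptables -t $table -C $chain $* 2>/dev/null || iptables -t $table -A $chain $*"
        return 0
    fi
    iptables -t "$table" -C "$chain" "$@" 2>/dev/null || iptables -t "$table" -A "$chain" "$@"
}

apply_port_forward() {
    [ "$PF_DRY_RUN" = "1" ] || sysctl -w net.ipv4.ip_forward=1 >/dev/null
    port_forward_rules | while read -r table chain spec; do
        # $spec is deliberately unquoted: each token is one iptables argument
        ensure_rule "$table" "$chain" $spec
    done
}

rule_count() { port_forward_rules | wc -l | tr -d ' '; }

apply_port_forward
```

With `PF_DRY_RUN=0` and the real HOSTONE/HOSTWO values the script can be re-run after every change without the nat table filling up with duplicates; `iptables -t nat -L -n -v` afterwards should show exactly one DNAT and one SNAT rule for the port.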
Firewalld
- show the active zones and their interfaces
firewall-cmd --get-active-zones
FedoraServer
  interfaces: em1
- show the default zone
firewall-cmd --get-default-zone
FedoraServer
- change zone of an interface
firewall-cmd --zone=home --change-interface=eth0
- add a port (--permanent writes it to the saved configuration; it becomes active after a reload)
firewall-cmd --zone=FedoraServer --add-port=80/tcp --permanent
- remove a port
firewall-cmd --zone=FedoraServer --remove-port=80/tcp --permanent
- reload so that permanent changes take effect
firewall-cmd --reload
- list all zones
firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work
UFW
The Ubuntu Firewall
- status
ufw status
- ...with line numbers
ufw status numbered
- insert or delete a rule by its number (as shown by ufw status numbered)
ufw insert <number> allow from ...
ufw delete <number>
- general form of an allow rule
ufw allow from <target> to <destination> port <port number> proto <protocol name>
- allow all traffic on the FORWARD chain (don't do this)
ufw default allow FORWARD
- the same, by setting DEFAULT_FORWARD_POLICY to ACCEPT in /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
- denials
ufw deny from 10.0.0.42
ufw deny in on eth0 from 10.0.0.42
- allow SSH (equivalent forms, from broadest to narrowest)
ufw allow ssh
ufw allow 22
ufw allow from 10.0.0.0/24 to any port 22
ufw allow from 10.0.0.20 to 10.0.0.10 port 22
- web ports
ufw allow http
ufw allow 80
ufw allow https
ufw allow 443
ufw allow proto tcp from any to any port 80,443
- some databases
allow MySQL from a specific IP address or subnet
ufw allow from 10.0.0.0/24 to any port 3306
allow MySQL on a specific network interface
ufw allow in on eth1 to any port 3306
allow PostgreSQL from a specific IP address or subnet
ufw allow from 10.0.0.0/24 to any port 5432
- routing from eth1 to eth2
ufw route allow in on eth1 out on eth2
- allow a UDP port on any interface from a specific IP
ufw allow proto udp from 107.172.59.23 to any port 8288
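The database rules above are deliberately scoped to a subnet or interface; the mistake to catch is a later `ufw allow 3306` that opens the port to the world. The script below is an added example, not from this wiki, that audits the output of `ufw status numbered` and reports ALLOW IN rules exposing a sensitive port to "Anywhere". The sample status text is constructed to look like real ufw output, and the list of sensitive ports is an assumption to tune per host.

```shell
#!/bin/sh
# Added example, not from the wiki: flag ufw allow rules that expose a
# sensitive port to any source. Feed it "ufw status numbered" on stdin.
SENSITIVE_PORTS="${SENSITIVE_PORTS:-22 3306 5432 5901}"   # assumption: tune per host

# Constructed sample in the shape of "ufw status numbered" output.
SAMPLE_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    10.0.0.0/24
[ 2] 3306/tcp                   ALLOW IN    Anywhere
[ 3] 80,443/tcp                 ALLOW IN    Anywhere
[ 4] 5432/tcp                   ALLOW IN    10.0.0.0/24
[ 5] 8288/udp                   ALLOW IN    107.172.59.23
[ 6] 3306/tcp on eth1           ALLOW IN    Anywhere
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# audit_ufw_rules: reads status text on stdin and prints one line per finding:
#   <rule number> <port/proto> open to <from>
audit_ufw_rules() {
    awk -v ports="$SENSITIVE_PORTS" '
        BEGIN { n = split(ports, arr, " "); for (i = 1; i <= n; i++) sens[arr[i]] = 1 }
        # rule lines start with "[ N]" or "[NN]"; header and status lines do not
        /^\[ *[0-9]+\]/ {
            num = $0; sub(/^\[ */, "", num); sub(/\].*/, "", num)
            line = $0; sub(/^\[ *[0-9]+\] */, "", line)
            if (line !~ /ALLOW IN/) next          # deny/reject rules are fine
            target = line; sub(/ .*/, "", target)  # e.g. 22/tcp or 80,443/tcp
            from = line; sub(/.*ALLOW IN +/, "", from)
            if (from !~ /^Anywhere/) next          # scoped to a source: fine
            portlist = target; sub(/\/.*/, "", portlist)
            m = split(portlist, pl, ",")           # one rule may carry several ports
            for (j = 1; j <= m; j++)
                if (pl[j] in sens) { print num, target, "open to", from; break }
        }'
}

# Convenience wrapper over the constructed sample, used for self-checking.
count_findings() { printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_rules | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_STATUS" | audit_ufw_rules
```

On a live host run `ufw status numbered | sh audit.sh`-style, i.e. pipe the real status into `audit_ufw_rules`; each finding carries the rule number, so `ufw delete <number>` from the section above removes it directly.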