Difference between revisions of "Firewall (iptables)"

From Alessandro's Wiki
 

Revision as of 15:07, 21 January 2018

NAT

Network Address Translation NAT

linux powerful firewall

  • print the running configuration:
iptables -L
  • or better, dump every table and chain, in the format that iptables-restore can load back:
iptables-save

  • some rules:
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:46590
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:46720
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

  • add a rule to accept connections on port 5901 (vncserver). The rule is inserted with -I rather than appended with -A: the INPUT chain listed above ends with a catch-all REJECT, so a rule appended after it would never be reached.
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
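Appending with -A places a rule after everything already in the chain, and the INPUT listing above ends with a catch-all REJECT, so anything appended behind it is dead. The following is an added example, not part of the wiki: a small POSIX shell and awk check that reads rules in iptables-save format (for instance the backup file made below, or the output of iptables-save itself) and lists every rule that sits after a catch-all REJECT or DROP in the same chain. The ruleset in SAMPLE_RULES is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the wiki: report rules that can never match because
# a catch-all REJECT/DROP precedes them in the same chain.
# Input: rules in iptables-save format on stdin. SAMPLE_RULES is constructed.

SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# find_shadowed_rules CHAIN
# Prints every "-A CHAIN ..." rule that follows a catch-all terminating rule,
# i.e. a rule with no match options at all, only "-j REJECT" or "-j DROP".
find_shadowed_rules() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain {
            if (blocked) { print; next }
            rest = $0 " "                  # trailing space simplifies the test
            sub(/^-A [^ ]+ +/, "", rest)   # drop "-A CHAIN "
            if (rest ~ /^-j (REJECT|DROP) /) blocked = 1
        }
    '
}

# count_shadowed_rules CHAIN -- same check, but prints only the number found
count_shadowed_rules() {
    find_shadowed_rules "$1" | wc -l | tr -d ' '
}

# Demo: the appended 5901 rule is reported as unreachable
printf '%s\n' "$SAMPLE_RULES" | find_shadowed_rules INPUT
```

Run it against a live box with `iptables-save | find_shadowed_rules INPUT`; an empty result means no rule in that chain is hidden behind a catch-all. The check deliberately treats only a bare `-j REJECT`/`-j DROP` as a catch-all; a terminating rule with match options blocks only part of the traffic and needs a human to judge.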

saving configuration in a file

iptables-save > backup_iptables

restore configuration from a file

iptables-restore < backup_iptables
  • iptables-restore only loads the rules into the running kernel; they are lost the next time the iptables service is restarted or the machine reboots. To make them persistent, save them with the init script:
/etc/init.d/iptables save
  • now we can restart/reboot

redirecting connections

from a specified port to a host

# DNAT lives in the nat table (-t nat): connections arriving at HOSTONE on port 80 are sent on to HOSTWO
iptables -t nat -A PREROUTING -d HOSTONE -p tcp -m tcp --dport 80 -j DNAT --to-destination HOSTWO:80
# SNAT so that HOSTWO sees HOSTONE as the source and its replies travel back through HOSTONE
iptables -t nat -A POSTROUTING -d HOSTWO -j SNAT --to-source HOSTONE
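The two nat rules only rewrite addresses; for the forwarded traffic to actually flow, the kernel must route between interfaces and the FORWARD chain must accept the rewritten connection, since the packets cross this host rather than terminating on it. The script below is an added example, not part of the wiki: it validates the two addresses and the port, then prints the complete set of commands (sysctl, nat rules, FORWARD rules) for review. The SNAT rule is narrowed to the forwarded port rather than matching all traffic to HOSTWO. The 192.0.2.x addresses in the usage call are constructed documentation addresses.

```shell
#!/bin/sh
# Added example, not from the wiki: print the full set of commands needed to
# forward a TCP port that arrives at HOSTONE on to HOSTWO. Nothing is executed
# here; the output is meant to be reviewed and then run as root.

# is_ipv4 ADDR -- succeeds when ADDR is a dotted quad with octets 0..255
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# is_port N -- succeeds when N is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_forwarding_rules HOSTONE HOSTWO PORT
# Validates the arguments, then prints the commands to stdout.
build_forwarding_rules() {
    hostone="$1"; hosttwo="$2"; port="$3"
    is_ipv4 "$hostone" || { echo "invalid HOSTONE address: $hostone" >&2; return 1; }
    is_ipv4 "$hosttwo" || { echo "invalid HOSTWO address: $hosttwo" >&2; return 1; }
    is_port "$port"    || { echo "invalid port: $port" >&2; return 1; }
    cat <<EOF
# routing between interfaces is off by default; persist this in /etc/sysctl.conf too
sysctl -w net.ipv4.ip_forward=1
# nat table: rewrite the destination on the way in, the source on the way out
iptables -t nat -A PREROUTING -d $hostone -p tcp -m tcp --dport $port -j DNAT --to-destination $hosttwo:$port
iptables -t nat -A POSTROUTING -d $hosttwo -p tcp -m tcp --dport $port -j SNAT --to-source $hostone
# filter table: FORWARD must accept the flow; -I puts the rules before any trailing catch-all REJECT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -d $hosttwo -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT
EOF
}

# Usage: print the commands for forwarding port 80 from 192.0.2.10 to 192.0.2.20
build_forwarding_rules 192.0.2.10 192.0.2.20 80
```

The generated rules are runtime-only, like everything else on this page: after applying them, save the ruleset (iptables-save, or the init script's save) or they disappear at the next restart.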

UFW

The Ubuntu Firewall

ufw deny from 10.0.0.42
ufw deny in on eth0 from 10.0.0.42
ufw allow ssh
ufw allow 22
ufw allow from 10.0.0.0/24 to any port 22
ufw allow from 10.0.0.0/24 to any port 873
ufw allow http
ufw allow 80
ufw allow https
ufw allow 443
ufw allow proto tcp from any to any port 80,443

Allow MySQL from Specific IP Address or Subnet

ufw allow from 10.0.0.0/24 to any port 3306

Allow MySQL to Specific Network Interface

ufw allow in on eth1 to any port 3306

Allow PostgreSQL from Specific IP Address or Subnet

ufw allow from 10.0.0.0/24 to any port 5432
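The MySQL and PostgreSQL rules above are restricted to a subnet or an interface on purpose; a database port allowed from everywhere is the kind of mistake that is easy to make and hard to notice in a long rule list. The script below is an added example, not from the wiki: it reads the output of `ufw status numbered` and prints every rule that allows one of the given ports from Anywhere. SAMPLE_UFW_STATUS is constructed; its layout follows the numbered status listing ufw prints.

```shell
#!/bin/sh
# Added example, not from the wiki: audit "ufw status numbered" output for
# database ports that are allowed from Anywhere instead of from a specific
# address, subnet or interface. SAMPLE_UFW_STATUS is constructed.

SAMPLE_UFW_STATUS='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    10.0.0.0/24
[ 2] 3306                       ALLOW IN    Anywhere
[ 3] 3306 on eth1               ALLOW IN    Anywhere
[ 4] 5432                       ALLOW IN    10.0.0.0/24
[ 5] 80,443/tcp                 ALLOW IN    Anywhere
[ 6] 5432                       DENY IN     Anywhere
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# find_exposed_ports "PORT PORT ..." -- reads the status listing on stdin and
# prints each numbered rule that ALLOWs (or LIMITs) one of the given ports
# from Anywhere. Specs like "3306/tcp", "80,443/tcp" or "3306 on eth1" are handled.
find_exposed_ports() {
    awk -v ports="$1" '
        BEGIN {
            n = split(ports, want, " ")
            for (i = 1; i <= n; i++) sensitive[want[i]] = 1
        }
        /^\[ *[0-9]+\]/ {
            line = $0
            sub(/^\[ *[0-9]+\] */, "", line)      # drop the "[ n]" prefix
            nf = split(line, f)                    # whitespace-separated fields
            spec = f[1]; sub(/\/.*$/, "", spec)    # "80,443/tcp" -> "80,443"
            action = ""
            for (i = 2; i <= nf; i++)
                if (f[i] ~ /^(ALLOW|DENY|REJECT|LIMIT)$/) { action = f[i]; break }
            from = f[nf]
            if (from == "(v6)") from = f[nf - 1]   # "Anywhere (v6)"
            if (action != "ALLOW" && action != "LIMIT") next
            if (from != "Anywhere") next
            np = split(spec, p, ",")
            for (i = 1; i <= np; i++)
                if (p[i] in sensitive) { print; break }
        }
    '
}

# count_exposed_ports "PORT PORT ..." -- number of rules flagged
count_exposed_ports() {
    find_exposed_ports "$1" | wc -l | tr -d ' '
}

# Demo: MySQL and PostgreSQL reachable from everywhere
printf '%s\n' "$SAMPLE_UFW_STATUS" | find_exposed_ports "3306 5432"
```

On a real host run `ufw status numbered | find_exposed_ports "3306 5432"`; rule 3 in the sample shows why the interface-bound form is still flagged: "on eth1" limits where the traffic enters, not who may send it.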