Difference between revisions of "Firewall (iptables)"
From Alessandro's Wiki
Latest revision by Porcelinux (section edited: UFW); 6 intermediate revisions by 2 users not shown.
Revision as of 15:07, 21 January 2018
== NAT ==
Network Address Translation: see [[NAT]].
== Linux powerful firewall ==
* print out the running configuration:
 iptables -L
* or better (this prints all tables and chains, in the form that iptables-restore can load again):
 iptables-save
* some rules (output of iptables -L for the INPUT chain):
 target     prot       opt source      destination
 ACCEPT     all        --  anywhere    anywhere
 ACCEPT     icmp       --  anywhere    anywhere    icmp any
 ACCEPT     ipv6-crypt --  anywhere    anywhere
 ACCEPT     ipv6-auth  --  anywhere    anywhere
 ACCEPT     udp        --  anywhere    224.0.0.251 udp dpt:mdns
 ACCEPT     udp        --  anywhere    anywhere    udp dpt:ipp
 ACCEPT     tcp        --  anywhere    anywhere    tcp dpt:ipp
 ACCEPT     all        --  anywhere    anywhere    state RELATED,ESTABLISHED
 ACCEPT     tcp        --  anywhere    anywhere    state NEW tcp dpt:ssh
 ACCEPT     tcp        --  anywhere    anywhere    state NEW tcp dpt:http
 ACCEPT     tcp        --  anywhere    anywhere    state NEW tcp dpt:46590
 ACCEPT     udp        --  anywhere    anywhere    state NEW udp dpt:46720
 REJECT     all        --  anywhere    anywhere    reject-with icmp-host-prohibited
* add a rule to accept connections on port 5901 (vncserver):
 iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
* note that -A appends at the end of the chain: with a ruleset like the one above, which ends in a REJECT all rule, the appended rule sits after the REJECT and never matches. In that case insert it above the REJECT with -I INPUT <position> instead (iptables -L INPUT --line-numbers shows the positions).
== saving configuration in a file ==
 iptables-save > backup_iptables
== restore conf from a file ==
 iptables-restore < backup_iptables
* this only loads the rules into the running kernel: they are lost again as soon as the iptables service is restarted or the machine reboots. To keep them across restarts, save the configuration:
 /etc/init.d/iptables save
* now we can restart/reboot
== redirecting connections ==
=== from a specified port to a host ===
Forward TCP port 80 arriving at HOSTONE to HOSTWO, and rewrite the source of the forwarded packets so that HOSTWO's replies come back through HOSTONE (HOSTONE and HOSTWO are placeholders for the two addresses). The PREROUTING and POSTROUTING chains with the DNAT and SNAT targets exist only in the nat table, so -t nat is required:
 iptables -t nat -A PREROUTING -d HOSTONE -p tcp -m tcp --dport 80 -j DNAT --to-destination HOSTWO:80
 iptables -t nat -A POSTROUTING -d HOSTWO -j SNAT --to-source HOSTONE
* when HOSTWO is another machine, HOSTONE must also forward packets (net.ipv4.ip_forward=1) and its FORWARD chain must allow the traffic.
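The following is an added example, not code from this wiki page: a POSIX shell script that audits a ruleset in iptables-save format (the format the listing, backup and restore steps above produce) for three things worth knowing before restoring it: the INPUT chain's default policy, the ports accepted from any source, and the DNAT port forwards in the nat table. The dump is a constructed sample loosely matching the rules on this page, with 192.0.2.10 and 192.0.2.20 standing in for HOSTONE and HOSTWO.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a ruleset in iptables-save format.
# To check a live host, feed the output of "iptables-save" in place of the sample.

# Constructed sample dump; 192.0.2.10 / 192.0.2.20 stand in for HOSTONE / HOSTWO.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.0.2.20:80
-A POSTROUTING -d 192.0.2.20/32 -j SNAT --to-source 192.0.2.10
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m state --state NEW -m tcp --dport 5901 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Default policy of the filter table's INPUT chain ("ACCEPT" or "DROP"), read from stdin.
input_policy() {
  awk '
    /^\*/ { table = substr($0, 2); next }      # "*filter" -> name of the current table
    table == "filter" && $1 == ":INPUT" { print $2 }'
}

# INPUT rules that ACCEPT new connections to a port from any source (no -s restriction),
# printed as proto/port, one per line.
open_to_world() {
  awk '
    /^\*/ { table = substr($0, 2); next }
    table == "filter" && $1 == "-A" && $2 == "INPUT" && /-j ACCEPT/ && /--dport/ && !/ -s / {
      proto = "?"; port = "?"
      for (i = 1; i < NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
      }
      print proto "/" port
    }'
}

# DNAT port forwards in the nat table, printed as "dst:port -> target".
port_forwards() {
  awk '
    /^\*/ { table = substr($0, 2); next }
    table == "nat" && $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
      dst = "any"; port = "any"; to = "?"
      for (i = 1; i < NF; i++) {
        if ($i == "-d") dst = $(i + 1)
        if ($i == "--dport") port = $(i + 1)
        if ($i == "--to-destination") to = $(i + 1)
      }
      sub(/\/32$/, "", dst)                    # drop the /32 that iptables-save adds
      print dst ":" port " -> " to
    }'
}

# Run the three checks over a dump passed as argument and print a short report.
audit() {
  dump=$1
  policy=$(printf '%s\n' "$dump" | input_policy)
  echo "INPUT default policy: $policy"
  # An ACCEPT policy is only safe when the chain ends in an explicit REJECT/DROP.
  if [ "$policy" = "ACCEPT" ] && ! printf '%s\n' "$dump" | grep -Eq '^-A INPUT -j (REJECT|DROP)'; then
    echo "  WARNING: INPUT policy is ACCEPT and no final REJECT/DROP rule was found"
  fi
  echo "accepted from any source:"
  printf '%s\n' "$dump" | open_to_world | sed 's/^/  /'
  echo "port forwards (nat table):"
  printf '%s\n' "$dump" | port_forwards | sed 's/^/  /'
}

audit "$SAMPLE_DUMP"
```

Because the script reads the same format that iptables-save writes and iptables-restore reads, it can be run over the backup_iptables file from the section above before restoring it, which is the moment a forgotten "accept from anywhere" rule is cheapest to catch.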
== UFW ==
''The Ubuntu Firewall''
* block a host, on any interface or only on eth0:
 ufw deny from 10.0.0.42
 ufw deny in on eth0 from 10.0.0.42
* allow SSH, by service name, by port number, or only from a subnet:
 ufw allow ssh
 ufw allow 22
 ufw allow from 10.0.0.0/24 to any port 22
* allow port 873 (rsync) from a subnet:
 ufw allow from 10.0.0.0/24 to any port 873
* allow HTTP and HTTPS:
 ufw allow http
 ufw allow 80
 ufw allow https
 ufw allow 443
 ufw allow proto tcp from any to any port 80,443
* allow MySQL from a specific IP address or subnet:
 ufw allow from 10.0.0.0/24 to any port 3306
* allow MySQL on a specific network interface:
 ufw allow in on eth1 to any port 3306
* allow PostgreSQL from a specific IP address or subnet:
 ufw allow from 10.0.0.0/24 to any port 5432
* ufw evaluates its rules in order and the first match wins, so a deny added after an allow that already covers the same traffic has no effect; ufw status numbered shows the order, and ufw insert 1 ... puts a rule at the top.
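As an added example (not part of the wiki page), the script below reviews the text that ufw status prints after rules like the ones above have been applied. It lists the rules that allow traffic from any source and, because ufw is first-match, reports deny-from-host rules that sit below an allow-from-Anywhere rule and therefore never fire for that port. The status text is a constructed sample in the layout ufw status uses; to check a live host, pipe in the real output instead.

```shell
#!/bin/sh
# Added example (not from the wiki page): review "ufw status" output.
# To check a live host, feed the output of "ufw status" in place of the sample.

# Constructed sample, in the layout ufw status prints for rules like those above.
UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
3306                       ALLOW       10.0.0.0/24
Anywhere                   DENY        10.0.0.42
80/tcp                     ALLOW       Anywhere
5432                       ALLOW       10.0.0.0/24'

# Rules that allow traffic from any source: the ports exposed to the whole network.
# Columns are separated by runs of two or more spaces, hence -F "  +".
exposed_to_anywhere() {
  awk -F '  +' '
    /^--/ { in_table = 1; next }                       # rule rows start after the "--" line
    in_table && NF >= 3 && $2 ~ /^ALLOW/ && $3 ~ /^Anywhere/ { print $1 }'
}

# ufw is first-match: a "deny from <host>" rule (To = Anywhere) is ineffective for every
# port that an earlier "allow from Anywhere" rule already opened. Report those pairs.
shadowed_denies() {
  awk -F '  +' '
    /^--/ { in_table = 1; next }
    !in_table || NF < 3 { next }
    $2 ~ /^ALLOW/ && $3 ~ /^Anywhere/ { open[$1] = 1 }
    $2 ~ /^DENY/ && $1 == "Anywhere" {
      for (port in open) print "deny from " $3 " is shadowed for " port
    }' | sort
}

echo "exposed to any source:"
printf '%s\n' "$UFW_STATUS" | exposed_to_anywhere | sed 's/^/  /'
echo "shadowed deny rules (move them to the top with: ufw insert 1 deny from <host>):"
printf '%s\n' "$UFW_STATUS" | shadowed_denies | sed 's/^/  /'
```

In the sample the deny for 10.0.0.42 comes after the SSH allow, so that host can still reach port 22, but it precedes the HTTP allow, so port 80 is correctly blocked for it; the report shows exactly that asymmetry.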