Difference between revisions of "Firewall (iptables)"

 
Line 6: Line 6:
* print out the configuration running:
* print out the configuration running:
  iptables -L
  iptables -L
* or better (this will print all tables and chains)
* or better this will print all input table rules
  iptables-save
  iptables-save


Line 26: Line 26:
  REJECT    all  --  anywhere            anywhere            reject-with icmp-host-prohibited
  REJECT    all  --  anywhere            anywhere            reject-with icmp-host-prohibited
----
----
* add a rule to accept connections on port 5901 (vncserver)
* apend a rule (to the end of the table) to accept connections on port 5901 (vncserver)
  iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
  iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
* show NAT table
iptables -t nat -L
iptables -t nat -L -n -v | grep 'IP or anything'
iptables -t nat -L -n -v
*: netstat-nat, software to display nat connections
netstat-nat -n
* show SNAT connections, run:
netstat-nat -S
* show DNAT connections, type:
netstat-nat -D


== saving configuration in a file ==
== saving configuration in a file ==
Line 44: Line 58:
  iptables -A PREROUTING -d HOSTONE -p tcp -m tcp --dport 80 -j DNAT --to-destination HOSTWO:80
  iptables -A PREROUTING -d HOSTONE -p tcp -m tcp --dport 80 -j DNAT --to-destination HOSTWO:80
  iptables -A POSTROUTING -d HOSTWO -j SNAT --to-source HOSTONE
  iptables -A POSTROUTING -d HOSTWO -j SNAT --to-source HOSTONE
== Firewalld==
firewall-cmd --get-active-zones
FedoraServer
  interfaces: em1
firewall-cmd --get-default-zone
FedoraServer
* change zone of an interface
firewall-cmd --zone=home --change-interface=eth0
* add port
firewall-cmd --zone=FedoraServer --add-port=80/tcp --permanent
* remove port
firewall-cmd --zone=FedoraServer --remove-port=80/tcp --permanent
firewall-cmd --reload
firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work


== UFW ==  
== UFW ==  


''The Ubuntu Firewall''
''The Ubuntu Firewall''
* status
ufw status
* ...with line numbers
ufw status numbered
* numbers
ufw insert <number> allow from ...
ufw delete <number>
'''ufw allow from <target> to <destination> port <port number> proto <protocol name>'''
* allow all traffic on the forward chain (don't do this)
ufw default allow FORWARD
set DEFAULT_FORWARD_POLICY to ACCEPT
/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
* denials
  ufw deny from 10.0.0.42
  ufw deny from 10.0.0.42
  ufw deny in on eth0 from 10.0.0.42
  ufw deny in on eth0 from 10.0.0.42


* allow ssh's
  ufw allow ssh
  ufw allow ssh
  ufw allow 22
  ufw allow 22
  ufw allow from 10.0.0.0/24 to any port 22
  ufw allow from 10.0.0.0/24 to any port 22
 
  ufw allow from 10.0.0.20 to 10.0.0.10 port 22
  ufw allow from 10.0.0.0/24 to any port 873
* web ports
 
  ufw allow http
  ufw allow http
  ufw allow 80
  ufw allow 80
Line 62: Line 121:
  ufw allow 443
  ufw allow 443
  ufw allow proto tcp from any to any port 80,443
  ufw allow proto tcp from any to any port 80,443
* some dbs
Allow MySQL from Specific IP Address or Subnet
Allow MySQL from Specific IP Address or Subnet
  ufw allow from 10.0.0.0/24 to any port 3306
  ufw allow from 10.0.0.0/24 to any port 3306
Line 68: Line 128:
PostgreSQL from Specific IP Address or Subnet
PostgreSQL from Specific IP Address or Subnet
  ufw allow from 10.0.0.0/24 to any port 5432
  ufw allow from 10.0.0.0/24 to any port 5432
* routing from ''eth1'' to ''eth2''
    ufw route allow in on eth1 out on eth2
* a UDP port on any interface from specific IP
ufw allow proto udp from 107.172.59.23 to any port 8288

Latest revision as of 20:47, 20 September 2022

NAT

Network Address Translation (NAT)

Linux's powerful firewall

  • print out the running configuration:
iptables -L
  • or better, this prints every table and chain (not only INPUT):
iptables-save

  • some rules:
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:46590
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:46720
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

  • append a rule (to the end of the INPUT chain) to accept connections on port 5901 (vncserver) — with a final REJECT rule like the one in the listing above, an appended rule is never reached; use -I INPUT to insert it before the REJECT:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
  • show NAT table
iptables -t nat -L
iptables -t nat -L -n -v | grep 'IP or anything'
iptables -t nat -L -n -v
  • netstat-nat, a tool that displays NAT connections
netstat-nat -n
  • show SNAT connections, run:
netstat-nat -S
  • show DNAT connections, type:
netstat-nat -D

saving configuration in a file

iptables-save > backup_iptables

restore conf from a file

iptables-restore < backup_iptables
  • this only loads the rules into the running kernel; they are lost when the iptables service restarts or the host reboots. To keep them, save the configuration:
/etc/init.d/iptables save
  • now we can restart/reboot

redirecting connections

from a specified port to a host (PREROUTING/POSTROUTING and the DNAT/SNAT targets live in the nat table, so both commands need -t nat)

iptables -A PREROUTING -d HOSTONE -p tcp -m tcp --dport 80 -j DNAT --to-destination HOSTWO:80
iptables -A POSTROUTING -d HOSTWO -j SNAT --to-source HOSTONE

Firewalld

firewall-cmd --get-active-zones 
FedoraServer
 interfaces: em1
firewall-cmd --get-default-zone 
FedoraServer
  • change the zone of an interface
firewall-cmd --zone=home --change-interface=eth0
  • add port
firewall-cmd --zone=FedoraServer --add-port=80/tcp --permanent
  • remove port
firewall-cmd --zone=FedoraServer --remove-port=80/tcp --permanent
firewall-cmd --reload
firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work

UFW

The Ubuntu Firewall

  • status
ufw status
  • ...with rule numbers
ufw status numbered
  • insert or delete by rule number
ufw insert <number> allow from ...
ufw delete <number>

ufw allow from <target> to <destination> port <port number> proto <protocol name>

  • allow all traffic on the forward chain (don't do this)
ufw default allow FORWARD

set DEFAULT_FORWARD_POLICY to ACCEPT

/etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"


  • denials
ufw deny from 10.0.0.42
ufw deny in on eth0 from 10.0.0.42
  • allow ssh
ufw allow ssh
ufw allow 22
ufw allow from 10.0.0.0/24 to any port 22
ufw allow from 10.0.0.20 to 10.0.0.10 port 22
  • web ports
ufw allow http
ufw allow 80
ufw allow https
ufw allow 443
ufw allow proto tcp from any to any port 80,443
  • some dbs

Allow MySQL from Specific IP Address or Subnet

ufw allow from 10.0.0.0/24 to any port 3306

Allow MySQL only on a specific network interface

ufw allow in on eth1 to any port 3306

PostgreSQL from Specific IP Address or Subnet

ufw allow from 10.0.0.0/24 to any port 5432
  • routing from eth1 to eth2
    ufw route allow in on eth1 out on eth2
  • a UDP port on any interface from specific IP
ufw allow proto udp from 107.172.59.23 to any port 8288