Difference between revisions of "Firewall (iptables)"
From Alessandro's Wiki
Latest revision as of 20:47, 20 September 2022
== NAT ==
Network Address Translation: see [[NAT]]
== linux powerful firewall ==
* print the running configuration:
 iptables -L
* or better, this prints all rules of all tables, in a form that can be restored later:
 iptables-save
* some rules:
 target     prot opt source               destination
 ACCEPT     all  --  anywhere             anywhere
 ACCEPT     icmp --  anywhere             anywhere            icmp any
 ACCEPT     ipv6-crypt-- anywhere         anywhere
 ACCEPT     ipv6-auth-- anywhere          anywhere
 ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
 ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
 ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
 ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
 ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
 ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
 ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:46590
 ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:46720
 REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
* append a rule (to the end of the chain) to accept connections on port 5901 (vncserver)
 iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
* show the NAT table
 iptables -t nat -L
 iptables -t nat -L -n -v | grep 'IP or anything'
 iptables -t nat -L -n -v
* netstat-nat, software to display NAT connections
 netstat-nat -n
* show SNAT connections, run:
 netstat-nat -S
* show DNAT connections, type:
 netstat-nat -D
== saving configuration in a file ==
 iptables-save > backup_iptables
== restore conf from a file ==
 iptables-restore < backup_iptables
* this only loads the configuration until the iptables service is restarted; to keep it across restarts, save it:
 /etc/init.d/iptables save
* now we can restart/reboot
== redirecting connections ==
=== from a specified port to a host ===
 iptables -t nat -A PREROUTING -d HOSTONE -p tcp -m tcp --dport 80 -j DNAT --to-destination HOSTWO:80
 iptables -t nat -A POSTROUTING -d HOSTWO -j SNAT --to-source HOSTONE
* both rules belong to the nat table (PREROUTING and POSTROUTING do not exist in the default filter table, so without -t nat the command fails), and the kernel must be allowed to forward with net.ipv4.ip_forward=1
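As an added example (not code from this wiki), a POSIX shell script that writes the rules from this page in iptables-restore format: a default-deny INPUT chain with established/related traffic, ssh limited to an admin subnet and the web ports, plus the port-80 DNAT/SNAT redirect in the nat table; it goes a little beyond the page by also adding the matching FORWARD rule and a check that no default policy is ACCEPT. ADMIN_NET, FRONT_IP and BACKEND_IP are hypothetical placeholders standing in for HOSTONE and HOSTWO.

```shell
#!/bin/sh
# Added example, not the wiki's own code: build an iptables-restore ruleset as
# text so it can be reviewed and diffed before `iptables-restore` loads it.
# ADMIN_NET, FRONT_IP and BACKEND_IP are hypothetical placeholders that play
# the role of the page's HOSTONE (front) and HOSTWO (backend).

# gen_rules ADMIN_NET FRONT_IP BACKEND_IP: print a filter + nat ruleset
gen_rules() {
    admin_net="$1"; front="$2"; backend="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s $admin_net -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d $backend -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $front -p tcp --dport 80 -j DNAT --to-destination $backend:80
-A POSTROUTING -d $backend -p tcp --dport 80 -j SNAT --to-source $front
COMMIT
EOF
}

# check_policies: read a ruleset on stdin and fail (return 1) when INPUT or
# FORWARD defaults to ACCEPT, the open-by-default state the UFW section warns
# about for the forward chain.
check_policies() {
    ! grep -Eq '^:(INPUT|FORWARD) ACCEPT'
}

# count_rules TABLE: number of -A rules in TABLE of the ruleset read on stdin
count_rules() {
    awk -v t="*$1" '$0 == t {in_t = 1; next} /^\*/ {in_t = 0}
                    in_t && /^-A / {n++} END {print n + 0}'
}

# Demonstration with constructed addresses (documentation ranges):
rules=$(gen_rules 10.0.0.0/24 192.0.2.10 10.0.0.20)
printf '%s\n' "$rules" | check_policies && echo "default policies: OK"
printf '%s\n' "$rules" | count_rules nat
```

Load the output with iptables-restore only after reviewing it, since a bad ruleset on a remote host can lock you out. The DNAT only redirects traffic when net.ipv4.ip_forward=1 and the FORWARD chain accepts the flow, which the filter section above includes.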
== Firewalld ==
 firewall-cmd --get-active-zones
 FedoraServer
   interfaces: em1
 firewall-cmd --get-default-zone
 FedoraServer
* change zone of an interface
 firewall-cmd --zone=home --change-interface=eth0
* add port
 firewall-cmd --zone=FedoraServer --add-port=80/tcp --permanent
* remove port
 firewall-cmd --zone=FedoraServer --remove-port=80/tcp --permanent
* --permanent changes only take effect after a reload:
 firewall-cmd --reload
* list all zones
 firewall-cmd --get-zones
 FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work
== UFW ==
''The Ubuntu Firewall''
* status
 ufw status
* ...with line numbers
 ufw status numbered
* insert or delete by rule number
 ufw insert <number> allow from ...
 ufw delete <number>
'''ufw allow from <target> to <destination> port <port number> proto <protocol name>'''
* allow all traffic on the forward chain (don't do this)
 ufw default allow FORWARD
set DEFAULT_FORWARD_POLICY to ACCEPT in /etc/default/ufw:
 DEFAULT_FORWARD_POLICY="ACCEPT"
* denials
 ufw deny from 10.0.0.42
 ufw deny in on eth0 from 10.0.0.42
* allow ssh
 ufw allow ssh
 ufw allow 22
 ufw allow from 10.0.0.0/24 to any port 22
 ufw allow from 10.0.0.20 to 10.0.0.10 port 22
* web ports
 ufw allow http
 ufw allow 80
 ufw allow https
 ufw allow 443
 ufw allow proto tcp from any to any port 80,443
* some dbs
allow MySQL from a specific IP address or subnet
 ufw allow from 10.0.0.0/24 to any port 3306
allow MySQL on a specific network interface
 ufw allow in on eth1 to any port 3306
PostgreSQL from a specific IP address or subnet
 ufw allow from 10.0.0.0/24 to any port 5432
* routing from ''eth1'' to ''eth2''
 ufw route allow in on eth1 out on eth2
* a UDP port on any interface from a specific IP
 ufw allow proto udp from 107.172.59.23 to any port 8288