Difference between revisions of "Firewall (iptables)"
From Alessandro's Wiki
Revision as of 14:24, 12 March 2010
Linux powerful firewall
- see the running configuration (filter table only; add -t nat for the NAT table, -n to skip name lookups, and -v to show the interfaces and packet counters that plain -L hides):
iptables -L
- or, as a dump of every table in the form that iptables-restore reads back:
iptables-save
- some rules (iptables -L output, chain header omitted; ipv6-crypt and ipv6-auth are the names older /etc/protocols files give to IPsec ESP and AH):
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:46590
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:46720
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
- the first line looks like an accept-everything rule only because -L without -v hides interface matches (it is normally the loopback rule, -i lo); check with iptables -L -n -v or iptables-save before trusting a listing like this. The last line is the catch-all: anything not matched above is rejected.
- add a rule to accept connections on port 5901 (vncserver). With a chain that ends in a catch-all REJECT, as above, -A appends the new rule after the REJECT and it is never reached, so insert it in front of the REJECT with -I (no position puts it at the top; iptables -L --line-numbers shows the position of the REJECT if you want it just before that):
iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
- this accepts from any source. Classic VNC sends the session in clear and uses a weak password challenge, so restrict the rule with -s to the network the VNC clients sit on, or leave the port closed and reach VNC through an SSH tunnel.
saving configuration in a file
iptables-save > backup_iptables
restore configuration from a file
iptables-restore < backup_iptables
- this loads the rules into the kernel immediately, replacing every table present in the file (use --noflush to add to the existing rules instead). There is no iptables process: the ruleset lives in kernel memory and is never read from the file again, so a reboot, or a "service iptables restart", replaces it with whatever the init script has stored. On RHEL/Fedora-style systems, store the running ruleset where the init script loads it from (/etc/sysconfig/iptables) with:
/etc/init.d/iptables save
- now we can restart/reboot
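The two steps above, putting a new ACCEPT in front of a chain that ends in a REJECT and making the result survive a reboot, done on the saved ruleset text instead of the live kernel so the change can be reviewed and loaded atomically. This is an added example, not code from the original page; the sample dump, the 192.0.2.0/24 management network and the /etc/sysconfig/iptables path used by the RHEL/Fedora init script are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: put a new ACCEPT rule in
# front of the INPUT chain's catch-all REJECT by editing a saved ruleset,
# check the ordering, and apply/persist it atomically. Working on the
# iptables-save text instead of the live kernel avoids the "-A lands after
# the REJECT" trap and keeps the change reviewable before it is loaded.

# Constructed sample of an iptables-save dump in the shape of the page's
# listing (filter table only, counters zeroed).
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# insert_accept_rule PORT SOURCE: copy the dump on stdin to stdout with an
# ACCEPT for new TCP connections to PORT from SOURCE placed just before the
# filter table's first "-A INPUT ... -j REJECT"; if the chain has no REJECT
# the rule goes in before the table's COMMIT, which is what -A would do.
insert_accept_rule() {
    rule="-A INPUT -s $2 -p tcp -m state --state NEW -m tcp --dport $1 -j ACCEPT"
    awk -v rule="$rule" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A INPUT .*-j REJECT/ && !done { print rule; done = 1 }
        table == "filter" && /^COMMIT$/ && !done            { print rule; done = 1 }
        { print }'
}

# accept_before_reject PORT: exit 0 when the dump on stdin accepts PORT at a
# line above the INPUT chain's REJECT (or has no REJECT at all), else exit 1.
accept_before_reject() {
    awk -v port="$1" '
        $0 ~ ("--dport " port " -j ACCEPT") && !acc { acc = NR }
        /^-A INPUT .*-j REJECT/ && !rej             { rej = NR }
        END { exit !(acc && (!rej || acc < rej)) }'
}

# apply_ruleset FILE: parse-only check first, then load the file atomically
# and store it where the RHEL/Fedora init script reloads it from at boot
# (the same thing "/etc/init.d/iptables save" does). Needs root and a
# netfilter kernel, so it is defined here but not called.
apply_ruleset() {
    iptables-restore --test < "$1" || return 1
    iptables-restore < "$1" || return 1
    iptables-save > /etc/sysconfig/iptables
}

# Demo: open VNC (5901) only to a constructed management network and
# confirm the rule sits above the REJECT.
printf '%s\n' "$SAMPLE_DUMP" | insert_accept_rule 5901 192.0.2.0/24 |
    accept_before_reject 5901 && echo "5901 rule precedes the REJECT"
```

Run unprivileged, the script only exercises the text processing; apply_ruleset is what you would call as root once the emitted file has been reviewed, and the --test pass catches a typo before anything in the kernel changes.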
redirecting connections
from a specified port to a host
- PREROUTING and POSTROUTING with the DNAT and SNAT targets exist only in the nat table, so -t nat is required (without it iptables refuses the rule with "No chain/target/match by that name"). HOSTONE is the address clients connect to on this box, HOSTWO the host that really serves the port:
iptables -t nat -A PREROUTING -d HOSTONE -p tcp -m tcp --dport 80 -j DNAT --to-destination HOSTWO:80
iptables -t nat -A POSTROUTING -d HOSTWO -p tcp -m tcp --dport 80 -j SNAT --to-source HOSTONE
- translation alone does not move packets: routing must be on (net.ipv4.ip_forward=1, via sysctl and /etc/sysctl.conf) and the FORWARD chain must accept the connection to HOSTWO:80 and its replies. The SNAT rule rewrites the source so HOSTWO answers through HOSTONE even when its default route points elsewhere; the price is that HOSTWO sees HOSTONE instead of the real client address in its logs, so leave it out when HOSTWO routes back through HOSTONE anyway. Restricting it to the forwarded port (rather than all traffic to HOSTWO, as the unqualified -d HOSTWO form would) keeps the rewrite from touching anything else.
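The port forward above as a complete ruleset in iptables-save format, so that both halves of the job are visible together: the NAT rewrite, which belongs to the nat table, and the FORWARD rules of the filter table that let the translated packets through. This is an added example, not code from the original page; HOSTONE/HOSTWO are the page's placeholders, and the addresses, the port, and the /tmp/portfwd.rules path are constructed values.

```shell
#!/bin/sh
# Added example, not code from the original page: a two-table ruleset that
# forwards HOSTONE:80 to HOSTWO:80, plus a lint for DNAT/SNAT rules that
# ended up outside the nat table. Addresses are constructed (RFC 5737).
HOSTONE=203.0.113.10   # address clients connect to (on this box)
HOSTWO=192.0.2.20      # backend that really serves the port
PORT=80

# port_forward_ruleset FRONT BACK PORT: print the ruleset on stdout.
port_forward_ruleset() {
    front=$1; back=$2; port=$3
    cat <<EOF
*nat
# PREROUTING/POSTROUTING with DNAT/SNAT exist only here; typing these
# rules without -t nat is the usual mistake.
-A PREROUTING -d $front -p tcp -m tcp --dport $port -j DNAT --to-destination $back:$port
# Rewrite the source only for the forwarded flow, so $back answers via
# this box even if its default route points elsewhere. Cost: $back logs
# $front instead of the real client; drop this rule if $back routes
# replies through this box anyway.
-A POSTROUTING -d $back -p tcp -m tcp --dport $port -j SNAT --to-source $front
COMMIT
*filter
:FORWARD DROP [0:0]
# Translation alone does nothing for routed packets: the FORWARD chain
# must accept the new connection to the backend and the replies.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d $back -p tcp -m tcp --dport $port -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# nat_targets_misplaced: read a dump on stdin and print every DNAT/SNAT/
# MASQUERADE rule that sits outside the *nat table; exit 1 if any, 0 if none.
nat_targets_misplaced() {
    awk '
        /^\*/ { table = substr($0, 2) }
        /-j (DNAT|SNAT|MASQUERADE)/ && table != "nat" { print "outside *nat: " $0; bad = 1 }
        END { exit bad }'
}

# apply_port_forward: routing must be on, then load the ruleset on top of
# the existing one (--noflush adds to the tables instead of replacing them;
# the :FORWARD line still sets that chain's policy to DROP). Needs root and
# a netfilter kernel, so it is defined here but not called.
apply_port_forward() {
    # put "net.ipv4.ip_forward = 1" in /etc/sysctl.conf to keep it across reboots
    sysctl -w net.ipv4.ip_forward=1 || return 1
    port_forward_ruleset "$HOSTONE" "$HOSTWO" "$PORT" > /tmp/portfwd.rules
    iptables-restore --test --noflush < /tmp/portfwd.rules || return 1
    iptables-restore --noflush < /tmp/portfwd.rules
}

# Demo: show the ruleset that apply_port_forward would load.
port_forward_ruleset "$HOSTONE" "$HOSTWO" "$PORT"
```

The FORWARD policy is set to DROP on purpose: once ip_forward is on, the box routes for anyone who can reach it, and only the explicitly listed flow should get through. The --noflush load keeps the existing INPUT rules (including the catch-all REJECT) untouched, which is why the filter section declares nothing but FORWARD.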