Difference between revisions of "Firewall (iptables)"

From Alessandro's Wiki
 

Revision as of 14:24, 12 March 2010

Linux's powerful firewall

  • see the running configuration (the filter table only; add -n to skip reverse DNS lookups and -v to see interfaces and packet counters):
iptables -L
  • or dump every table (filter, nat, mangle) in the format that iptables-restore reads back:
iptables-save

  • some rules (the listing of an input chain; note that it ends in a catch-all REJECT, so a rule only takes effect if it sits above that last line):
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     ipv6-crypt--  anywhere             anywhere
ACCEPT     ipv6-auth--  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:46590
ACCEPT     udp  --  anywhere             anywhere            state NEW udp dpt:46720
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

  • add a rule to accept connections on port 5901 (vncserver):
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
  • caveat: -A appends at the end of the chain. In a chain like the one listed above that is after the catch-all REJECT, so the new rule is never reached. Check the positions with iptables -L INPUT -n --line-numbers and insert above the REJECT instead (rule 13 if the chain listed above is INPUT):
iptables -I INPUT 13 -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
  • VNC traffic is not encrypted; restrict the source with -s <your network> or tunnel it over ssh rather than opening 5901 to everyone.
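The append-versus-insert problem above, as an added example that is not part of the original page: a small POSIX sh script that finds the catch-all REJECT/DROP in a chain and inserts the ACCEPT rule just above it, optionally limited to a source network. The function names, the DRY_RUN and LISTING variables and the sample listing (a reconstruction of the ruleset shown above in iptables -L -n --line-numbers form) are this example's own assumptions; the script does not touch iptables unless it is run as root with DRY_RUN=0.

```sh
#!/bin/sh
# Added example, not from the original wiki page.
# Opens a port by INSERTING the ACCEPT rule before the chain's first REJECT/DROP,
# instead of appending with -A (which lands after the REJECT and never matches).
# DRY_RUN=1 (default): print the commands and parse a constructed sample listing.
# DRY_RUN=0: really run iptables (needs root).
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of `iptables -L INPUT -n --line-numbers`, mirroring the
# ruleset shown on this page (the catch-all REJECT is rule 13).
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 255
3    ACCEPT     esp  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     ah   --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     udp  --  0.0.0.0/0            224.0.0.251         udp dpt:5353
6    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:631
7    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:631
8    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
9    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
10   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
11   ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:46590
12   ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:46720
13   REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Numbered listing of a chain. In dry-run mode a listing can be injected
# through LISTING (hypothetical variable) or falls back to the sample above.
list_chain() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "${LISTING:-$SAMPLE_LISTING}"
  else
    iptables -L "$1" -n --line-numbers
  fi
}

# Rule number of the first REJECT or DROP in the chain; empty if there is none.
# With --line-numbers the number is field 1 and the target is field 2.
first_reject_rule() {
  list_chain "$1" | awk '$2 == "REJECT" || $2 == "DROP" { print $1; exit }'
}

# open_port CHAIN PROTO PORT [SOURCE]
# Inserts above the catch-all rule; appends only when the chain has none
# (then the chain policy, not a rule, decides and -A is safe).
open_port() {
  chain=$1; proto=$2; port=$3; src=${4:-0.0.0.0/0}
  n=$(first_reject_rule "$chain")
  if [ -n "$n" ]; then
    run iptables -I "$chain" "$n" -s "$src" -p "$proto" -m "$proto" --dport "$port" -m state --state NEW -j ACCEPT
  else
    run iptables -A "$chain" -s "$src" -p "$proto" -m "$proto" --dport "$port" -m state --state NEW -j ACCEPT
  fi
}

# VNC from the local network only, never from 0.0.0.0/0.
open_port INPUT tcp 5901 192.168.1.0/24
```

Run it as is to see what it would do; run `DRY_RUN=0 sudo sh open_port.sh` to apply. The source restriction is the important part for VNC: the protocol carries no encryption, so the rule should admit only the network the operator actually connects from.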

saving the configuration to a file

iptables-save > backup_iptables

restore the configuration from a file

iptables-restore < backup_iptables
  • iptables-restore loads the rules into the running kernel only (and, unless given -n/--noflush, replaces everything that was there); they are lost at the next reboot or restart of the iptables service. On Red Hat style systems, write them to /etc/sysconfig/iptables, which the init script loads at boot, with:
/etc/init.d/iptables save
  • now we can restart/reboot


redirecting connections

from a specified port on one host to another host

DNAT and SNAT live in the nat table, so PREROUTING and POSTROUTING must be addressed with -t nat (without it iptables reports that the chain does not exist). HOSTONE is the machine running iptables, HOSTWO the machine that should receive the connections:

iptables -t nat -A PREROUTING -d HOSTONE -p tcp -m tcp --dport 80 -j DNAT --to-destination HOSTWO:80
iptables -t nat -A POSTROUTING -d HOSTWO -j SNAT --to-source HOSTONE
  • the SNAT rule makes the forwarded packets appear to come from HOSTONE, so HOSTWO's replies return through HOSTONE even if its default route points elsewhere; the price is that HOSTWO sees HOSTONE as the client in its logs. Forwarding also needs net.ipv4.ip_forward=1 and a FORWARD rule that accepts the traffic.
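The complete port-forward described above, as an added example that is not part of the original page: a POSIX sh function that emits every step the two NAT rules depend on (IP forwarding, the nat table, the FORWARD chain, the SNAT for the return path). The function name, the DRY_RUN variable and the documentation addresses 203.0.113.10 (HOSTONE, the firewall) and 192.0.2.20 (HOSTWO, the backend) are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the original wiki page.
# Forwards TCP connections arriving at FRONT_IP:PORT (the firewall) to BACK_IP:PORT.
# DRY_RUN=1 (default): print the commands. DRY_RUN=0: really run them (needs root).
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# forward_port FRONT_IP BACK_IP PORT
forward_port() {
  front=$1; back=$2; port=$3
  # 1. the kernel must be willing to route packets between interfaces at all
  run sysctl -w net.ipv4.ip_forward=1
  # 2. DNAT is done in the nat table's PREROUTING chain; without -t nat the chain
  #    does not exist and iptables refuses the rule
  run iptables -t nat -A PREROUTING -d "$front" -p tcp -m tcp --dport "$port" \
      -j DNAT --to-destination "$back:$port"
  # 3. after DNAT the packets traverse FORWARD, not INPUT, so a filter rule must
  #    admit the new connections and the replies. Only this port is opened,
  #    not everything towards the backend.
  run iptables -A FORWARD -d "$back" -p tcp -m tcp --dport "$port" \
      -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  run iptables -A FORWARD -s "$back" -p tcp -m tcp --sport "$port" \
      -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 4. SNAT the forwarded packets to the firewall's address so the backend answers
  #    via the firewall even if its default route is elsewhere. Limited to the
  #    forwarded port: the page's unrestricted "-d HOSTWO -j SNAT" would rewrite
  #    every packet to the backend. The backend's logs will show the firewall,
  #    not the real client, as the source.
  run iptables -t nat -A POSTROUTING -d "$back" -p tcp -m tcp --dport "$port" \
      -j SNAT --to-source "$front"
}

forward_port 203.0.113.10 192.0.2.20 80
```

If the backend's default gateway is the firewall, step 4 can be dropped and the backend then sees the real client addresses, which is better for its own logging and rate limiting.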