Difference between revisions of "Firewall (iptables)"
From Alessandro's Wiki
Revision as of 15:07, 21 January 2018
NAT
Network Address Translation (NAT)
iptables, the powerful Linux firewall
- print the running configuration:
iptables -L
- or better (this prints every table and chain, in a form that can be restored):
iptables-save
- some rules, as listed by iptables -L:
target     prot       opt source      destination
ACCEPT     all        --  anywhere    anywhere
ACCEPT     icmp       --  anywhere    anywhere     icmp any
ACCEPT     ipv6-crypt --  anywhere    anywhere
ACCEPT     ipv6-auth  --  anywhere    anywhere
ACCEPT     udp        --  anywhere    224.0.0.251  udp dpt:mdns
ACCEPT     udp        --  anywhere    anywhere     udp dpt:ipp
ACCEPT     tcp        --  anywhere    anywhere     tcp dpt:ipp
ACCEPT     all        --  anywhere    anywhere     state RELATED,ESTABLISHED
ACCEPT     tcp        --  anywhere    anywhere     state NEW tcp dpt:ssh
ACCEPT     tcp        --  anywhere    anywhere     state NEW tcp dpt:http
ACCEPT     tcp        --  anywhere    anywhere     state NEW tcp dpt:46590
ACCEPT     udp        --  anywhere    anywhere     state NEW udp dpt:46720
REJECT     all        --  anywhere    anywhere     reject-with icmp-host-prohibited
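The iptables -L listing has a fixed column layout, so it can be parsed to audit which services a host accepts from any source. The script below is an added example and not part of this wiki page; its sample listing is constructed (a subset of the rules above plus the VNC rule on port 5901 that this page adds), and the function names are my own.

```python
import re

# Constructed sample of `iptables -L` output (not captured from a real host): the page's rules plus the VNC (5901) rule it adds.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:5901
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+)\)")


def parse_listing(text):
    """Parse `iptables -L` text into {chain: {"policy": ..., "rules": [...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue
        # Columns: target prot opt source destination, then free-form match text.
        fields = line.split(None, 5)
        target, prot, _opt, src, dst = fields[:5]
        extra = fields[5] if len(fields) > 5 else ""
        dport = re.search(r"dpt:(\S+)", extra)
        current["rules"].append({"target": target, "prot": prot, "src": src, "dst": dst,
                                 "extra": extra, "dport": dport.group(1) if dport else None})
    return chains


def exposed_ports(chains, chain="INPUT"):
    """(proto, port) pairs the chain ACCEPTs from any source: the host's exposed services."""
    return [(r["prot"], r["dport"]) for r in chains[chain]["rules"]
            if r["target"] == "ACCEPT" and r["src"] == "anywhere" and r["dport"]]


def wildcard_accepts(chains, chain="INPUT"):
    """ACCEPT rules with no match text, which admit every packet. `iptables -L`
    hides interface matches (this is often `-i lo`); confirm with `iptables-save`."""
    return [r for r in chains[chain]["rules"]
            if r["target"] == "ACCEPT" and r["prot"] == "all" and not r["extra"]]
```

Feed it the real output of iptables -L on a host to get the list of ports accepted from anywhere; a wildcard ACCEPT is worth checking with iptables-save, which shows the interface match that iptables -L omits.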
- add a rule to accept connections on port 5901 (vncserver)
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
- save the configuration to a file:
iptables-save > backup_iptables
- restore the configuration from a file:
iptables-restore < backup_iptables
- rules added with iptables -A live only in memory and are lost when the iptables service is restarted or the host reboots; to keep them, save the configuration (this is the Red Hat/CentOS init script):
/etc/init.d/iptables save
- now we can restart the service or reboot
redirecting connections
from a port on one host (HOSTONE) to another host (HOSTWO)
- both rules belong to the nat table, and forwarding the packets requires net.ipv4.ip_forward=1:
iptables -t nat -A PREROUTING -d HOSTONE -p tcp -m tcp --dport 80 -j DNAT --to-destination HOSTWO:80
iptables -t nat -A POSTROUTING -d HOSTWO -j SNAT --to-source HOSTONE
UFW
The Ubuntu Firewall
ufw deny from 10.0.0.42
ufw deny in on eth0 from 10.0.0.42
ufw allow ssh
ufw allow 22
ufw allow from 10.0.0.0/24 to any port 22
ufw allow from 10.0.0.0/24 to any port 873
ufw allow http
ufw allow 80
ufw allow https
ufw allow 443
ufw allow proto tcp from any to any port 80,443
Allow MySQL from Specific IP Address or Subnet
ufw allow from 10.0.0.0/24 to any port 3306
Allow MySQL to Specific Network Interface
ufw allow in on eth1 to any port 3306
Allow PostgreSQL from Specific IP Address or Subnet
ufw allow from 10.0.0.0/24 to any port 5432