Iptables: Difference between revisions

From KlavoWiki
Jump to navigationJump to search
← Older edit
 
(17 intermediate revisions by the same user not shown)
Line 4: Line 4:
OUTPUT
OUTPUT
FORWARD
FORWARD
</pre>
= Parameters =
<pre>
-I Insert
-A Append
-s Source
-d Destination
-p protocol
--dport destination port number
-j target
</pre>
</pre>


Line 17: Line 30:
<pre>
<pre>
iptables -P INPUT ACCEPT
iptables -P INPUT ACCEPT
</pre>
= Accept =
Accept from Source
<pre>
iptables -A INPUT -s 172.16.28.0/22 -j ACCEPT
</pre>
Accept from Source on specific interface
<pre>
iptables -A INPUT -i eth0 -s 23.253.232.189 -j ACCEPT
</pre>
Accept all TCP 22 packets<br>
Insert at line 2
<pre>
iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT
</pre>
Accepts all packets from an ipset.
<pre>
iptables -A INPUT -m set --match-set geoblock src -j ACCEPT
</pre>
</pre>


Line 22: Line 60:
Drop from Source
Drop from Source
<pre>
<pre>
iptables -I INPUT -s 23.253.232.189 -j DROP
iptables -A INPUT -s 23.253.232.189 -j DROP
</pre>
</pre>
Drop from Source on specific interface
<pre>
<pre>
-I Insert
iptables -A INPUT -i eth0 -s 23.253.232.189 -j DROP
-A Append
</pre>
 
Drop all TCP 22 packets<br>
Insert rule at line 3
<pre>
iptables -I INPUT 3 -p tcp --dport 22 -j DROP
</pre>
 
Drop all source addresses based on ipset.
<pre>
iptables -A INPUT -m set --match-set geoblock src -j DROP
</pre>


-s Source
= Drop & Accept =
-d Destination
<pre>
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 159.17.28.25 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m set --match-set geoblock src -j ACCEPT
iptables -A INPUT -j DROP
</pre>
</pre>


= Comments =
<pre>
-A INPUT -p tcp -m tcp --dport 80 -j DROP -m comment --comment "Drop All HTTP Traffic"
</pre>


= List =
= List =
== Current tables ==
== Current tables ==
<pre>
<pre>
iptables -L -v
iptables -L -vn
</pre>
</pre>
or
<pre>
iptables -vnL
</pre>
<pre>
<pre>
-L List
-L List
-v verbose
-v verbose
-n no reverse lookup
</pre>
</pre>


Line 68: Line 137:
<pre>
<pre>
iptables --flush
iptables --flush
</pre>
<pre>
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
</pre>
</pre>


Line 81: Line 159:
</pre>
</pre>


== Automatic Load on Restart ==
 
= IPSET (geographic set) =
The following script will create an ipset called geoblock that contains the AU and NZ, IP address list.<br>
Make sure the /opt/iptables folder exists or change to an appropriate path.
<pre>
#!/bin/bash
mkdir /tmp/geoblocking
cd /tmp/geoblocking
ipset destroy geoblock
ipset -N geoblock nethash
for i in au nz; do
echo $i
wget -q http://www.ipdeny.com/ipblocks/data/countries/$i.zone
for k in `cat $i.zone`; do
ipset -A geoblock $k
done
done
cd /tmp
rm -rf /tmp/geoblocking
ipset save geoblock > /opt/iptables/ipset-geoblock
</pre>
 
 
= Automatic Load on Restart =
== Debian ==
 
Based on Debian, once your tables are operating as required
Based on Debian, once your tables are operating as required
<pre>
<pre>
Line 99: Line 202:
<pre>
<pre>
chmod +x /etc/network/if-up.d/iptables
chmod +x /etc/network/if-up.d/iptables
</pre>
== CentOS 7.x ==
Tables are save on reboot or stopping service.
<pre>
yum -y install iptables iptables-services
systemctl start iptables
systemctl enable iptables
</pre>
<pre>
service iptables save
</pre>
</pre>


Line 106: Line 221:
iptables -A OUTPUT -t mangle -p udp --dport 5060 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 5060 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4569 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4569 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4520 -j DSCP --set-dscp-class EF
</pre>
* 5060 SIP
* 4569 IAX
* 4520 DUNDI
= nat =
This accepts all traffic from wlan0 and passes it to eth0 as if the traffic originated from eth0.  Traffic to wlan0 is not allowed unless related or established from wlan0.
<pre>
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT
</pre>
</pre>


== View Defined Classes ==
= View Defined Classes =
== mangle ==
<pre>
<pre>
iptables -t mangle -nvL
iptables -t mangle -nvL
</pre>
</pre>


[[Category : Linux]] [[Category : IPtables]]
== nat ==
<pre>
iptables -t nat -nvL
</pre>
 
[[Category : Linux]]

Latest revision as of 02:07, 15 June 2021

Chains

INPUT
OUTPUT
FORWARD

Parameters

-I Insert
-A Append

-s Source
-d Destination

-p protocol
--dport destination port number
-j target

Default Behaviour

Drop

Drop all packets by default 

iptables -P INPUT DROP

Accept

Accepts all packets by default 

iptables -P INPUT ACCEPT


Accept

Accept from Source 

iptables -A INPUT -s 172.16.28.0/22 -j ACCEPT


Accept from Source on specific interface 

iptables -A INPUT -i eth0 -s 23.253.232.189 -j ACCEPT

Accept all TCP 22 packets
Insert at line 2 

iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT

Accepts all packets from an ipset. 

iptables -A INPUT -m set --match-set geoblock src -j ACCEPT

Drop

Drop from Source 

iptables -A INPUT -s 23.253.232.189 -j DROP


Drop from Source on specific interface 

iptables -A INPUT -i eth0 -s 23.253.232.189 -j DROP

Drop all TCP 22 packets
Insert rule at line 3 

iptables -I INPUT 3 -p tcp --dport 22 -j DROP

Drop all source addresses based on ipset. 

iptables -A INPUT -m set --match-set geoblock src -j DROP

Drop & Accept

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 159.17.28.25 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m set --match-set geoblock src -j ACCEPT
iptables -A INPUT -j DROP

Comments

-A INPUT -p tcp -m tcp --dport 80 -j DROP -m comment --comment "Drop All HTTP Traffic"

List

Current tables

iptables -L -vn

or 

iptables -vnL

-L List
-v verbose
-n no reverse lookup

with Line Numbers

iptables -L -n --line-numbers

List Chain

iptables -L INPUT -n --line-numbers

Delete

by Rule Number

iptables -D INPUT 3

by Rule Name

iptables -D INPUT -s 23.253.232.189 -j DROP

Delete All

Delete all rules 

iptables --flush

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

Rules

Saving

iptables-save > /opt/firewall.conf

Restoring

iptables-restore < /opt/firewall.conf


IPSET (geographic set)

The following script will create an ipset called geoblock that contains the AU and NZ, IP address list.
Make sure the /opt/iptables folder exists or change to an appropriate path. 

#!/bin/bash
mkdir /tmp/geoblocking
cd /tmp/geoblocking
ipset destroy geoblock
ipset -N geoblock nethash
for i in au nz; do
echo $i
wget -q http://www.ipdeny.com/ipblocks/data/countries/$i.zone
for k in `cat $i.zone`; do
ipset -A geoblock $k
done
done
cd /tmp
rm -rf /tmp/geoblocking
ipset save geoblock > /opt/iptables/ipset-geoblock


Automatic Load on Restart

Debian

Based on Debian, once your tables are operating as required 

iptables-save > /etc/iptables.up.rules

vi /etc/network/if-up.d/iptables

add the following lines 

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

chmod +x /etc/network/if-up.d/iptables

CentOS 7.x

Tables are save on reboot or stopping service. 

yum -y install iptables iptables-services
systemctl start iptables
systemctl enable iptables

service iptables save

dscp class

Set Class EF

iptables -A OUTPUT -t mangle -p udp --dport 5060 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4569 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4520 -j DSCP --set-dscp-class EF
  • 5060 SIP
  • 4569 IAX
  • 4520 DUNDI

nat

This accepts all traffic from wlan0 and passes it to eth0 as if the traffic originated from eth0. Traffic to wlan0 is not allowed unless related or established from wlan0. 

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

View Defined Classes

mangle

iptables -t mangle -nvL

nat

iptables -t nat -nvL
Retrieved from ‘https://klaverstyn.com.au/david/wiki/index.php?title=Iptables&oldid=2503