Iptables: Difference between revisions

From KlavoWiki
Latest revision as of 02:07, 15 June 2021

Chains

INPUT
OUTPUT
FORWARD

Parameters

-I Insert
-A Append

-s Source
-d Destination

-p protocol
--dport destination port number
-j target

Default Behaviour

Drop

Drop all packets by default

iptables -P INPUT DROP

Accept

Accepts all packets by default

iptables -P INPUT ACCEPT


Accept

Accept from Source

iptables -A INPUT -s 172.16.28.0/22 -j ACCEPT


Accept from Source on specific interface

iptables -A INPUT -i eth0 -s 23.253.232.189 -j ACCEPT

Accept all TCP 22 packets
Insert at line 2

iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT

Accepts all packets from an ipset.

iptables -A INPUT -m set --match-set geoblock src -j ACCEPT

Drop

Drop from Source

iptables -A INPUT -s 23.253.232.189 -j DROP


Drop from Source on specific interface

iptables -A INPUT -i eth0 -s 23.253.232.189 -j DROP

Drop all TCP 22 packets
Insert rule at line 3

iptables -I INPUT 3 -p tcp --dport 22 -j DROP

Drop all source addresses based on ipset.

iptables -A INPUT -m set --match-set geoblock src -j DROP

Drop & Accept

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 159.17.28.25 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m set --match-set geoblock src -j ACCEPT
iptables -A INPUT -j DROP

Comments

-A INPUT -p tcp -m tcp --dport 80 -j DROP -m comment --comment "Drop All HTTP Traffic"

List

Current tables

iptables -L -vn

or

iptables -vnL

-L List
-v verbose
-n no reverse lookup

with Line Numbers

iptables -L -n --line-numbers

List Chain

iptables -L INPUT -n --line-numbers

Delete

by Rule Number

iptables -D INPUT 3

by Rule Name

iptables -D INPUT -s 23.253.232.189 -j DROP

Delete All

Delete all rules. If the INPUT policy is DROP (see Default Behaviour), flushing leaves only that policy in place and every incoming packet is dropped, so run this from a console session rather than over SSH.

iptables --flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

Rules

Saving

iptables-save > /opt/firewall.conf

Restoring

iptables-restore < /opt/firewall.conf
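The Drop & Accept rules above are appended one at a time, so their order is whatever order you type them in, and a DROP policy set before the ACCEPT rules cuts off the session you are typing from. As an added example, not from this wiki, the same allow-list rendered as an iptables-restore file, which applies atomically and is the format the Saving/Restoring and Debian if-up.d steps already use; the admin address, LAN range, ipset name and output path are assumptions taken from the wiki's sample values.

```shell
#!/bin/sh
# Added example: emit the "Drop & Accept" allow-list in iptables-restore format.
# iptables-restore swaps the whole ruleset in one step, so there is no moment
# where the policy is DROP but the ACCEPT rules are not yet in place.
# Assumed parameters: admin SSH source, trusted LAN range, ipset name.

gen_ruleset() {
    admin_ip="$1"            # host allowed to reach TCP/22 (wiki sample: 159.17.28.25)
    lan_cidr="$2"            # trusted LAN (wiki sample: 192.168.1.0/24)
    geoset="${3:-geoblock}"  # ipset of allowed source networks; must exist
                             # (ipset restore) before iptables-restore runs
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -s $admin_ip -p tcp --dport 22 -m comment --comment "admin ssh" -j ACCEPT
-A INPUT -s $lan_cidr -j ACCEPT
-A INPUT -m set --match-set $geoset src -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity check before applying: the stateful ACCEPT must come before the
# final DROP and the file must end with COMMIT. Returns 0 if both hold.
check_ruleset() {
    ruleset="$1"
    est=$(printf '%s\n' "$ruleset" | grep -n 'ESTABLISHED,RELATED' | cut -d: -f1)
    drop=$(printf '%s\n' "$ruleset" | grep -n '^-A INPUT -j DROP' | cut -d: -f1)
    last=$(printf '%s\n' "$ruleset" | tail -n 1)
    if [ -n "$est" ] && [ -n "$drop" ] && [ "$est" -lt "$drop" ] && [ "$last" = "COMMIT" ]; then
        return 0
    fi
    return 1
}

# Usage on the firewall host (root required; FORWARD DROP assumes the host
# does not route, change it to ACCEPT plus the nat section rules if it does):
#   rules=$(gen_ruleset 159.17.28.25 192.168.1.0/24)
#   check_ruleset "$rules" && printf '%s\n' "$rules" > /opt/firewall.conf
#   iptables-restore --test /opt/firewall.conf && iptables-restore /opt/firewall.conf
```

Because the file references the geoblock set, load that set with ipset restore before iptables-restore runs, including in the if-up.d hook.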


IPSET (geographic set)

The following script will create an ipset called geoblock that contains the AU and NZ IP address lists.
Make sure the /opt/iptables folder exists or change to an appropriate path.

#!/bin/bash
# Build (or rebuild) the geoblock set from the ipdeny AU and NZ zone files.
mkdir -p /tmp/geoblocking
cd /tmp/geoblocking || exit 1
# Remove any previous set; the error is harmless when it does not exist yet.
ipset destroy geoblock 2>/dev/null
ipset -N geoblock nethash
for i in au nz; do
    echo "$i"
    # The zone list is fetched unauthenticated over plain HTTP and the INPUT
    # chain ACCEPTs from this set, so check the file before trusting it.
    wget -q http://www.ipdeny.com/ipblocks/data/countries/$i.zone
    for k in $(cat "$i.zone"); do
        ipset -A geoblock "$k"
    done
done
cd /tmp
rm -rf /tmp/geoblocking
# Save the set so it can be reloaded with "ipset restore" before the firewall rules.
ipset save geoblock > /opt/iptables/ipset-geoblock
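The loop above calls ipset once per network, which is slow for the tens of thousands of entries in a country zone file, and it adds whatever the download contains without checking it. The following is an added example, not the wiki's script: it converts a zone file into ipset restore format, keeps only lines that look like IPv4 CIDRs, and loads the whole set with one ipset restore call. The zone file is constructed inline; the set name and the paths are assumptions.

```shell
#!/bin/sh
# Added example: load the geoblock set in bulk from a zone file.
# Rather than one "ipset -A" per network, emit "ipset restore" input, which
# loads tens of thousands of entries in one call. Lines that are not IPv4
# CIDRs are dropped, so a truncated or tampered download cannot put odd
# entries into a set that the INPUT chain later ACCEPTs from.

# Print an ipset restore script for SETNAME from FILE; rejected lines go to stderr.
zone_to_restore() {
    setname="$1"
    zonefile="$2"
    # hash:net is the current name for the "nethash" type used on this page;
    # -exist makes create/add idempotent, so stale entries from an earlier
    # load stay unless you "ipset flush" the set first.
    printf 'create %s hash:net -exist\n' "$setname"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;   # blank lines and comments
        esac
        if printf '%s\n' "$line" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
            printf 'add %s %s -exist\n' "$setname" "$line"
        else
            printf 'skipped malformed entry: %s\n' "$line" >&2
        fi
    done < "$zonefile"
}

# Number of networks a restore script would add. Check this before loading:
# a tiny count means the download failed, not that the country is empty.
count_adds() {
    grep -c '^add ' "$1"
}

# Constructed sample zone file (not real ipdeny data) with two bad lines.
SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
1.0.0.0/24
1.0.4.0/22
# comment line
not-an-address
203.0.113.0/33
EOF
zone_to_restore geoblock "$SAMPLE_ZONE" > "$SAMPLE_ZONE.restore" 2>/dev/null

# On the firewall host (root required), after downloading au.zone as on this page:
#   zone_to_restore geoblock au.zone | ipset restore
```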


Automatic Load on Restart

Debian

On Debian, once your rules are working as required, save them and have them restored whenever an interface comes up:

iptables-save > /etc/iptables.up.rules
vi /etc/network/if-up.d/iptables

add the following lines

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

then make the hook executable

chmod +x /etc/network/if-up.d/iptables

CentOS 7.x

Tables are saved on reboot or when the service is stopped.

yum -y install iptables iptables-services
systemctl start iptables
systemctl enable iptables

To save the current rules by hand:

service iptables save

dscp class

Set Class EF

iptables -A OUTPUT -t mangle -p udp --dport 5060 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4569 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4520 -j DSCP --set-dscp-class EF
  • 5060 SIP
  • 4569 IAX
  • 4520 DUNDI

nat

This accepts all traffic from wlan0 and passes it out through eth0 as if it originated from eth0's address. Traffic from eth0 to wlan0 is only allowed when it belongs to a connection that was established from wlan0. Forwarding also has to be enabled in the kernel (net.ipv4.ip_forward=1) for the FORWARD chain to see any of this traffic.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

View Defined Classes

mangle

iptables -t mangle -nvL

nat

iptables -t nat -nvL