Iptables: Difference between revisions

From KlavoWiki
Jump to navigationJump to search
 
Line 78: Line 78:
<pre>
<pre>
iptables -A INPUT -m set --match-set geoblock src -j DROP
iptables -A INPUT -m set --match-set geoblock src -j DROP
</pre>
= Drop & Accept =
<pre>
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 159.17.28.25 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m set --match-set geoblock src -j ACCEPT
iptables -A INPUT -j DROP
</pre>
</pre>



Latest revision as of 02:07, 15 June 2021

Chains

INPUT
OUTPUT
FORWARD

Parameters

-I Insert
-A Append

-s Source
-d Destination

-p protocol
--dport destination port number
-j target

Default Behaviour

Drop

Drop all packets by default

iptables -P INPUT DROP

Accept

Accepts all packets by default

iptables -P INPUT ACCEPT


Accept

Accept from Source

iptables -A INPUT -s 172.16.28.0/22 -j ACCEPT


Accept from Source on specific interface

iptables -A INPUT -i eth0 -s 23.253.232.189 -j ACCEPT

Accept all TCP 22 packets
Insert at line 2

iptables -I INPUT 2 -p tcp --dport 22 -j ACCEPT

Accepts all packets from an ipset.

iptables -A INPUT -m set --match-set geoblock src -j ACCEPT

Drop

Drop from Source

iptables -A INPUT -s 23.253.232.189 -j DROP


Drop from Source on specific interface

iptables -A INPUT -i eth0 -s 23.253.232.189 -j DROP

Drop all TCP 22 packets
Insert rule at line 3

iptables -I INPUT 3 -p tcp --dport 22 -j DROP

Drop all source addresses based on ipset.

iptables -A INPUT -m set --match-set geoblock src -j DROP

Drop & Accept

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s 159.17.28.25 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -m set --match-set geoblock src -j ACCEPT
iptables -A INPUT -j DROP

Comments

-A INPUT -p tcp -m tcp --dport 80 -j DROP -m comment --comment "Drop All HTTP Traffic"

List

Current tables

iptables -L -vn

or

iptables -vnL
-L List
-v verbose
-n no reverse lookup

with Line Numbers

iptables -L -n --line-numbers

List Chain

iptables -L INPUT -n --line-numbers

Delete

by Rule Number

iptables -D INPUT 3

by Rule Name

iptables -D INPUT -s 23.253.232.189 -j DROP

Delete All

Delete all rules

iptables --flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

Rules

Saving

iptables-save > /opt/firewall.conf

Restoring

iptables-restore < /opt/firewall.conf


IPSET (geographic set)

The following script will create an ipset called geoblock that contains the AU and NZ, IP address list.
Make sure the /opt/iptables folder exists or change to an appropriate path.

#!/bin/bash
mkdir /tmp/geoblocking
cd /tmp/geoblocking
ipset destroy geoblock
ipset -N geoblock nethash
for i in au nz; do
echo $i
wget -q http://www.ipdeny.com/ipblocks/data/countries/$i.zone
for k in `cat $i.zone`; do
ipset -A geoblock $k
done
done
cd /tmp
rm -rf /tmp/geoblocking
ipset save geoblock > /opt/iptables/ipset-geoblock


Automatic Load on Restart

Debian

Based on Debian, once your tables are operating as required

iptables-save > /etc/iptables.up.rules
vi /etc/network/if-up.d/iptables

add the following lines

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules
chmod +x /etc/network/if-up.d/iptables

CentOS 7.x

Tables are save on reboot or stopping service.

yum -y install iptables iptables-services
systemctl start iptables
systemctl enable iptables
service iptables save

dscp class

Set Class EF

iptables -A OUTPUT -t mangle -p udp --dport 5060 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4569 -j DSCP --set-dscp-class EF
iptables -A OUTPUT -t mangle -p udp --dport 4520 -j DSCP --set-dscp-class EF
  • 5060 SIP
  • 4569 IAX
  • 4520 DUNDI

nat

This accepts all traffic from wlan0 and passes it to eth0 as if the traffic originated from eth0. Traffic to wlan0 is not allowed unless related or established from wlan0.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i wlan0 -o eth0 -j ACCEPT

View Defined Classes

mangle

iptables -t mangle -nvL

nat

iptables -t nat -nvL