iptables

master
test2 5 years ago
parent
commit
ad65222b82
sec/ex-3_iptables.adoc (117 changed lines)

@ -380,29 +380,128 @@ First of all, our computer is not a router (unless, of course, it is a router).
=== Examples
We going to use Shorewall as an iptables configuration tool. See Appendix.
We are going to use Shorewall as an iptables configuration tool. See Appendix.
Here some examples of "raw" iptables command lines.
Here are some examples of "raw" iptables command lines.
==== Block Traffic by PortPermalink
You may use a port to block all traffic coming in on a specific interface. For example:
You may use a port to block all traffic coming in on a specific interface.
For example:
[source,bash]
----
iptables -A INPUT -j DROP -p tcp --destination-port 110 -i eth0
----
Let’s examine what each part of this command does:
-A will add or append the rule to the end of the chain.
INPUT will add the rule to the table.
DROP means the packets are discarded.
-p tcp means the rule will only drop TCP packets.
--destination-port 110 filters packets targeted to port 110.
-i eth0 means this rule will impact only packets arriving on the eth0 interface.
- **-A** will add or append the rule to the end of the chain.
**INPUT** will add the rule to the table.
**DROP** means the packets are discarded.
- **-p tcp** means the rule will only drop TCP packets.
- **--destination-port 110** filters packets targeted to port 110.
- **-i eth0** means this rule will impact only packets arriving on the eth0 interface.
==== Drop Traffic
In order to drop all incoming traffic from a specific IP address, use the iptables command with the following options:
[source,bash]
----
iptables -I INPUT -s 198.51.100.0 -j DROP
----
To remove these rules, use the **--delete** or **-D** option:
[source,bash]
----
iptables --delete INPUT -s 198.51.100.0 -j DROP
iptables -D INPUT -s 198.51.100.0 -j DROP
----
==== Block or Allow Traffic by Port Number
One way to create a firewall is to block all traffic to the system and then allow traffic on certain ports.
Below is a sample sequence of commands to illustrate the process:
[source,bash]
----
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -m comment --comment "Allow loopback connections" -j ACCEPT
iptables -A INPUT -p icmp -m comment --comment "Allow Ping to work as expected" -j ACCEPT
iptables -A INPUT -p tcp -m multiport --destination-ports 22,25,53,80,443,465,5222,5269,5280,8999:9003 -j ACCEPT
iptables -A INPUT -p udp -m multiport --destination-ports 53 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
----
Let’s break down the example above.
The **first two** commands add or append rules to the **INPUT chain** in order to allow access on specific ports.
The **-p tcp** and **-p udp** options specify either **UDP** or **TCP** packet types.
The **-m** multiport function matches packets on the basis of their source or destination ports, and can accept the specification of up to 15 ports.
Multiport also accepts **ranges such as 8999:9003** which counts as 2 of the 15 possible ports, but matches ports 8999, 9000, 9001, 9002, and 9003.
The next command **allows all incoming** and **outgoing packets** that are associated with existing connections so that they will not be inadvertently blocked by the firewall.
The final two commands use the **-P** option to describe the **default policy** for these chains. As a result, all packets processed by **INPUT** and **FORWARD** will be dropped by default.
[NOTE]
====
Note that the rules described above only control incoming packets, and do not limit outgoing connections.
====
=== More Examples
[source,bash]
----
# Allow all loopback (lo0) traffic and reject traffic
# to localhost that does not originate from lo0.
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j REJECT
# Allow ping.
-A INPUT -p icmp -m state --state NEW --icmp-type 8 -j ACCEPT
# Allow SSH connections.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
# (the normal ports for web servers).
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT
# Allow inbound traffic from established connections.
# This includes ICMP error returns.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log what was incoming but denied (optional but useful).
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables_INPUT_denied: " --log-level 7
# Reject all other inbound.
-A INPUT -j REJECT
# Log any traffic that was sent to you
# for forwarding (optional but useful).
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables_FORWARD_denied: " --log-level 7
# Reject all traffic forwarding.
-A FORWARD -j REJECT
----
[appendix]
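Review bot: the explanatory text added under "Block or Allow Traffic by Port Number" does not match the command sequence above it, and the port-110 breakdown mislabels INPUT. In the sequence, the first command is the `-m state --state ESTABLISHED,RELATED` match and the second is the loopback rule; the port rules are the fourth and fifth, so "The **first two** commands add or append rules to the **INPUT chain** in order to allow access on specific ports" should refer to the multiport rules, and "The next command **allows all incoming** and **outgoing packets** that are associated with existing connections" describes the first command, not a later one. Suggest reordering the sentences to follow the commands and dropping "and outgoing", since rules in INPUT never touch outgoing packets (the NOTE that follows says exactly that). In the port-110 breakdown, "**INPUT** will add the rule to the table." should read "adds the rule to the INPUT chain (of the filter table)"; INPUT is a chain, not a table. One style point on the "More Examples" block: the lines are in iptables-save/iptables-restore format (`-A INPUT ...` with no `iptables` prefix) but sit in a `[source,bash]` block; either prefix each line with `iptables` so it is copy-pasteable as shown, or say they are meant to be fed to `iptables-restore` inside a `*filter` ... `COMMIT` section. Also consider `-m conntrack --ctstate` in place of the legacy `-m state --state` throughout the new text.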