Difference between revisions of "Linux command: iptables"
Revisions by Rafahsolis; the latest is a minor edit to the "Save to file" section.
Latest revision as of 11:57, 12 April 2021
List current rules
iptables -L    # list firewall rules
Delete current rules
iptables -F
iptables --flush
Save to file
iptables-save > output_iptables_conf_file
Persistent
sudo apt install iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4
Collection of basic Linux Firewall iptables rules
Redirect connections to service
#!/bin/bash
# SERVER
sysctl net.ipv4.ip_forward=1
service networking restart

# iptables -t nat -A PREROUTING -p tcp --dport <listening port> -j DNAT --to-destination <target ip>:<target port>

# Binance ETH Pool ethash.poolbinance.com
iptables -t nat -A PREROUTING -p tcp --dport 1081 -j DNAT --to-destination 18.193.226.201:1800

# MineXMR Pool pool.minexmr.com
iptables -t nat -A PREROUTING -p tcp --dport 1082 -j DNAT --to-destination 51.68.21.186:4444
iptables -t nat -A PREROUTING -p udp --dport 1082 -j DNAT --to-destination 51.68.21.186:4444

# Masquerade the real source IP
iptables -t nat -A POSTROUTING -j MASQUERADE

# Example: iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to-destination 10.10.0.2:110

# List the NAT table:
# iptables -L -n -t nat
# sudo iptables -L -t nat --line-numbers
sudo iptables -t nat -v -L PREROUTING -n --line-numbers

# Delete a rule by its number:
# sudo iptables -t nat -D PREROUTING {rule-number-here}
Block IP
iptables -A INPUT -s IP-ADDRESS -j DROP
Reject all outgoing network connections
iptables -F OUTPUT
iptables -A OUTPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -j REJECT
iptables to reject all incoming network connections
iptables -F INPUT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -j REJECT
iptables to reject all network connections
iptables -F
iptables -A INPUT -j REJECT
iptables -A OUTPUT -j REJECT
iptables -A FORWARD -j REJECT
iptables to drop incoming ping requests
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
NAT port redirection
iptables -t nat -A PREROUTING -p udp --destination-port 514 -j REDIRECT --to-ports 1670
Redirects UDP traffic arriving on port 514 to local port 1670.
iptables to drop outgoing telnet connections
iptables -A OUTPUT -p tcp --dport telnet -j REJECT
iptables to reject incoming telnet connections
iptables -A INPUT -p tcp --dport telnet -j REJECT
iptables to reject outgoing ssh connections
iptables -A OUTPUT -p tcp --dport ssh -j REJECT
iptables to reject incoming ssh connections
iptables -A INPUT -p tcp --dport ssh -j REJECT
iptables to reject all incoming traffic except ssh and local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -j REJECT
iptables to accept incoming ssh connections from specific IP address
iptables -A INPUT -p tcp -s 77.66.55.44 --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j REJECT
iptables to accept incoming ssh connections from specific MAC address
iptables -A INPUT -m mac --mac-source 00:e0:4c:f1:41:6b -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport ssh -j REJECT
iptables to reject incoming connections on a specific TCP port
iptables -A INPUT -p tcp --dport 3333 -j REJECT
iptables to drop all incoming connections on a specific network interface
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables to create a simple IP Masquerading
The following rules create a simple IP masquerading gateway that lets all hosts on the same subnet reach the Internet.
$EXT_IFACE stands for the external interface connected to the Internet (eth0 in this setup).
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o $EXT_IFACE -j MASQUERADE
Reject all incoming telnet traffic except specified IP address
iptables -A INPUT -t filter ! -s 222.111.111.222 -p tcp --dport 23 -j REJECT
Reject all incoming ssh traffic except specified IP address range
iptables -A INPUT -t filter -m iprange ! --src-range 10.1.1.90-10.1.1.100 -p tcp --dport 22 -j REJECT
Removing the negator "!" from the rule above makes it reject all ssh traffic originating from the IP address range 10.1.1.90 - 10.1.1.100.
iptables to reject all outgoing traffic to a specific remote host
iptables -A OUTPUT -d 222.111.111.222 -j REJECT
iptables to block an access to a specific website
iptables -A INPUT -s facebook.com -p tcp --sport www -j DROP
Prevent DoS Attack
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
Mongo
Allow connections from anywhere
iptables -A INPUT -p tcp --dport 27017 -j ACCEPT
Allow some sources only
iptables -A INPUT -s <ip-address> -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d <ip-address> -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT

iptables -A INPUT -s 192.168.161.200 -p tcp --destination-port 27017 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 192.168.161.200 -p tcp --source-port 27017 -m state --state ESTABLISHED -j ACCEPT
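As an added audit script (not from the wiki page), the following reads iptables-save output, the same text the Persistent section writes to rules.v4, and flags three things the rule collection above makes easy to get wrong: a rule appended after a catch-all DROP/REJECT (it can never match, which is the ordering point of the reject-all sections), a MASQUERADE with no -o interface (the "Redirect connections to service" script masquerades every forwarded packet), and a DNAT to a non-private address (the host becomes a relay). The sample ruleset is constructed; 192.0.2.10 is a documentation address.

```shell
#!/bin/sh
# Added audit script, not from the wiki page. Reads iptables-save output on
# stdin and prints one finding per line for three easy-to-make mistakes.

# Constructed sample ruleset (not captured from a real host); 192.0.2.10 is
# a documentation address standing in for any public pool or service.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 1081 -j DNAT --to-destination 192.0.2.10:1800
-A PREROUTING -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.10.0.2:110
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

audit_rules() {
  awk '
    /^\*/ { table = substr($0, 2); next }      # "*nat", "*filter"
    /^-A / {
      key = table "/" $2
      # A rule appended after a catch-all DROP/REJECT can never match.
      if (key in closed) { printf "UNREACHABLE %s: %s\n", key, $0; next }
      if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) closed[key] = 1
      # MASQUERADE with no -o rewrites the source of every forwarded packet.
      if ($0 ~ /-j MASQUERADE/ && $0 !~ / -o /)
        printf "BROAD-MASQUERADE %s: add -o <ext-iface>\n", key
      # DNAT to a non-RFC1918 address makes this host a public relay.
      for (i = 1; i < NF; i++) if ($i == "--to-destination") {
        dest = $(i + 1); sub(/:.*/, "", dest)
        if (dest !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
          printf "EXTERNAL-DNAT %s: forwards to %s\n", key, dest
      }
    }
  '
}

# Run against the sample; on a real host: iptables-save | audit_rules
printf '%s\n' "$SAMPLE_RULES" | audit_rules
```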
More rules
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
http://gr8idea.info/os/tutorials/security/iptables8.html