iptables_firewall

Differences

iptables_firewall [2022/07/19 21:13] – external edit 127.0.0.1
iptables_firewall [2022/07/19 23:30] – Updated formatting admin
Line 1: Line 1:
-====== Iptables_Firewall ======+**Iptables Firewall**
  
 Iptables is tool used to configure firewall rules. There are various firewall programs available in most Linux OSs which sit on top of and use iptable commands. However I prefer to use a simple bash .sh script to set my custom firewall rules. Iptables is tool used to configure firewall rules. There are various firewall programs available in most Linux OSs which sit on top of and use iptable commands. However I prefer to use a simple bash .sh script to set my custom firewall rules.
  
-====== Iptables Setup on Debian Squeeze ======+===== Iptables Setup on Debian Squeeze =====
  apt-get install iptables  apt-get install iptables
  
-====== Iptable command line options/switches: ======+===== Iptable command line options/switches: ===== 
 +<code>
  -A => Append this rule to the WhatEver Chain   -A => Append this rule to the WhatEver Chain 
  -s => Source Address   -s => Source Address 
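Review bot: replacing `====== Iptables_Firewall ======` with the bold line `**Iptables Firewall**` removes the page's only top-level heading, and DokuWiki builds the table of contents from `=` headings, not from bold text; keep a heading (`====== Iptables Firewall ======`) and demote the rest by one level as the remainder of this change already does. Two wording fixes while here: the intro sentence should read "Iptables is a tool used to configure firewall rules", and `-A => Append this rule to the WhatEver Chain` should name what the argument is, e.g. `-A CHAIN => append the rule to the end of CHAIN (INPUT, OUTPUT, FORWARD)`.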
Line 15: Line 16:
  -I => Insert at position 1 of the ACCEPT Chain  -I => Insert at position 1 of the ACCEPT Chain
  -P => Set Policy e.g. iptables -P INPUT DROP  -P => Set Policy e.g. iptables -P INPUT DROP
- +</code> 
-====== Rules of Iptables: ======+===== Rules of Iptables: =====
 As it is a table of rules, the first rule has precedence. If the first rule dis-allows everything then nothing else afterwards will matter. As it is a table of rules, the first rule has precedence. If the first rule dis-allows everything then nothing else afterwards will matter.
-*INIVIDUAL REJECTS FIRST +  * INIVIDUAL REJECTS FIRST 
-*THEN OPEN IT UP +  * THEN OPEN IT UP 
-*BLOCK ALL +  * BLOCK ALL 
 +<code>
  List iptable rules:  List iptable rules:
  **iptables -n -L** (-n prevents slow reverse DNS lookup)<br>  **iptables -n -L** (-n prevents slow reverse DNS lookup)<br>
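Review bot: `-I => Insert at position 1 of the ACCEPT Chain` is wrong: ACCEPT is a target (as in `-j ACCEPT` below), not a chain. `-I` inserts a rule into a chain such as INPUT at a given rule number, defaulting to 1 when none is given, so reword it to `-I CHAIN [n] => insert the rule at position n (default 1) of CHAIN`. Also, now that these lines sit inside a `<code>` block, the `**iptables -n -L**` bold markup and the trailing `<br>` render literally; strip them. The list item `INIVIDUAL REJECTS FIRST` should read `INDIVIDUAL REJECTS FIRST`.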
Line 33: Line 34:
  Block All:  Block All:
  **iptables -A INPUT -j REJECT**  **iptables -A INPUT -j REJECT**
 +</code>
  
-====== My Firewall Config Script ======+===== My Firewall Config Script ===== 
 +<code>
  vi /root/firewall.sh  vi /root/firewall.sh
  #!/bin/sh  #!/bin/sh
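Review bot: the editor invocation `vi /root/firewall.sh` and the script body starting at `#!/bin/sh` share one `<code>` block, so anyone copying the block gets the `vi` line as the first line of the script; move the `vi` command into its own block (or prose) and keep this block as the file contents only. Also `Block All: iptables -A INPUT -j REJECT` appends to the end of INPUT, so it only works as the catch-all if the allow rules (ESTABLISHED/RELATED and the per-port ACCEPTs) were appended before it, which is the "INDIVIDUAL REJECTS FIRST / THEN OPEN IT UP / BLOCK ALL" ordering stated above; worth saying so next to the command.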
Line 73: Line 76:
  iptables -t nat -A POSTROUTING -d 136.201.146.211 -j MASQUERADE  iptables -t nat -A POSTROUTING -d 136.201.146.211 -j MASQUERADE
  #################################  #################################
- +</code> 
-===== Control / Use Firewall Script =====+==== Control / Use Firewall Script ====
 As its a simple bash file, it just needs to be executed. It is OK to run this at any time. Any existing connections will not be dropped. As its a simple bash file, it just needs to be executed. It is OK to run this at any time. Any existing connections will not be dropped.
 +<code>
  chmod 755 /root/firewall.sh  chmod 755 /root/firewall.sh
  /root/firewall.sh  /root/firewall.sh
 +</code>
  
-===== Update Firewall =====+==== Update Firewall ====
 It's a simple case of editing the firewall.sh script and re-running it. It's a simple case of editing the firewall.sh script and re-running it.
 +<code>
  vi /root/firewall.sh  vi /root/firewall.sh
  /add or adjust as necessary  /add or adjust as necessary
  /root/firewall.sh  /root/firewall.sh
 +</code>
  
 ===== Stop Firewall ===== ===== Stop Firewall =====
 iptables does not run as a daemon, so instead of stopping it, we "flush" any iptable rules: iptables does not run as a daemon, so instead of stopping it, we "flush" any iptable rules:
 +<code>
  iptables -F INPUT  iptables -F INPUT
  iptables -F OUTPUT  iptables -F OUTPUT
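Review bot: the Stop Firewall block flushes rules but never resets the chain policies. `iptables -F INPUT` deletes the rules only, so on a box whose script set `iptables -P INPUT DROP` (the very example given under the `-P` switch above) the chain is left with a DROP policy and no ACCEPT rules, which drops everything including the admin's own SSH session; add `iptables -P INPUT ACCEPT`, `iptables -P OUTPUT ACCEPT` and `iptables -P FORWARD ACCEPT` before the `-F` lines. Related: the Control / Use claim that "Any existing connections will not be dropped" when re-running the script holds only while the ESTABLISHED/RELATED accept rules are present, so it should be stated as a property of the script's rule set rather than of iptables. Style: `/add or adjust as necessary` in the Update Firewall block is a comment with a `/` prefix; use `#` so it is not mistaken for a command.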
Line 92: Line 100:
  iptables -F POSTROUTING -t nat  iptables -F POSTROUTING -t nat
  iptables -F PREROUTING -t nat  iptables -F PREROUTING -t nat
 +</code>
  
-===== Calling the Firewall script on boot =====+==== Calling the Firewall script on boot ====
 When the computer is rebooted, the firewall rules are flushed. As we have all the iptable rules in firewall.sh, all we need to do is to execute this bash script when the computer boots up. There are a number of different ways of doing this. When the computer is rebooted, the firewall rules are flushed. As we have all the iptable rules in firewall.sh, all we need to do is to execute this bash script when the computer boots up. There are a number of different ways of doing this.
  
-==== 1. Simplest Method of Executing Firewall Script on boot ====+=== 1. Simplest Method of Executing Firewall Script on boot === 
 +<code>
  vi /etc/rc.local  vi /etc/rc.local
  #add in:  #add in:
  /root/firewall.sh  /root/firewall.sh
 +</code>
  
-==== 2. Init.d firewall script ====+=== 2. Init.d firewall script ===
 I used just to place the firewall.sh script in /etc/init.d/ and then symlink it into /etc/rcX.d (or use sysv-rc-conf to set runlevels 2,3,4,5). In debian squeeze with dependancy based boot this can cause a lot of errors when installing subsequent packages (see sample below). I used just to place the firewall.sh script in /etc/init.d/ and then symlink it into /etc/rcX.d (or use sysv-rc-conf to set runlevels 2,3,4,5). In debian squeeze with dependancy based boot this can cause a lot of errors when installing subsequent packages (see sample below).
  
-=== Errors recieved with firewall script in /etc/init.d/ ===+== Errors recieved with firewall script in /etc/init.d/ == 
 +<code>
  Error:  Error:
  Setting up postfix (2.7.1-1) ...  Setting up postfix (2.7.1-1) ...
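Review bot: the rc.local method (`vi /etc/rc.local` then `/root/firewall.sh`) runs at the very end of the boot sequence, so every service started before it (postfix, ssh and so on) is reachable with no rules loaded until that point; that ordering gap is exactly what the LSB `Required-Start` headers further down fix, so say here that the "simplest" method is also the weakest rather than presenting it as equivalent. Spelling: "dependancy" -> "dependency", "recieved" -> "received".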
Line 120: Line 132:
  postfix  postfix
  E: Sub-process /usr/bin/dpkg returned an error code (1)  E: Sub-process /usr/bin/dpkg returned an error code (1)
 +</code>
  
 Things have changed in Debian Squeeze. Upgrading from etch or lenny to squeeze could cause any firewall.sh (or other) script to cause errors. This is due to the new dependency based boot in squeeze. Instead of using update-rc.d, you should use insserv firewall.sh Also, with dependency based boot with insserv LSB headers are required in all /etc/init.d/ scripts. Things have changed in Debian Squeeze. Upgrading from etch or lenny to squeeze could cause any firewall.sh (or other) script to cause errors. This is due to the new dependency based boot in squeeze. Instead of using update-rc.d, you should use insserv firewall.sh Also, with dependency based boot with insserv LSB headers are required in all /etc/init.d/ scripts.
  
-=== LSB Headers for Firewall script ===+== LSB Headers for Firewall script == 
 +<code>
  #! /bin/sh  #! /bin/sh
  ### BEGIN INIT INFO  ### BEGIN INIT INFO
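Review bot: the error sample shows only `Setting up postfix (2.7.1-1) ...` and `E: Sub-process /usr/bin/dpkg returned an error code (1)`, which does not show why dpkg failed; include the insserv warning lines that name the /etc/init.d/ script lacking LSB headers, otherwise a reader cannot connect this output to firewall.sh. Also the sentence "you should use insserv firewall.sh Also, with dependency based boot ..." needs a full stop after `insserv firewall.sh`.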
Line 135: Line 149:
  ### END INIT INFO  ### END INIT INFO
 This was obtained from /etc/init.d/skeleton and shorewall and apf-firewall deb files. This was obtained from /etc/init.d/skeleton and shorewall and apf-firewall deb files.
 +</code>
  
-=== Init.d Firewall script complete ===+== Init.d Firewall script complete == 
 +<code>
  mv /root/firewall.sh /etc/init.d/firewall.sh  mv /root/firewall.sh /etc/init.d/firewall.sh
  cd /etc/init.d/  cd /etc/init.d/
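Review bot: the sentence "This was obtained from /etc/init.d/skeleton and shorewall and apf-firewall deb files." sits between `### END INIT INFO` and the new `</code>` tag, so it renders inside the code block as if it were part of the init script; move `</code>` up to directly after `### END INIT INFO` and leave the sentence as prose.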
Line 164: Line 180:
  iptables -A INPUT -p udp --dport 53 -j ACCEPT    <nowiki>//</nowiki>dns - udp for small queries   iptables -A INPUT -p udp --dport 53 -j ACCEPT    <nowiki>//</nowiki>dns - udp for small queries 
  ....  ....
 +</code>
  
-=== insserv v's update-rc.d ===+== insserv v's update-rc.d ==
 Update-rc.d required you to choose a position between 0 and 99 and it created symlinks. insserv does the same, however it does so cleaner. It also requires the correct LSB headers such as "Required-Start" and "Required-Stop" which set when it should be run. In the above firewall.sh with LSB headers we can see that it will be started after the network and any filesystems are up. $all can also be used, where the firewall will be called when all other init.d scripts have been run. See: http://wiki.debian.org/LSBInitScripts Update-rc.d required you to choose a position between 0 and 99 and it created symlinks. insserv does the same, however it does so cleaner. It also requires the correct LSB headers such as "Required-Start" and "Required-Stop" which set when it should be run. In the above firewall.sh with LSB headers we can see that it will be started after the network and any filesystems are up. $all can also be used, where the firewall will be called when all other init.d scripts have been run. See: http://wiki.debian.org/LSBInitScripts
 +<code>
  insserv -n firewall.sh  (-n = dry run)  insserv -n firewall.sh  (-n = dry run)
  insserv firewall.sh (do it. -v = verbose if you want to see it doing stuff)  insserv firewall.sh (do it. -v = verbose if you want to see it doing stuff)
  check if you like by looking in rc3.d  check if you like by looking in rc3.d
 +</code>
  
 Ref's for init.d, update-rc.d, and insserv: <br> Ref's for init.d, update-rc.d, and insserv: <br>
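Review bot: the `<nowiki>//</nowiki>dns - udp for small queries` annotations are a real problem now that the block is titled "Init.d Firewall script complete": `//` is not a comment in /bin/sh, so `iptables -A INPUT -p udp --dport 53 -j ACCEPT //dns - udp for small queries` passes `//dns`, `-`, `udp` and the rest as extra arguments, iptables rejects the rule, and under a DROP policy DNS stays blocked. Use `#` comments; inside `<code>` the `<nowiki>` wrapper is unnecessary anyway. In the insserv block, `(-n = dry run)` and "check if you like by looking in rc3.d" are explanations mixed into command lines; move them to prose or after a `#`.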
Line 180: Line 198:
  
  
-====== Port Forwarding & NAT - Network Address Translation - V.Basic: ======+===== Port Forwarding & NAT - Network Address Translation - V.Basic: ===== 
 +<code>
  iptables -t nat -A PREROUTING -p tcp -d 136.201.xxx.xxx --dport 443 -j DNAT --to 136.201.xxx.xxx:22  iptables -t nat -A PREROUTING -p tcp -d 136.201.xxx.xxx --dport 443 -j DNAT --to 136.201.xxx.xxx:22
  The Above will do on its Own. The above allows someone to ssh into the box on port 443 incase port 22 is blocked by User ISP.  The Above will do on its Own. The above allows someone to ssh into the box on port 443 incase port 22 is blocked by User ISP.
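Review bot: the explanatory sentences ("The Above will do on its Own. ...") are inside the `<code>` block together with the DNAT rule, so they render as code; close the block after the `iptables -t nat -A PREROUTING ... -j DNAT --to 136.201.xxx.xxx:22` line and keep the explanation as prose. That prose should also say that the rewrite happens in PREROUTING, so the packet reaches INPUT with `--dport 22` and is admitted (or not) by the ordinary ssh rule, not by any rule for 443. Spelling: "incase" -> "in case".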
Line 187: Line 206:
  iptables -A FORWARD -p tcp -d 136.201.xxx.xxx --dport 22 -j ACCEPT  iptables -A FORWARD -p tcp -d 136.201.xxx.xxx --dport 22 -j ACCEPT
  Web Port Forwarding: http://www.hackorama.com/network/portfwd.shtml  Web Port Forwarding: http://www.hackorama.com/network/portfwd.shtml
 +</code>
  
 NB: Must allow IN Traffic and Connections the server started/ initiated (http://rimuhosting.com/howto/firewall.jsp): NB: Must allow IN Traffic and Connections the server started/ initiated (http://rimuhosting.com/howto/firewall.jsp):
 +<code>
  iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT  iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT  iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
  iptables -A INPUT -m state --state RELATED -j ACCEPT  iptables -A INPUT -m state --state RELATED -j ACCEPT
 +</code>
  
-===== Iptables Forward with NAT =====+==== Iptables Forward with NAT ====
 This is already covered on this wiki here [[iptables_forward]] This is already covered on this wiki here [[iptables_forward]]
  
-====== Using iptables directly ======+===== Using iptables directly =====
 Of course iptable commands can be entered live and will take effect immediately (instead of editing the firewall.sh script and re-running it). Of course iptable commands can be entered live and will take effect immediately (instead of editing the firewall.sh script and re-running it).
  
-===== Remove / Delete an individual /single Iptable Rule =====+==== Remove / Delete an individual /single Iptable Rule ==== 
 +<code>
  iptables -D INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT  iptables -D INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT
  <nowiki>//</nowiki> -D = delete appropriate rule. If you dont know the exact syntax of the rule to delete do the following:  <nowiki>//</nowiki> -D = delete appropriate rule. If you dont know the exact syntax of the rule to delete do the following:
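Review bot: `iptables -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT` accepts any TCP segment with the ACK bit set regardless of connection state, so it admits packets that the `--state ESTABLISHED` and `--state RELATED` rules directly below would not; with the two state rules present the ACK rule is redundant at best and weakens the filter, so drop it and keep the state rules. In the delete example, `-D INPUT -s 127.0.0.1 -p tcp --dport 111 -j ACCEPT` matches only when the spec is identical to the rule as listed, which the comment that follows already explains; "dont" -> "don't".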
Line 206: Line 229:
  iptables -D INPUT 4  iptables -D INPUT 4
  <nowiki>//</nowiki>format = iptables -D CHAIN #Rule_No  <nowiki>//</nowiki>format = iptables -D CHAIN #Rule_No
 +</code>
  
-===== Other pieces of information to remember: =====+==== Other pieces of information to remember: ==== 
 +<code>
 iptables -P INPUT DROP (Setting the Default Policy)<br> iptables -P INPUT DROP (Setting the Default Policy)<br>
 iptables -A INPUT * * * -j ACCEPT | REJECT (send back 'connection refused') | DROP (keep quiet) iptables -A INPUT * * * -j ACCEPT | REJECT (send back 'connection refused') | DROP (keep quiet)
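Review bot: the `<br>` after `iptables -P INPUT DROP (Setting the Default Policy)` renders literally inside the new `<code>` block; remove it. The `iptables -A INPUT * * * -j ACCEPT | REJECT ... | DROP ...` line mixes placeholder notation (`* * *`, `|`) with real commands; mark it as a template, e.g. `iptables -A INPUT <match> -j ACCEPT|REJECT|DROP`, so nobody pastes it as is. Likewise `iptables -D CHAIN #Rule_No` is fine only as a template, since `#` starts a shell comment when typed literally; `iptables -D INPUT 4` above is the real form.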
Line 213: Line 238:
  iptables -A INPUT -s 5.10.83.0/24 -p tcp --dport 80 -j REJECT  iptables -A INPUT -s 5.10.83.0/24 -p tcp --dport 80 -j REJECT
  # Drop all from that IP Address range. I.e. block from 5.10.83.0 to 5.10.83.255  # Drop all from that IP Address range. I.e. block from 5.10.83.0 to 5.10.83.255
 +</code>
  
-====== fail2ban - Debian Etch/Ubuntu ======+===== fail2ban - Debian Etch/Ubuntu =====
 Fail2ban is a simple Debian etch package which uses iptables to dynamically add rules which blocks ips after various incorrect Authentication/Password attempts. To install: Fail2ban is a simple Debian etch package which uses iptables to dynamically add rules which blocks ips after various incorrect Authentication/Password attempts. To install:
 +<code>
  apt-get install fail2ban  apt-get install fail2ban
  <nowiki>//</nowiki>configuration file is in /etc/fail2ban.conf  <nowiki>//</nowiki>configuration file is in /etc/fail2ban.conf
  <nowiki>//</nowiki>fail and ban logs are saved in /var/log/fail2ban.log and /var/log/faillog  <nowiki>//</nowiki>fail and ban logs are saved in /var/log/fail2ban.log and /var/log/faillog
 +</code>
  
 It monitors incorrect attempts in /var/log/auth.log for ssh attempts by default. The defaults are: 5 attempts before a rule is added blocking the client ip (on port 22) for 10minutes. Its a very very very nice package -) It monitors incorrect attempts in /var/log/auth.log for ssh attempts by default. The defaults are: 5 attempts before a rule is added blocking the client ip (on port 22) for 10minutes. Its a very very very nice package -)
  
-===== Problems with fail2ban and ssh attempts on ubuntu =====+==== Problems with fail2ban and ssh attempts on ubuntu ====
 fail2ban was only banning ssh attempts where the user was "unknown". It was not stopping brute force attempts at root for example. The failregex for the sshd.conf had to be changed. fail2ban was only banning ssh attempts where the user was "unknown". It was not stopping brute force attempts at root for example. The failregex for the sshd.conf had to be changed.
 +<code>
  vi /etc/fail2ban/filter.d/sshd.conf  vi /etc/fail2ban/filter.d/sshd.conf
  #change the failregex line to:  #change the failregex line to:
  failregex = (?:Failed password [[-/\w+]]+) .*(?: from|FROM) <HOST>  failregex = (?:Failed password [[-/\w+]]+) .*(?: from|FROM) <HOST>
 +</code>
 It could be done a lot better, but the above works. It could be done a lot better, but the above works.
 Also see:  <br> Also see:  <br>
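Review bot: the comment `# Drop all from that IP Address range. I.e. block from 5.10.83.0 to 5.10.83.255` does not match the rule above it, `iptables -A INPUT -s 5.10.83.0/24 -p tcp --dport 80 -j REJECT`, which rejects (sending "connection refused", per the REJECT vs DROP note earlier) and matches only TCP port 80 from that /24; either remove `-p tcp --dport 80` and use `-j DROP` to match the comment, or reword the comment to "reject web (tcp/80) traffic from 5.10.83.0/24". The fail2ban paths are inconsistent: the install block says the configuration file is /etc/fail2ban.conf while the fix below edits /etc/fail2ban/filter.d/sshd.conf; state which package layout each applies to. The failregex `(?:Failed password [[-/\w+]]+) .*(?: from|FROM) <HOST>` contains the character class `[[-/\w+]`, which looks mangled; check it with `fail2ban-regex` against a real "Failed password for root from ..." line before publishing.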
Line 232: Line 262:
 http://debaday.debian.net/2007/04/29/fail2ban-an-enemy-of-script-kiddies/ http://debaday.debian.net/2007/04/29/fail2ban-an-enemy-of-script-kiddies/
  
-====== Firewall on Centos / RH ======+===== Firewall on Centos / RH =====
 http://www.linuxtopia.org/online_books/centos_linux_guides/centos_linux_reference_guide/s1-iptables-init.html http://www.linuxtopia.org/online_books/centos_linux_guides/centos_linux_reference_guide/s1-iptables-init.html
  
Line 247: Line 277:
  
  
-====== Archive ======+===== Archive =====
 <del> <del>
 old debian sarge old debian sarge
-The init (start/stop) script for iptables is new within sarge - using if-up and if-down. The old init script is still available to load and save iptables rules. Do the following to set-up the iptables init script (details obtained from http://www.howtoforge.com/linux_iptables_sarge):+The init (start/stop) script for iptables is new within sarge - using if-up and if-down. The old init script is still available to load and save iptables rules. Do the following to set-up the iptables init script (details obtained from http://www.howtoforge.com/linux_iptables_sarge):</del> 
 +<code>
  gunzip /usr/share/doc/iptables/examples/oldinitdscript.gz -c > /etc/init.d/iptables  gunzip /usr/share/doc/iptables/examples/oldinitdscript.gz -c > /etc/init.d/iptables
  chmod +x /etc/init.d/iptables  chmod +x /etc/init.d/iptables
  mkdir /var/lib/iptables  mkdir /var/lib/iptables
  chmod 700 /var/lib/iptables  chmod 700 /var/lib/iptables
 +</code>
  
-===== Control of Iptables (inactive is a blank file with no rules): =====+==== Control of Iptables (inactive is a blank file with no rules): ==== 
 +<code>
  /etc/init.d/iptables save active  /etc/init.d/iptables save active
  /etc/init.d/iptables load active | inactive  /etc/init.d/iptables load active | inactive
 +</code>
  
-===== Saving ALL IPTABLE Rules =====+==== Saving ALL IPTABLE Rules ====
 It seems that the method for saving & loading iptable rules from /etc/init.d/iptables load|save active|inactive does not save NAT rules. It seems that the method for saving & loading iptable rules from /etc/init.d/iptables load|save active|inactive does not save NAT rules.
  
 The command for saving iptable rules manually is: The command for saving iptable rules manually is:
 +
 +<code>
  
  root:~# iptables-save > rules-saved  root:~# iptables-save > rules-saved
 There is also command called iptables-restore. It is: There is also command called iptables-restore. It is:
  root:~# iptables-restore rules-saved  root:~# iptables-restore rules-saved
 +</code>
  
  
-</del> 
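Review bot: this change moves `</del>` from the end of the Archive section up to the end of its first paragraph (`... http://www.howtoforge.com/linux_iptables_sarge):</del>`), so only that paragraph is struck through and the sarge-era blocks that follow (the oldinitdscript.gz setup, `/etc/init.d/iptables save|load active|inactive`, iptables-save/iptables-restore) now render as current advice although they sit under Archive; either keep `</del>` at the end of the section or state at the top of Archive that everything in it is for sarge. Minor: the sentence "There is also command called iptables-restore. It is:" is inside the `<code>` block and reads as output; move it out, and "also command" -> "also a command".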
iptables_firewall.txt · Last modified: 2022/07/23 00:14 by admin