iptables_firewall
iptables_firewall [2022/07/19 19:52] – created 85.134.209.200 | iptables_firewall [2022/07/22 23:14] (current) – admin
**Iptables Firewall**
Iptables is a tool used to configure firewall rules. There are various firewall programs available in most Linux OSs which sit on top of and use iptables commands. However, I prefer to use a simple bash .sh script to set my custom firewall rules.
===== Iptables Setup on Debian Squeeze =====
===== Iptable command line options/ =====
<code>
-A => Append this rule to the WhatEver Chain
-s => Source Address
-I => Insert at position 1 of the ACCEPT Chain
-P => Set Policy e.g. iptables -P INPUT DROP
</code>
===== Rules of Iptables: =====
As it is a table of rules, the first matching rule has precedence. If the first rule disallows everything then nothing afterwards will matter.
  * INDIVIDUAL REJECTS FIRST
  * THEN OPEN IT UP
  * BLOCK ALL
<code>
List iptable rules:
Block All:
</code>
===== My Firewall Config Script =====
<code>
vi /
#
#################################
</code>
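A firewall.sh skeleton that applies the ordering above (individual rejects first, then open it up, block all), added here as an example and not the script from this page; the blocked addresses, the check_order helper and the IPT="echo iptables" dry-run switch are assumptions for illustration.

```shell
#!/bin/sh
# firewall.sh: rules ordered as described above: individual rejects first,
# then open it up, block all. IPT="echo iptables" prints instead of applying.
IPT="${IPT:-iptables}"
SSH_PORT=22
# constructed example addresses (RFC 5737 documentation ranges), not real hosts
BLOCKED_HOSTS="198.51.100.23 203.0.113.0/24"

apply_firewall() {
    # start clean; a session survives the brief gap until the state rule is back
    $IPT -F
    $IPT -X
    # 1. individual rejects first, so no later ACCEPT can override them
    for h in $BLOCKED_HOSTS; do
        $IPT -A INPUT -s "$h" -j DROP
    done
    # 2. then open it up: loopback, replies to our own connections, ssh, ping
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # 3. block all: a final catch-all rule plus the default policies
    $IPT -A INPUT -j DROP
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# check_order (assumed helper) reads a dry-run listing on stdin and fails
# unless every per-host DROP precedes the first ACCEPT and the catch-all
# DROP is the last rule appended to INPUT
check_order() {
    awk '
        /-A INPUT/                { n++ }
        /-A INPUT -s .* -j DROP$/ { if (seen_accept) bad = 1 }
        /-A INPUT .* -j ACCEPT$/  { seen_accept = 1 }
        /-A INPUT -j DROP$/       { last_drop = n }
        END { exit (bad || last_drop != n) ? 1 : 0 }'
}

case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) IPT="echo iptables"; apply_firewall ;;
    check)   IPT="echo iptables"; apply_firewall | check_order && echo "rule order OK" ;;
esac
```

`sh firewall.sh dry-run` prints the rules without touching the kernel; `sh firewall.sh apply` needs root.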
==== Control / Use Firewall Script ====
As it's a simple bash file, it just needs to be executed. It is OK to run this at any time. Any existing connections will not be dropped.
<code>
chmod 755 /
/
</code>
==== Update Firewall ====
It's a simple case of editing the firewall.sh script and re-running it.
<code>
vi /
/add or adjust as necessary
/
</code>
===== Stop Firewall =====
iptables does not run as a daemon, so instead of stopping it, we "
==== Calling the Firewall script on boot ====
When the computer is rebooted, the firewall rules are flushed. As we have all the iptable rules in firewall.sh,
=== 1. Simplest Method of Executing Firewall Script on boot ===
<code>
vi /
#add in:
/
</code>
=== 2. Init.d firewall script ===
I used to just place the firewall.sh script in /
== Errors received with firewall script in / ==
<code>
E: Sub-process /
</code>
Things have changed in Debian Squeeze. Upgrading from etch or lenny to squeeze could cause any firewall.sh (or other) init script to produce errors. This is due to the new dependency-based boot in squeeze. Instead of using update-rc.d,
== LSB Headers for Firewall script ==
<code>
#! /bin/sh
### BEGIN INIT INFO
### END INIT INFO
This was obtained from /
</code>
== Init.d Firewall script complete ==
<code>
mv /
cd /
....
</code>
== insserv vs update-rc.d ==
update-rc.d required you to choose a position between 0 and 99 and it created the symlinks. insserv does the same, but does it more cleanly. It also requires the correct LSB headers such as "
<code>
check if you like by looking in rc3.d
</code>
Refs for init.d, update-rc.d,
===== Port Forwarding & NAT - Network Address Translation - V.Basic: =====
<code>
The above will do on its own. It allows someone to ssh into the box on port 443 in case port 22 is blocked by the user's ISP.
Web Port Forwarding: http://
</code>
NB: Must allow IN Traffic and Connections the server started/ initiated (http://
==== Iptables Forward with NAT ====
This is already covered on this wiki: [[iptables_forward]]
===== Using iptables directly =====
Of course, iptables commands can be entered live and will take effect immediately (instead of editing the firewall.sh script and re-running it).
==== Remove / Delete an individual /single Iptable Rule ====
==== Other pieces of information to remember: ====
<code>
iptables -P INPUT DROP (Setting the Default Policy)
iptables -A INPUT * * * -j ACCEPT | REJECT (send back '
# Drop all from that IP Address range. I.e. block from 5.10.83.0 to 5.10.83.255
</code>
===== fail2ban - Debian Etch/Ubuntu =====
Fail2ban is a simple Debian etch package which uses iptables to dynamically add rules which block IPs after various incorrect Authentication/
<code>
#configuration file is in /
#fail and ban logs are saved in /
</code>
It monitors incorrect attempts in /
==== Problems with fail2ban and ssh attempts on ubuntu ====
fail2ban was only banning ssh attempts where the user was "
<code>
vi /
#
</code>
It could be done a lot better, but the above works.
Also see: <br>
http://
==== fail2ban blocking apache2 htaccess attempts ====
Working on Debian Bullseye
<code>
vi /
#below the entry for ssh, enter

[apache-auth]
enabled = true
port = http,
logpath

/

Make incorrect attempts. Monitor using "
</code>

===== Firewall on Centos / RH =====
http://
===== Archive =====
<del>
old debian sarge
The init (start/
<code>
chmod +x /
mkdir /
chmod 700 /
</code>
==== Control of Iptables (inactive is a blank file with no rules): ====
<code>
/
/
</code>
==== Saving ALL IPTABLE Rules ====
It seems that the method for saving & loading iptable rules from /
The command for saving iptable rules manually is:
<code>
There is also a command called iptables-restore. It is:
</code>
</del>
iptables_firewall.1658260370.txt.gz · Last modified: 2022/07/19 20:13 (external edit)