Ubuntu/iptables

From r00tedvw.com wiki
iptables
allows you to configure the kernel packet filter: which network ports and addresses may reach the host, and more

Note: iptables rules are processed sequentially within a chain; the first matching rule decides, so preceding rules take precedence over following rules.
lookup current active rules

iptables -L -n -v

remove a rule from iptables, either by its position number in the chain or by repeating the rule specification exactly. Make sure to include the comment if the rule has one, otherwise the specification will not match.

iptables -D INPUT 1
or
iptables -D INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT
or
iptables -D INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT -m comment --comment "limit ssh access"

specify policy default

-P INPUT DROP

allow anything from itself (loopback)

-A INPUT -i lo -j ACCEPT

allow connection from specific address, inbound, using only TCP on a specific port

-A INPUT -s ip.address -p tcp --dport 22 -j ACCEPT

allow a range of ports

-A INPUT -s ip.address -p tcp --dport 20000:30000 -j ACCEPT

add a comment to the iptables rule

-m comment --comment "limit ssh access"

allow related and established

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

prevent the host from forwarding packets between interfaces (i.e. acting as a router)

iptables -P FORWARD DROP

delete chain from iptables

iptables -X chain.name

reject everything else (this must be the last rule in the chain); the reply is a generic ICMP "host prohibited" message rather than the default "port unreachable"

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

save current IP Tables config

sudo sh -c "iptables-save > /etc/iptables.rules"

restore IP Tables config (also add this line to /etc/rc.local for it to auto run during boot)

iptables-restore < /etc/iptables.rules
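Because rules are matched top to bottom (see the note above), a catch-all REJECT or DROP placed too early silently disables every rule after it. The following is an added example, not from the wiki: a small checker for the iptables-save format that iptables-save writes to /etc/iptables.rules, run over a constructed ruleset in which the catch-all REJECT was added before the ESTABLISHED,RELATED and ssh rules.

```python
import re

# Constructed sample in iptables-save format (what iptables-save writes to
# /etc/iptables.rules). The order is deliberately wrong: the catch-all REJECT
# precedes the ESTABLISHED,RELATED and ssh rules, so those can never match.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -m comment --comment "limit ssh access" -j ACCEPT
COMMIT
"""

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Return (policies, rules): chain -> default policy, and (chain, rule) pairs in file order."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):             # "-A CHAIN <matches> -j TARGET ..."
            rules.append((line.split()[1], line))
    return policies, rules


def is_catch_all(rule):
    """True when the rule carries no match criteria at all, i.e. it matches every packet."""
    body = re.sub(r"^-A \S+\s*", "", rule)       # drop "-A CHAIN"
    body = re.sub(r"-j \S+.*$", "", body)        # drop "-j TARGET" and target options
    return body.strip() == ""


def shadowed_rules(text):
    """Rules that follow an unconditional terminal rule in the same chain; they are never reached."""
    _, rules = parse_rules(text)
    blocked, shadowed = set(), []
    for chain, rule in rules:
        target = re.search(r"-j (\S+)", rule)
        if chain in blocked:
            shadowed.append(rule)
        elif target and target.group(1) in TERMINAL_TARGETS and is_catch_all(rule):
            blocked.add(chain)
    return shadowed


def chains_not_dropping(text, chains=("INPUT", "FORWARD")):
    """Chains from `chains` whose default policy is not DROP (the page's recommended default)."""
    policies, _ = parse_rules(text)
    return [c for c in chains if policies.get(c) != "DROP"]
```

A rule whose only match is `-m comment` is still treated as conditional here, so check those by eye.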


CVE-2015-7547

attempt to mitigate the glibc DNS resolver vulnerability by dropping oversized (larger than 512 bytes) UDP DNS packets.

~$ sudo iptables -A INPUT -p udp -m length --length 512:0xffff --dport 53 -j DROP -m comment --comment "mitigate CVE-2015-7547"


Init.d startup script

Below is a method designed to reliably auto-load iptables rules on boot; adding the restore command to /etc/rc.local was not 100% reliable.

Create startup script under /etc/init.d

 ~$ sudo vi /etc/init.d/iptables.rules

Script

#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables.rules
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start iptables.rules at boot time
# Description:       Load iptable rules at startup, provide flushing (stop) or flush and reload (restart) of rules.
### END INIT INFO

RULES_FILE=/etc/iptables.rules

# startup function: restore the saved ruleset and report failure instead of hiding it
start_iptables_rules() {
	printf "\nRestoring iptable rules ..."
	if [ ! -r "$RULES_FILE" ]; then
		printf "\n%s is missing or unreadable, nothing restored.\n" "$RULES_FILE"
		exit 1
	fi
	# run in the foreground so the exit status is known before success is reported
	if iptables-restore < "$RULES_FILE"; then
		printf "\n... restored.\n"
	else
		printf "\n... iptables-restore failed, rules not loaded.\n"
		exit 1
	fi
}

# stopping function that flushes iptables and opens the default policies
stop_iptables_rules() {
	printf "\nFlushing iptable rules ..."
	iptables -F
	iptables -X
	iptables -t nat -F
	iptables -t nat -X
	iptables -t mangle -F
	iptables -t mangle -X
	iptables -P INPUT ACCEPT
	iptables -P FORWARD ACCEPT
	iptables -P OUTPUT ACCEPT
	printf "\n... flushed.\n"
}

# restarting function that stops and starts iptables.rules
restart_iptables_rules() {
	printf "\nFlushing and reloading iptable rules ..."
	stop_iptables_rules
	start_iptables_rules
}

# list iptable rules currently configured
status_iptables_rules() {
	iptables -L -n -v
}

# save current iptable rules to the iptables.rules file
save_iptables_rules() {
	printf "\nSaving current iptable rules ..."
	if iptables-save > "$RULES_FILE"; then
		printf "\n... saved.\n"
	else
		printf "\n... save failed.\n"
		exit 1
	fi
}

case "$1" in
	start)
		start_iptables_rules
		;;
	stop)
		stop_iptables_rules
		;;
	restart)
		restart_iptables_rules
		;;
	status)
		status_iptables_rules
		;;
	save)
		save_iptables_rules
		;;
	*)
		printf "Usage: /etc/init.d/iptables.rules {start|stop|restart|status|save}\n"
		exit 1
		;;
esac
exit 0

Permissions and Boot

Add permissions to execute

 ~$ sudo chmod 755 /etc/init.d/iptables.rules

Enable the script in the dependency-based boot sequence

 ~$ sudo update-rc.d iptables.rules defaults