Ubuntu/iptables

From r00tedvw.com wiki
iptables
configures the Linux kernel packet filter (netfilter): which chains exist, which rules they hold, and the default policy that applies when no rule matches. The commands below act on the IPv4 filter table; IPv6 traffic is filtered separately with ip6tables and needs its own equivalent rules.

Note: iptables rules are processed sequentially, and the first rule that matches a packet with a terminating target (ACCEPT, DROP, REJECT) decides its fate; later rules are never consulted for that packet. Order therefore matters: accept rules go before any catch-all REJECT or DROP, and a DROP default policy is set only once the rules that let you in are in place.
list the currently active rules of the filter table (-n skips reverse DNS lookups, -v shows packet/byte counters and interfaces; add --line-numbers to see each rule's position, which deleting by number needs, and -t nat or -t mangle for the other tables)

iptables -L -n -v

remove a rule from iptables, either by its position in the chain (positions shift after every deletion, so look them up again before each one) or by repeating its exact specification. When deleting by specification every match and option must be identical to the installed rule, including the comment if one exists; otherwise iptables reports "No chain/target/match by that name" or "Bad rule".

iptables -D INPUT 1
or
iptables -D INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT
or
iptables -D INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT -m comment --comment "limit ssh access"
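Because deleting by full specification has to reproduce every option exactly (and iptables-save rewrites rules, e.g. "-p tcp --dport 22" becomes "-p tcp -m tcp --dport 22"), it is easier to find the rule's position by its comment and delete by number. The following is an added example, not code from the wiki page: it parses iptables-save output and prints the matching "iptables -D CHAIN N" command. The sample ruleset, the 203.0.113.0/24 network and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original wiki page: locate a rule by its comment in
# iptables-save output and produce the matching "iptables -D CHAIN N" command.

# Constructed sample of iptables-save output (not a real capture). The network is
# the RFC 5737 documentation range, used here as a placeholder.
SAVE_SAMPLE='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 22 -m comment --comment "limit ssh access" -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m length --length 512:65535 -m comment --comment "mitigate CVE-2015-7547" -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# rule_number_by_comment CHAIN COMMENT
# Reads iptables-save text on stdin and prints the 1-based position, within CHAIN,
# of the first rule whose comment equals COMMENT; prints nothing if there is none.
# iptables-save quotes comments that contain spaces and leaves single words bare,
# so both spellings are handled.
rule_number_by_comment() {
    awk -v chain="$1" -v want="$2" '
        $1 == "-A" && $2 == chain {
            n++
            if (match($0, /--comment "[^"]*"/)) {
                c = substr($0, RSTART + 11, RLENGTH - 12)   # strip "--comment " and quotes
            } else if (match($0, /--comment [^ ]+/)) {
                c = substr($0, RSTART + 10, RLENGTH - 10)   # bare single-word comment
            } else {
                next                                        # rule without a comment
            }
            if (c == want) { print n; exit }
        }'
}

# delete_command_by_comment CHAIN COMMENT
# Prints the exact command that removes the rule, or fails with status 1 when no
# rule in CHAIN carries that comment. The caller decides whether to run it.
delete_command_by_comment() {
    n=$(rule_number_by_comment "$1" "$2")
    [ -n "$n" ] || { echo "no rule in $1 with comment '$2'" >&2; return 1; }
    echo "iptables -D $1 $n"
}

# Demonstration on the constructed sample: prints "iptables -D INPUT 3".
demo() {
    printf '%s\n' "$SAVE_SAMPLE" | delete_command_by_comment INPUT "limit ssh access"
}
```

On a live host feed it the real output, e.g. `sudo iptables-save | delete_command_by_comment INPUT "limit ssh access"`, and run the printed command with sudo. Look the number up again before every deletion, since removing a rule renumbers the ones after it.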

set a chain's default policy, applied to packets that match no rule. Set INPUT to DROP last, from a console or only after the accept rules (loopback, established connections, SSH) are in place: it takes effect immediately and otherwise cuts off the session you are typing in.

iptables -P INPUT DROP

allow anything from the host itself (loopback interface); many local services talk to each other over 127.0.0.1 and break without this

iptables -A INPUT -i lo -j ACCEPT

allow inbound TCP connections to one port from a specific address (ip.address is a placeholder for a host or CIDR range)

iptables -A INPUT -s ip.address -p tcp --dport 22 -j ACCEPT

allow a range of ports, written low:high (the original had the bounds reversed and an en dash instead of --dport)

iptables -A INPUT -s ip.address -p tcp --dport 20000:30000 -j ACCEPT

add a comment to a rule by appending the comment match; it is shown by iptables -L and preserved by iptables-save, and it becomes part of the rule's specification (so it must be repeated when deleting by specification)

-m comment --comment "limit ssh access"

allow replies to connections this host initiated and related traffic (for example FTP data connections); without this rule a DROP policy on INPUT silently breaks every outbound connection. -m state is the older spelling of the connection-tracking match and still works as an alias for -m conntrack --ctstate.

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

prevent the host from forwarding packets between its interfaces (as a router would); FORWARD only sees traffic that is not addressed to the host itself

iptables -P FORWARD DROP

delete a user-defined chain. The chain must be empty (iptables -F chain.name first) and not referenced by any rule; the built-in chains INPUT, FORWARD and OUTPUT cannot be deleted, and -X with no name removes every empty user-defined chain.

iptables -X chain.name

reject everything an earlier rule did not accept, answering with an ICMP error instead of dropping silently. REJECT's default reply is icmp-port-unreachable; --reject-with icmp-host-prohibited sends "host administratively prohibited" instead, which tells clients at once that the filtering is deliberate rather than leaving them to time out. This must be the last rule in the chain, since nothing after it is reached.

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

save the current iptables configuration (the redirection runs inside sh -c so that the file is opened as root too; plain sudo iptables-save > file would open the file as the unprivileged user)

sudo sh -c "iptables-save > /etc/iptables.rules"

restore the iptables configuration. Rules are not kept across reboots, so this must run at boot: adding the line to /etc/rc.local is the simplest way but was found unreliable, and the init.d script further down on this page is the approach used instead (Ubuntu's packaged alternative is iptables-persistent). iptables-restore replaces each table atomically at COMMIT, so a syntax error leaves the running rules untouched; iptables-restore --test checks a file without loading it.

iptables-restore < /etc/iptables.rules
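The rules above are steps of one procedure, and the safe way to apply them is as a single iptables-restore file rather than one command at a time, so that the DROP policy and the accept rules arrive together. The following is an added example, not code from the wiki page: it assembles the page's ruleset in iptables-restore format and sanity-checks it before writing. ADMIN_NET (the RFC 5737 documentation range), SSH_PORT and the function names are assumptions for the example; the ESTABLISHED,RELATED rule uses the conntrack spelling of the match.

```shell
#!/bin/sh
# Added example, not from the original wiki page: assemble the page's rules into
# one file in iptables-restore format and check it before it replaces the live
# ruleset. ADMIN_NET and the output path are assumed placeholders.

ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"   # placeholder: replace with the real admin network
SSH_PORT="${SSH_PORT:-22}"

# build_ruleset: print the complete filter table. Loading it with iptables-restore
# applies the policies and all rules in one step, so there is no moment where the
# DROP policy is active without the SSH accept rule (the lock-out risk of typing
# "iptables -P INPUT DROP" first by hand).
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s ${ADMIN_NET} -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -m comment --comment "limit ssh access" -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# check_ruleset RULES_TEXT: catch the classic mistakes before the file reaches
# iptables-restore. Returns 0 when every check passes.
check_ruleset() {
    rules="$1"
    # the loopback accept must come before the catch-all REJECT (first match wins)
    lo_line=$(printf '%s\n' "$rules" | grep -n -- '-i lo -j ACCEPT' | head -n 1 | cut -d: -f1)
    rej_line=$(printf '%s\n' "$rules" | grep -n -- '-j REJECT' | head -n 1 | cut -d: -f1)
    [ -n "$lo_line" ] && [ -n "$rej_line" ] && [ "$lo_line" -lt "$rej_line" ] || return 1
    # a DROP policy without an SSH accept locks remote administrators out
    printf '%s\n' "$rules" | grep -q -- "--dport ${SSH_PORT} .*-j ACCEPT" || return 1
    # without the ESTABLISHED,RELATED accept, replies to outbound connections are dropped
    printf '%s\n' "$rules" | grep -q -- 'ESTABLISHED,RELATED -j ACCEPT' || return 1
    # the table must end with COMMIT, otherwise iptables-restore applies nothing
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = "COMMIT" ] || return 1
    return 0
}

# count_rules RULES_TEXT CHAIN: number of -A rules for CHAIN in the text
count_rules() {
    printf '%s\n' "$1" | grep -c -- "^-A $2 "
}

# write_ruleset [PATH]: generate, check and write the file (default /etc/iptables.rules)
write_ruleset() {
    out="${1:-/etc/iptables.rules}"
    rules=$(build_ruleset)
    check_ruleset "$rules" || { echo "ruleset failed sanity checks, not written" >&2; return 1; }
    printf '%s\n' "$rules" > "$out"
}

# load_ruleset [PATH]: parse-only test first (--test touches nothing), then load.
# Needs root. Run it from a console, or schedule a flush with "at" as a rollback in
# case the result cuts off the session you are working from.
load_ruleset() {
    f="${1:-/etc/iptables.rules}"
    iptables-restore --test < "$f" || { echo "$f does not parse, not loaded" >&2; return 1; }
    iptables-restore < "$f"
}
```

Typical use: `sudo sh -c '. ./ruleset.sh; write_ruleset && load_ruleset'`, then `sudo iptables -L -n -v --line-numbers` to confirm the order. The check functions work on plain text, so they run without root and without iptables installed.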

CVE-2015-7547

attempt to mitigate the glibc getaddrinfo() stack buffer overflow (CVE-2015-7547) at the packet filter while the fix is rolled out. The bug is triggered by DNS responses larger than 2048 bytes, over UDP or TCP, so the real fix is the updated glibc package followed by a reboot or restart of every affected process; packet filtering is only a stop-gap.

~$ sudo iptables -A INPUT -p udp -m length --length 512:0xffff --dport 53 -j DROP -m comment --comment "mitigate CVE-2015-7547"

Caveat: as written this rule matches oversized UDP packets arriving at port 53, i.e. queries sent to a DNS server on this host. For a resolver on this host the dangerous packets are the responses, which arrive with source port 53 and an ephemeral destination port, so the match would need --sport 53 rather than --dport 53, and responses that come back over TCP are not covered at all.


Init.d startup script

Below is a method intended to give a reliable auto-load of iptables rules at boot; adding the restore line to /etc/rc.local was not 100% reliable.

Create startup script under /etc/init.d

 ~$ sudo vi /etc/init.d/iptables.rules

Script (the LSB header must start in column 1 or update-rc.d cannot read it; the restore runs in the foreground so that its exit status is reported instead of being lost in the background, as the first version of this script did)

#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables.rules
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start iptables.rules at boot time
# Description:       Load iptables rules at startup, provide flushing (stop) or flush and reload (restart) of rules.
### END INIT INFO

PATH=/usr/sbin:/sbin:/usr/bin:/bin
RULES=/etc/iptables.rules

# startup function: load the saved ruleset in one atomic iptables-restore call.
# Runs in the foreground so a parse error is visible and returned as a failure;
# a failed load leaves the currently active rules in place.
start_iptables_rules() {
    printf "\nRestoring iptables rules ..."
    if [ ! -r "$RULES" ]; then
        printf "\n%s not found or not readable, nothing restored.\n" "$RULES"
        return 1
    fi
    if iptables-restore < "$RULES"; then
        printf "\n... restored.\n"
    else
        printf "\n... FAILED, existing rules left as they were.\n"
        return 1
    fi
}

# stopping function: flush all rules and user chains in the filter, nat and mangle
# tables and reset the policies to ACCEPT. After "stop" the host accepts all
# traffic, so use it deliberately.
stop_iptables_rules() {
    printf "\nFlushing iptables rules ..."
    for table in filter nat mangle; do
        iptables -t "$table" -F
        iptables -t "$table" -X
    done
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    printf "\n... flushed.\n"
}

# restarting function: flush, then reload from the saved file
restart_iptables_rules() {
    printf "\nFlushing and reloading iptables rules ..."
    stop_iptables_rules
    start_iptables_rules
}

# list the rules currently configured, with positions for use with -D
status_iptables_rules() {
    iptables -L -n -v --line-numbers
}

# save the current rules to the rules file; written to a temporary file first so
# an interrupted save cannot leave a truncated file for the next boot
save_iptables_rules() {
    printf "\nSaving current iptables rules ..."
    if iptables-save > "$RULES.tmp" && mv "$RULES.tmp" "$RULES"; then
        printf "\n... saved to %s.\n" "$RULES"
    else
        rm -f "$RULES.tmp"
        printf "\n... FAILED.\n"
        return 1
    fi
}

case "$1" in
    start)
        start_iptables_rules
        ;;
    stop)
        stop_iptables_rules
        ;;
    restart)
        restart_iptables_rules
        ;;
    status)
        status_iptables_rules
        ;;
    save)
        save_iptables_rules
        ;;
    *)
        printf "Usage: /etc/init.d/iptables.rules {start|stop|restart|status|save}\n"
        exit 1
        ;;
esac
# exit with the status of the action, so a failed restore is visible to the caller
exit $?

Permissions and Boot

Add permissions to execute (the file under /etc/init.d is owned by root, so both commands need sudo)

~$ sudo chmod 755 /etc/init.d/iptables.rules

Enable the script in the dependency-based boot sequence. update-rc.d reads the LSB header to place it; on Ubuntu releases that boot with systemd the script is picked up by systemd-sysv-generator and appears as the unit iptables.rules.service.

~$ sudo update-rc.d iptables.rules defaults

Start the script once by hand and confirm with its status action that the rules are loaded before relying on it at the next boot.