Ubuntu/iptables

Latest revision as of 11:27, 20 May 2021

iptables

allows you to configure network ports and more

Note: iptables rules are processes sequentially with the proceeding rules taking precedence over following rules.
lookup current active rules

iptables -L -n -v

remove a rule from IP Tables. Make sure to include the comment if a comment exists.

iptables -D INPUT 1
or
iptables -D INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT
or
iptables -D INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT -m comment --comment "limit ssh access"

specify policy default

-P INPUT DROP

allow anything from itself (loopback)

-A INPUT -i lo -j ACCEPT

allow connection from specific address, inbound, using only TCP on a specific port

-A INPUT -s ip.address -p tcp --dport 22 -j ACCEPT

allow a range of ports

-A INPUT -s ip.address -p tcp –dport 30000:20000 -j ACCEPT

add a comment to the iptables rule

-m comment --comment "limit ssh access"

allow related and established

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

prevent packets from forwarding (like a router)

iptables -P FORWARD DROP

delete chain from iptables

iptables -X chain.name

reject everything without an ICMP specific message, just a generic "port unreachable"

iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

save current IP Tables config

sudo sh -c "iptables-save > /etc/iptables.rules"

restore IP Tables config (also add this line to /etc/rc.local for it to auto run during boot)

iptables-restore < /etc/iptables.rules

[edit] CVE-2015-7547

attempt to mitigate glibc vuln.

~$ sudo iptables -A INPUT -p udp -m length --length 512:0xffff --dport 53 -j DROP -m comment --comment "mitigate CVE-2015-7547"

[edit] Init.d startup script

Below is a method designed in hopes of a reliable auto-load of iptable rules on bootup. adding entry to rc.local entry was not 100% reliable.

[edit] Create startup script under /etc/init.d

 ~$ sudo vi /etc/init.d/iptables.rules

[edit] Script

#!/bin/sh
 ### BEGIN INIT INFO
 # Provides: iptables.rules
 # Required-Start: $remote_fs $syslog
 # Required-Stop: $remote_fs $syslog
 # Default-Start: 2 3 4 5
 # Default-Stop: 0 1 6
 # Short-Description: Start iptables.rules at boot time
 # Description: Load iptable rules at startup, provide flushing (stop) or flush and reload (restart) of rules.
 ### END INIT INFO

#startup function
start_iptables_rules() {
	printf "\nRestoring iptable rules ..."
	iptables-restore < /etc/iptables.rules > /dev/null 2>&1 &
	printf "\n... restored.\n"
}

#stopping function that flushes iptables
stop_iptables_rules () {
	printf "\nFlushing iptable rules ..."
	iptables -F
	iptables -X
	iptables -t nat -F
	iptables -t nat -X
	iptables -t mangle -F
	iptables -t mangle -X
	iptables -P INPUT ACCEPT
	iptables -P FORWARD ACCEPT
	iptables -P OUTPUT ACCEPT
	printf "\n... flushed.\n"
}

#restarting function that stops and starts iptables.rules
restart_iptables_rules () {
	printf "\nFlushing and reloading iptable rules ..."
	stop_iptables_rules
	start_iptables_rules
}

#list iptable rules currently configured
status_iptables_rules () {
	iptables -L -n -v
}

#save current iptable rules to iptables.rules file
save_iptables_rules () {
        printf "\nSaving current iptable rules ..."
        iptables-save > /etc/iptables.rules
        printf "\n... saved.\n"
}

case "$1" in
	start)
		start_iptables_rules
		;;
	stop)
		stop_iptables_rules
		;;
	restart)
		restart_iptables_rules
		;;
	status)
		status_iptables_rules
		;;
        save)
                save_iptables_rules
                ;;
	*)
		printf "Usage: /etc/init.d/iptables.rules {start|stop|restart|status|save}"
		exit 1
		;;

esac
exit 0

[edit] Permissions and Boot

Add permissions to execute

~$ chmod 755 /etc/init.d/iptables.rules

Enable dependency based boot sequence

~$ update-rc.d iptables.rules defaults