Ubuntu/iptables
(7 intermediate revisions by one user not shown) | |||
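--- a/Ubuntu/iptables
+++ b/Ubuntu/iptables
@@ -1,11 +1,14 @@
 ;iptables
 :allows you to configure network ports and more
+'''Note:''' iptables rules are processes sequentially with the proceeding rules taking precedence over following rules.
 <br\>
 lookup current active rules
 iptables -L -n -v
-remove a rule from IP Tables
+remove a rule from IP Tables. Make sure to include the comment if a comment exists.
 iptables -D INPUT 1
 or
 iptables -D INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT
+or
+iptables -D INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT -m comment --comment "limit ssh access"
 specify policy default
 -P INPUT DROP
@@ -14,4 +17,6 @@
 allow connection from specific address, inbound, using only TCP on a specific port
 -A INPUT -s ip.address -p tcp --dport 22 -j ACCEPT
+allow a range of ports
+<nowiki>-A INPUT -s ip.address -p tcp –dport 30000:20000 -j ACCEPT</nowiki>
 add a comment to the iptables rule
 -m comment --comment "limit ssh access"
@@ -22,6 +27,102 @@
 delete chain from iptables
 iptables -X chain.name
+reject everything without an ICMP specific message, just a generic "port unreachable"
+iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
 save current IP Tables config
 sudo sh -c "iptables-save > /etc/iptables.rules"
 restore IP Tables config (also add this line to /etc/rc.local for it to auto run during boot)
 iptables-restore < /etc/iptables.rules
+
+====CVE-2015-7547====
+attempt to [https://www.sourceware.org/ml/libc-alpha/2016-02/msg00416.html mitigate glibc vuln.]<br>
+~$ sudo iptables -A INPUT -p udp -m length --length 512:0xffff --dport 53 -j DROP -m comment --comment "mitigate CVE-2015-7547"
+
+
+==Init.d startup script==
+Below is a method designed in hopes of a reliable auto-load of iptable rules on bootup. adding entry to rc.local entry was not 100% reliable.
+
+===Create startup script under /etc/init.d===
+<nowiki> ~$ sudo vi /etc/init.d/iptables.rules</nowiki>
+====Script====
+<nowiki>
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: iptables.rules
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: Start iptables.rules at boot time
+# Description: Load iptable rules at startup, provide flushing (stop) or flush and reload (restart) of rules.
+### END INIT INFO
+
+#startup function
+start_iptables_rules() {
+printf "\nRestoring iptable rules ..."
+iptables-restore < /etc/iptables.rules > /dev/null 2>&1 &
+printf "\n... restored.\n"
+}
+
+#stopping function that flushes iptables
+stop_iptables_rules () {
+printf "\nFlushing iptable rules ..."
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+iptables -P INPUT ACCEPT
+iptables -P FORWARD ACCEPT
+iptables -P OUTPUT ACCEPT
+printf "\n... flushed.\n"
+}
+
+#restarting function that stops and starts iptables.rules
+restart_iptables_rules () {
+printf "\nFlushing and reloading iptable rules ..."
+stop_iptables_rules
+start_iptables_rules
+}
+
+#list iptable rules currently configured
+status_iptables_rules () {
+iptables -L -n -v
+}
+
+#save current iptable rules to iptables.rules file
+save_iptables_rules () {
+printf "\nSaving current iptable rules ..."
+iptables-save > /etc/iptables.rules
+printf "\n... saved.\n"
+}
+
+case "$1" in
+start)
+start_iptables_rules
+;;
+stop)
+stop_iptables_rules
+;;
+restart)
+restart_iptables_rules
+;;
+status)
+status_iptables_rules
+;;
+save)
+save_iptables_rules
+;;
+*)
+printf "Usage: /etc/init.d/iptables.rules {start|stop|restart|status|save}"
+exit 1
+;;
+
+esac
+exit 0
+</nowiki>
+===Permissions and Boot===
+Add permissions to execute
+<nowiki>~$ chmod 755 /etc/init.d/iptables.rules</nowiki>
+Enable dependency based boot sequence
+<nowiki>~$ update-rc.d iptables.rules defaults</nowiki>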
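Review bot: `start_iptables_rules` backgrounds `iptables-restore` and discards its output (`> /dev/null 2>&1 &`), so a missing or malformed /etc/iptables.rules still prints "... restored." and the script exits 0 while every chain stays at its boot-time ACCEPT policy; run it in the foreground and propagate the status. The script only drives `iptables`, so on a dual-stack host the `-P INPUT DROP` policy set earlier on this page never applies to IPv6 — an equivalent `ip6tables-save`/`ip6tables-restore` pair is needed unless IPv6 is disabled. `stop` resets all policies to ACCEPT, which is the usual convention but leaves the host unfiltered; that is worth saying in the Description line. With `Required-Start: $remote_fs` the rules presumably load after networking is already up, leaving a short unfiltered window at boot — confirm on the target and consider `X-Start-Before: $network` if it matters.
```sh
start_iptables_rules() {
    printf "\nRestoring iptable rules ..."
    if iptables-restore < /etc/iptables.rules; then
        printf "\n... restored.\n"
    else
        printf "\n... FAILED: rules were NOT loaded, chains left as they were.\n" >&2
        return 1
    fi
}
# … unchanged: stop/restart/status/save functions and the case dispatch …
exit $?
```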
Latest revision as of 11:27, 20 May 2021
- iptables
- allows you to configure the Linux (netfilter) packet filter: which ports, protocols and source addresses are accepted, dropped or rejected. iptables handles IPv4 only; IPv6 is filtered separately with ip6tables, which takes the same syntax.
Note: rules in a chain are evaluated in order and the first rule that matches a packet decides its fate (earlier rules take precedence over later ones); a packet that matches no rule gets the chain's default policy. A consequence is that a rule appended with -A after a catch-all REJECT/DROP is never reached — use -I to insert it at the top instead.
lookup current active rules
iptables -L -n -v
remove a rule from iptables, either by its position in the chain or by repeating the exact rule specification. The specification must match exactly, so include the -m comment part if the rule was added with one. Use iptables -L INPUT --line-numbers to see rule positions.
iptables -D INPUT 1 or iptables -D INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT or iptables -D INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j ACCEPT -m comment --comment "limit ssh access"
set a chain's default policy — what happens to packets that match no rule. Over a remote session, switch INPUT to DROP only after the rules that keep your own SSH connection alive (the loopback, ESTABLISHED/RELATED and ssh ACCEPT rules below) are in place, or you lock yourself out.
-P INPUT DROP
allow anything from itself (loopback)
-A INPUT -i lo -j ACCEPT
allow connection from specific address, inbound, using only TCP on a specific port
-A INPUT -s ip.address -p tcp --dport 22 -j ACCEPT
allow a range of ports (written low:high; the double-dash option is --dport)
-A INPUT -s ip.address -p tcp --dport 20000:30000 -j ACCEPT
add a comment to the iptables rule
-m comment --comment "limit ssh access"
allow replies to connections this host opened and traffic related to them (e.g. ICMP errors); place it near the top of INPUT. -m state still works but is a legacy alias — current iptables prefers -m conntrack --ctstate ESTABLISHED,RELATED.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
prevent packets from forwarding (like a router)
iptables -P FORWARD DROP
delete chain from iptables
iptables -X chain.name
reject everything else, answering with an ICMP "host administratively prohibited" message instead of REJECT's default "port unreachable". Append this last: any rule added with -A after it is unreachable.
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
save current IP Tables config
sudo sh -c "iptables-save > /etc/iptables.rules"
restore iptables config. Adding this line to /etc/rc.local makes it run at boot, but that turned out to be unreliable (see the init.d script below); the packaged alternative on Ubuntu is iptables-persistent (netfilter-persistent), which restores /etc/iptables/rules.v4 and rules.v6 at boot and so covers IPv6 as well.
iptables-restore < /etc/iptables.rules
CVE-2015-7547
attempt to mitigate the glibc getaddrinfo() stack overflow (CVE-2015-7547) by dropping oversized UDP DNS packets; the real fix is updating glibc and restarting the services that use it. Caveats for the rule below: the bug is in the client-side stub resolver and is triggered by oversized responses, which arrive from source port 53 — matching --dport 53 only affects queries to a DNS server running on this host, so a resolver client needs --sport 53 instead (plus a corresponding rule for TCP responses); it must be inserted with -I ahead of any catch-all REJECT or it is never reached; and it also drops legitimate large answers (EDNS0/DNSSEC), so expect some resolution failures while it is in place.
~$ sudo iptables -A INPUT -p udp -m length --length 512:0xffff --dport 53 -j DROP -m comment --comment "mitigate CVE-2015-7547"
Init.d startup script
Below is a method intended to give a reliable auto-load of iptables rules at boot; adding the restore command to /etc/rc.local was found not to be 100% reliable. The script only handles iptables (IPv4); load an ip6tables ruleset the same way if the host has IPv6 connectivity.
Create startup script under /etc/init.d
~$ sudo vi /etc/init.d/iptables.rules
Script
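#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables.rules
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start iptables.rules at boot time
# Description:       Load iptable rules at startup, provide flushing (stop) or flush and reload (restart) of rules.
### END INIT INFO
#
# /etc/init.d/iptables.rules {start|stop|restart|status|save}
#
# Loads the IPv4 ruleset previously written by "save" (iptables-save format).
# IPv4 only: nothing here touches ip6tables, so IPv6 traffic stays unfiltered
# unless an equivalent ip6tables ruleset is loaded by other means.
# NOTE(review): Required-Start $remote_fs means this runs after networking is
# up, so there is presumably a short window at boot with ACCEPT policies;
# add "X-Start-Before: $network" if that window matters — confirm on the target.

# Ruleset written by "save" and read by "start".
RULES=/etc/iptables.rules

# Print a diagnostic line on stderr.
err() {
    printf '%s\n' "$*" >&2
}

# Load $RULES with iptables-restore, run in the foreground so its exit status
# is seen. The previous version backgrounded it and discarded all output, so a
# missing or malformed file reported success while the chains stayed at their
# default ACCEPT policy.
# Returns 0 when the ruleset was loaded, 1 otherwise.
start_iptables_rules() {
    printf '\nRestoring iptable rules ...'
    if [ ! -r "$RULES" ]; then
        printf '\n'
        err "$RULES is missing or unreadable; no rules loaded"
        return 1
    fi
    if iptables-restore < "$RULES"; then
        printf '\n... restored.\n'
        return 0
    fi
    printf '\n'
    err "iptables-restore failed; rules from $RULES were NOT loaded"
    return 1
}

# Flush all rules and user-defined chains in the filter, nat and mangle
# tables and reset the built-in chains to ACCEPT.
# WARNING: after this the host accepts everything until "start" runs again.
stop_iptables_rules() {
    printf '\nFlushing iptable rules ...'
    for table in filter nat mangle; do
        iptables -t "$table" -F
        iptables -t "$table" -X
    done
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    printf '\n... flushed.\n'
}

# Flush, then reload from $RULES. Returns the status of the reload.
restart_iptables_rules() {
    printf '\nFlushing and reloading iptable rules ...'
    stop_iptables_rules
    start_iptables_rules
}

# List the active filter-table rules with counters and numeric addresses/ports.
status_iptables_rules() {
    iptables -L -n -v
}

# Write the current ruleset to $RULES. Goes through a temp file in the same
# directory so a failing iptables-save cannot leave a truncated file behind
# for the next boot. The file is made root-only: it lists which peers and
# ports are allowed, and iptables-restore runs as root anyway.
# Returns 0 on success, 1 otherwise.
save_iptables_rules() {
    printf '\nSaving current iptable rules ...'
    tmp=$(mktemp "$RULES.XXXXXX") || {
        printf '\n'
        err "cannot create temporary file next to $RULES"
        return 1
    }
    if iptables-save > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$RULES"; then
        printf '\n... saved.\n'
        return 0
    fi
    rm -f "$tmp"
    printf '\n'
    err "iptables-save failed; $RULES left unchanged"
    return 1
}

case "$1" in
    start)   start_iptables_rules ;;
    stop)    stop_iptables_rules ;;
    restart) restart_iptables_rules ;;
    status)  status_iptables_rules ;;
    save)    save_iptables_rules ;;
    *)
        printf 'Usage: /etc/init.d/iptables.rules {start|stop|restart|status|save}\n' >&2
        exit 1
        ;;
esac
# Propagate the action's status so init (and the admin) see a failed restore.
exit $?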
Permissions and Boot
Make the script executable (it lives under /etc/init.d, so this needs root)
~$ sudo chmod 755 /etc/init.d/iptables.rules
Register the script with the boot sequence (update-rc.d uses the LSB header above to order it)
~$ sudo update-rc.d iptables.rules defaults