Iptables Command Line Tool Examples

From NovaOrdis Knowledge Base
Jump to navigation Jump to search

Internal

Base Configuration

Use the content below and overwrite the existing /etc/sysconfig/iptables. 

*mangle
:PREROUTING ACCEPT 
:INPUT ACCEPT 
:FORWARD ACCEPT 
:OUTPUT ACCEPT 
:POSTROUTING ACCEPT 
COMMIT

*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT 
:OUTPUT ACCEPT 
COMMIT

*filter

# the default INPUT chain policy is to DROP unless there's a rule that explicitly accepts the packet
:INPUT DROP 

# the default FORWARD chain policy is to DROP unless there's a rule that explicitly accepts the packet
:FORWARD DROP 

# the default OUTPUT chain policy is to ACCEPT unless there's a rule that explicitly rejects or drops the packet
:OUTPUT ACCEPT 

# anything that comes from us through the loopback interface is accepted
-A INPUT -i lo -j ACCEPT

# established connections initiated by us are accepted
-A INPUT -m state --state ESTABLISHED -j ACCEPT

# by default, we allow new SSH connections on port 22 all interfaces - we may want to change that and be more selective
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

#
# everything else coming from outside will be dropped
#

#
# all outbound traffic is accepted
#
COMMIT

Base IPv6 Configuration

Use the content below and overwrite the existing /etc/sysconfig/ip6tables. 

#
# DROP all inbound and forward traffic, allow all outbound traffic
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

Allow SSH Only From the Internal Network on a Non-Standard Port

Add to /etc/sysconfig/iptables. Note that all new ssh connection attempts coming on other interfaces than enp0s25 will be dropped. Make sure the enp0s25 is the internal network interface. 

[...]

# allow SSH only from the internal network on a non-standard port
-A INPUT -i enp0s25 -p tcp -m tcp --dport 12345 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT

[...]

Details on how to reconfigure the sshd server to listen on a non-standard port are available here: Changing the Default sshd Port. Important! sshd server reconfiguration and the firewall rule change must be done at the same time, otherwise you may lose remote ssh access between reboots.

Allow a Web Server on a Specific Interface

In /etc/sysconfig/iptables: 


[...]

# allow a web server on a specific interface on both 80 and 443
-A INPUT -i enp15s0u2 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i enp15s0u2 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

[...]

Multicast

Allow Multicast Traffic to Go Out

The standard /etc/sysconfig/iptables rule that allows all traffic out should be sufficient: 


*filter
:OUTPUT ACCEPT

Allow Multicast Traffic to Come In

Add to /etc/sysconfig/iptables: 


[...]

# allow multicast traffic in
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT

[...]

Organizatorium

  • How to accept just a single multicast address:port?
  • Test this and NOKB it:
# allow anything in on multicast addresses
-A INPUT -s 224.0.0.0/4 -j ACCEPT
-A INPUT -p igmp -d 224.0.0.0/4 -j ACCEPT
# needed for multicast ping responses
-A INPUT -p icmp --icmp-type 0 -j ACCEPT

Allow UDP Traffic for a Specific Port

-A INPUT -p udp -m udp --dport 54200 -j ACCEPT

Allow Incoming Connections Only from Hosts on a Specific Subnet

This rules only allows incoming TCP connections on port 8088 from hosts on the 172.20.0.0/16 subnet. 

-A INPUT -i eth0 -p tcp -m tcp --dport 8088 -m state --state NEW -s 172.20.0.0/16 -j ACCEPT

Configuring LOG

The LOG target is designed for logging information about packets (most of the IP headers, for example). It does this via the kernel logging facility, normally syslogd; the information can be read with dmesg or from the syslogd logs. It can be used for debugging. The simplest way to see what packets are dropped by the input chain with a DROP default policy is to insert 

-A INPUT -j LOG --log-level info --log-prefix "INPUT packets"

Logging data will be sent to /var/log/messages, and will be subject to usual kernel logging rules (see rsyslogd and rsyslog.conf). Because the rule is the last one in the chain, it means that all we see in the logs are packets that would be silently dropped otherwise.

This is how a dropped request will look like: 

Apr 25 12:06:45 shrike kernel: IN=eth0 OUT= MAC=00:1c:25:9a:44:ed:24:77:03:d0:a3:b4:08:00 SRC=192.168.1.137 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15079 DF PROTO=TCP SPT=51262 DPT=8009 WINDOW=8192 RES=0x00 SYN URGP=0 
Apr 25 12:06:45 shrike kernel: IN=eth0 OUT= MAC=00:1c:25:9a:44:ed:24:77:03:d0:a3:b4:08:00 SRC=192.168.1.137 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15081 DF PROTO=TCP SPT=51263 DPT=8009 WINDOW=8192 RES=0x00 SYN URGP=0

For a more refined output, edit /etc/rsyslog.conf.

NAT IP Masquerading Configuration

NAT IP Masquerading Configuration
Retrieved from "https://kb.novaordis.com/index.php?title=Iptables_Command_Line_Tool_Examples&oldid=97492"