Latest revision as of 23:36, 5 August 2023
=Base Configuration=
Use the content below to overwrite the existing <code>/etc/sysconfig/iptables</code>. It drops everything inbound and everything forwarded unless a later rule explicitly accepts it, and lets all outbound traffic through. The <code>[0:0]</code> after each policy is the packet/byte counter pair that <code>iptables-save</code> writes and that <code>iptables-restore -c</code> expects.
<pre>
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
# the default INPUT chain policy is to DROP unless there's a rule that explicitly accepts the packet
:INPUT DROP [0:0]
# the default FORWARD chain policy is to DROP unless there's a rule that explicitly accepts the packet
:FORWARD DROP [0:0]
# the default OUTPUT chain policy is to ACCEPT unless there's a rule that explicitly rejects or drops the packet
:OUTPUT ACCEPT [0:0]
# anything that comes in through the loopback interface is accepted
-A INPUT -i lo -j ACCEPT
# packets belonging to a connection conntrack already tracks are accepted; this is what lets the
# replies to connections we initiated back in (ESTABLISHED matches regardless of who initiated).
# Add RELATED (--state ESTABLISHED,RELATED) if you need ICMP error messages or helper-opened
# connections such as FTP data channels.
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# by default, new SSH connections on port 22 are accepted on all interfaces from any source -
# we may want to change that and be more selective (see the SSH section below)
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
#
# everything else coming from outside will be dropped
#
#
# all outbound traffic is accepted
#
COMMIT
</pre>
After editing, check the syntax with <code>iptables-restore --test < /etc/sysconfig/iptables</code> before loading it with the iptables service (<code>systemctl restart iptables</code> on RHEL-family systems with iptables-services) or with <code>iptables-restore < /etc/sysconfig/iptables</code>. The <code>-m state</code> match used throughout is the older alias of <code>-m conntrack --ctstate</code>; both work.
=Base IPv6 Configuration=
Use the content below to overwrite the existing <code>/etc/sysconfig/ip6tables</code>.
<pre>
#
# DROP all inbound and forward traffic, allow all outbound traffic
#
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
</pre>
Unlike the IPv4 base configuration, this one has no loopback rule and no ESTABLISHED rule, and it drops all inbound ICMPv6, including Neighbor Discovery and Router Advertisements, so the host effectively has no IPv6 connectivity at all (including to services bound to <code>::1</code>). That is the intent when IPv6 is not used. If it is, add an ESTABLISHED,RELATED rule, a loopback rule, and accept ICMPv6, at least the Neighbor Discovery types 133 to 137, before relying on it.
=Allow SSH Only From the Internal Network on a Non-Standard Port=
Add to <code>/etc/sysconfig/iptables</code> and remove the base configuration's port 22 rule, which accepts new SSH connections on all interfaces from any source; if it is left in place, SSH stays reachable from everywhere on port 22 and the restriction below is meaningless. New SSH connection attempts arriving on interfaces other than enp0s25, or from addresses outside 192.168.1.0/24, fall through to the INPUT chain's DROP policy. Make sure enp0s25 is the internal network interface.
<pre>
[...]
# allow SSH only from the internal network on a non-standard port
-A INPUT -i enp0s25 -p tcp -m tcp --dport 12345 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
[...]
</pre>
Details on how to reconfigure the sshd server to listen on a non-standard port are available here: [[sshd Configuration#Change_the_Default_Port|Changing the Default sshd Port]]. '''Important!''' The sshd reconfiguration and the firewall rule change must be done together, otherwise you may lose remote SSH access at the next reboot, when both <code>/etc/sysconfig/iptables</code> and <code>sshd_config</code> are reloaded. A safe sequence is: keep your current session open, add the new rule while the port 22 rule is still present, move sshd to the new port, verify that a fresh login on port 12345 from the internal network works, and only then delete the port 22 rule.
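The two mistakes this section and the base configuration warn about (a permissive INPUT or FORWARD policy, and an ACCEPT rule left behind that exposes a port on every interface to every source) are easy to catch mechanically before a rules file is loaded. What follows is an added example, not code from the original page: a small lint for the <code>iptables-restore</code> format, run on a constructed rules file that combines the base configuration with the port 12345 rule but forgets to remove the port 22 rule. The names <code>lint</code>, <code>parse_rules</code>, <code>parse_rule</code> and <code>SAMPLE_RULES</code> are this example's own.

```python
"""Lint an iptables-restore style rules file (the /etc/sysconfig/iptables format)
for the invariants the base configuration relies on.
Added example, not part of the original page; the function names and the
sample rules file are this example's own."""
import shlex

# Constructed sample: the base *filter table plus the SSH-on-12345 rule, with the
# base configuration's all-interfaces port 22 rule mistakenly left in place.
SAMPLE_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-tracked connections
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
# the base configuration's SSH rule: should have been removed
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
# SSH only from the internal network on a non-standard port
-A INPUT -i enp0s25 -p tcp -m tcp --dport 12345 -m state --state NEW -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p udp -m udp --dport 54200 -j ACCEPT
COMMIT
"""


def parse_rule(line):
    """Pull the options this lint cares about out of one '-A CHAIN ...' line.
    Options it does not model (-o, -d, --sport, '!' negation) are skipped."""
    toks = shlex.split(line)
    rule = {"chain": toks[1], "raw": line, "in": None, "src": None,
            "proto": None, "dport": None, "states": set(), "target": None}
    two_arg = {"-i": "in", "-s": "src", "-p": "proto", "--dport": "dport", "-j": "target"}
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok in two_arg:
            rule[two_arg[tok]] = toks[i + 1]
            i += 2
        elif tok == "--state":
            rule["states"] = set(toks[i + 1].split(","))
            i += 2
        elif tok == "-m":           # -m <match>: the match's own options follow
            i += 2
        else:                       # an option we do not model; skip it
            i += 1
    return rule


def parse_rules(text):
    """Return ({chain: policy}, [rules]) for the *filter table of an
    iptables-restore file; other tables (nat, mangle) are skipped."""
    policies, rules, table = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "filter" and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif table == "filter" and line.startswith("-A "):
            rules.append(parse_rule(line))
    return policies, rules


def lint(text):
    """Return a list of findings; an empty list means the invariants hold."""
    findings = []
    policies, rules = parse_rules(text)
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policies.get(chain)}, expected DROP")
    inbound = [r for r in rules if r["chain"] == "INPUT"]
    if not any(r["in"] == "lo" and r["target"] == "ACCEPT" for r in inbound):
        findings.append("no ACCEPT rule for the loopback interface")
    if not any("ESTABLISHED" in r["states"] and r["target"] == "ACCEPT" for r in inbound):
        findings.append("no ESTABLISHED rule: replies to outbound connections will be dropped")
    for r in inbound:
        # an ACCEPT on a port with neither an interface nor a source restriction
        # exposes that service to everything that can reach the host
        if r["target"] == "ACCEPT" and r["dport"] and r["in"] is None and r["src"] is None:
            findings.append(f"{r['proto']}/{r['dport']} accepted on all interfaces "
                            f"from any source: {r['raw']}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES) or ["no findings"]:
        print(finding)
```

Run against a real file with <code>lint(open("/etc/sysconfig/iptables").read())</code> before loading it. On the constructed sample it reports the leftover port 22 rule and the unrestricted UDP 54200 rule; whether the latter is acceptable depends on the service, which is why the lint reports rather than rewrites.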
=Allow a Web Server on a Specific Interface=
In <code>/etc/sysconfig/iptables</code>:
<pre>
[...]
# allow a web server on a specific interface on both 80 and 443
-A INPUT -i enp15s0u2 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
-A INPUT -i enp15s0u2 -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
[...]
</pre>
These rules accept new connections from any source address, as long as they arrive on enp15s0u2; add <code>-s</code> to restrict the clients as well. The two rules can be collapsed into one with the <code>multiport</code> match if the list of ports grows.
=Multicast=
==Allow Multicast Traffic to Go Out==
The base <tt>/etc/sysconfig/iptables</tt> OUTPUT policy, which accepts all outbound traffic, is sufficient:
<pre>
*filter
:OUTPUT ACCEPT [0:0]
</pre>
==Allow Multicast Traffic to Come In==
Add to <tt>/etc/sysconfig/iptables</tt>:
<pre>
[...]
# allow multicast traffic in
-A INPUT -m pkttype --pkt-type multicast -j ACCEPT
[...]
</pre>
The <code>pkttype</code> match classifies the packet by its link-layer destination, so this rule accepts every multicast frame regardless of group address, protocol or port. Narrow it with <code>-d</code> (the group) and <code>-p udp --dport</code> (the port) when only a specific group is expected.
=Organizatorium=
* To accept just a single multicast group and port, match on the ''destination'' group address with <code>-d</code> and on the UDP port with <code>-p udp --dport</code>, instead of the broad <code>pkttype</code> match. Multicast addresses only ever appear as destinations; a packet never has a multicast source.
* Test this and NOKB it:
<pre>
# allow anything in to multicast addresses (match the destination: -s 224.0.0.0/4 would never match real traffic)
-A INPUT -d 224.0.0.0/4 -j ACCEPT
# redundant with the rule above, kept for when the first one is narrowed to specific groups
-A INPUT -p igmp -d 224.0.0.0/4 -j ACCEPT
# needed for multicast ping responses: replies to a ping of a group address come from many unicast
# sources, so conntrack does not classify them as ESTABLISHED and the base configuration drops them
-A INPUT -p icmp --icmp-type 0 -j ACCEPT
</pre>
==Allow UDP Traffic for a Specific Port==
This accepts UDP datagrams to port 54200 on any interface from any source; add <code>-i</code> and/or <code>-s</code> to narrow it, as in the SSH rule above.
<pre>
-A INPUT -p udp -m udp --dport 54200 -j ACCEPT
</pre>
=Allow Incoming Connections Only from Hosts on a Specific Subnet=
This rule accepts new TCP connections to port 8088 on eth0 only from hosts in 172.20.0.0/16. Everything else sent to that port falls through to the INPUT chain's DROP policy, which is what makes the "only" hold; the rule by itself never rejects anything.
<pre>
-A INPUT -i eth0 -p tcp -m tcp --dport 8088 -m state --state NEW -s 172.20.0.0/16 -j ACCEPT
</pre>
=Configuring LOG=
The LOG target records information about the packets that reach it (most of the IP header fields, plus the TCP/UDP ports and TCP flags) through the kernel logging facility, normally picked up by the syslog daemon; the output can be read with [[dmesg]] or from the syslog daemon's logs, and it is useful for debugging. LOG is a non-terminating target: after logging, the packet continues to the next rule and, if nothing accepts it, to the chain policy. The simplest way to see which packets the INPUT chain's DROP policy is discarding is therefore to append, as the ''last'' rule in the chain:
<pre>
-A INPUT -j LOG --log-level info --log-prefix "INPUT packets"
</pre>
Logging data will be sent to <tt>/var/log/messages</tt>, subject to the usual kernel logging rules (see rsyslogd and rsyslog.conf). Because the rule is the last one in the chain, everything it logs is a packet that no earlier rule accepted, that is, a packet the DROP policy would otherwise discard silently. Two caveats: the prefix is printed immediately before the <code>IN=</code> field, so end it with a space or ": " if you want to grep on it cleanly; and an unrestricted LOG rule lets anyone who can send you packets fill your logs, so in production put a <code>-m limit</code> match in front of <code>-j LOG</code>.
This is what dropped requests look like (these lines were captured without a <code>--log-prefix</code>):
<pre>
Apr 25 12:06:45 shrike kernel: IN=eth0 OUT= MAC=00:1c:25:9a:44:ed:24:77:03:d0:a3:b4:08:00 SRC=192.168.1.137 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15079 DF PROTO=TCP SPT=51262 DPT=8009 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 25 12:06:45 shrike kernel: IN=eth0 OUT= MAC=00:1c:25:9a:44:ed:24:77:03:d0:a3:b4:08:00 SRC=192.168.1.137 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15081 DF PROTO=TCP SPT=51263 DPT=8009 WINDOW=8192 RES=0x00 SYN URGP=0
</pre>
Reading the fields: 192.168.1.137 sent two TCP SYNs (the bare <code>SYN</code> token is the flag; there is no <code>ACK</code>) from ephemeral ports 51262 and 51263 to port 8009 on this host, and since they reached the LOG rule nothing accepted them. <code>MAC</code> is the destination MAC, the source MAC and the EtherType (<code>08:00</code>, IPv4) concatenated, and <code>OUT=</code> is empty because the packet was addressed to this host rather than forwarded.
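Once the LOG rule is in place, the interesting question is usually not one line but the pattern across many: a single client retrying one closed port is noise, while one source touching many ports is a sweep. The following is an added example, not code from the original page: a parser for the <code>key=value</code> LOG format shown above, run over the page's two sample lines plus constructed ones (the lines from 10.0.0.9 and 192.168.1.50 and the sshd line are made up). The names <code>parse_log_line</code>, <code>summarize</code>, <code>suspected_scanners</code> and <code>SAMPLE_LOG</code> are this example's own, and the syslog line layout (<code>kernel:</code> followed by the LOG output) is assumed.

```python
"""Parse netfilter LOG lines from syslog and summarise what the INPUT DROP
policy is discarding.  Added example, not part of the original page; the
function names and all sample lines other than the page's first two are
constructed."""
import re
from collections import defaultdict

# Constructed sample log: the page's two lines, then a host sweeping five
# ports on this machine, one mDNS datagram, and an unrelated sshd line.
SAMPLE_LOG = """\
Apr 25 12:06:45 shrike kernel: IN=eth0 OUT= MAC=00:1c:25:9a:44:ed:24:77:03:d0:a3:b4:08:00 SRC=192.168.1.137 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15079 DF PROTO=TCP SPT=51262 DPT=8009 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 25 12:06:45 shrike kernel: IN=eth0 OUT= MAC=00:1c:25:9a:44:ed:24:77:03:d0:a3:b4:08:00 SRC=192.168.1.137 DST=192.168.1.6 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15081 DF PROTO=TCP SPT=51263 DPT=8009 WINDOW=8192 RES=0x00 SYN URGP=0
Apr 25 12:07:01 shrike kernel: INPUT packets: IN=eth0 OUT= MAC=00:1c:25:9a:44:ed:00:11:22:33:44:55:08:00 SRC=10.0.0.9 DST=192.168.1.6 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 25 12:07:01 shrike kernel: INPUT packets: IN=eth0 OUT= MAC=00:1c:25:9a:44:ed:00:11:22:33:44:55:08:00 SRC=10.0.0.9 DST=192.168.1.6 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 25 12:07:01 shrike kernel: INPUT packets: IN=eth0 OUT= MAC=00:1c:25:9a:44:ed:00:11:22:33:44:55:08:00 SRC=10.0.0.9 DST=192.168.1.6 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=TCP SPT=40003 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 25 12:07:02 shrike kernel: INPUT packets: IN=eth0 OUT= MAC=00:1c:25:9a:44:ed:00:11:22:33:44:55:08:00 SRC=10.0.0.9 DST=192.168.1.6 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=TCP SPT=40004 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 25 12:07:02 shrike kernel: INPUT packets: IN=eth0 OUT= MAC=00:1c:25:9a:44:ed:00:11:22:33:44:55:08:00 SRC=10.0.0.9 DST=192.168.1.6 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=5 PROTO=TCP SPT=40005 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 25 12:07:05 shrike kernel: INPUT packets: IN=eth0 OUT= MAC=01:00:5e:00:00:fb:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.1.50 DST=224.0.0.251 LEN=60 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=40
Apr 25 12:07:06 shrike sshd[1234]: Accepted publickey for ops from 192.168.1.20 port 50000 ssh2
"""

# "kernel:" then an optional "[ seconds ]" timestamp, then the --log-prefix
# text (possibly empty), then the first LOG field.
LOG_RE = re.compile(r"kernel:\s*(?:\[\s*[\d.]+\]\s*)?(?P<prefix>.*?)IN=")


def parse_log_line(line):
    """Return a dict of the LOG fields plus 'prefix' and the bare flags
    (DF, SYN, ...) under 'flags', or None if this is not a netfilter LOG line.
    A key that appears twice (LEN for UDP/ICMP) keeps its first, IP-level value."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip().rstrip(":"), "flags": set()}
    for tok in line[m.end("prefix"):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec.setdefault(key, value)
        else:
            rec["flags"].add(tok)
    return rec


def summarize(text):
    """Group LOG lines by source address: packet count and the set of
    (protocol, destination port) pairs each source was dropped on."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set()})
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        entry = per_src[rec["SRC"]]
        entry["packets"] += 1
        if "DPT" in rec:
            entry["ports"].add((rec["PROTO"], int(rec["DPT"])))
    return dict(per_src)


def suspected_scanners(per_src, min_ports=5):
    """Sources whose dropped packets touched at least min_ports distinct ports:
    the shape of a port sweep rather than of one misconfigured client."""
    return sorted(src for src, e in per_src.items() if len(e["ports"]) >= min_ports)


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, e in sorted(stats.items()):
        print(f"{src}: {e['packets']} packet(s), ports {sorted(e['ports'])}")
    print("suspected scanners:", suspected_scanners(stats))
```

On the sample, 192.168.1.137 is the page's retrying client (two SYNs to one port), 192.168.1.50 is harmless mDNS that the multicast section's rule would have accepted, and 10.0.0.9 is the only source flagged. Feed it <code>/var/log/messages</code> or <code>dmesg</code> output; the threshold is a starting point, not a detection rule.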
For a more refined output, for example to route the lines carrying your <code>--log-prefix</code> to a dedicated file instead of <tt>/var/log/messages</tt>, edit <tt>/etc/rsyslog.conf</tt>.
=NAT IP Masquerading Configuration=
{{Internal|Linux_Virtualization_Configuration#NAT_IP_Masquerading|NAT IP Masquerading Configuration}}