Iptables
From TheBeard Science Project Wiki
Revision as of 15:54, 29 February 2016 by Beard (talk | contribs) (Created page with "<pre> packages: iptables system-config-firewall system-config-securitylevel daemons: iptables ip6tables configs: /etc/sysconfig/iptables-config - config file /etc/sy...")
packages:
  iptables
  system-config-firewall
  system-config-securitylevel

daemons:
  iptables
  ip6tables

configs:
  /etc/sysconfig/iptables-config - config file
  /etc/sysconfig/iptables - list of rules. rules are listed the same as CLI arguments
  /etc/sysconfig/iptables.save - save/backup file
  /etc/sysconfig/iptables.old - manual backup file

tutorials:
  http://www.routermods.com/2010/02/09/iptables-for-dummies-a-beginners-guide-to-iptables-firewall/

commands:
  * the order of arguments is unimportant
  * rules are applied using

  service iptables save - saves rules currently in memory to /etc/sysconfig/iptables
  iptables -L - list rules
    --line-numbers
  iptables -P <chain> <rule> - set default/implicit policy for the whole chain (ie iptables -P INPUT ACCEPT)
  iptables -D <chain> <rule> - delete rule. can be either a number starting at 1 or the rule itself. (ie iptables -D INPUT 2)
  iptables-save - saves rules to iptables.save and allows rules to be applied on restart

  iptables -t <table> -A <chain> -i <int> -o <int> -p <protocol> --sport <port> --dport <port> -s <source> -d <destination> -j <action>
    precede options with "!" to apply NOT logic (ie ! -s 0.0.0.0/0)

    -t <table> - table can be either:
      filter - default if no table specified
      nat - nat table
      mangle - mangle table
    -A <chain> - append to chain
      INPUT - packets destined to local machine
      OUTPUT - packets generated by local machine
      FORWARD - packets passing through box
      PREROUTING - packets as they enter local machine (nat and mangle only)
      POSTROUTING - packets as they leave local machine (nat and mangle only)
    -I <chain> <#> - same as -A but inserts rule as rule #
    -i <int> - input interface (optional)
    -o <int> - output interface (optional)
    -p <protocol>
      tcp udp udplite icmp esp ah sctp all
    -m <extension> <options> - match. adds extension with more options.
      (ie iptables -A INPUT -p tcp --dport 80 -m comment --comment "www request")
      comment
        --comment <text>
      state - the state of the packet
        --state <state>
          NEW - packet has started new connection. most commonly used for incoming traffic
          RELATED - packet started new connection but is associated with an existing connection
          ESTABLISHED - packet is part of another connection
      limit - helps prevent dictionary attacks
        --limit <#>/<second/minute/hour/day> - (ie -m limit --limit 2/minute)
        --limit-burst <#> - limit number of packets to match.
      mac
        --mac-source <address>
      iprange - match a range of addresses
        --src-range <addr>-<addr>
        --dst-range <addr>-<addr>
    --sport <port> - source port
    --dport <port> - destination port
    --tcp-flags <flag> - comma separated list of flags
      SYN RST ACK FIN
    -s <source> - source address. can be host name or address/mask (ie 192.168.0.1/24)
    -d <destination> - destination address. can be host name or address/mask (ie 192.168.0.1/24)
    -j <action> - the action to take
      ACCEPT
      REJECT - rejects packet and sends error.
      DROP - same as REJECT except it sends no error
      LOG - logs when a packet matches rule. for rejected packets, place a log rule before the rejecting rule.
        --log-prefix <text>
        --log-level <#> - 7 is appropriate

examples:
  allow previously established connections:
    iptables -A INPUT -j ACCEPT -p tcp ! --syn -s 0/0 -d (outer ip/net) - pro firewall rule
  allow port 80:
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
  limitations on ssh:
    iptables -A INPUT -p tcp --dport ssh -m limit --limit 3/minute --limit-burst 2 -j ACCEPT
  allow ssh and all session-related packets (--dport needs -p tcp in front of it):
    iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 22 -m state --state NEW -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
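A complete host ruleset that puts the notes above together (default DROP policy, ESTABLISHED/RELATED first, rate-limited ssh, LOG rule placed before the implicit drop), written in the format /etc/sysconfig/iptables uses so it can be loaded with iptables-restore or a service restart. This is an added example, not from the original page; the interface name and admin subnet are assumed values.

```shell
#!/bin/sh
# Emits an /etc/sysconfig/iptables style ruleset for a single host.
# LAN_IF and ADMIN_NET are assumptions for this example; set them for your box.
LAN_IF="eth0"
ADMIN_NET="192.168.0.0/24"

build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and already-established sessions come first so they never hit the limit or log rules
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new ssh sessions only from the admin subnet, at most 3/minute with a burst of 2
-A INPUT -i $LAN_IF -p tcp --dport 22 -s $ADMIN_NET -m state --state NEW -m limit --limit 3/minute --limit-burst 2 -m comment --comment "ssh rate limit" -j ACCEPT
# web traffic
-A INPUT -p tcp --dport 80 -j ACCEPT
# log rule sits before the drop: whatever falls through is logged (rate-limited) at level 7, then the INPUT policy drops it
-A INPUT -m limit --limit 5/minute -j LOG --log-prefix "iptables-drop: " --log-level 7
COMMIT
EOF
}

# Number of -A rules in a chain; a quick sanity check of the generated file.
count_rules() {
    build_ruleset | grep -c "^-A $1 "
}

# Target of the last rule in a chain; for INPUT it must be LOG so nothing is dropped unlogged.
last_target() {
    build_ruleset | grep "^-A $1 " | tail -n 1 | sed 's/.* -j \([A-Z]*\).*/\1/'
}

# usage: build_ruleset > /etc/sysconfig/iptables   (then: service iptables restart)
```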