gnu_linux:iptables:sample [2012/11/25 15:34] – fix for rules deletion kolan | gnu_linux:iptables:sample [2015/11/25 08:59] (current) – kolan | ||
Line 1: | Line 1: | ||
- | ====== Iptables/ | + | ====== Iptables/ |
- | <code bash | Netfilter rules example># | + | <code bash | Netfilter rules for server># |
- | # Interfaces | + | # -- INTERFACES -- |
- | EXTIF1=eth0 | + | WAN0=wan0 |
- | EXTIF2=usb0 | + | LAN0=lan0 |
- | INTIF1=vboxnet0 | + | VIRBR0=virbr0 |
- | INTIF2=wlan0 | + | |
- | # Delete all existing rules | + | # -- DEFAULT POLICIES -- |
+ | iptables -P INPUT DROP | ||
+ | iptables -P FORWARD DROP | ||
+ | iptables -P OUTPUT ACCEPT | ||
+ | |||
+ | # -- CLEAR -- | ||
iptables -F | iptables -F | ||
iptables -X | iptables -X | ||
iptables -t nat -F | iptables -t nat -F | ||
iptables -t mangle -F | iptables -t mangle -F | ||
+ | iptables -t nat -X | ||
+ | iptables -t mangle -X | ||
- | # Always accept loopback traffic | + | # -- SYN FLOOD -- |
+ | iptables -N SYN-FLOOD | ||
+ | for PORT in 21 22 25 80 139 143 443 445 3128 3130 5222 5223 5269 5280 6080 9418 11194 49164; do | ||
+ | iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -m hashlimit --hashlimit 10/min --hashlimit-burst 10 \ | ||
+ | --hashlimit-htable-expire 3600 --hashlimit-mode srcip --hashlimit-name synflood -j ACCEPT | ||
+ | iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -j LOG --log-prefix " | ||
+ | iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -j DROP | ||
+ | iptables -A SYN-FLOOD -p tcp --dport $PORT ! --syn -j RETURN | ||
+ | done | ||
+ | |||
+ | # -- INPUT -- | ||
iptables -A INPUT -i lo -j ACCEPT | iptables -A INPUT -i lo -j ACCEPT | ||
+ | iptables -A INPUT -i $WAN0 -s 192.168.1.1 -j ACCEPT # Allow Router | ||
+ | iptables -A INPUT -i $WAN0 -s xx.yy.zz.123 -j ACCEPT # Allow someone | ||
+ | iptables -A INPUT -i $LAN0 -s 192.168.0.0/ | ||
+ | iptables -A INPUT -i $VIRBR0 -s 192.168.0.0/ | ||
- | # Allow established connections, and those not coming from the outside | + | # Allow packets for established connections |
iptables -A INPUT -m conntrack --ctstate ESTABLISHED, | iptables -A INPUT -m conntrack --ctstate ESTABLISHED, | ||
+ | |||
+ | # http:// | ||
+ | iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP | ||
+ | iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP | ||
+ | iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP | ||
+ | iptables -A INPUT -f -j DROP | ||
+ | #iptables -I INPUT -m conntrack --ctstate INVALID -j DROP | ||
+ | |||
+ | # SYN-flood | ||
+ | iptables -A INPUT -i $WAN0 -p tcp --syn -j SYN-FLOOD | ||
+ | |||
+ | # Open several ports | ||
+ | iptables -A INPUT -i $WAN0 -p tcp -m tcp -m multiport --dports \ | ||
+ | 21, | ||
+ | -d 192.168.1.22 \ | ||
+ | -m conntrack --ctstate NEW -j ACCEPT | ||
+ | iptables -A INPUT -i $LAN0 -p tcp -m tcp -m multiport --dports \ | ||
+ | 22, | ||
+ | -d 192.168.1.2 \ | ||
+ | -m conntrack --ctstate NEW -j ACCEPT | ||
+ | iptables -A INPUT -i $VIRBR0 -p tcp -m tcp -m multiport --dports \ | ||
+ | 53, | ||
+ | -m conntrack --ctstate NEW -j ACCEPT | ||
+ | |||
+ | # Allow ping for local subnets | ||
+ | iptables -A INPUT -i $LAN0 -p icmp --icmp-type echo-request -d 192.168.1.2 -m limit --limit 2/s --limit-burst 3 -j ACCEPT | ||
+ | iptables -A INPUT -i $VIRBR0 -p icmp --icmp-type echo-request -d 192.168.122.1 -m limit --limit 2/s --limit-burst 3 -j ACCEPT | ||
+ | |||
+ | # Game Servers | ||
+ | iptables -A INPUT -i $WAN0 -p udp --dport 27960 -j ACCEPT | ||
+ | iptables -A INPUT -i $WAN0 -p udp --dport 30000 -j ACCEPT | ||
+ | |||
+ | # DHCP/DNS for LAN0 and VIRBR0 | ||
+ | iptables -A INPUT -i $LAN0 -p udp --dport 53 -j ACCEPT | ||
+ | iptables -A INPUT -i $VIRBR0 -p udp --dport 53 -j ACCEPT | ||
+ | iptables -A INPUT -i $VIRBR0 -p udp -d 255.255.255.255 --dport 67 -j ACCEPT | ||
+ | |||
+ | # -- FORWARD -- | ||
+ | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu | ||
+ | #iptables -A FORWARD -j SYN-FLOOD | ||
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED, | iptables -A FORWARD -m conntrack --ctstate ESTABLISHED, | ||
- | iptables -A INPUT -m conntrack | + | iptables -A FORWARD |
- | iptables -A INPUT -m conntrack --ctstate NEW -i $INTIF2 | + | iptables -A FORWARD |
+ | iptables -A FORWARD -i $VIRBR0 -o $LAN0 -j ACCEPT | ||
+ | #iptables -A FORWARD -i $LAN0 -o $WAN0 -s 192.168.0.0/ | ||
+ | # -m conntrack --ctstate NEW -j ACCEPT | ||
- | # Allow outgoing connections from the LAN side | + | # -- MASQUERADE -- |
- | iptables | + | iptables |
- | iptables -A FORWARD | + | |
- | # Connect LANs | + | # -- SQUID -- |
- | iptables -A FORWARD | + | #iptables |
- | iptables -A FORWARD | + | #iptables |
- | iptables -A FORWARD | + | |
- | iptables -A FORWARD -i $INTIF2 | + | # -- SSH GUARD -- |
+ | iptables -N sshguard | ||
+ | iptables -A INPUT -j sshguard | ||
+ | |||
+ | # Allow tiny proxy only for Someone | ||
+ | #iptables -A INPUT -i $EXTIF -p tcp --dport 3130 ! -s xx.yy.zz.123 -j DROP | ||
+ | |||
+ | |||
+ | # | ||
+ | #--- More examples --- | ||
+ | # | ||
+ | # Deny ICMP echo-requests | ||
+ | iptables -t filter -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j DROP | ||
+ | |||
+ | # Forward traffic from local net except the routers | ||
+ | ROUTER1_IP=192.168.1.333 | ||
+ | ROUTER2_IP=192.168.1.555 | ||
+ | iptables -A FORWARD -m conntrack --ctstate ESTABLISHED, | ||
+ | iptables -A FORWARD -s $ROUTER1_IP | ||
+ | iptables -A FORWARD -s $ROUTER2_IP -m conntrack --ctstate NEW -j REJECT | ||
+ | iptables -A FORWARD -s 192.168.0.0/ | ||
+ | iptables -A FORWARD -j REJECT | ||
- | # Masquerade | + | # Squid |
- | iptables -t nat -A POSTROUTING | + | iptables -t nat -A PREROUTING |
- | iptables | + | |
- | # Don't forward from the outside to the inside | + | # SSH Guard |
- | iptables -A FORWARD -i $EXTIF1 -j REJECT | + | iptables -N sshguard |
- | iptables -A FORWARD -i $EXTIF2 | + | iptables -A INPUT -j sshguard |
- | # MTU | + | # Block Samba connections from Routers with old firmwares |
- | iptables -I FORWARD | + | iptables -A INPUT -i $EXTIF -p udp --dport 137 -s $ROUTER1_IP -j DROP |
+ | iptables -A INPUT -i $EXTIF -p udp --dport 138 -s $ROUTER1_IP -j DROP | ||
+ | iptables -A INPUT -i $EXTIF | ||
+ | iptables -A INPUT -i $EXTIF -p tcp --dport 445 -s $ROUTER1_IP | ||
+ | iptables | ||
+ | iptables -A INPUT -i $EXTIF -p udp --dport 138 -s $ROUTER2_IP -j DROP | ||
+ | iptables -A INPUT -i $EXTIF -p tcp --dport 139 -s $ROUTER2_IP -j REJECT | ||
+ | iptables -A INPUT -i $EXTIF -p tcp --dport 445 -s $ROUTER2_IP -j REJECT | ||
- | # Allow IP forward | + | # Drop all outbound UDP traffic except for the DNS, NTP |
- | echo 1 > / | + | iptables -A INPUT -p udp --sport 53 -j ACCEPT |
+ | iptables -A INPUT -p udp --dport 53 -j ACCEPT | ||
+ | iptables -A OUTPUT -p udp --sport 53 -j ACCEPT | ||
+ | iptables -A OUTPUT -p udp --dport 53 -j ACCEPT | ||
+ | iptables -A INPUT -p udp --sport 123 -j ACCEPT | ||
+ | iptables -A INPUT -p udp --dport 123 -j ACCEPT | ||
+ | iptables -A OUTPUT -p udp --sport 123 -j ACCEPT | ||
+ | iptables -A OUTPUT -p udp --dport 123 -j ACCEPT | ||
+ | iptables -A INPUT -p udp -j DROP | ||
+ | iptables -A OUTPUT -p udp -j DROP | ||
- | # Switch On rp_filter | + | # Don't forward UPD traffic except |
- | for f in / | + | iptables -A FORWARD -p udp --sport 53 -j ACCEPT |
+ | iptables -A FORWARD -p udp --dport 53 -j ACCEPT | ||
+ | iptables -A FORWARD -p udp --sport 123 -j ACCEPT | ||
+ | iptables -A FORWARD -p udp --dport 123 -j ACCEPT | ||
+ | iptables -A FORWARD -p udp -j DROP | ||
+ | </ |
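Review bot: The `iptables -A INPUT -j sshguard` jump in the new `# -- SSH GUARD --` section is appended after the multiport rule that already ACCEPTs NEW connections to port 22 on $WAN0, so SSH packets are accepted before they ever reach the sshguard chain and whatever sshguard inserts there has no effect; move the two sshguard lines above the `# Open several ports` block, or use `iptables -I INPUT -j sshguard` placed right after the `ESTABLISHED` conntrack rule. The `#--- More examples ---` section further down is not commented out, so it executes as part of the same script: it uses `$EXTIF`, which is not defined anywhere in the visible script after the interfaces became WAN0/LAN0/VIRBR0 (those iptables calls will fail or bind the wrong argument), it runs `iptables -N sshguard` a second time against an existing chain and appends a duplicate `-j sshguard`, and its unconditional `iptables -A FORWARD -j REJECT` and `iptables -A INPUT -p udp -j DROP` rules interact with what the earlier sections permit. Either fence that section off (e.g. `: <<'EXAMPLES'` … `EXAMPLES`, or comment every line) or move it to a separate page. Several rules in this view are cut at the table-cell boundary (the LOG prefix, the multiport port lists, the 192.168.0.0/ masks), so their exact contents could not be checked here.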