gnu_linux:iptables:sample [2014/10/20 07:34] – More examples added kolan | gnu_linux:iptables:sample [2015/11/25 08:59] (current) – kolan | ||
Line 1: | Line 1: | ||
- | ====== Iptables/ | + | ====== Iptables/ |
- | <code bash | Netfilter rules example># | + | <code bash | Netfilter rules for server># |
- | # Interfaces | + | # -- INTERFACES -- |
- | EXTIF1=eth0 | + | WAN0=wan0 |
- | EXTIF2=usb0 | + | LAN0=lan0 |
- | INTIF1=vboxnet0 | + | VIRBR0=virbr0 |
- | INTIF2=wlan0 | + | |
- | # Delete all existing rules | + | # -- DEFAULT POLICIES -- |
+ | iptables -P INPUT DROP | ||
+ | iptables -P FORWARD DROP | ||
+ | iptables -P OUTPUT ACCEPT | ||
+ | |||
+ | # -- CLEAR -- | ||
iptables -F | iptables -F | ||
iptables -X | iptables -X | ||
iptables -t nat -F | iptables -t nat -F | ||
iptables -t mangle -F | iptables -t mangle -F | ||
+ | iptables -t nat -X | ||
+ | iptables -t mangle -X | ||
- | # Always accept loopback traffic | + | # -- SYN FLOOD -- |
+ | iptables -N SYN-FLOOD | ||
+ | for PORT in 21 22 25 80 139 143 443 445 3128 3130 5222 5223 5269 5280 6080 9418 11194 49164; do | ||
+ | iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -m hashlimit --hashlimit 10/min --hashlimit-burst 10 \ | ||
+ | --hashlimit-htable-expire 3600 --hashlimit-mode srcip --hashlimit-name synflood -j ACCEPT | ||
+ | iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -j LOG --log-prefix " | ||
+ | iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -j DROP | ||
+ | iptables -A SYN-FLOOD -p tcp --dport $PORT ! --syn -j RETURN | ||
+ | done | ||
+ | |||
+ | # -- INPUT -- | ||
iptables -A INPUT -i lo -j ACCEPT | iptables -A INPUT -i lo -j ACCEPT | ||
+ | iptables -A INPUT -i $WAN0 -s 192.168.1.1 -j ACCEPT # Allow Router | ||
+ | iptables -A INPUT -i $WAN0 -s xx.yy.zz.123 -j ACCEPT # Allow someone | ||
+ | iptables -A INPUT -i $LAN0 -s 192.168.0.0/ | ||
+ | iptables -A INPUT -i $VIRBR0 -s 192.168.0.0/ | ||
- | # Allow established connections, and those not coming from the outside | + | # Allow packets for established connections |
iptables -A INPUT -m conntrack --ctstate ESTABLISHED, | iptables -A INPUT -m conntrack --ctstate ESTABLISHED, | ||
- | iptables -A FORWARD -m conntrack --ctstate ESTABLISHED, | ||
- | iptables -A INPUT -m conntrack --ctstate NEW -i $INTIF1 -j ACCEPT | ||
- | iptables -A INPUT -m conntrack --ctstate NEW -i $INTIF2 -j ACCEPT | ||
- | # Allow outgoing | + | # http:// |
- | iptables -A FORWARD | + | iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP |
- | iptables -A FORWARD | + | iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP |
+ | iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP | ||
+ | iptables -A INPUT -f -j DROP | ||
+ | #iptables -I INPUT -m conntrack --ctstate INVALID | ||
- | # Connect LANs | + | # SYN-flood |
- | iptables | + | iptables -A INPUT -i $WAN0 -p tcp --syn -j SYN-FLOOD |
- | iptables -A FORWARD | + | |
- | iptables | + | |
- | iptables | + | |
- | # Masquerade | + | # Open several ports |
- | iptables | + | iptables -A INPUT -i $WAN0 -p tcp -m tcp -m multiport --dports \ |
- | iptables -t nat -A POSTROUTING | + | 21, |
+ | -d 192.168.1.22 \ | ||
+ | -m conntrack --ctstate NEW -j ACCEPT | ||
+ | iptables -A INPUT -i $LAN0 -p tcp -m tcp -m multiport --dports \ | ||
+ | 22, | ||
+ | -d 192.168.1.2 \ | ||
+ | -m conntrack --ctstate NEW -j ACCEPT | ||
+ | iptables | ||
+ | 53, | ||
+ | -m conntrack --ctstate NEW -j ACCEPT | ||
- | # Don't forward from the outside to the inside | + | # Allow ping for local subnets |
- | iptables -A FORWARD | + | iptables -A INPUT -i $LAN0 -p icmp --icmp-type echo-request -d 192.168.1.2 -m limit --limit 2/s --limit-burst 3 -j ACCEPT |
- | iptables -A FORWARD | + | iptables -A INPUT -i $VIRBR0 -p icmp --icmp-type echo-request -d 192.168.122.1 -m limit --limit 2/s --limit-burst 3 -j ACCEPT |
- | # MTU | + | # Game Servers |
- | iptables -I FORWARD | + | iptables -A INPUT -i $WAN0 -p udp --dport 27960 -j ACCEPT |
+ | iptables | ||
- | # Block all outgoing connections from $INTIF2 to all except several ips/subnets | + | # DHCP/DNS for LAN0 and VIRBR0 |
- | iptables -I FORWARD | + | iptables -A INPUT -i $LAN0 -p udp --dport 53 -j ACCEPT |
- | iptables -I FORWARD | + | iptables -A INPUT -i $VIRBR0 -p udp --dport 53 -j ACCEPT |
- | iptables -I FORWARD -i $INTIF2 | + | iptables -A INPUT -i $VIRBR0 -p udp -d 255.255.255.255 --dport 67 -j ACCEPT |
- | iptables -I FORWARD -i $INTIF2 | + | |
- | iptables -I FORWARD -i $INTIF2 | + | # -- FORWARD -- |
- | iptables -I FORWARD | + | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
+ | #iptables -A FORWARD -j SYN-FLOOD | ||
+ | iptables -A FORWARD -m conntrack --ctstate ESTABLISHED, | ||
+ | iptables -A FORWARD -i $VIRBR0 | ||
+ | iptables -A FORWARD -i $LAN0 -o $VIRBR0 | ||
+ | iptables -A FORWARD -i $VIRBR0 -o $LAN0 -j ACCEPT | ||
+ | #iptables -A FORWARD -i $LAN0 -o $WAN0 -s 192.168.0.0/ | ||
+ | # -m conntrack --ctstate NEW -j ACCEPT | ||
+ | |||
+ | # -- MASQUERADE -- | ||
+ | iptables -t nat -A POSTROUTING -o $WAN0 -j MASQUERADE | ||
+ | |||
+ | # -- SQUID -- | ||
+ | #iptables -t nat -A PREROUTING | ||
+ | #iptables | ||
+ | |||
+ | # -- SSH GUARD -- | ||
+ | iptables -N sshguard | ||
+ | iptables -A INPUT -j sshguard | ||
+ | |||
+ | # Allow tiny proxy only for Someone | ||
+ | #iptables -A INPUT -i $EXTIF -p tcp --dport 3130 ! -s xx.yy.zz.123 -j DROP | ||
- | # BROOT FORCE protection on several ports | ||
- | for PORT in 4369 5222 5223 5269 5280 8090 11194 49164; do | ||
- | iptables -A INPUT -p tcp --dport $PORT --syn -m limit --limit 1/m --limit-burst 5 -j ACCEPT | ||
- | iptables -A INPUT -p tcp --dport $PORT --syn -j DROP | ||
- | done | ||
# | # |
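Review bot: The `iptables -A INPUT -j sshguard` jump is appended after the multiport ACCEPT rules, so a packet that matches one of those `--ctstate NEW -j ACCEPT` lines (or the earlier ESTABLISHED rule) never reaches the sshguard chain; if 22 is in the truncated $WAN0 `--dports` list, sshguard's blocks would have no effect on SSH from the WAN side. Moving `iptables -N sshguard` and `iptables -A INPUT -j sshguard` up to directly after `iptables -A INPUT -i lo -j ACCEPT` makes the chain evaluated before any ACCEPT. In the SYN-FLOOD chain the LOG rule sits after the hashlimit ACCEPT with no limit of its own, so every SYN over the threshold produces a log line; adding `-m limit --limit 5/min --limit-burst 10` before `-j LOG` on that line bounds the log volume during a flood. The code block is rendered truncated on this page (`--dports` lists, `--log-prefix`, several `-s` subnets), so these points are read from the visible portions only.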