Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revision | |||
| gnu_linux:iptables:sample [2014/10/20 07:34] – More examples added kolan | gnu_linux:iptables:sample [2015/11/25 08:59] (current) – kolan | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Iptables/ | + | ====== Iptables/ |
| - | <code bash | Netfilter rules example># | + | <code bash | Netfilter rules for server># |
| - | # Interfaces | + | # -- INTERFACES -- |
| - | EXTIF1=eth0 | + | WAN0=wan0 |
| - | EXTIF2=usb0 | + | LAN0=lan0 |
| - | INTIF1=vboxnet0 | + | VIRBR0=virbr0 |
| - | INTIF2=wlan0 | + | |
| - | # Delete all existing rules | + | # -- DEFAULT POLICIES -- |
| + | iptables -P INPUT DROP | ||
| + | iptables -P FORWARD DROP | ||
| + | iptables -P OUTPUT ACCEPT | ||
| + | |||
| + | # -- CLEAR -- | ||
| iptables -F | iptables -F | ||
| iptables -X | iptables -X | ||
| iptables -t nat -F | iptables -t nat -F | ||
| iptables -t mangle -F | iptables -t mangle -F | ||
| + | iptables -t nat -X | ||
| + | iptables -t mangle -X | ||
| - | # Always accept loopback traffic | + | # -- SYN FLOOD -- |
| + | iptables -N SYN-FLOOD | ||
| + | for PORT in 21 22 25 80 139 143 443 445 3128 3130 5222 5223 5269 5280 6080 9418 11194 49164; do | ||
| + | iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -m hashlimit --hashlimit 10/min --hashlimit-burst 10 \ | ||
| + | --hashlimit-htable-expire 3600 --hashlimit-mode srcip --hashlimit-name synflood -j ACCEPT | ||
| + | iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -j LOG --log-prefix " | ||
| + | iptables -A SYN-FLOOD -p tcp --dport $PORT --syn -j DROP | ||
| + | iptables -A SYN-FLOOD -p tcp --dport $PORT ! --syn -j RETURN | ||
| + | done | ||
| + | |||
| + | # -- INPUT -- | ||
| iptables -A INPUT -i lo -j ACCEPT | iptables -A INPUT -i lo -j ACCEPT | ||
| + | iptables -A INPUT -i $WAN0 -s 192.168.1.1 -j ACCEPT # Allow Router | ||
| + | iptables -A INPUT -i $WAN0 -s xx.yy.zz.123 -j ACCEPT # Allow someone | ||
| + | iptables -A INPUT -i $LAN0 -s 192.168.0.0/ | ||
| + | iptables -A INPUT -i $VIRBR0 -s 192.168.0.0/ | ||
| - | # Allow established connections, and those not coming from the outside | + | # Allow packets for established connections |
| iptables -A INPUT -m conntrack --ctstate ESTABLISHED, | iptables -A INPUT -m conntrack --ctstate ESTABLISHED, | ||
| - | iptables -A FORWARD -m conntrack --ctstate ESTABLISHED, | ||
| - | iptables -A INPUT -m conntrack --ctstate NEW -i $INTIF1 -j ACCEPT | ||
| - | iptables -A INPUT -m conntrack --ctstate NEW -i $INTIF2 -j ACCEPT | ||
| - | # Allow outgoing | + | # http:// |
| - | iptables -A FORWARD | + | iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP |
| - | iptables -A FORWARD | + | iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP |
| + | iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP | ||
| + | iptables -A INPUT -f -j DROP | ||
| + | #iptables -I INPUT -m conntrack --ctstate INVALID | ||
| - | # Connect LANs | + | # SYN-flood |
| - | iptables | + | iptables -A INPUT -i $WAN0 -p tcp --syn -j SYN-FLOOD |
| - | iptables -A FORWARD | + | |
| - | iptables | + | |
| - | iptables | + | |
| - | # Masquerade | + | # Open several ports |
| - | iptables | + | iptables -A INPUT -i $WAN0 -p tcp -m tcp -m multiport --dports \ |
| - | iptables -t nat -A POSTROUTING | + | 21, |
| + | -d 192.168.1.22 \ | ||
| + | -m conntrack --ctstate NEW -j ACCEPT | ||
| + | iptables -A INPUT -i $LAN0 -p tcp -m tcp -m multiport --dports \ | ||
| + | 22, | ||
| + | -d 192.168.1.2 \ | ||
| + | -m conntrack --ctstate NEW -j ACCEPT | ||
| + | iptables | ||
| + | 53, | ||
| + | -m conntrack --ctstate NEW -j ACCEPT | ||
| - | # Don't forward from the outside to the inside | + | # Allow ping for local subnets |
| - | iptables -A FORWARD | + | iptables -A INPUT -i $LAN0 -p icmp --icmp-type echo-request -d 192.168.1.2 -m limit --limit 2/s --limit-burst 3 -j ACCEPT |
| - | iptables -A FORWARD | + | iptables -A INPUT -i $VIRBR0 -p icmp --icmp-type echo-request -d 192.168.122.1 -m limit --limit 2/s --limit-burst 3 -j ACCEPT |
| - | # MTU | + | # Game Servers |
| - | iptables -I FORWARD | + | iptables -A INPUT -i $WAN0 -p udp --dport 27960 -j ACCEPT |
| + | iptables | ||
| - | # Block all outgoing connections from $INTIF2 to all except several ips/subnets | + | # DHCP/DNS for LAN0 and VIRBR0 |
| - | iptables -I FORWARD | + | iptables -A INPUT -i $LAN0 -p udp --dport 53 -j ACCEPT |
| - | iptables -I FORWARD | + | iptables -A INPUT -i $VIRBR0 -p udp --dport 53 -j ACCEPT |
| - | iptables -I FORWARD -i $INTIF2 | + | iptables -A INPUT -i $VIRBR0 -p udp -d 255.255.255.255 --dport 67 -j ACCEPT |
| - | iptables -I FORWARD -i $INTIF2 | + | |
| - | iptables -I FORWARD -i $INTIF2 | + | # -- FORWARD -- |
| - | iptables -I FORWARD | + | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu |
| + | #iptables -A FORWARD -j SYN-FLOOD | ||
| + | iptables -A FORWARD -m conntrack --ctstate ESTABLISHED, | ||
| + | iptables -A FORWARD -i $VIRBR0 | ||
| + | iptables -A FORWARD -i $LAN0 -o $VIRBR0 | ||
| + | iptables -A FORWARD -i $VIRBR0 -o $LAN0 -j ACCEPT | ||
| + | #iptables -A FORWARD -i $LAN0 -o $WAN0 -s 192.168.0.0/ | ||
| + | # -m conntrack --ctstate NEW -j ACCEPT | ||
| + | |||
| + | # -- MASQUERADE -- | ||
| + | iptables -t nat -A POSTROUTING -o $WAN0 -j MASQUERADE | ||
| + | |||
| + | # -- SQUID -- | ||
| + | #iptables -t nat -A PREROUTING | ||
| + | #iptables | ||
| + | |||
| + | # -- SSH GUARD -- | ||
| + | iptables -N sshguard | ||
| + | iptables -A INPUT -j sshguard | ||
| + | |||
| + | # Allow tiny proxy only for Someone | ||
| + | #iptables -A INPUT -i $EXTIF -p tcp --dport 3130 ! -s xx.yy.zz.123 -j DROP | ||
| - | # BROOT FORCE protection on several ports | ||
| - | for PORT in 4369 5222 5223 5269 5280 8090 11194 49164; do | ||
| - | iptables -A INPUT -p tcp --dport $PORT --syn -m limit --limit 1/m --limit-burst 5 -j ACCEPT | ||
| - | iptables -A INPUT -p tcp --dport $PORT --syn -j DROP | ||
| - | done | ||
| # | # | ||