iptables

Posted by on

Очистка правил в таблице INPUT

iptables -F INPUT

Обнулить счетчики

iptables -Z INPUT

Посмотреть список правил в таблице (v -)

iptables -t nat -L -v

Создать цепочки пользователя

iptables -N tcp_filter
iptables -N udp_filter
iptables -N icmp_filter

Удалить цепочку

iptables -X tcp_filter

Установить политику по умолчанию

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

Посмотреть пронумерованный список правил

iptables -t nat -L -v --line-numbers

Правило для NAT

iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

Правило для MAC

iptables -A INPUT -m mac --mac-source 00:12:23:ad:bb:2d -j ACCEPT

Правило для

 

Правило для

 

Block the most common attacks

# iptables -F

First, we start with blocking null packets

# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

We told the firewall to take all incoming packets with tcp flags NONE and just DROP them. The next pattern to reject is a syn-flood attack

# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Syn-flood attack means that the attackers open a new connection, but do not state what they want (ie. SYN, ACK, whatever). They just want to take up our servers’ resources. We won’t accept such packages. Now we move on to one more common pattern: XMAS packets, also a recon packet.

# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Open up ports for selected services

Now we can allow web server traffic:

# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT

Now, let’s allow users use our SMTP servers:

# iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT

POP3 traffic:

# iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT

Now we also need to allow IMAP mail protocol:

# iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
# iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT

Limiting SSH access

We should also allow SSH traffic, so we can connect to the VPS remotely.
The simple way to do it would be with this command:

# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[root@cen752 svm]# w
 10:04:14 up 2 days, 20:42, 5 users, load average: 0,09, 0,07, 0,05
USER   TTY     FROM           LOGIN@   IDLE   JCPU  PCPU   WHAT
root   tty1                   Птн16    2days               -bash
svm    pts/0   gateway        Птн17    2days               sshd: svm [priv]
svm    pts/1   192.168.113.11 Птн16                        sshd: svm [priv]

Now, you can create the firewall rule to only allow traffic to SSH port if it comes from one source: your IP address:

# iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT

Replace YOUR_IP_ADDRESS with the actuall IP, of course.

Right now, we need to add one more rule that will allow us to use outgoing connections
(ie. ping from VPS or run software updates);

# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

It will allow any established outgoing connections to receive replies from the VPS on the other side of that connection. When we have it all set up, we will block everything else, and allow all outgoing connections.

# iptables -P OUTPUT ACCEPT
# iptables -P INPUT DROP

 

*****

Предположим надо заблокировать ip-шник 123.123.123.123, тогда делаем это так:

iptables -A INPUT -s 123.123.123.123 -j DROP
image_pdfimage_print