{"id":1841,"date":"2017-02-14T12:48:50","date_gmt":"2017-02-14T12:48:50","guid":{"rendered":"https:\/\/tst-amo.pp.ua\/blog\/?page_id=1841"},"modified":"2018-06-11T07:09:32","modified_gmt":"2018-06-11T07:09:32","slug":"iptables","status":"publish","type":"post","link":"https:\/\/tst-amo.net.ua\/blog\/?p=1841","title":{"rendered":"iptables"},"content":{"rendered":"

\u041e\u0447\u0438\u0441\u0442\u043a\u0430 \u043f\u0440\u0430\u0432\u0438\u043b \u0432 \u0442\u0430\u0431\u043b\u0438\u0446\u0435 INPUT<\/p>\n

iptables -F INPUT<\/pre>\n
\u041e\u0431\u043d\u0443\u043b\u0438\u0442\u044c \u0441\u0447\u0435\u0442\u0447\u0438\u043a\u0438<\/p>\n
iptables -Z INPUT<\/pre>\n
\u041f\u043e\u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c \u0441\u043f\u0438\u0441\u043e\u043a \u043f\u0440\u0430\u0432\u0438\u043b \u0432 \u0442\u0430\u0431\u043b\u0438\u0446\u0435 (v -)<\/p>\n
iptables -t nat -L -v<\/pre>\n
\u0421\u043e\u0437\u0434\u0430\u0442\u044c \u0446\u0435\u043f\u043e\u0447\u043a\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f<\/p>\n
iptables -N tcp_filter<\/pre>\n
iptables -N udp_filter<\/pre>\n
iptables -N icmp_filter<\/pre>\n
\u0423\u0434\u0430\u043b\u0438\u0442\u044c \u0446\u0435\u043f\u043e\u0447\u043a\u0443<\/p>\n
iptables -X tcp_filter<\/pre>\n
\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0443 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e<\/p>\n
iptables -P INPUT DROP<\/pre>\n
iptables -P OUTPUT ACCEPT<\/pre>\n
\u041f\u043e\u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c \u043f\u0440\u043e\u043d\u0443\u043c\u0435\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0441\u043f\u0438\u0441\u043e\u043a \u043f\u0440\u0430\u0432\u0438\u043b<\/p>\n
iptables -t nat -L -v --line-numbers<\/pre>\n
\u041f\u0440\u0430\u0432\u0438\u043b\u043e \u0434\u043b\u044f NAT<\/p>\n
iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE<\/pre>\n
\u041f\u0440\u0430\u0432\u0438\u043b\u043e \u0434\u043b\u044f MAC<\/p>\n
iptables -A INPUT -m mac --mac-source 00:12:23:ad:bb:2d -j ACCEPT<\/pre>\n
\u041f\u0440\u0430\u0432\u0438\u043b\u043e \u0434\u043b\u044f<\/p>\n
 <\/p>\n
\u041f\u0440\u0430\u0432\u0438\u043b\u043e \u0434\u043b\u044f<\/p>\n
 <\/p>\n
Block the most common attacks<\/a><\/h4>\n
# iptables -F<\/pre>\n
First, we start with blocking null packets<\/p>\n
# iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP<\/pre>\n
We told the firewall to take all incoming packets with tcp flags NONE and just DROP them.\u00a0The next pattern to reject is a syn-flood attack<\/p>\n
# iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP<\/pre>\n
Syn-flood attack means that the attackers open a new connection, but do not state\u00a0what they want (ie. SYN, ACK, whatever). They just want to take up our servers’ resources.\u00a0We won’t accept such packages. Now we move on to one more common pattern:\u00a0XMAS packets, also a recon packet.<\/p>\n
# iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP<\/pre>\n
Open up ports for selected services<\/h4>\n
Now we can allow web server traffic:<\/p>\n
# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT\r\n# iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT<\/pre>\n
Now, let’s allow users use our SMTP servers:<\/p>\n
# iptables -A INPUT -p tcp -m tcp --dport 25 -j ACCEPT\r\n# iptables -A INPUT -p tcp -m tcp --dport 465 -j ACCEPT<\/pre>\n
POP3 traffic:<\/p>\n
# iptables -A INPUT -p tcp -m tcp --dport 110 -j ACCEPT\r\n# iptables -A INPUT -p tcp -m tcp --dport 995 -j ACCEPT<\/pre>\n
Now we also need to allow IMAP mail protocol:<\/p>\n
# iptables -A INPUT -p tcp -m tcp --dport 143 -j ACCEPT\r\n# iptables -A INPUT -p tcp -m tcp --dport 993 -j ACCEPT<\/pre>\n
Limiting SSH access<\/h4>\n
We should also allow SSH traffic, so we can connect to the VPS remotely.
\nThe simple way to do it would be with this command:<\/p>\n
# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT<\/pre>\n
[root@cen752 svm]# w\r\n 10:04:14 up 2 days, 20:42, 5 users, load average: 0,09, 0,07, 0,05\r\nUSER   TTY     FROM           LOGIN@   IDLE   JCPU  PCPU   WHAT\r\nroot   tty1                   \u041f\u0442\u043d16    2days               -bash\r\nsvm    pts\/0   gateway        \u041f\u0442\u043d17    2days               sshd: svm [priv]\r\nsvm    pts\/1   192.168.113.11<\/span> \u041f\u0442\u043d16                        sshd: svm [priv]<\/pre>\n
Now, you can create the firewall rule to only allow traffic to SSH port\u00a0if it comes from one source: your IP address:<\/p>\n
# iptables -A INPUT -p tcp -s YOUR_IP_ADDRESS -m tcp --dport 22 -j ACCEPT<\/pre>\n
Replace YOUR_IP_ADDRESS with the actuall IP, of course.<\/p>\n
Right now, we need to add one more rule that will allow us to use outgoing connections
\n(ie. ping from VPS or run software updates);<\/p>\n
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<\/pre>\n
It will allow any established outgoing connections to receive replies from the VPS\u00a0on the other side of that connection. When we have it all set up,\u00a0we will block everything else, and allow all outgoing connections.<\/p>\n
# iptables -P OUTPUT ACCEPT\r\n# iptables -P INPUT DROP<\/pre>\n
 <\/p>\n
*****<\/p>\n
\u041f\u0440\u0435\u0434\u043f\u043e\u043b\u043e\u0436\u0438\u043c \u043d\u0430\u0434\u043e \u0437\u0430\u0431\u043b\u043e\u043a\u0438\u0440\u043e\u0432\u0430\u0442\u044c ip-\u0448\u043d\u0438\u043a 123.123.123.123, \u0442\u043e\u0433\u0434\u0430 \u0434\u0435\u043b\u0430\u0435\u043c \u044d\u0442\u043e \u0442\u0430\u043a:<\/p>\n
iptables -A<\/span> INPUT -s<\/span> 123.123.123.123 -j<\/span> DROP<\/pre>\n
<\/div>\n
<\/div>\n
<\/div>\n
\"image_pdf\"<\/a>\"image_print\"<\/a><\/div>","protected":false},"excerpt":{"rendered":"
\u041e\u0447\u0438\u0441\u0442\u043a\u0430 \u043f\u0440\u0430\u0432\u0438\u043b \u0432 \u0442\u0430\u0431\u043b\u0438\u0446\u0435 INPUT iptables -F INPUT \u041e\u0431\u043d\u0443\u043b\u0438\u0442\u044c \u0441\u0447\u0435\u0442\u0447\u0438\u043a\u0438 iptables -Z INPUT \u041f\u043e\u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c \u0441\u043f\u0438\u0441\u043e\u043a \u043f\u0440\u0430\u0432\u0438\u043b \u0432 \u0442\u0430\u0431\u043b\u0438\u0446\u0435 (v -) iptables -t nat -L -v \u0421\u043e\u0437\u0434\u0430\u0442\u044c \u0446\u0435\u043f\u043e\u0447\u043a\u0438 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u044f iptables -N tcp_filter iptables -N udp_filter iptables -N icmp_filter \u0423\u0434\u0430\u043b\u0438\u0442\u044c \u0446\u0435\u043f\u043e\u0447\u043a\u0443 iptables -X tcp_filter \u0423\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u043e\u043b\u0438\u0442\u0438\u043a\u0443 \u043f\u043e \u0443\u043c\u043e\u043b\u0447\u0430\u043d\u0438\u044e iptables -P INPUT DROP iptables -P OUTPUT ACCEPT \u041f\u043e\u0441\u043c\u043e\u0442\u0440\u0435\u0442\u044c …<\/p>\n
Continue reading ‘iptables’ »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[80,47],"tags":[],"class_list":["post-1841","post","type-post","status-publish","format-standard","hentry","category-iptables","category-linux"],"_links":{"self":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1841"}],"collection":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1841"}],"version-history":[{"count":6,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1841\/revisions"}],"predecessor-version":[{"id":2768,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1841\/revisions\/2768"}],"wp:attachment":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}