Default Configurations
When you install Ubuntu, iptables is there, but it allows all traffic by default.List your current iptables configuration
Please enter the below command.#sudo iptables -L
If you have just set up your server or if your configuration is in default state, you will have no rules, and you should see:
Allowing Established Sessions
To allow the established sessions to receive traffics, enter the below command (Below rule has no spaces either side of the comma in ESTABLISHED,RELATED)#sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
If the above rule is not working, please use the below rule:
#sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
To check whether the above configuration is successfully applied, enter
#sudo iptables -L
You will get the below output.
Allowing Incoming Traffic on Specific Ports
When ever you planning to block traffic, if you are working remotely through a ssh session, first allow ssh traffic. To allow incoming traffic on the default SSH port (22), you could tell iptables to allow all TCP traffic on that port to come in.
#sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
-A - Append this rule to a rule chain. Valid chains for what we're doing are INPUT, FORWARD and OUTPUT, but we mostly deal with INPUT in this tutorial, which affects only incoming traffic.
-p - The connection protocol used.
--dport - The destination port(s) required for this rule. A single port may be given, or a range may be given as start:end, which will match all ports from start to end, inclusive.
-j - Jump to the specified target. By default, iptables allows four targets:
ACCEPT - Accept the packet and stop processing rules in this chain.
REJECT - Reject the packet and notify the sender that we did so, and stop processing rules in this chain.
DROP - Silently ignore the packet, and stop processing rules in this chain.
LOG - Log the packet, and continue processing more rules in this chain. Allows the use of the --log-prefix and --log-level options.
To check whether the above configuration is successfully applied, enter
#sudo iptables -L
You will get the below output.
Below rule will allow all incoming http traffic.
#sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
For an example, if you are planning to configure iptables for a web server, above two rules is to allow ssh, www traffic.
Blocking Traffic
Always the default method is to apply rules based on the top-down approach. Once a decision is made to accept a packet, no more rules affect it. As your rules allowing ssh and web traffic come first, as long as your rule to block all traffic comes after them, you can still accept the traffic you want. All you need to do is put the rule to block all traffic at the end.Below command is to add default deny rule to the end. Because the below rule don't specify an interface or a protocol, any traffic for any port on any interface is blocked, except for web and ssh.
When you follow the above step you are going to block the loopback interface also. You can write the drop rule for just eth0 by specifying -i eth0.
#sudo iptables -A INPUT -i eth0 -j DROP
To allow traffic for the loopback port, you can now append a rule. But If you append this rule, it will come too late - after all the traffic has been dropped. You need to insert this rule before that. The below command inserts it as the second rule for the list.
#sudo iptables -I INPUT 2 -i lo -j ACCEPT
2 - of the above rule specify that this rule should be added as the second rule for the allowed list.
To view the configuration, use the below command
#sudo iptables -L -v
The output would look like below.
Logging
In the above examples none of the traffic will be logged. If you would like to log dropped packets to syslog, this would be the quickest way:
#sudo iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Saving iptables
If you were to reboot your machine right now, your iptables configuration would disappear. Rather than type this each time you reboot, however, you can save the configuration, and have it start up automatically. To save the configuration, you can use iptables-save and iptables-restore.
Save your firewall rules to a file
#sudo sh -c "iptables-save > /etc/iptables.rules"
At this point you have several options. You can make changes to /etc/network/interfaces or add scripts to /etc/network/if-pre-up.d/ and /etc/network/if-post-down.d/ to achieve similar ends. The script solution allows for slightly more flexibility.
Solution #1 - /etc/network/interfaces
(NB: be careful - entering incorrect configuration directives into the interface file could disable all interfaces, potentially locking you out of a remote machine.)
Modify the /etc/network/interfaces configuration file to apply the rules automatically. You will need to know the interface that you are using in order to apply the rules - if you do not know, you are probably using the interface eth0, although you should check with the following command first to see if there are any wireless cards:
iwconfig
If you get output similar to the following, then you do not have any wireless cards at all and your best bet is probably eth0.
lo no wireless extensions.
eth0 no wireless extensions.
When you have found out the interface you are using, edit (using #sudo) your /etc/network/interfaces:
#sudo nano /etc/network/interfaces
When in the file, search for the interface you found, and at the end of the network related lines for that interface, add the line:
pre-up iptables-restore < /etc/iptables.rules
You can also prepare a set of down rules, save them into second file /etc/iptables.downrules and apply it automatically using the above steps:
post-down iptables-restore < /etc/iptables.downrules
A fully working example using both from above:
auto eth0
iface eth0 inet dhcp
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-restore < /etc/iptables.downrules
You may also want to keep information from byte and packet counters.
#sudo sh -c "iptables-save -c > /etc/iptables.rules"
The above command will save the whole rule-set to a file called /etc/iptables.rules with byte and packet counters still intact.
Solution #2 /etc/network/if-pre-up.d and ../if-post-down.d
NOTE: This solution uses iptables-save -c to save the counters. Just remove the -c to only save the rules.
Alternatively you could add the iptables-restore and iptables-save to the if-pre-up.d and if-post-down.d directories in the /etc/network directory instead of modifying /etc/network/interface directly.
The script /etc/network/if-pre-up.d/iptablesload will contain:
#!/bin/sh
iptables-restore < /etc/iptables.rules
exit 0
and /etc/network/if-post-down.d/iptablessave will contain:
#!/bin/sh
iptables-save -c > /etc/iptables.rules
if [ -f /etc/iptables.downrules ]; then
iptables-restore < /etc/iptables.downrules
fi
exit 0
Then be sure to give both scripts execute permissions:
#sudo chmod +x /etc/network/if-post-down.d/iptablessave
#sudo chmod +x /etc/network/if-pre-up.d/iptablesload
0 comments:
Post a Comment