systemctl stop ufw
systemctl disable ufw
ls -lF /etc/iptables*
ls -lF /etc/iptables/rules.v4
ls -lF /etc/iptables/rules.v6
systemctl stop firewalld
systemctl disable firewalld
yum install iptables-services iptables-utils
ls -lF /etc/sysconfig/iptables
ls -lF /etc/sysconfig/ip6tables
check what chains you have got and whether the DOCKER chain is there already
iptables -L | grep ^Chain
ps auxww | grep dockerd
iptables -L -t filter
iptables -L -t nat
iptables -L -t mangle
==> in case you have Docker, see the dedicated guide for that purpose: netfilter.nat
Dealing with all network interfaces at once here, otherwise add -i netif to the rules
wget https://pub.nethence.com/bin/network/iptables.bash.txt
mv iptables.bash.txt iptables.bash
chmod +x iptables.bash
vi iptables.bash (tune accordingly)
Flush all the chains on the three tables
iptables -F
iptables -F -t nat
iptables -F -t mangle
to flush a specific chain e.g.
iptables -F INPUT
Delete any custom chain on the three tables
iptables -X
iptables -X -t nat
iptables -X -t mangle
The equivalent of block in all (the default policies)
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
and allow ICMP, for happy troubleshooting
iptables -A INPUT -p icmp -j ACCEPT
Save the rule set
iptables-save #> /etc/iptables.rules
and check that it re-applies fine
iptables-restore < /etc/iptables.rules
iptables -nvL
also
service iptables restore
RHEL/CentOS7+
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables
RHEL/CentOS6-
cd /etc/sysconfig/
cp -pi iptables-config iptables-config.`date +%s`
cp -pi system-config-securitylevel system-config-securitylevel.`date +%s`
#system-config-securitylevel-tui
chkconfig iptables on
chkconfig ip6tables on
Debian
apt install iptables-persistent
systemctl enable netfilter-persistent
Debian DIY
vi /etc/network/if-pre-up.d/iptables

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.rules

chmod +x /etc/network/if-pre-up.d/iptables
DIY
vi /etc/rc.local

echo -n loading /etc/iptables.rules...
iptables-restore < /etc/iptables.rules && echo done

chmod +x /etc/rc.local
Reboot and check that you can ping and reach your services from a remote host, and that the rest is truly filtered accordingly (return, not drop), using ping, nmap, nc, telnet, …
To be safe while accessing a remote server and testing new rules, flush those every 5 minutes,
crontab -e

*/5 * * * * /usr/sbin/iptables -F
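A safer alternative to the unattended flush above, added here as an example and not part of the original page: an unattended -F leaves the DROP policies set earlier in place, so it cuts everything off rather than letting you back in, whereas restoring the previous ruleset does. It assumes the candidate rules are in iptables-save format, that iptables-restore --test (parse only, no commit) is available, and that IPT_SAVE/IPT_RESTORE may be pointed at stubs for a dry run.

```shell
#!/bin/sh
# Apply a candidate ruleset with a timed rollback to the previous one
# (added example). IPT_SAVE / IPT_RESTORE can be overridden, e.g. with
# stubs, to exercise the logic without root.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"
ROLLBACK_PID="${ROLLBACK_PID:-/tmp/iptables.rollback.pid}"

# Sanity-check a file in iptables-save format before committing it: it must
# end in COMMIT, keep ESTABLISHED traffic (so the current SSH session survives
# a DROP policy) and pass iptables-restore --test (parse only).
check_rules() {   # usage: check_rules FILE
    grep -q '^COMMIT' "$1" || return 1
    grep -q 'ESTABLISHED' "$1" || return 1
    "$IPT_RESTORE" --test < "$1"
}

# Save the live ruleset, load FILE, and schedule a restore of the saved
# ruleset after SECS seconds unless confirm_rules is run in the meantime.
apply_with_rollback() {   # usage: apply_with_rollback FILE SECS
    backup=$(mktemp) || return 1
    "$IPT_SAVE" > "$backup" || return 1
    check_rules "$1" || { echo "refusing to load $1" >&2; return 1; }
    "$IPT_RESTORE" < "$1" || { "$IPT_RESTORE" < "$backup"; return 1; }
    ( sleep "$2"; "$IPT_RESTORE" < "$backup"; rm -f "$backup" ) &
    echo $! > "$ROLLBACK_PID"
    echo "loaded $1; rollback to $backup in $2 s unless confirmed" >&2
}

# Cancel the pending rollback once a fresh login has proven the rules work.
confirm_rules() {
    pid=$(cat "$ROLLBACK_PID" 2>/dev/null) || return 1
    kill "$pid" 2>/dev/null && rm -f "$ROLLBACK_PID"
}

# usage: apply_with_rollback /etc/iptables.rules 300
#        then, from a NEW session: confirm_rules
```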
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
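The LOG target matches whatever reaches it, so that rule only reports "denied" traffic when it is the last rule in INPUT, just before the DROP policy takes over; and with --limit 5/min the counts are a lower bound. To make the log usable, here is an added example (not from the original page) that summarises dmesg output by source, protocol and destination port; the sample lines are constructed in the netfilter LOG format with documentation addresses.

```shell
#!/bin/sh
# Added example: summarise what the "iptables denied: " LOG rule reports.
# SAMPLE_LOG is constructed; on a live box feed dmesg output instead.
SAMPLE_LOG='[  100.1] iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=23 SYN URGP=0
[  100.2] iptables denied: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=76 TTL=60 PROTO=UDP SPT=4000 DPT=161
[  100.3] iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=23 SYN URGP=0
[  100.4] iptables denied: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TTL=52 PROTO=ICMP TYPE=8 CODE=0
[  100.5] eth0: link becomes ready'

# stdin: kernel log lines; stdout: "count SRC PROTO DPT", busiest first.
# Only lines carrying the --log-prefix count; ICMP has no DPT, shown as "-".
# Because the LOG rule is rate-limited (5/min), counts are a lower bound.
summarize_denied() {
    awk '/iptables denied:/ {
        src = ""; proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") n[src " " proto " " dpt]++
    }
    END { for (k in n) print n[k], k }' | sort -rn
}

# live use: dmesg | summarize_denied
printf '%s\n' "$SAMPLE_LOG" | summarize_denied
```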
If you really want to restrict ICMP to ping (bad idea),
#-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
you can also add other restrictions to ICMP e.g.,
-A INPUT -p icmp -m state --state NEW,ESTABLISHED -m limit --limit 10/s -j ACCEPT
If you are experiencing issues accessing some services, -m state --state NEW may be the cause; try without it.
You can define some restrictions for tcp ports e.g.,
#-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -m limit --limit 1/s -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
Note. the short and simplest form would be,
#iptables -A INPUT -m state --state NEW -j ACCEPT
#iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Note. also worth a look,
#... -j REJECT --reject-with tcp-reset
Allow your NIC to talk to a precise subnet only
iptables -A INPUT -i eth0 -s 10.1.1.0/24 -d 10.1.1.0/24 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 10.1.1.0/24 -d 10.1.1.0/24 -j ACCEPT
Or allow the whole computer to talk to a precise subnet only
iptables -A INPUT -s 10.1.1.0/24 -d 10.1.1.0/24 -j ACCEPT
iptables -A OUTPUT -s 10.1.1.0/24 -d 10.1.1.0/24 -j ACCEPT
leftovers
iptables -t nat -A POSTROUTING -o xenbr0 -s 192.168.56.0/24 -j MASQUERADE
iptables -A FORWARD -i xenbr0 -o vboxnet0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i vboxnet0 -o xenbr0 -j ACCEPT
#iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
#iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
iptables -A FORWARD -j LOG
#iptables -A INPUT -i vboxnet0 -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
#iptables -A OUTPUT -o vboxnet0 -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
iptables -A INPUT -i vboxnet0 -j ACCEPT
iptables -A OUTPUT -o vboxnet0 -j ACCEPT
Chapter 11. iptables firewall http://linux-training.be/security/ch11.html
Laptop Iptables configuration http://www.pantz.org/software/iptables/laptopiptables.html
DMZ IP Firewall script for Linux 2.4.x and iptables http://iptables-tutorial.frozentux.net/scripts/rc.DMZ.firewall.txt
Chapter 1: Care and Feeding of iptables http://www.cipherdyne.org/LinuxFirewalls/ch01/
iptables & netfilter - How to get started http://security.maruhn.com/
Netfilter et IP Tables… http://christian.caleca.free.fr/netfilter.html
https://www.man7.org/linux/man-pages/man8/iptables.8.html
https://ipset.netfilter.org/iptables-extensions.man.html
REJECT https://unix.stackexchange.com/questions/191607/iptables-and-return-target
DROP http://www.chiark.greenend.org.uk/~peterb/network/drop-vs-reject
What is the correct way to open a range of ports in iptables https://serverfault.com/questions/594835/what-is-the-correct-way-to-open-a-range-of-ports-in-iptables
Linux: Iptables Forward Multiple Ports https://www.cyberciti.biz/faq/linux-iptables-multiport-range/
https://wiki.debian.org/iptables
https://wiki.debian.org/DebianFirewall
How To Install and Configure Config Server Firewall (CSF) on Ubuntu https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-config-server-firewall-csf-on-ubuntu
https://www.linuxtopia.org/Linux_Firewall_iptables/x2682.html
==> those rules are just “matches” as in --match