Iptables

Block Traffic from public interface

iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 8833 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 8080 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 8443 -j ACCEPT
iptables -A INPUT -i eth0 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " 
iptables -A INPUT -i eth0 -j DROP

The order matters. First we accept packets that belong to a connection we already know (ESTABLISHED) or that a conntrack helper has tied to one (RELATED), then the TCP services we expose on eth0 (80, 443, 8833, 8080, 8443); everything else arriving on eth0 is logged and dropped. The LOG rule is rate-limited to 5 lines a minute so a port scan cannot fill the disk; packets beyond the limit fall through to the DROP silently. The INPUT policy stays ACCEPT, which is why the explicit DROP at the end is needed, and traffic on other interfaces (including lo) is not touched. The rules are appended with -A, so running the block twice duplicates them; flush the chain (iptables -F INPUT) before loading it again.

Log the traces

The LOG target writes to the kernel ring buffer, not to syslog directly; klogd reads the ring buffer and hands the messages to syslogd. So first make sure klogd is running (it forwards to syslogd by default; only -f <file> diverts the messages elsewhere). On this box it runs with -x -s:

:/var/log# ps -edaf | grep klogd
root     10405     1  0 17:38 ?        00:00:00 /sbin/klogd -x -s
root     10964  9790  0 17:44 pts/0    00:00:00 grep klogd

These options are set in /etc/default/klogd (the KLOGD variable).

syslogd then needs a line in /etc/syslog.conf that sends the kernel facility to a file; the leading - makes the writes asynchronous (no fsync after every line, which matters when a scan produces a burst of entries):

kern.*				-/var/log/kern.log

The --log-prefix given in the LOG rule is what lets you pick the firewall entries out of the other kernel messages in that file.
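As an added example (not code from the wiki page) of what the log rule buys you: a script that picks the "iptables denied: " lines out of kern.log and summarises which sources were denied on which ports, and how many distinct ports a single source tried. The log lines embedded in it are constructed to match the LOG target's output format (with RFC 5737 documentation addresses), not captured from the host above; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the wiki page: summarise the "iptables denied: "
# lines that the LOG rule above produces in /var/log/kern.log.
# The sample below is constructed in the LOG target's format (RFC 5737
# documentation addresses), not captured from a real host.
set -eu

SAMPLE_LOG='Mar 12 17:40:01 et1-etch kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:aa:bb:cc:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1001 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 17:40:03 et1-etch kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:aa:bb:cc:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1002 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 17:40:09 et1-etch kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:aa:bb:cc:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1003 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 12 17:41:20 et1-etch kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:aa:bb:cc:08:00 SRC=198.51.100.40 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=2001 DF PROTO=UDP SPT=137 DPT=137 LEN=28
Mar 12 17:41:31 et1-etch kernel: Unrelated kernel message: eth0: link up
Mar 12 17:42:00 et1-etch kernel: iptables denied: IN=eth0 OUT= MAC=00:16:3e:12:34:56:00:50:56:aa:bb:cc:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1004 DF PROTO=TCP SPT=51237 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# stdin: kern.log lines. stdout: "count src proto dport", busiest first.
# Fields are picked by name (SRC=, PROTO=, DPT=) rather than by column,
# because the LOG format is not positional: MAC=, DF, TCP flags and the
# UDP/TCP specific fields all shift the columns around.
summarize_denied() {
    grep -F 'iptables denied: ' |
    awk '{
        src = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print count[k], k }' |
    LC_ALL=C sort -k1,1nr -k2
}

# Number of distinct destination ports one source was denied on. A single
# host probing many ports in a short window is a scan, not a broken client.
ports_tried_by() {
    grep -F 'iptables denied: ' | grep -F "SRC=$1 " |
    sed -n 's/.* DPT=\([0-9]*\).*/\1/p' | sort -un | awk 'END { print NR }'
}

# Demo on the constructed sample; on a real host use:
#   summarize_denied < /var/log/kern.log
printf '%s\n' "$SAMPLE_LOG" | summarize_denied
```

On the sample the summary puts 203.0.113.7 hitting port 22 twice at the top, and ports_tried_by 203.0.113.7 reports three distinct ports (22, 23, 3389). Because the LOG rule is limited to 5 lines a minute, the counts are a lower bound on what was actually dropped; the counters from iptables -L -v -n give the real totals.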


Check status

-v shows per-rule packet and byte counters, -n skips the DNS and port-name lookups that otherwise slow the listing down or hang it. Only the filter table is shown; add -t nat to see the NAT rules. The listing below comes from a host (et1-etch) with an empty INPUT chain that only filters forwarded traffic: new ICMP is rate-limited to 3 packets/sec (burst 9) and NetBIOS/SMB (TCP and UDP 137-139 and 445) is dropped in both directions. The counters on those DROP rules tell you whether anything ever hits them.

et1-etch:~# iptables -L -v -n
Chain INPUT (policy ACCEPT 8227 packets, 4614K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1225  103K ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW limit: avg 3/sec burst 9 
31863 2676K DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:137:139 
   0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445 
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139 
   0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445 

Chain OUTPUT (policy ACCEPT 7140 packets, 668K bytes)
 pkts bytes target     prot opt in     out     source               destination         


Save and restore

iptables-save dumps the running tables in a text format that iptables-restore loads in one atomic step (each table is replaced as a whole, so there is never a window with a half-loaded ruleset). Keep the file where only root can write; a rules file in /tmp can be swapped by any local user before root restores it.

iptables-save > /etc/network/iptables.rules
iptables-restore < /etc/network/iptables.rules
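As an added example (not code from the wiki page), here is the eth0 ruleset from the top of the page, together with the REDIRECT and MASQUERADE rules from the NAT section below, written as a single iptables-restore file instead of a series of -A commands, so the whole thing is loaded atomically and re-running it never duplicates rules. The interface names (eth0 public, eth1 LAN), the file path and the sshd port 8833 are assumptions; the ruleset also tightens two things the page's block leaves open: loopback is accepted explicitly and the chain policy is DROP instead of a trailing DROP rule.

```shell
#!/bin/sh
# Added example, not code from the wiki page: the eth0 ruleset written as an
# iptables-restore file and loaded atomically. Assumptions (not on the page):
# eth0 is the public interface, eth1 the LAN behind MASQUERADE, sshd listens
# on 8833 (port 22 is REDIRECTed there), rules live in /etc/network/iptables.rules.
set -eu

RULES_FILE="${RULES_FILE:-/etc/network/iptables.rules}"

# Emit the ruleset in iptables-save format. The policy sits in the chain
# header, and iptables-restore commits each table as a unit, so a typo
# aborts the load instead of leaving the box with half a firewall.
# Lines starting with '#' are ignored by iptables-restore.
emit_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback first: local services (syslog, DNS cache, databases) talk over lo
-A INPUT -i lo -j ACCEPT
# replies to our own flows, and data channels a conntrack helper tied to them
-A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets that belong to no flow at all are noise; drop them before logging
-A INPUT -i eth0 -m conntrack --ctstate INVALID -j DROP
# the exposed services; 8833 is where the PREROUTING REDIRECT sends port 22
-A INPUT -i eth0 -p tcp -m multiport --dports 80,443,8080,8443,8833 -j ACCEPT
# everything else on eth0: rate-limited log, then the DROP policy applies
-A INPUT -i eth0 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables denied: "
# LAN hosts may go out through eth0 and get their replies back; nothing else is routed
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# clients connect to 22, sshd listens on 8833 (hence 8833 in the INPUT rules)
-A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-ports 8833
# hide the LAN behind the address of eth0
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Write the file readable by root only: a rules file anyone can edit, later
# fed to iptables-restore by root, is a local privilege escalation.
write_rules() {
    umask 077
    emit_rules > "$RULES_FILE"
}

# Parse first without touching the live tables (--test needs a reasonably
# recent iptables; drop that line on very old systems), then load atomically.
load_rules() {
    iptables-restore --test < "$RULES_FILE"
    iptables-restore < "$RULES_FILE"
}

case "${1:-show}" in
    show)  emit_rules ;;               # print the ruleset for review
    apply) write_rules; load_rules ;;  # needs root
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to review the ruleset, and with apply as root to write and load it; the FORWARD rules are what the page's MASQUERADE setup needs once the FORWARD policy is no longer ACCEPT.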


NAT

Masquerading hides the hosts behind this box: packets leaving through eth0 get its address as source, and conntrack maps the replies back to the internal host. Packets only reach POSTROUTING if the kernel routes them, so forwarding must be enabled (net.ipv4.ip_forward = 1) and the FORWARD chain must let the traffic through.

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

one to one NAT

The public address is added as a second address on eth0. DNAT in PREROUTING rewrites inbound packets for it to the internal host, and SNAT in POSTROUTING makes the host's outbound traffic leave with the same public address. Both rules are inserted with -I so they sit above the general MASQUERADE rule, which was appended with -A; the first match in POSTROUTING wins.

ip addr add 87.119.194.81/27 dev eth0
iptables -t nat -I PREROUTING -i eth0 -d 87.119.194.81 -j DNAT --to-destination 192.168.10.17
iptables -t nat -I POSTROUTING -o eth0 -s 192.168.10.17 -j SNAT --to-source 87.119.194.81

port forwarding

Connections to port 8080 are rewritten to 192.168.20.19:80. As written the rule has no -i, so it also applies to connections coming from the LAN side; add -i eth0 if only the public interface should be forwarded. The FORWARD chain has to accept the rewritten packets if its policy is not ACCEPT.

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.20.19:80


port redirection (on the same machine)

REDIRECT rewrites the destination to the address of the interface the packet arrived on, so sshd can listen on 8833 while clients still connect to 22. The rewrite happens in PREROUTING, before the filter INPUT chain sees the packet, so INPUT has to accept port 8833 (which is why 8833 is opened in the rules at the top), not 22.

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-ports 8833

FTP connection track

Suppose we forward FTP on port 30001 to another machine, also on port 30001:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 30001 -j DNAT --to-destination 192.168.20.19:30001

In passive mode this breaks: the server answers the client's PASV command with its own address, 192.168.20.19, and the port for the data connection, and the client cannot reach that address (it fails with "no route to host").

The firewall has to rewrite that address inside the control channel to the public one the client can reach, and track the announced data port so the data connection is accepted as RELATED instead of being dropped.

That is what the FTP connection-tracking helper and its NAT companion do. Because the control channel is not on port 21, the helper has to be told which port to watch:

modprobe nf_conntrack_ftp ports=30001
modprobe nf_nat_ftp

(On kernels from 4.7 on, helpers are no longer attached to flows automatically; the ftp helper has to be assigned explicitly with a CT --helper ftp rule for port 30001 in the raw table's PREROUTING chain.)

To make this persistent, add the module loads and the restore as up lines under the iface stanza of eth0 in /etc/network/interfaces, in this order, so the helpers exist before the rules that depend on RELATED are loaded (pre-up instead of up would also close the short window in which the interface is up without a firewall):

up  modprobe nf_conntrack_ftp ports=30001
up  modprobe nf_nat_ftp
up  iptables-restore < /etc/network/iptables.rules