Some Linux Iptables Examples

# iptables -L -n -v
Where:
-L : List rules.
-v : Display detailed information.
-n : Display IP addresses and ports in numeric format (no DNS or service-name lookups).

Inactive firewall output:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Active firewall output:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  394 43586 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   93 17292 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    1   142 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination
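Reading such a listing by hand gets tedious on a router with many chains. The following script is an added example, not part of the original post: it parses the text that iptables -L -n -v prints and answers the questions a reviewer asks first (what is each built-in chain's policy, how many rules does it hold, which chains let unmatched traffic through, which rules have never matched a packet). The two listings embedded below are constructed copies of the inactive and active outputs shown above, so the script runs offline; on a live host replace them with the real command output.

```shell
#!/bin/sh
# Added example (not from the original post): summarise `iptables -L -n -v`
# output. INACTIVE_LISTING and ACTIVE_LISTING are constructed copies of the
# two listings shown on the page; the functions read a listing on stdin.

INACTIVE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination'

ACTIVE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  394 43586 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   93 17292 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    1   142 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination'

# chain_policy CHAIN < listing: default policy of CHAIN, "-" for user-defined chains
chain_policy() {
    awk -v c="$1" '$1 == "Chain" && $2 == c { if ($3 == "(policy") print $4; else print "-"; exit }'
}

# rule_count CHAIN < listing: number of rules in CHAIN (the two header lines excluded)
rule_count() {
    awk -v c="$1" '
        $1 == "Chain" { in_chain = ($2 == c); next }
        in_chain && $1 == "pkts" { next }
        in_chain && NF > 0 { n++ }
        END { print n + 0 }'
}

# open_policy_chains < listing: built-in chains whose policy is ACCEPT, i.e. chains
# that let through everything no rule matches
open_policy_chains() {
    awk '$1 == "Chain" && $3 == "(policy" && $4 == "ACCEPT" { print $2 }'
}

# idle_rules < listing: rules whose packet counter is still 0, printed as
# "CHAIN target match ..."; a rule that never matches is either unused or
# shadowed by an earlier rule and deserves a look
idle_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }
        $1 == "pkts" { next }
        NF > 0 && $1 == 0 {
            printf "%s %s", chain, $3
            for (i = 10; i <= NF; i++) printf " %s", $i
            print ""
        }'
}

# summarise LISTING: one line per built-in chain
summarise() {
    for c in INPUT FORWARD OUTPUT; do
        printf '%s policy=%s rules=%s\n' "$c" \
            "$(printf '%s\n' "$1" | chain_policy "$c")" \
            "$(printf '%s\n' "$1" | rule_count "$c")"
    done
}

summarise "$ACTIVE_LISTING"
printf '%s\n' "$ACTIVE_LISTING" | idle_rules
```

On a real system the same functions work on live output, for example iptables -L -n -v | open_policy_chains; an empty result there means every built-in chain defaults to DROP (or REJECT), which is what the "active firewall" listing above is aiming for except in its OUTPUT chain.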

List the rules of the INPUT or OUTPUT chain only (--line-numbers shows each rule's position in the chain)

# iptables -L INPUT -n -v
# iptables -L OUTPUT -n -v --line-numbers

Drop all incoming/forwarded, allow outgoing traffic

# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -L -v -n

Blocking an IP Address

# iptables -A INPUT -s 1.2.3.4 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP

Block Incoming Port

To block all incoming requests to TCP port 80, on any interface or only on eth1, enter:

# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for the IP address 1.2.3.4, or on eth1 only for the 192.168.1.0/24 network, enter:

# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

Block Domain

First, find the IP address(es) of www.facebook.com, enter:

# host -t a www.facebook.com
Sample output:

www.facebook.com has address 69.171.228.40

Find the CIDR block for 69.171.228.40, enter:

# whois 69.171.228.40 | grep CIDR
Sample output:

CIDR:           69.171.224.0/19

DROP outgoing access to www.facebook.com:

# iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP

OR

# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
# iptables -A OUTPUT -p tcp -d facebook.com -j DROP
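A hostname in -d is resolved only once, when the rule is submitted to the kernel: iptables creates one rule per address returned at that moment and never updates them, so the hostname form above silently goes stale when DNS changes, and a lookup failure leaves no rule at all. The script below is an added example, not part of the original post: it takes the output of the host -t a step, emits one explicit address rule per A record, and first checks that each address really falls inside the CIDR block that whois reported, so the whole block is only dropped when the lookup and the whois answer agree. HOST_OUTPUT is a constructed sample in the shape of the host output shown above (the second address is invented for illustration), and WHOIS_CIDR is the block from the whois output.

```shell
#!/bin/sh
# Added example (not from the original post). HOST_OUTPUT is a constructed
# sample shaped like `host -t a` output; WHOIS_CIDR is the block whois reported.
HOST_OUTPUT='www.facebook.com has address 69.171.228.40
www.facebook.com has address 69.171.228.74'
WHOIS_CIDR='69.171.224.0/19'

# ip_to_int A.B.C.D: dotted quad -> unsigned 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1            # split the quad on "." into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET/PREFIX: succeed when ADDR lies inside NET/PREFIX
ip_in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    # network mask: the top PREFIX bits set, e.g. /19 -> 255.255.224.0
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# addresses_from_host_output < host output: print each A record address
addresses_from_host_output() {
    awk '$2 == "has" && $3 == "address" { print $4 }'
}

# block_rules_for HOST_OUTPUT CIDR: print one explicit OUTPUT DROP rule per
# resolved address; an address outside CIDR is reported on stderr instead,
# because then blocking the whole whois block would be the wrong rule
block_rules_for() {
    printf '%s\n' "$1" | addresses_from_host_output | while read -r addr; do
        if ip_in_cidr "$addr" "$2"; then
            printf 'iptables -A OUTPUT -p tcp -d %s -j DROP\n' "$addr"
        else
            printf 'warning: %s is outside %s, re-check whois before blocking the block\n' \
                "$addr" "$2" >&2
        fi
    done
}

block_rules_for "$HOST_OUTPUT" "$WHOIS_CIDR"
```

The generated commands are printed rather than executed, so the operator can read them before running them as root; pipe the output into sh once it looks right. The same ip_in_cidr check is useful on its own whenever a whois answer is about to become a /19-sized DROP rule.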
MY IPTABLES (the full script):

#!/bin/bash
export IPT="iptables"
export WAN=eth0
export LAN=vboxnet0
export LAN_IP_RANGE=192.168.1.0/24
# flush all chains in the filter, nat and mangle tables and delete user-defined chains
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
# default policies: drop everything no rule accepts
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# loopback and the LAN interface are trusted in both directions
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i $LAN -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -o $LAN -j ACCEPT
# connection tracking: replies to known flows in, anything out
$IPT -A INPUT -p all -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# NOTE: this rule accepts every NEW forwarded packet as well, so the FORWARD
# rules below it (LAN -> WAN ACCEPT, WAN -> LAN REJECT) only ever see INVALID packets
$IPT -A FORWARD -p all -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#MTU: clamp the TCP MSS of forwarded SYNs to the path MTU (-I puts it at the top of FORWARD)
$IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# drop packets that connection tracking cannot classify
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
# a new TCP connection must begin with a SYN
$IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
# forwarding direction: LAN may open connections towards the WAN, not the other way round
$IPT -A FORWARD -i $LAN -o $WAN -j ACCEPT
$IPT -A FORWARD -i $WAN -o $LAN -j REJECT
# NAT for the 10.11.0.0/24 network leaving through the WAN interface
$IPT -t nat -A POSTROUTING -s 10.11.0.0/24 -o $WAN -j MASQUERADE
$IPT -A FORWARD -s 10.11.0.0/24 -j ACCEPT
# **********************************************************************
#ICMP(ping)
$IPT -A INPUT -i $WAN -p icmp -j ACCEPT
#HTTP on WAN
$IPT -A INPUT -i $WAN -p tcp --dport 80 -j ACCEPT
#FTP
$IPT -A INPUT -i $WAN -p tcp --dport 20 -j ACCEPT
$IPT -A INPUT -i $WAN -p tcp --dport 21 -j ACCEPT
#SSH
$IPT -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT
#HTTPS
$IPT -A INPUT -i $WAN -p tcp --dport 443 -j ACCEPT
#************************************************************************
#PORT FORWARD(WAN -> LAN)
#RDP: WAN port 3391 -> 192.168.1.2:3389
$IPT -t nat -A PREROUTING -p tcp --dport 3391 -i $WAN -j DNAT --to 192.168.1.2:3389
# **********************************************************************
$IPT -L
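Two things in the script above are worth fixing before running it on a remote box. It sets the default policies to DROP several lines before it adds the ESTABLISHED,RELATED rule, so an administrator connected over SSH is cut off if the script stops in between; and its FORWARD chain accepts every NEW packet before the WAN -> LAN REJECT, which therefore never sees a packet, while the RDP port forward only works because of that catch-all. The script below is an added example, not the post author's code: it renders the same policy (also for the "drop all incoming/forwarded, allow outgoing" section earlier on the page) as an iptables-restore ruleset, which the kernel loads in one atomic commit per table, policies and rules together, so there is no lock-out window. The conntrack rules are ordered so that the direction rules decide about NEW forwarded flows, and the FORWARD chain gets the explicit accept the RDP forward needs. WAN, LAN, LAN_IP_RANGE and the RDP host are taken from the script above; masquerading LAN_IP_RANGE (instead of the script's 10.11.0.0/24) and the multiport grouping of the WAN services are my choices.

```shell
#!/bin/sh
# Added example (not from the original post): the router policy of the script
# above as an iptables-restore ruleset, loaded atomically. Interface names and
# the RDP host come from that script; masquerading LAN_IP_RANGE is an assumption.
WAN=eth0
LAN=vboxnet0
LAN_IP_RANGE=192.168.1.0/24
RDP_HOST=192.168.1.2

# build_ruleset: print the filter and nat tables in iptables-restore format.
# Policies live in the ":CHAIN POLICY [pkts:bytes]" lines, so they take effect
# together with the rules at COMMIT, never before them.
build_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
-A INPUT -i $WAN -p icmp -j ACCEPT
-A INPUT -i $WAN -p tcp -m multiport --dports 20,21,22,80,443 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $LAN -j ACCEPT
-A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_IP_RANGE -j ACCEPT
-A FORWARD -i $WAN -o $LAN -p tcp -d $RDP_HOST --dport 3389 -j ACCEPT
-A FORWARD -i $WAN -o $LAN -j REJECT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --dport 3391 -j DNAT --to-destination $RDP_HOST:3389
-A POSTROUTING -s $LAN_IP_RANGE -o $WAN -j MASQUERADE
COMMIT
EOF
}

# check_ruleset < ruleset: structural check that every table opens with "*name"
# and is closed by COMMIT before the next one starts (a ruleset without the
# final COMMIT is parsed but never applied, which is easy to miss)
check_ruleset() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1 }
        /^COMMIT$/ { if (!open) bad = 1; open = 0 }
        END        { exit (bad || open) ? 1 : 0 }'
}

# table_count < ruleset: number of tables defined
table_count() {
    grep -c '^\*'
}

# chain_policy_in_ruleset CHAIN < ruleset: policy declared for a built-in chain
chain_policy_in_ruleset() {
    awk -v c=":$1" '$1 == c { print $2; exit }'
}

build_ruleset | check_ruleset && echo "ruleset structure OK"
# Dry run without touching the kernel:  build_ruleset | iptables-restore --test
# Apply atomically as root:              build_ruleset | iptables-restore
```

iptables-restore --test parses and constructs the ruleset without committing it, so a typo like the "- j" that was in the original script is caught before any rule changes; because the old rules stay in place until COMMIT succeeds, a failed load leaves the previous firewall intact instead of a half-applied one.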

Post author: Patap
