

These documents are obsolete; please use the Nethence Documentation instead.


Setting up Netfilter
 
Setting up Netfilter on Debian Jessie (8)
Check which services are listening and write down the ones that must stay reachable from the network,
netstat -an --inet --inet6 | grep LISTEN
note. for example 22, 389 and 636 (ssh, ldap and ldaps); on newer systems ss -lntu shows the same thing. Keep in mind that 389 is cleartext LDAP unless the clients negotiate STARTTLS, so only open it when they really cannot use 636.
then prepare the rules restoration file,
cd /etc/
vi iptables.rules
*filter

# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow inbound ports
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 389 -j ACCEPT
-A INPUT -p tcp --dport 636 -j ACCEPT

# Allow ping
# note that blocking other types of icmp packets is considered a bad idea by some
# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
# https://security.stackexchange.com/questions/22711
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT
apply the rules and make them come back at boot,
iptables-restore < /etc/iptables.rules
iptables -n -L
vi /etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.rules
chmod +x /etc/network/if-pre-up.d/iptables
note. this only covers IPv4: whatever the netstat check above showed listening on tcp6 stays reachable over IPv6 until an equivalent ruleset is loaded with ip6tables-restore. The iptables-persistent package does the same job as the if-pre-up.d hook, loading /etc/iptables/rules.v4 and rules.v6 at boot.
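The two steps above (list the listening ports, write the restore file) as one script. This is an added example, not the page's own file: listening_ports parses netstat output fed on stdin, gen_rules writes a ruleset in the shape of /etc/iptables.rules above. Unlike the page's file it sets explicit DROP policies on INPUT and FORWARD (so a chain that fails to load fully still fails closed) and drops INVALID packets; the trailing REJECT is kept so clients get a refusal rather than a timeout. The netstat excerpt at the bottom is constructed, and nothing here touches the kernel; the output is meant for iptables-restore.

```shell
#!/bin/sh
# Added example, not part of the original page: turn the "write down the
# listening ports" step into a script that parses netstat output and writes
# an iptables-restore file in the shape of /etc/iptables.rules above.
# Nothing here talks to the kernel; the output is meant for iptables-restore.

# listening_ports : read `netstat -an --inet --inet6` output on stdin and
# print every TCP port in LISTEN state once, numerically sorted.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -nu
}

# gen_rules PORT... : print a ruleset that accepts loopback, replies to
# traffic this host started, echo requests and the given TCP ports, logs
# the rest (rate limited) and rejects it. Returns 1 on a malformed port.
gen_rules() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "gen_rules: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_rules: bad port '$port'" >&2; return 1
        fi
    done
    cat <<'EOF'
*filter
# explicit policies: a chain that fails to load fully still fails closed
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
EOF
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m state --state NEW --dport $port -j ACCEPT"
    done
    cat <<'EOF'
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
EOF
}

# constructed sample of `netstat -an --inet --inet6` output (not a real host)
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.5:22             10.1.1.9:50122          ESTABLISHED
tcp6       0      0 :::389                  :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# usage: build the file from the sample; on a real host pipe netstat in
# instead, save to /etc/iptables.rules and check it with
# iptables-restore --test < /etc/iptables.rules before loading it
gen_rules $(printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports)
```

Because the policies are DROP, a plain iptables -F on a box running this ruleset leaves it closed rather than open; reset the policies to ACCEPT first if you need to drop back to an open firewall.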
Refs.
https://wiki.debian.org/iptables
https://wiki.debian.org/DebianFirewall
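The LOG rule in /etc/iptables.rules above leaves "iptables denied: " lines in the kernel log, and the question a day later is which source hit which ports. The script below is an added example, not part of the original page: denied_summary reads dmesg-style lines on stdin (dmesg, or journalctl -k) and aggregates them per source, scan_suspects picks out the sources that probed several distinct services. The log excerpt is constructed with documentation addresses; the field names (SRC=, DPT=, PROTO=) are the ones the LOG target writes.

```shell
#!/bin/sh
# Added example, not from the original page: triage the "iptables denied: "
# lines that the LOG rule above writes to the kernel log. Reads dmesg-style
# lines on stdin, so it can be fed from dmesg or from journalctl -k.

# denied_summary : one line per source, busiest first:
#   <hits> <src> <distinct services> <comma-separated PROTO/DPT list>
denied_summary() {
    awk '
    /iptables denied: / {
        src = ""; dpt = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src == "") next
        hits[src]++
        # ICMP carries TYPE/CODE instead of a port: name it by protocol only
        svc = (dpt == "") ? proto : proto "/" dpt
        if (!((src, svc) in seen)) {
            seen[src, svc] = 1
            nsvc[src]++
            ports[src] = (ports[src] == "") ? svc : ports[src] "," svc
        }
    }
    END { for (s in hits) printf "%d %s %d %s\n", hits[s], s, nsvc[s], ports[s] }
    ' | sort -k1,1nr -k2,2
}

# scan_suspects MIN : sources that probed at least MIN distinct services,
# i.e. the ones worth a closer look or a temporary DROP rule
scan_suspects() {
    denied_summary | awk -v min="$1" '$3 >= min { print $2 }'
}

# constructed dmesg excerpt with documentation addresses (not real traffic)
SAMPLE_DMESG='[ 8123.001] iptables denied: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
[ 8123.002] iptables denied: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=29200 RES=0x00 SYN URGP=0
[ 8123.003] iptables denied: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
[ 8124.100] iptables denied: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=61 ID=4 PROTO=UDP SPT=40000 DPT=161 LEN=20
[ 8125.500] iptables denied: IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=5 PROTO=ICMP TYPE=13 CODE=0 ID=0 SEQ=1
[ 8126.000] eth0: link up, 1000Mbps, full-duplex'

# usage: on a real host replace the sample with `dmesg | denied_summary`
printf '%s\n' "$SAMPLE_DMESG" | denied_summary
printf '%s\n' "$SAMPLE_DMESG" | scan_suspects 2
```

The 5/min limit on the LOG rule means these counts are a lower bound during a burst; raise the limit (or add --limit-burst) while investigating if the exact volume matters.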
 
Setting up Netfilter on Redhat systems
On Redhat systems, enable the firewall and back up the defaults (the tool below is the RHEL 5 one; RHEL 6 ships system-config-firewall-tui and RHEL 7 firewalld, which has to be disabled before managing the rules by hand like this),
system-config-securitylevel-tui
cd /etc/sysconfig
cp iptables iptables.dist
cp ip6tables ip6tables.dist
cp iptables-config iptables-config.dist
cp system-config-securitylevel system-config-securitylevel.dist
 
Block everything inbound except ICMP echo requests (rate limited) and TCP ports 22 (new connections rate limited to 1/s, burst of 5, anything above that hits the DROP policy) and 80,
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED \
--icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# accept everything on loopback: a connection to one of the host's own addresses
# also travels over lo, and would be dropped by a 127.0.0.1-only match
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# replies to connections this host initiated, including the related ICMP errors
# (a tcp/udp-only ESTABLISHED rule drops those and breaks path MTU discovery)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -o eth0 -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -o eth0 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 22 \
--tcp-flags SYN,RST,ACK SYN -m state --state NEW \
-m limit --limit 1/s -i eth0 -j ACCEPT

iptables -A INPUT -p tcp -m tcp --dport 80 \
--tcp-flags SYN,RST,ACK SYN -m state --state NEW -i eth0 -j ACCEPT
check,
iptables -L
 
Note. on Redhat systems, save the rules to /etc/sysconfig/iptables so they come back at boot,
chkconfig --list | grep tables
/etc/init.d/iptables save
#cat /etc/sysconfig/iptables
#chkconfig iptables on
#chkconfig ip6tables on
 
Note. to be safe while testing new rules on a remote box, have cron open the firewall back up every 5 minutes until you are done (then remove the entry). Flushing alone is not enough: iptables -F removes the rules but keeps the DROP policies set above, which would lock you out for good,
crontab -e
like,
SHELL=/bin/ksh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
MAILTO=root
HOME=/root
#
*/5 * * * * iptables -P INPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -F
 
Note. to enable NAT for the 10.1.1.0/24 network behind dummy0 (the internal interface here) with eth0 facing out, add those,
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -P FORWARD ACCEPT
iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i dummy0 -s 10.1.1.0/24 -j ACCEPT
iptables -A OUTPUT -o dummy0 -d 10.1.1.0/24 -j ACCEPT
note. the /proc write does not survive a reboot, so also put net.ipv4.ip_forward = 1 in /etc/sysctl.conf. A FORWARD policy of ACCEPT forwards anything in either direction; on anything but a lab box restrict that chain to ESTABLISHED,RELATED plus NEW connections coming from the inside.
and to redirect port 80 to 10.1.1.1,
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
-j DNAT --to-destination 10.1.1.1:80
note. with a restrictive FORWARD chain the rewritten packets (destination 10.1.1.1 port 80) must be accepted there as well; the DNAT rule alone does not let them through.
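The same NAT setup with the FORWARD chain closed by default instead of -P FORWARD ACCEPT, as an added example that is not part of the original page. gen_nat_rules prints the commands rather than running them (they need root), so the result can be reviewed or pasted into a script; the interface names, network and published host are arguments, and the page's dummy0 / eth0 / 10.1.1.0/24 / 10.1.1.1 only appear in the demo call at the bottom. Rule order matters: ESTABLISHED,RELATED first, then the inside-to-outside allow, then the DNAT together with the FORWARD rule that lets the rewritten packets reach the web server.

```shell
#!/bin/sh
# Added example, not from the original page: the NAT setup above with a
# restricted FORWARD chain instead of "-P FORWARD ACCEPT". Prints the
# iptables commands rather than running them, so they can be reviewed
# (or diffed against iptables-save) before being applied as root.

# gen_nat_rules LAN_IF WAN_IF LAN_NET DNAT_HOST : print the commands on stdout
gen_nat_rules() {
    [ $# -eq 4 ] || { echo "usage: gen_nat_rules LAN_IF WAN_IF LAN_NET DNAT_HOST" >&2; return 1; }
    lan_if=$1 wan_if=$2 lan_net=$3 dnat_host=$4
    printf '%s\n' \
      "# forwarding via sysctl; add net.ipv4.ip_forward = 1 to /etc/sysctl.conf for reboots" \
      "sysctl -w net.ipv4.ip_forward=1" \
      "# fail closed: only the flows listed below are forwarded" \
      "iptables -P FORWARD DROP" \
      "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT" \
      "# LAN hosts may open anything towards the WAN, masqueraded on the way out" \
      "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -m state --state NEW -j ACCEPT" \
      "iptables -t nat -A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE" \
      "# published web server: the DNAT alone is not enough, FORWARD must accept the rewritten packets too" \
      "iptables -t nat -A PREROUTING -i $wan_if -p tcp --dport 80 -j DNAT --to-destination $dnat_host:80" \
      "iptables -A FORWARD -i $wan_if -o $lan_if -d $dnat_host -p tcp --dport 80 -m state --state NEW -j ACCEPT"
}

# demo with the page's interfaces and addresses; pipe into sh as root to apply
gen_nat_rules dummy0 eth0 10.1.1.0/24 10.1.1.1
```

The INPUT and OUTPUT rules for dummy0 from the note above are unchanged and still needed for the router itself to talk to the LAN; this script only covers what crosses the box.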
 
Note. the short and simplest stateful form, with the INPUT policy set to DROP as above, would be,
#iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -p tcp --dport 22 -j ACCEPT
do not accept --state NEW on INPUT without a port match: that lets every inbound connection through before the port rules are even consulted. The OUTPUT chain can stay at ACCEPT; an OUTPUT rule for ESTABLISHED,RELATED only matters once OUTPUT is set to DROP too.
 
Note. also worth knowing: REJECT answers with an ICMP port-unreachable by default, for TCP a reset looks like a closed port to the client and makes it give up faster,
#... -j REJECT --reject-with tcp-reset
 
Note. to enable a local port redirect, e.g. send TCP port 80 arriving on eth1 to port 8080 on this host (PREROUTING lives in the nat table; without -t nat the command fails with "No chain/target/match by that name", and the INPUT chain must still accept port 8080),
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8080
 
 
Wipe out the rules
Just in case, to totally disable filtering (everything is then accepted, so only on a box you can afford to leave open),
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
check,
iptables -L
 
 
 

Last update: Mar 02, 2016