Iptables

Updated 11 March 2019

Install iptables

emerge -av net-firewall/iptables

Iptables control commands

Check status

/etc/init.d/iptables status

Start service

/etc/init.d/iptables start

Stop service

/etc/init.d/iptables stop

Restart service

/etc/init.d/iptables restart

Add to autostart

rc-update add iptables default

If rules are added manually, the current rules must be saved to /var/lib/iptables/rules-save so that they are applied again at system startup:

/etc/init.d/iptables save

Create a script with iptables rules

Tip: To quickly adjust iptables parameters, we recommend keeping the rules in a settings script and editing that script; it also makes the new configuration easier to review.

Create the iptables.sh script anywhere you like on your disk and fill it with the necessary parameters:

/root/iptables.sh

#!/bin/bash
# Flush all rules, delete user-defined chains and zero the packet counters
iptables -F
iptables -X
iptables -Z
# Default policies for traffic that matches no rule: drop incoming and forwarded traffic, allow outgoing
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Enable ping (echo request/reply) and the ICMP error messages needed for path MTU discovery and traceroute
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Miscellaneous settings: accept replies to connections this host opened, all loopback traffic,
# ICMP types 3, 11 and 12 by number (3 and 11 repeat the rules above and are harmless),
# and answer ident (port 113) probes with a TCP reset instead of a silent drop
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 113 -j REJECT --reject-with tcp-reset
# ssh access
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Access to the web server via http and https
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Save the rules
# Calculate/Gentoo saves the iptables rules at /var/lib/iptables/rules-save
rc-service iptables save

The last command in the script saves the settings.

Make the script executable:

chmod +x /root/iptables.sh

Run the script now:

sh /root/iptables.sh

View information on iptables rules

When no rules are loaded:

iptables -L -v -n

...
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination

The rules currently in effect:

iptables -L -v -n

...
Chain INPUT (policy DROP 31 packets, 2260 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    6   504 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
   91  8220 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 12
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113 flags:0x17/0x02 reject-with tcp-reset
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 80 packets, 9864 bytes)
 pkts bytes target     prot opt in     out     source               destination

The rules that will be applied at startup are stored in /var/lib/iptables/rules-save:

/var/lib/iptables/rules-save

# iptables-save
# Generated by iptables-save v1.4.21 on Tue Dec  5 01:15:23 2017
*filter
:INPUT DROP [3:172]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [897:354826]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10050 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 9980 -j ACCEPT
-A DOCKER-ISOLATION -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Tue Dec  5 01:15:23 2017
# Generated by iptables-save v1.4.21 on Tue Dec  5 01:15:23 2017
*nat
:PREROUTING ACCEPT [48:2828]
:INPUT ACCEPT [40:2444]
:OUTPUT ACCEPT [9:540]
:POSTROUTING ACCEPT [9:540]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -s 172.17.0.2/32 -d 172.17.0.2/32 -p tcp -m tcp --dport 9980 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
-A DOCKER -d 127.0.0.1/32 ! -i docker0 -p tcp -m tcp --dport 9980 -j DNAT --to-destination 172.17.0.2:9980
COMMIT
# Completed on Tue Dec  5 01:15:23 2017
# Generated by iptables-save v1.4.21 on Tue Dec  5 01:15:23 2017
*mangle
:PREROUTING ACCEPT [25186740:78903988813]
:INPUT ACCEPT [25137767:78901761780]
:FORWARD ACCEPT [48:4224]
:OUTPUT ACCEPT [16725801:4605075841]
:POSTROUTING ACCEPT [16725849:4605080065]
COMMIT
# Completed on Tue Dec  5 01:15:23 2017
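As an added example, not part of the original page or of Calculate's own tooling, the POSIX shell script below reads text in the iptables-save format shown above (the same format as /var/lib/iptables/rules-save) and reports three things a reviewer checks before enabling the service at boot: the default policy of the INPUT chain, the TCP ports accepted from any source address, and rules appended more than once (as the ICMP type 3 and 11 rules are in the script earlier on this page). The sample rules text and the function names are constructed for this example; to audit a real file, assign its contents to the variable instead (rules=$(cat /var/lib/iptables/rules-save)).

```shell
#!/bin/sh
# Audit helper for text in the iptables-save format (example code, not part of the page).
# SAMPLE_RULES is a constructed excerpt modelled on /var/lib/iptables/rules-save.
SAMPLE_RULES='*filter
:INPUT DROP [3:172]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [897:354826]
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# Print the default policy of a chain (e.g. DROP).  $1 = rules text, $2 = chain name.
# Policy lines look like ":INPUT DROP [3:172]".
chain_policy() {
    printf '%s\n' "$1" | awk -v c=":$2" '$1 == c { print $2; exit }'
}

# List TCP destination ports that INPUT accepts from any source (rules with no -s
# restriction), one per line, sorted numerically.  REJECT rules are not listed.
world_open_tcp_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "-A" && $2 == "INPUT" && / -p tcp / && / -j ACCEPT/ && !/ -s / {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -n
}

# List rule lines that occur more than once; each duplicate is printed once.
duplicate_rules() {
    printf '%s\n' "$1" | grep '^-A ' | sort | uniq -d
}

# Report over the constructed sample.
echo "INPUT policy: $(chain_policy "$SAMPLE_RULES" INPUT)"
echo "TCP ports accepted from any source:"
world_open_tcp_ports "$SAMPLE_RULES"
echo "Duplicate rules:"
duplicate_rules "$SAMPLE_RULES"
```

The port check deliberately ignores rules carrying -s, since a rule limited to an internal network (the constructed 5432 line) is not exposed to the world; the duplicate check is purely textual, so two rules that differ only in option order will not be reported.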